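HTTPD (Apache) Web Server: Basic HTTP Configuration (Part 2)

Continued from: Basic HTTP Configuration (Part 1)
Quick directive index (official site)

Lab environment

Install httpd with yum, create a default index.html page, then start the service and test it. The system is a minimal install of CentOS 8, with the firewall and SELinux both turned off. The host is centos8, with IP address 192.168.32.8.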

[root@centos8 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:a5:39:58 brd ff:ff:ff:ff:ff:ff
    inet 192.168.32.8/24 brd 192.168.32.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
       
[root@centos8 ~]#cat /etc/redhat-release 
CentOS Linux release 8.0.1905 (Core) 
[root@centos8 ~]#
[root@centos8 ~]#firewall-cmd --state
not running
[root@centos8 ~]#
[root@centos8 ~]#getenforce 
Disabled
[root@centos8 ~]#yum list httpd*
Last metadata expiration check: 3 days, 9:43:01 ago on Sun 08 Dec 2019 05:11:56 AM CST.
Available Packages
httpd.x86_64                                   2.4.37-12.module_el8.0.0+185+5908b0db                        centos8
httpd-devel.x86_64                             2.4.37-12.module_el8.0.0+185+5908b0db                        centos8
httpd-filesystem.noarch                        2.4.37-12.module_el8.0.0+185+5908b0db                        centos8
httpd-manual.noarch                            2.4.37-12.module_el8.0.0+185+5908b0db                        centos8
httpd-tools.x86_64                             2.4.37-12.module_el8.0.0+185+5908b0db                        centos8
[root@centos8 ~]#dnf install httpd -y

[root@centos8 ~]#rpm -qi httpd
Name        : httpd
Version     : 2.4.37
Release     : 12.module_el8.0.0+185+5908b0db
Architecture: x86_64
Install Date: Wed 11 Dec 2019 02:55:14 PM CST
Group       : System Environment/Daemons
Size        : 5148135
License     : ASL 2.0
Signature   : RSA/SHA256, Thu 10 Oct 2019 05:33:32 AM CST, Key ID 05b555b38483c65d
Source RPM  : httpd-2.4.37-12.module_el8.0.0+185+5908b0db.src.rpm
Build Date  : Tue 08 Oct 2019 05:42:59 AM CST
Build Host  : x86-01.mbox.centos.org
Relocations : (not relocatable)
Packager    : CentOS Buildsys <bugs@centos.org>
Vendor      : CentOS
URL         : https://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
[root@centos8 ~]#ss -ntl
State         Recv-Q         Send-Q                  Local Address:Port                  Peer Address:Port         
LISTEN        0              128                           0.0.0.0:22                         0.0.0.0:*            
LISTEN        0              128                              [::]:22                            [::]:*            
[root@centos8 ~]#systemctl start httpd
[root@centos8 ~]#ss -ntl
State         Recv-Q         Send-Q                  Local Address:Port                  Peer Address:Port         
LISTEN        0              128                           0.0.0.0:22                         0.0.0.0:*            
LISTEN        0              128                           0.0.0.0:80                         0.0.0.0:*            
LISTEN        0              128                              [::]:22                            [::]:*      
[root@centos8 ~]#echo "This is a HTTPD(apache) test for kaivi" > /var/www/html/index.html

[root@centos8 ~]#curl 192.168.32.8
This is a HTTPD(apache) test for kaivi


1 Log configuration

httpd has two types of log:
access log
error log

Error log

ErrorLog logs/error_log
# Only messages at this level or above are written to the log
LogLevel warn
Possible LogLevel values (log levels): debug, info, notice, warn, error, crit, alert, emerg

Access log

Define a log format: LogFormat format nickname
LogFormat: the log format; you can define this format yourself
nickname: a name for the format
Use a log format: CustomLog file nickname

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

Example:

LogFormat "%h %l %u %{%F %T}t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" testlog
# The double quotes inside the format string must be escaped

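Reference

%h Client IP address
%l Remote user; only valid when mod_ident is enabled, usually a dash "-"
%u Remote user from authentication (basic, digest); a dash "-" for unauthenticated access
%t Time at which the server received the request
%r First line of request, i.e. the first line of the request message; records the method, URL and protocol version of the request
%>s Status. For requests that have been internally redirected, %s is the status of the original request; use %>s for the final status. Similar to the exit number of a script
%b Size of the response in bytes, not including the HTTP response headers
%{Referer}i Value of the "Referer" request header, i.e. the page whose hyperlink led to the current page. The text inside { } is a key-value pair (header) in the request
%{User-Agent}i Value of the "User-Agent" request header, i.e. the application that sent the request, usually the browser model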

[root@centos8 ~]#cat /etc/httpd/conf/httpd.conf |grep  -A 35 "ErrorLog"
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    #CustomLog "logs/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    # Default log format option on CentOS 8
    CustomLog "logs/access_log" combined

[root@centos8 ~]#ll /var/log/httpd/
total 8
-rw-r--r-- 1 root root  556 Dec 11 14:59 access_log
-rw-r--r-- 1 root root 1412 Dec 11 14:58 error_log
[root@centos8 ~]#

[root@centos8 ~]#ls -al /var/log/httpd/error_log*
-rw-r--r-- 1 root root 1412 Dec 11 14:58 /var/log/httpd/error_log
[root@centos8 ~]#
[root@centos8 ~]#
[root@centos8 ~]#ll /var/log/httpd/access_log*
-rw-r--r-- 1 root root 556 Dec 11 14:59 /var/log/httpd/access_log
[root@centos8 ~]#

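In the form of a symbolic link

Page-jump experiment to verify the {Referer} field. %{Referer}i is the value of the "Referer" request header, i.e. the page whose hyperlink led to the current page.
Open a second, identical terminal to watch the access log for changes.

View the access log: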
[root@centos8 ~]#tail -f /var/log/httpd/access_log 
192.168.32.8 - - [11/Dec/2019:14:58:23 +0800] "GET / HTTP/1.1" 404 - "-" "curl/7.61.1"
192.168.32.1 - - [11/Dec/2019:14:58:45 +0800] "GET / HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
192.168.32.8 - - [11/Dec/2019:14:59:07 +0800] "GET / HTTP/1.1" 200 39 "-" "curl/7.61.1"
192.168.32.1 - - [11/Dec/2019:14:59:11 +0800] "GET / HTTP/1.1" 200 39 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"

In the other terminal, create some files as follows:

[root@centos8 ~]#
[root@centos8 ~]#cd /var/www/html/

[root@centos8 html]#vim f1.html
[root@centos8 html]#cat f1.html 
<html>
<head>
<meta http-equiv=Content-Type content="text/html;charset=utf-8">
<title>HTML语言</title>
</head>
<body>
<h1 style="color:red">欢迎</h1>
<p><a href=http://192.168.32.8/f2.html>kaivi's Test</a>!</p>  #the link points to the file 192.168.32.8/f2.html
</body>
</html>
[root@centos8 html]#
[root@centos8 html]#vim f2.html

[root@centos8 html]#cat f2.html 
<h>Jump page successful!</h>         #contents of f2.html
[root@centos8 html]#

First visit: access f2.html directly.
Check the access log being followed:

[root@centos8 ~]#tail -f /var/log/httpd/access_log 
192.168.32.8 - - [11/Dec/2019:14:58:23 +0800] "GET / HTTP/1.1" 404 - "-" "curl/7.61.1"
192.168.32.1 - - [11/Dec/2019:14:58:45 +0800] "GET / HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
192.168.32.8 - - [11/Dec/2019:14:59:07 +0800] "GET / HTTP/1.1" 200 39 "-" "curl/7.61.1"
192.168.32.1 - - [11/Dec/2019:14:59:11 +0800] "GET / HTTP/1.1" 200 39 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"


192.168.32.1 - - [11/Dec/2019:15:45:54 +0800] "GET /f2 HTTP/1.1" 404 200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
192.168.32.1 - - [11/Dec/2019:15:46:06 +0800] "GET /f2.html HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"

The {Referer} field is "-", i.e. empty (it is the field just before "Mozilla/5.0 in the output above).

Second visit: open f1.html first, then click the link to jump.
Check the access log being followed:

[root@centos8 ~]#tail -f /var/log/httpd/access_log 
192.168.32.8 - - [11/Dec/2019:14:58:23 +0800] "GET / HTTP/1.1" 404 - "-" "curl/7.61.1"
192.168.32.1 - - [11/Dec/2019:14:58:45 +0800] "GET / HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
192.168.32.8 - - [11/Dec/2019:14:59:07 +0800] "GET / HTTP/1.1" 200 39 "-" "curl/7.61.1"
192.168.32.1 - - [11/Dec/2019:14:59:11 +0800] "GET / HTTP/1.1" 200 39 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"


192.168.32.1 - - [11/Dec/2019:15:45:54 +0800] "GET /f2 HTTP/1.1" 404 200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
192.168.32.1 - - [11/Dec/2019:15:46:06 +0800] "GET /f2.html HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"


192.168.32.1 - - [11/Dec/2019:15:46:37 +0800] "GET /f1.html HTTP/1.1" 200 231 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
192.168.32.1 - - [11/Dec/2019:15:47:29 +0800] "-" 408 - "-" "-"
192.168.32.1 - - [11/Dec/2019:15:48:06 +0800] "GET /f2.html HTTP/1.1" 304 - "http://192.168.32.8/f1.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"

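The {Referer} field is now "http://192.168.32.8/f1.html", which shows the page whose hyperlink led to the current page.
The 304 status means the response was satisfied from the cache.

This field can be used to prevent hotlinking.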
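
The Referer check described above, as an added example that is not part of the original post: a Python parser for the combined log format that sorts requests into direct hits, jumps from this site's own pages, and requests arriving from another site. The sample lines are constructed in the style of the log above; SITE_HOSTS, other.example.net and the function names are assumptions. The client supplies the Referer header, so a missing or matching value is a hint and not proof of origin.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# httpd writes a double quote inside a logged field as \" so each quoted
# field is matched with backslash escapes allowed.
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Hosts that count as this site (assumption: the lab server from the post).
SITE_HOSTS = frozenset({"192.168.32.8"})

# Constructed sample lines in the style of the access log shown above.
SAMPLE_LOG = [
    '192.168.32.1 - - [11/Dec/2019:15:46:06 +0800] "GET /f2.html HTTP/1.1" 200 29 "-" "Mozilla/5.0"',
    '192.168.32.1 - - [11/Dec/2019:15:47:29 +0800] "-" 408 - "-" "-"',
    '192.168.32.1 - - [11/Dec/2019:15:48:06 +0800] "GET /f2.html HTTP/1.1" 304 - '
    '"http://192.168.32.8/f1.html" "Mozilla/5.0"',
    '192.168.32.7 - - [11/Dec/2019:15:49:10 +0800] "GET /f2.html HTTP/1.1" 200 29 '
    '"http://other.example.net/page.html" "Mozilla/5.0 \\"quoted\\""',
]


def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = COMBINED.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    parts = entry["request"].split()
    # A 408 timeout is logged with "-" as the request line, so guard the split.
    entry["method"] = parts[0] if len(parts) == 3 else None
    entry["path"] = parts[1] if len(parts) == 3 else None
    return entry


def classify_referer(referer, site_hosts=SITE_HOSTS):
    """'direct' for an empty Referer, 'internal' for this site, else 'external'."""
    if referer in ("", "-"):
        return "direct"
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        host = None  # malformed URL: treat it as not ours
    return "internal" if host in site_hosts else "external"


def referer_counts(lines, site_hosts=SITE_HOSTS):
    """Count parsed requests per Referer class."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None and entry["path"] is not None:
            counts[classify_referer(entry["referer"], site_hosts)] += 1
    return dict(counts)


def external_referers(lines, site_hosts=SITE_HOSTS):
    """Return (client, path, referer) for served requests that came from another site."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["path"] is None:
            continue
        if entry["status"] not in ("200", "206", "304"):
            continue
        if classify_referer(entry["referer"], site_hosts) == "external":
            hits.append((entry["host"], entry["path"], entry["referer"]))
    return hits


if __name__ == "__main__":
    print(referer_counts(SAMPLE_LOG))
    for hit in external_referers(SAMPLE_LOG):
        print("off-site referer:", hit)
```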

Any header key-value pair that is present can be added to the log format. Here Host:192.168.32.8 is added to the log format.

[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf 
 LogFormat "%h \"%{Host}i\" %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" kaivilog
 #This log format definition must be placed inside the <IfModule log_config_module> block
 #Change the default log format
 # CustomLog "logs/access_log" combined
 CustomLog "logs/access_log" kaivilog
 

Access from centos7 (192.168.32.7):

[root@centos8 ~]#curl 192.168.32.8
This is a HTTPD(apache) test for kaivi
[root@centos8 ~]#

Access from centos8 (192.168.32.8), the local host:

[root@centos8 ~]#curl 192.168.32.8
This is a HTTPD(apache) test for kaivi
[root@centos8 ~]#

Check the customized log entries being followed:

[root@centos8 ~]#tail -f /var/log/httpd/access_log 
192.168.32.7 "192.168.32.8" [11/Dec/2019:16:22:02 +0800] "GET / HTTP/1.1" 200 39 "-" "curl/7.29.0"

192.168.32.8 "192.168.32.8" [11/Dec/2019:16:27:15 +0800] "GET / HTTP/1.1" 200 39 "-" "curl/7.61.1"

The log entries now include the custom Host:192.168.32.8 key-value pair.

Define a path alias

Create a new file

[root@centos8 ~]#cd /var/www/html/
[root@centos8 html]#ll
total 12
-rw-r--r-- 1 root root 231 Dec 11 15:44 f1.html
-rw-r--r-- 1 root root  29 Dec 11 15:45 f2.html
-rw-r--r-- 1 root root  39 Dec 11 14:59 index.html

[root@centos8 html]#mkdir newsdir -p
[root@centos8 html]#echo "This is newsdir file not a news" > newsdir/index.html
[root@centos8 html]#ll
total 12
-rw-r--r-- 1 root root 231 Dec 11 15:44 f1.html
-rw-r--r-- 1 root root  29 Dec 11 15:45 f2.html
-rw-r--r-- 1 root root  39 Dec 11 14:59 index.html
drwxr-xr-x 2 root root  24 Dec 11 16:41 newsdir
[root@centos8 html]#cat newsdir/index.html 
This is newsdir file not a news
[root@centos8 html]#

An alias can hide the real filesystem path. The goal here is to use the news directory in place of the newsdir/index.html access path, so that the real filesystem path is hidden.

[root@centos8 html]#vim /etc/httpd/conf/httpd.conf 

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
    # Newly added alias
    Alias /news/ /var/www/html/newsdir/
</IfModule>

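Open the page in a browser to see whether it is accessible.
Access is denied, so in addition to the alias the directory needs access permission; authorize the directory explicitly: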

[root@centos8 html]#vim /etc/httpd/conf/httpd.conf 

<Directory "/var/www/html/newsdir">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

[root@centos8 html]#systemctl restart httpd

Set the default character set

Chinese character sets: GBK, GB2312, GB18030

Check the default character set on CentOS 8:

[root@centos8 ~]#cat /etc/httpd/conf/httpd.conf |grep AddDefaultCharset
AddDefaultCharset UTF-8
[root@centos8 ~]#

Displaying httpd server status information

Use this feature when you need live status information from the httpd server while it is running.

[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf

[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf
<Location "/status">
	<requireany>
		require all denied
		# Only these specific IPs may access
		require ip 192.168.32.8 192.168.32.7
	</requireany>
SetHandler server-status
</Location>
ExtendedStatus On
[root@centos8 ~]#
[root@centos8 ~]#systemctl restart httpd 

[root@centos8 ~]#ss -ntl
State         Recv-Q         Send-Q                  Local Address:Port                  Peer Address:Port         
LISTEN        0              128                           0.0.0.0:22                         0.0.0.0:*            
LISTEN        0              128                           0.0.0.0:80                         0.0.0.0:*            
LISTEN        0              128                              [::]:22                            [::]:*  
[root@centos8 ~]#curl 192.168.32.8/status
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for 192.168.32.8 (via 192.168.32.8)</h1>

<dl><dt>Server Version: Apache/2.4.37 (centos)</dt>
<dt>Server MPM: event</dt>
<dt>Server Built: Oct  7 2019 21:42:02
</dt></dl><hr /><dl>
<dt>Current Time: Wednesday, 11-Dec-2019 17:51:14 CST</dt>
<dt>Restart Time: Wednesday, 11-Dec-2019 17:50:35 CST</dt>
<dt>Parent Server Config. Generation: 1</dt>
<dt>Parent Server MPM Generation: 0</dt>
......(partially omitted)
</table>
 <hr /> <table>
 <tr><th>Srv</th><td>Child Server number - generation</td></tr>
 <tr><th>PID</th><td>OS process ID</td></tr>
 <tr><th>Acc</th><td>Number of accesses this connection / this child / this slot</td></tr>
 <tr><th>M</th><td>Mode of operation</td></tr>
<tr><th>CPU</th><td>CPU usage, number of seconds</td></tr>
<tr><th>SS</th><td>Seconds since beginning of most recent request</td></tr>
 <tr><th>Req</th><td>Milliseconds required to process most recent request</td></tr>
 <tr><th>Dur</th><td>Sum of milliseconds required to process all requests</td></tr>
 <tr><th>Conn</th><td>Kilobytes transferred this connection</td></tr>
 <tr><th>Child</th><td>Megabytes transferred this child</td></tr>
 <tr><th>Slot</th><td>Total megabytes transferred this slot</td></tr>
 </table>
</body></html>
[root@centos8 ~]#curl 127.0.0.1/status  #access via the local host address is denied
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /status
on this server.<br />
</p>
</body></html>
[root@centos8 ~]#

Access from centos7 (192.168.32.7):
[root@centos8 ~]#curl 192.168.32.8/status
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for 192.168.32.8 (via 192.168.32.8)</h1>

<dl><dt>Server Version: Apache/2.4.37 (centos)</dt>
<dt>Server MPM: event</dt>
<dt>Server Built: Oct  7 2019 21:42:02
</dt></dl><hr /><dl>
<dt>Current Time: Wednesday, 11-Dec-2019 17:51:59 CST</dt>
<dt>Restart Time: Wednesday, 11-Dec-2019 17:50:35 CST</dt>
<dt>Parent Server Config. Generation: 1</dt>
<dt>Parent Server MPM Generation: 0</dt>
<dt>Server uptime:  1 minute 24 seconds</dt>
<dt>Server load: 0.63 0.18 0.07</dt>
<dt>Total accesses: 2 - Total Traffic: 4 kB - Total Duration: 0</dt>
......(partially omitted)
</table>
 <hr /> <table>
 <tr><th>Srv</th><td>Child Server number - generation</td></tr>
 <tr><th>PID</th><td>OS process ID</td></tr>
 <tr><th>Acc</th><td>Number of accesses this connection / this child / this slot</td></tr>
 <tr><th>M</th><td>Mode of operation</td></tr>
<tr><th>CPU</th><td>CPU usage, number of seconds</td></tr>
<tr><th>SS</th><td>Seconds since beginning of most recent request</td></tr>
 <tr><th>Req</th><td>Milliseconds required to process most recent request</td></tr>
 <tr><th>Dur</th><td>Sum of milliseconds required to process all requests</td></tr>
 <tr><th>Conn</th><td>Kilobytes transferred this connection</td></tr>
 <tr><th>Child</th><td>Megabytes transferred this child</td></tr>
 <tr><th>Slot</th><td>Total megabytes transferred this slot</td></tr>
 </table>
</body></html>

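The httpd server status information was retrieved successfully.

User-based access control

Authentication challenge: WWW-Authenticate, with response code 401; the server rejects the client's request and states that the client must supply a username and password

Authentication: Authorization; after the user enters a username and password, the client sends the request again; when authentication succeeds, the server sends the requested resource

Two authentication methods:
basic: cleartext
digest: message-digest authentication, poor compatibility

Security realm: a path that can be accessed only after user authentication; it should be identified by a name, so that users can be told why authentication is required

User accounts and passwords

Virtual accounts: authentication identities used only for access to a particular service. Storage: text file, SQL database, LDAP directory, NIS, etc.

Basic authentication configuration example:

(1) Define the security realm

<Directory "/path">
Options None
AllowOverride None
AuthType Basic
# Descriptive prompt text
AuthName "String"
# File that stores the passwords
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
# Only the listed users may access
Require user username1 username2 ...
</Directory>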

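Allow every user in the account file to log in:

# Any user listed in the file is a valid user and may access
Require valid-user

(2) Provide storage for accounts and passwords (a text file). Use the dedicated command to create this file and manage its users

htpasswd [options] /PATH/HTTPD_PASSWD_FILE username
These accounts are unrelated to Linux system accounts

Options:
-c create the file automatically; should only be used when the file does not exist
-p plaintext password
-d CRYPT-format encryption, the default
-m MD5-format encryption
-s SHA-format encryption
-D delete the specified user

Basic authentication configuration example, method 1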

[root@centos8 ~]#cd /var/www/html/ 
[root@centos8 html]#mkdir admin
[root@centos8 html]#echo "This is a Test that admin user" > admin/index.html

Create users

[root@centos8 html]#htpasswd -c /etc/httpd/conf.d/.httpuser likai  #specify the path; this creates a hidden file
New password: 
Re-type new password: 
Adding password for user likai
[root@centos8 html]#
When creating another user, adding -c would overwrite the file, so leave -c out when adding users
[root@centos8 html]#htpasswd  /etc/httpd/conf.d/.httpuser duanxin
New password: 
Re-type new password: 
Adding password for user duanxin
[root@centos8 html]#cat /etc/httpd/conf.d/.httpuser
likai:$apr1$j1zg7PNj$R5GMcFr3zg4EIYseOJ4dc0
duanxin:$apr1$40I5RFhJ$MUxJQggapHckfFDZatEb/.
[root@centos8 html]#
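
An added example (not part of the original post) that audits a password file like the .httpuser file above: it names the storage scheme of each entry, matching the htpasswd options listed earlier, and reports entries that are weak at rest, duplicated or malformed. The sample entries are constructed and are not real credentials; the scheme labels, the WEAK table and the function names are this example's own assumptions.

```python
import re

# 13 characters from the crypt(3) alphabet: traditional DES crypt output.
# A 13-character plaintext password made only of these characters looks the same.
DES_CRYPT = re.compile(r'^[./0-9A-Za-z]{13}$')

# Schemes this example reports as weak at rest, with the reason.
WEAK = {
    "sha1-unsalted": "unsalted SHA-1 (htpasswd -s)",
    "des-crypt": "crypt(): only the first 8 characters of the password count (htpasswd -d)",
    "plaintext-or-unknown": "plaintext (htpasswd -p) or an unrecognised format",
}

# Constructed sample file; line 1 is the comment below.
SAMPLE_FILE = """\
# constructed sample entries, not real credentials
alice:$apr1$constrct$0000000000000000000000
bob:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
carol:$2y$05$constructedconstructedconstructedconstructedconstruct
dave:zzAbCdEfGhIjK
erin:hunter2
alice:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
no-colon-line
"""


def classify_hash(value):
    """Name the storage scheme of one password field."""
    if value.startswith("$apr1$"):
        return "apr1-md5"            # htpasswd -m; the format in the post's file
    if value.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if value.startswith("{SHA}"):
        return "sha1-unsalted"
    if value.startswith(("$5$", "$6$")):
        return "sha2-crypt"
    if DES_CRYPT.match(value):
        return "des-crypt"
    return "plaintext-or-unknown"


def audit_htpasswd(text):
    """Return (line_no, user, issue) for every entry that needs attention."""
    findings = []
    seen = set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split at the first colon only: a plaintext password may contain colons.
        user, sep, value = line.partition(":")
        if not sep or not user or not value:
            findings.append((line_no, None, "malformed entry"))
            continue
        if user in seen:
            findings.append((line_no, user, "duplicate user name"))
        seen.add(user)
        scheme = classify_hash(value)
        if scheme in WEAK:
            findings.append((line_no, user, WEAK[scheme]))
    return findings


if __name__ == "__main__":
    for line_no, user, issue in audit_htpasswd(SAMPLE_FILE):
        print(f"line {line_no}: {user or '?'}: {issue}")
```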

Reference this file in the configuration file

[root@centos8 html]#vim /etc/httpd/conf.d/test.conf 

[root@centos8 html]#cat /etc/httpd/conf.d/test.conf 
<directory /var/www/html/admin>
AuthType Basic
# Prompt message
AuthName "FBI warning"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
# Only these named users may access
Require user likai duanxin
</directory>

[root@centos8 html]#systemctl restart httpd

When the page is accessed, an authentication prompt appears.
Access succeeds only after the correct username and password are entered:

[root@centos8 ~]#tail -f /var/log/httpd/access_log 
192.168.32.1 - likai [11/Dec/2019:19:53:03 +0800] "GET /admin/ HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
192.168.32.1 - - [11/Dec/2019:19:53:54 +0800] "-" 408 - "-" "-"
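#the user of the likai account now appears in the log

Within the same browser, once authenticated you do not have to authenticate again.
Access from a different browser.
Configuration that allows every user in the account file to log in: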

[root@centos8 html]#vim /etc/httpd/conf.d/test.conf 

[root@centos8 html]#cat /etc/httpd/conf.d/test.conf 
<directory /var/www/html/admin>
AuthType Basic
AuthName "FBI warning"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
# Commented out:
#Require user likai duanxin
# Allow every user in the account file to log in
require valid-user
</directory>             
[root@centos8 html]#
#Add a new user account, laowang
[root@centos8 html]#htpasswd  /etc/httpd/conf.d/.httpuser laowang
New password: 
Re-type new password: 
Adding password for user laowang
[root@centos8 html]#cat  /etc/httpd/conf.d/.httpuser
likai:$apr1$j1zg7PNj$R5GMcFr3zg4EIYseOJ4dc0
duanxin:$apr1$40I5RFhJ$MUxJQggapHckfFDZatEb/.
laowang:$apr1$0MaR3ZNc$7SMlkGVBaxzD2MJkt00HX.
[root@centos8 html]#

Access the login page:

[root@centos8 ~]#tail -f /var/log/httpd/access_log 

192.168.32.1 - laowang [11/Dec/2019:20:07:17 +0800] "GET /admin/ HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
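#the user of the likai account now appears in the log

Capture the traffic with Wireshark and refresh the page; the password is visible in cleartext.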
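
Why the capture shows the password, as an added example that is not part of the original post: the code builds the 401 challenge and the client's Authorization header, then recovers the credentials from a cleartext request the way any observer of the connection can, because Basic only base64-encodes them. The username, password and captured request are constructed; serving the protected path over TLS is what keeps the header off the wire in readable form.

```python
import base64
import binascii


def challenge(realm):
    """Header the server sends with the 401 response to ask for credentials."""
    return 'WWW-Authenticate: Basic realm="%s"' % realm.replace('"', '\\"')


def authorization_header(user, password):
    """Header the client sends back: base64 of user:password, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Authorization: Basic " + token


def decode_basic(header_line):
    """Recover (user, password) from an Authorization header, or None if not Basic."""
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "authorization":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    # The user name cannot contain a colon, the password can: split once.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


# Constructed request in the shape of the browser's second request to /admin/.
CAPTURED_REQUEST = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: 192.168.32.8\r\n"
    + authorization_header("demo-user", "s3cret:with:colons") + "\r\n"
    "\r\n"
)


def credentials_in_request(raw_request):
    """Return the credentials readable in a cleartext HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:   # skip the request line
        creds = decode_basic(line)
        if creds is not None:
            return creds
    return None


if __name__ == "__main__":
    print(challenge("FBI warning"))
    print(credentials_in_request(CAPTURED_REQUEST))
```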

Basic authentication configuration example, method 2

[root@centos8 ~]#
[root@centos8 ~]#mkdir /var/www/html/secret
[root@centos8 ~]#echo "This is a Test that secret user" > /var/www/html/secret/index.html
[root@centos8 ~]#

Go to the corresponding directory and create a .htaccess file

[root@centos8 ~]#htpasswd  /etc/httpd/conf.d/.httpuser kaivi
New password: 
Re-type new password: 
Adding password for user kaivi

[root@centos8 ~]#cd /var/www/html/secret
[root@centos8 secret]#ls
index.html
[root@centos8 secret]#vim .htaccess
[root@centos8 secret]#pwd
/var/www/html/secret
[root@centos8 secret]#cat /var/www/html/secret/.htaccess 
AuthType Basic
AuthName "FBI warning for secret"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
# A separate user, kaivi, created for this directory
Require user kaivi
[root@centos8 secret]#cd
[root@centos8 ~]#

The .htaccess file alone does not take effect; the configuration file must also be changed

[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf 

[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf
<directory /var/www/html/admin>
AuthType Basic
AuthName "FBI warning"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
#Require user likai duanxin
require valid-user
</directory>


# Add access settings for the /var/www/html/secret directory
<directory /var/www/html/secret>
# Only AuthConfig directives in .htaccess take effect; the others have no effect
allowoverride authconfig
</directory>

[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#

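When the page is accessed, an authentication prompt appears.

Authentication based on group accounts

(1) Define the security realm

<Directory "/path">
AuthType Basic
AuthName "String"
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
AuthGroupFile "/PATH/HTTPD_GROUP_FILE"
Require group grpname1 grpname2 ...
</Directory>

Create the user account file and the group account file. Group file: each line defines one group

GRP_NAME: username1 username2 …

Example: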

<Directory "/www/htdocs/admin">
Options None
AllowOverride None
AuthType Basic
AuthName "Administator private"
# Virtual users: the users listed in the virtual account file
AuthUserFile "/etc/httpd/conf.d/.htpasswd"
AuthGroupFile "/etc/httpd/conf.d/.htgroup"     
Require group webadmins
</Directory>
vim /etc/httpd/conf.d/.htgroup
webadmins:zhangsan lisi

Modify the configuration files:

[root@centos8 ~]#htpasswd  /etc/httpd/conf.d/.httpuser zhangsan
New password: 
Re-type new password: 
Adding password for user zhangsan
[root@centos8 ~]#htpasswd  /etc/httpd/conf.d/.httpuser lisi
New password: 
Re-type new password: 
Adding password for user lisi
[root@centos8 ~]#cat /etc/httpd/conf.d/.httpuser 

likai:$apr1$j1zg7PNj$R5GMcFr3zg4EIYseOJ4dc0
duanxin:$apr1$40I5RFhJ$MUxJQggapHckfFDZatEb/.
laowang:$apr1$0MaR3ZNc$7SMlkGVBaxzD2MJkt00HX.
kaivi:$apr1$qzjNBY97$LKbyMdjKsQCeLDSKGf6Hl1
zhangsan:$apr1$YpFJXaTG$ccGQjAf/LRtqVSKUOQwpW0
lisi:$apr1$.Bjk4V3K$ahm2KgciWvdiSNAej6tRd.

[root@centos8 ~]#vim /etc/httpd/conf.d/.httpgroup   #create a virtual account group

[root@centos8 ~]#cat /etc/httpd/conf.d/.httpgroup    
# The group contains 2 accounts, zhangsan and lisi
webadmins: zhangsan lisi
# Several groups can be created at the same time

[root@centos8 ~]#vim /var/www/html/secret/.htaccess 

[root@centos8 ~]#cat /var/www/html/secret/.htaccess
AuthType Basic
AuthName "FBI warning for secret"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
# Enable authentication by group
AuthGroupFile "/etc/httpd/conf.d/.httpgroup"
# The group to check; it defines 2 accounts, zhangsan and lisi
Require group webadmins
#Require user kaivi

[root@centos8 ~]#
[root@centos8 ~]#systemctl restart httpd

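Likewise, the lisi account can also access the page.

Controlling remote client and user authentication

Satisfy ALL|Any

Notes:
ALL: both the client IP check and user authentication must pass; this is the default
Any: it is enough for either the client IP check or user authentication to pass
Example: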

# For the /var/www/html/test directory, clients from 192.168.1.0/24 may access; users from other networks must pass user authentication to access
<Directory "/var/www/html/test">
Require valid-user
Allow from 192.168.1
Satisfy Any
</Directory>
# The /var/www/private directory is accessible only with user authentication
<Directory "/var/www/private">
Require valid-user
</Directory>
# /var/www/private/public needs no user authentication; any client may access
<Directory "/var/www/private/public">
Allow from all
Satisfy Any
</Directory>

Sharing user home directories over HTTP

Implemented with the mod_userdir.so module. Relevant settings:

[root@centos8 ~]#httpd -M |grep userdir     #home-directory sharing module
 userdir_module (shared)
[root@centos8 ~]#
[root@centos8 ~]#httpd -M |grep basic    #authentication module
 auth_basic_module (shared)
[root@centos8 ~]#
[root@centos8 ~]#su - kaivi     #switch to the kaivi account
Last login: Wed Dec 11 21:08:34 CST 2019 on pts/3
[kaivi@centos8 ~]$ls -a
.  ..  .bash_history  .bash_logout  .bash_profile  .bashrc
[kaivi@centos8 ~]$mkdir public_html

[kaivi@centos8 ~]$echo "This is kaivi's home file that html" > public_html/index.html
[kaivi@centos8 ~]$cat public_html/index.html 
This is kaivi's home file that html
[kaivi@centos8 ~]$
[kaivi@centos8 ~]$ll /home/             
total 0
drwx------. 3 kaivi kaivi 102 Dec 11 21:14 kaivi     #only the owner has permissions; others must be granted access later
[kaivi@centos8 ~]$
[kaivi@centos8 ~]$exit
logout
[root@centos8 ~]#

[root@centos8 ~]#ps -aux |grep httpd
root       3936  0.0  0.0   7320   756 pts/4    S+   20:08   0:00 tail -f /var/log/httpd/access_log
root       4749  0.0  0.5 280164 11056 ?        Ss   20:58   0:00 /usr/sbin/httpd -DFOREGROUND
apache     5039  0.0  0.4 292720  8468 ?        S    21:11   0:00 /usr/sbin/httpd -DFOREGROUND
apache     5040  0.0  1.0 1808952 21988 ?       Sl   21:11   0:00 /usr/sbin/httpd -DFOREGROUND
apache     5041  0.0  0.7 1808952 15868 ?       Sl   21:11   0:00 /usr/sbin/httpd -DFOREGROUND
apache     5042  0.0  0.6 1940088 13824 ?       Sl   21:11   0:00 /usr/sbin/httpd -DFOREGROUND
root       5353  0.0  0.0  12112   964 pts/0    S+   21:42   0:00 grep --color=auto httpd
[root@centos8 ~]#
#Grant the apache user permission to access kaivi's home directory
[root@centos8 ~]#setfacl -m u:apache:x /home/kaivi/

[root@centos8 conf]#cd /etc/httpd/conf.d/
[root@centos8 conf.d]#ls
autoindex.conf  README  test.conf  userdir.conf  welcome.conf
[root@centos8 conf.d]#

userdir.conf is the officially supplied configuration file for sharing user home directories
[root@centos8 ~]#vim /etc/httpd/conf.d/userdir.conf 
<IfModule mod_userdir.c>
 
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    # UserDir disabled          #active by default; commented out here

    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disabled" line above, and uncomment
    # the following line instead:
    # 
    # Commented out by default; enabled here
    UserDir public_html
</IfModule>

#Authorization
# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory "/home/*/public_html">     #commented out; the * shares every home directory
#    AllowOverride FileInfo AuthConfig Limit Indexes          #commented out
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec        #commented out
#    Require method GET POST OPTIONS        #commented out
#</Directory>            #commented out
# Added: share only the home directory of the kaivi account
<Directory "/home/kaivi/public_html">
# Grant the corresponding access permission
require all granted
</Directory>

[root@centos8 ~]#systemctl restart httpd      #restart the service
[root@centos8 ~]#

Access kaivi's home directory in a browser by requesting ~kaivi directly.
At this point, any host can access kaivi's home directory

[root@centos7 ~]#curl http://192.168.32.8/~kaivi/    #accessed from IP 192.168.32.7
This is kaivi's home file that html
[root@centos7 ~]#

[root@centos8 ~]#curl http://192.168.32.8/~kaivi/    #accessed from IP 192.168.32.8
This is kaivi's home file that html

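Home directory sharing with basic authentication

Consider protecting it with basic authentication
Example: share a home directory and require basic authentication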

[root@centos8 ~]#vim /etc/httpd/conf.d/userdir.conf 
[root@centos8 ~]#cat /etc/httpd/conf.d/userdir.conf

<IfModule mod_userdir.c>
 
    # UserDir disabled      #active by default; now turned off
    # Off by default; now turned on, which enables home directory sharing
    UserDir public_html
</IfModule>

#<Directory "/home/*/public_html">          #commented out; the * shares every home directory
#    AllowOverride FileInfo AuthConfig Limit Indexes   #commented out
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec   #commented out
#    Require method GET POST OPTIONS   #commented out
#</Directory>

# Added: opens kaivi's home directory
<Directory "/home/kaivi/public_html">
AuthType Basic
# Prompt text
AuthName "Test kaivi's home open! "
# File listing the specific users allowed access
AuthUserFile "/etc/httpd/conf.d/.httpuser"
# The specific users allowed access
require user likai duanxin
</Directory>

[root@centos8 ~]#cat /etc/httpd/conf.d/.httpuser       #file listing the specific users allowed access
likai:$apr1$j1zg7PNj$R5GMcFr3zg4EIYseOJ4dc0
duanxin:$apr1$40I5RFhJ$MUxJQggapHckfFDZatEb/.
laowang:$apr1$0MaR3ZNc$7SMlkGVBaxzD2MJkt00HX.
kaivi:$apr1$qzjNBY97$LKbyMdjKsQCeLDSKGf6Hl1
zhangsan:$apr1$YpFJXaTG$ccGQjAf/LRtqVSKUOQwpW0
lisi:$apr1$.Bjk4V3K$ahm2KgciWvdiSNAej6tRd.

[root@centos8 ~]#systemctl restart httpd   #restart the service

Check the access log; the corresponding authenticated users can be found there

[root@centos8 ~]#tail -f /var/log/httpd/access_log 

192.168.32.1 - likai [11/Dec/2019:22:17:35 +0800] "GET /~kaivi/ HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
192.168.32.1 - - [11/Dec/2019:22:23:02 +0800] "GET /~kaivi HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.32.1 - duanxin [11/Dec/2019:22:24:12 +0800] "GET /~kaivi HTTP/1.1" 301 235 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

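Preventing version disclosure on error pages

ServerSignature On | Off | EMail

The default is Off. When a client requests a page that does not exist, the server generates an error document. If ServerSignature is On, the last line of the error document contains the server name, the Apache version and similar information. To keep this information from being shown externally, set the parameter to Off. When it is set to EMail, a ServerAdmin e-mail link is shown.

With the default Off setting, the error page looks like this:
With the setting On, the error page looks like this:

[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf 
# Newly added ServerSignature setting
ServerSignature On

[root@centos8 ~]#systemctl reload httpd

The default is now Off, so no change is needed; just keep it.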
