To prevent malicious domain names from being pointed at your server's IP, and to block requests that address the server directly by IP, you can use Apache's own configuration. The steps are as follows.
Step 1: httpd.conf settings
- Enable the virtual host, SSL and rewrite modules
```apache
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
```
- Deny access to the filesystem root
```apache
<Directory />
    AllowOverride None
    Require all denied
</Directory>
```
- Allow access to the htdocs directory (the global default below is Require all denied; the per-virtual-host Directory blocks in httpd-vhosts.conf and httpd-ssl.conf grant access for the legitimate site, and they take precedence because virtual-host sections are merged after the main-server ones)
```apache
DocumentRoot "/usr/local/httpd/htdocs"
<Directory "/usr/local/httpd/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important. Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None
    #
    # Controls who can get stuff from this server.
    #
    Require all denied
</Directory>
```
Configuration in httpd-vhosts.conf
Put all requests for unknown domain names and all direct IP requests into a virtual host of their own and set that host to deny access. Give the official domain name a separate virtual host and set it to allow access. The denying virtual host must be declared first: Apache uses the first virtual host for a listening address as the default for any Host header that matches no ServerName or ServerAlias.
```apache
# Catch-all: unknown Host headers and bare-IP requests land here and are denied
<VirtualHost *:80>
    ServerAdmin unAllowedDomain
    DocumentRoot "/usr/local/httpd/htdocs"
    ErrorLog "/home/logs/apache/unAllowedDomain-error_log"
    CustomLog "/home/logs/apache/unAllowedDomain-access_log" common
    <Directory "/usr/local/httpd/htdocs">
        AllowOverride None
        Require all denied
    </Directory>
</VirtualHost>

# The legitimate site
<VirtualHost *:80>
    ServerAdmin xxxx.cn
    ServerName www.xxxx.cn
    ServerAlias xxxx.cn
    DocumentRoot "/usr/local/httpd/htdocs"
    ErrorLog "/home/logs/apache/xxxx-error_log"
    CustomLog "/home/logs/apache/xxxx-access_log" common
    <Directory "/usr/local/httpd/htdocs">
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>
```
Configuration in httpd-ssl.conf
If the site is served with an SSL certificate, rejecting access via https://ip needs the following. Again, create a virtual host for the disallowed names, set it to deny, and place it first. Two points to note for SSL virtual hosts:
- ServerName must carry the port number; port 80 is the default, so the HTTP hosts do not need it
- xxxx.cn cannot be served as an alias: ServerAlias xxxx.cn:443 is ineffective, so it needs a virtual host of its own
```apache
# Catch-all for HTTPS: unknown Host headers and https://ip requests are denied
<VirtualHost *:443>
    DocumentRoot "/usr/local/httpd/htdocs"
    ServerAdmin unAllowedDomain
    ErrorLog "/usr/local/httpd/logs/error_log"
    TransferLog "/usr/local/httpd/logs/access_log"
    SSLEngine on
    SSLCertificateFile "/usr/local/httpd/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
    SSLCertificateChainFile "/usr/local/httpd/conf/server-ca.crt"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/httpd/htdocs">
        SSLOptions +StdEnvVars
        AllowOverride None
        Require all denied
    </Directory>
    <Directory "/usr/local/httpd/cgi-bin">
        SSLOptions +StdEnvVars
        AllowOverride None
        Require all denied
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/httpd/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```
```apache
# The legitimate site over HTTPS (www host)
<VirtualHost *:443>
    DocumentRoot "/usr/local/httpd/htdocs"
    ServerName www.xxxx.cn:443
    ServerAdmin you@example.com
    ErrorLog "/usr/local/httpd/logs/error_log"
    TransferLog "/usr/local/httpd/logs/access_log"
    SSLEngine on
    SSLCertificateFile "/usr/local/httpd/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
    SSLCertificateChainFile "/usr/local/httpd/conf/server-ca.crt"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/httpd/htdocs">
        AllowOverride all
        Require all granted
    </Directory>
    <Directory "/usr/local/httpd/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/httpd/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```
```apache
# The legitimate site over HTTPS (bare domain, which needs its own virtual host)
<VirtualHost *:443>
    DocumentRoot "/usr/local/httpd/htdocs"
    ServerName xxxx.cn:443
    ServerAdmin you@example.com
    ErrorLog "/usr/local/httpd/logs/error_log"
    TransferLog "/usr/local/httpd/logs/access_log"
    SSLEngine on
    SSLCertificateFile "/usr/local/httpd/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
    SSLCertificateChainFile "/usr/local/httpd/conf/server-ca.crt"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/httpd/htdocs">
        AllowOverride all
        Require all granted
    </Directory>
    <Directory "/usr/local/httpd/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/httpd/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```
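As an added example (my own code, not from the post and not an Apache tool), the following Python script models the name-based virtual-host selection that both the httpd-vhosts.conf and the httpd-ssl.conf sections rely on: the first virtual host on a listening address whose ServerName or ServerAlias matches the Host header wins, and when nothing matches Apache falls back to the first virtual host declared for that address. It parses a simplified config in the post's layout, reports whether a given Host header (a real domain, a bare IP, or an unknown name) ends up on a granting or a denying virtual host, and lints the two rules the post gives: the nameless deny-all host must come first, and a ServerAlias carrying a port never matches. The embedded configuration, the example.cn domain, the paths and the IP 203.0.113.10 are constructed placeholders; the checker only looks at ServerName, ServerAlias and the Require line of the DocumentRoot Directory block, and does not follow Include directives of a real httpd.conf.

```python
# Added example, not part of the original post or of Apache itself. Models how
# Apache 2.4 picks a name-based virtual host and checks a config against the
# layout the post describes. Domain, paths and IPs are constructed placeholders.
import re
from fnmatch import fnmatchcase
from dataclasses import dataclass, field

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)
DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S)

@dataclass
class VHost:
    addr: str                        # listening address, e.g. "*:80" or "*:443"
    server_name: str = None          # host part only; a ":443" suffix is stripped
    aliases: list = field(default_factory=list)
    docroot_access: str = None       # "granted" / "denied" from the DocumentRoot block

def parse_vhosts(conf: str) -> list:
    """Collect the directives this check needs from each <VirtualHost>, in file order."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        body = m.group(2)
        vh = VHost(addr=m.group(1).strip())
        sn = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        vh.server_name = sn.group(1).split(":")[0] if sn else None
        for sa in re.finditer(r"^\s*ServerAlias\s+(.+)$", body, re.M):
            vh.aliases.extend(sa.group(1).split())
        droot = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', body, re.M)
        for d in DIR_RE.finditer(body):
            if droot and d.group(1) == droot.group(1):
                req = re.search(r"Require\s+all\s+(granted|denied)", d.group(2))
                vh.docroot_access = req.group(1) if req else None
        vhosts.append(vh)
    return vhosts

def select_vhost(vhosts, addr, host_header):
    """Apache's name-based selection for one listening address."""
    candidates = [v for v in vhosts if v.addr == addr]
    host = host_header.split(":")[0].lower()      # only the host part is compared
    for v in candidates:
        if (v.server_name and v.server_name.lower() == host) or \
                any(fnmatchcase(host, a.lower()) for a in v.aliases):  # aliases may use wildcards
            return v
    return candidates[0] if candidates else None  # no match: first vhost on the address is the default

def access_for(vhosts, addr, host_header):
    """'granted' or 'denied' according to the DocumentRoot block of the selected vhost."""
    v = select_vhost(vhosts, addr, host_header)
    return v.docroot_access if v else None

def lint(vhosts):
    """Deviations from the post's rules: nameless deny-all catch-all first, named vhosts after."""
    problems, seen = [], set()
    for v in vhosts:
        if v.addr not in seen:
            seen.add(v.addr)
            if v.server_name is not None or v.docroot_access != "denied":
                problems.append(f"{v.addr}: first vhost must be the nameless catch-all with 'Require all denied'")
        elif v.server_name is None:
            problems.append(f"{v.addr}: vhost after the catch-all has no ServerName")
        for a in v.aliases:
            if ":" in a:   # e.g. 'ServerAlias example.cn:443' can never match a Host header
                problems.append(f"{v.addr}: ServerAlias {a!r} carries a port and will never match")
    return problems

# Constructed sample in the post's layout (placeholder domain and paths).
SAMPLE_CONF = """
<VirtualHost *:80>
    DocumentRoot "/usr/local/httpd/htdocs"
    <Directory "/usr/local/httpd/htdocs">
        Require all denied
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.cn
    ServerAlias example.cn
    DocumentRoot "/usr/local/httpd/htdocs"
    <Directory "/usr/local/httpd/htdocs">
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/usr/local/httpd/htdocs"
    <Directory "/usr/local/httpd/htdocs">
        Require all denied
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.cn:443
    DocumentRoot "/usr/local/httpd/htdocs"
    <Directory "/usr/local/httpd/htdocs">
        Require all granted
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    good = parse_vhosts(SAMPLE_CONF)
    bad = [good[1], good[0]] + good[2:]   # named vhost first: the misordering the post warns about
    print("ordered:", access_for(good, "*:80", "evil.example"), "| misordered:",
          access_for(bad, "*:80", "evil.example"), lint(bad))
```

Running it prints "denied" for an unknown Host header against the correctly ordered config and "granted" once the named host is moved in front of the catch-all, which is exactly the failure the post's ordering rule prevents. On the *:443 side the sample has no host for the bare example.cn, so a request with that Host header falls to the catch-all and is denied, matching the post's remark that the bare domain needs a virtual host of its own. For a deployed server the same check can be made by sending requests with different Host headers to the server's IP and confirming that only the real domain receives a 200.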