I. User-based access control
1. Control types
Authentication challenge: WWW-Authenticate: the server answers with status 401, refuses the client's request, and states that the client must supply an account and password.
Authentication: Authorization: the client user fills in the account and password and sends the request again; when authentication succeeds, the server returns the requested resource.
Two authentication methods: basic: the credentials are sent in cleartext (only base64-encoded); digest: message-digest authentication, with poorer client compatibility.
Realm (security domain): a path that may only be accessed after user authentication; it should be identified by a name so the user can be told what they are authenticating for.
User accounts and passwords: virtual accounts are authentication identities used only when accessing a particular service; they can be stored in a text file, an SQL database, an LDAP directory, NIS, and so on.
2. Basic authentication configuration
(1) Define the realm:
<Directory "/path">
    Options None
    AllowOverride None
    AuthType Basic                               # authentication method
    AuthName "String"                            # description shown in the challenge
    AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"  # where the account file is stored
    Require user username1 username2 ...         # which users are permitted
</Directory>
To allow every user in the account file to log in: Require valid-user
(2) Provide account and password storage (text file)
Use the dedicated command to create such files and manage their users:
htpasswd [options] /PATH/HTTPD_PASSWD_FILE username
-c: create the file; use it only when the file does not exist yet, because it overwrites an existing one
-m: MD5 format hashing, the default
-s: SHA format hashing
-D: delete the specified user
# Experiment: create users with hashed passwords
[root@Centos6-server conf.d]# pwd
/etc/httpd/conf.d
[root@Centos6-server conf.d]# ls -a
.  ..  .httpusers
[root@Centos6-server conf.d]# htpasswd -c .httpusers http1
New password:
Re-type new password:
Adding password for user http1
[root@Centos6-server conf.d]# htpasswd -s .httpusers http2
Adding password for user http2
[root@Centos6-server conf.d]# htpasswd -m .httpusers http3
Adding password for user http3
[root@Centos6-server conf.d]# cat .httpusers
http1:b4QECtkC6VarQ
http2:{SHA}s6VCX366xaGxnQ00QYzgpPZKelE=
http3:$apr1$H31NOGIE$tafiBf6tKSZmId1VqUz1H0
[root@Centos6-server conf.d]# mkdir /app/website/secret
[root@Centos6-server conf.d]# echo /app/website/secret/index.html > /app/website/secret/index.html
[root@Centos6-server conf.d]# vim auth.conf
<Directory "/app/website/secret">      # container path assumed from the mkdir step above
    AuthType Basic
    AuthName "Admin dir"
    AuthUserFile "/etc/httpd/conf.d/.httpusers"
    Require user http1 http2
</Directory>
[root@Centos6-server conf.d]# service httpd restart
[root@centos7mini ~]# curl -I 
HTTP/1.1 401 Authorization Required           ---> the 401 challenge
Date: Wed, 24 Jan 2018 07:19:41 GMT
Server: Apache
WWW-Authenticate: Basic realm="Admin dir"
Connection: close
Content-Type: text/html; charset=iso-8859-1
Group-based authentication
(1) Define the realm:
<Directory "/path">
    AuthType Basic
    AuthName "String"
    AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
    AuthGroupFile "/PATH/HTTPD_GROUP_FILE"
    Require group grpname1 grpname2 ...
</Directory>
(2) Create the user account file and the group account file.
Group file: one group per line: GRP_NAME: username1 username2 ...
Example:
<Directory "/www/htdocs/admin">
    Options None
    AllowOverride None
    AuthType Basic
    AuthName "Administrator private"
    AuthUserFile "/etc/httpd/conf.d/.httpusers"
    AuthGroupFile "/etc/httpd/conf.d/.httpgroups"
    Require group admins
</Directory>
vim /etc/httpd/conf.d/.httpgroups
admins: http1 http3
users: http2
[root@Centos6-server conf.d]# vim auth.conf
<Directory "/app/website/secret">      # container path assumed, as in the basic-auth experiment above
    AuthType Basic
    AuthName "Administrator private"
    AuthUserFile "/etc/httpd/conf.d/.httpusers"
    AuthGroupFile "/etc/httpd/conf.d/.httpgroups"
    Require group admins
</Directory>
[root@Centos6-server conf.d]# vim .httpgroups
admins: http1 http3
users: http2
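The following Python is an added example, not code from these notes or from Apache. It mirrors what httpd does with the user and group configuration above: it decodes the Basic Authorization header, verifies the password against the hash forms htpasswd writes (-s gives {SHA}, the default -m gives $apr1$; the crypt(3) entry for http1 is reported as not handled), and then applies Require user / valid-user / group against the group file. The $apr1$ routine follows APR's apr_md5_encode; the passwords, the file contents and all function names are constructed for this example, since the real passwords behind the page's hashes are unknown.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """APR's base-64 variant: `count` characters, lowest 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_md5(password: str, salt: str) -> str:
    """The $apr1$ form htpasswd -m writes: salted MD5 with 1000 stretching rounds (APR apr_md5_encode)."""
    pw, sl = password.encode(), salt[:8].encode()          # the salt is at most 8 characters
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                                            # len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                                                # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                                   # stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4) + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4) + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4) + _to64(f[11], 2))
    return "$apr1$" + sl.decode() + "$" + enc


def sha1_entry(password: str) -> str:
    """The {SHA} form htpasswd -s writes: unsalted base64(SHA-1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def verify_password(password: str, stored: str) -> Optional[bool]:
    """True/False for {SHA} and $apr1$ entries; None for a crypt(3) entry, which is not handled here."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha1_entry(password).encode(), stored.encode())
    if stored.startswith("$apr1$"):
        parts = stored.split("$")                           # ['', 'apr1', salt, hash]
        return len(parts) == 4 and hmac.compare_digest(apr1_md5(password, parts[2]).encode(), stored.encode())
    return None


def parse_htpasswd(text: str) -> Dict[str, str]:
    """AuthUserFile: one 'user:hash' per line."""
    return dict(l.strip().split(":", 1) for l in text.splitlines() if ":" in l and not l.startswith("#"))


def parse_groups(text: str) -> Dict[str, List[str]]:
    """AuthGroupFile: one 'group: user1 user2 ...' per line."""
    return {k.strip(): v.split() for k, sep, v in (l.partition(":") for l in text.splitlines()) if sep}


def basic_header(user: str, password: str) -> str:
    """What a browser sends after the challenge: base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode((user + ":" + password).encode()).decode()


def parse_basic_authorization(header: str) -> Optional[Tuple[str, str]]:
    """'Basic <base64(user:password)>' -> (user, password), or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pwd = base64.b64decode(token.strip(), validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pwd


def authorize(header: Optional[str], users: Dict[str, str], groups: Dict[str, List[str]], require: str) -> str:
    """'challenge' (send 401 + WWW-Authenticate), 'denied' (authenticated but not covered by Require;
    httpd 2.2 re-challenges with 401 here, 2.4 answers 403) or 'ok'."""
    creds = parse_basic_authorization(header) if header else None
    if creds is None:
        return "challenge"
    user, pwd = creds
    if user not in users or verify_password(pwd, users[user]) is not True:
        return "challenge"
    kind, *names = require.split()
    if kind == "valid-user" or (kind == "user" and user in names):
        return "ok"
    if kind == "group" and any(user in groups.get(g, []) for g in names):
        return "ok"
    return "denied"


# Constructed sample files: the three hash forms of the htpasswd experiment with made-up passwords
# (the crypt entry is copied as-is, the salt H31NOGIE is reused with a constructed password).
USERS = parse_htpasswd(
    "http1:b4QECtkC6VarQ\n"
    "http2:" + sha1_entry("pw-for-http2") + "\n"
    "http3:" + apr1_md5("pw-for-http3", "H31NOGIE") + "\n")
GROUPS = parse_groups("admins: http1 http3\nusers: http2\n")
```

Usage: `authorize(basic_header("http3", "pw-for-http3"), USERS, GROUPS, "group admins")` returns "ok", while http2 with the same Require returns "denied" because the group file puts http2 only in users. The decoder shows why these notes call Basic "cleartext": anyone who can read the request recovers the password with one base64 decode, so the realm is only as confidential as the transport.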
3. Combining remote-client control with user authentication
Satisfy ALL|Any
ALL: both the client IP check and user authentication must pass
Any: either the client IP check or user authentication passing is enough
Example:
    Require valid-user
    Order allow,deny
    Allow from 192.168.1
    Satisfy Any
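As an added example (not code from these notes or from httpd), the evaluator below reproduces the httpd 2.2 decision for the example above: `Order` sets the default and which of Allow/Deny wins when both match, and `Satisfy` decides whether the host check and the authentication are combined with AND (All, the default) or OR (Any). Pattern forms handled are `all`, CIDR, leading-octet prefixes such as `192.168.1`, and domain suffixes; the function names and the sample client addresses are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple


def _host_matches(pattern: str, ip: str, hostname: Optional[str]) -> bool:
    """One argument of 'Allow from' / 'Deny from': all, CIDR, leading octets, or a (sub)domain."""
    p = pattern.lower()
    if p == "all":
        return True
    if "/" in p:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(p, strict=False)
    if p.replace(".", "").isdigit():          # "192.168.1" or "172.16": whole leading octets only
        return (ip + ".").startswith(p.rstrip(".") + ".")
    if p.startswith("."):                     # ".example.com": needs the reverse-resolved client name
        return hostname is not None and hostname.lower().endswith(p)
    return hostname is not None and hostname.lower() == p


def host_access(order: str, allow: List[str], deny: List[str], ip: str, hostname: Optional[str] = None) -> bool:
    """mod_authz_host in httpd 2.2: Order fixes the default and which list wins when both match."""
    allowed = any(_host_matches(p, ip, hostname) for p in allow)
    denied = any(_host_matches(p, ip, hostname) for p in deny)
    o = order.lower().replace(" ", "")
    if o == "allow,deny":
        return allowed and not denied         # default deny; Deny overrides Allow
    if o == "deny,allow":
        return allowed or not denied          # default allow; Allow overrides Deny
    raise ValueError("Order must be allow,deny or deny,allow")


def decide(order: str, allow: List[str], deny: List[str], ip: str, satisfy: str = "All",
           require_auth: bool = True, authenticated: bool = False, hostname: Optional[str] = None) -> int:
    """Status the Satisfy logic produces: 200, 401 (challenge the client) or 403."""
    host_ok = host_access(order, allow, deny, ip, hostname)
    if not require_auth:
        return 200 if host_ok else 403
    if satisfy.lower() == "any":
        if host_ok:
            return 200                        # inside the trusted network: no challenge is sent at all
        return 200 if authenticated else 401
    if not host_ok:                           # Satisfy All (the default): host check first
        return 403
    return 200 if authenticated else 401


# The example from the notes: Require valid-user / Order allow,deny / Allow from 192.168.1 / Satisfy Any
PAGE_EXAMPLE = dict(order="allow,deny", allow=["192.168.1"], deny=[], satisfy="Any")


def page_example(ip: str, authenticated: bool) -> int:
    return decide(ip=ip, authenticated=authenticated, **PAGE_EXAMPLE)


def compare_satisfy(ip: str, authenticated: bool) -> Tuple[int, int]:
    """(Satisfy Any, Satisfy All) for the same client, to see what the keyword changes."""
    return (page_example(ip, authenticated),
            decide(ip=ip, authenticated=authenticated, **dict(PAGE_EXAMPLE, satisfy="All")))
```

With Satisfy Any, a client in 192.168.1.0/24 gets the page with no challenge at all, while an outside client is challenged and admitted once it authenticates; with Satisfy All the outside client is refused with 403 regardless of credentials, and the inside client still has to log in. Note that the leading-octet form matches whole octets, so `172.16` covers 172.16.0.0/16 but not 172.160.0.1.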
4. Sharing users' home directories over HTTP
Implemented by the module mod_userdir.so
SELinux: httpd_enable_homedirs
Related settings: vim /etc/httpd/conf/httpd.conf
<IfModule mod_userdir.c>
    #UserDir disabled
    UserDir public_html        # name of the shared directory inside each home
</IfModule>
Prepare the directory: su - wang; mkdir ~/public_html
Grant the apache user search permission on the home directory: setfacl -m u:apache:x ~wang
Access it at http://localhost/~wang/index.html
Note: the access permissions of the shared directory must be adjusted.
[root@Centos6-server conf.d]# httpd -M | grep userdir
 userdir_module (shared)
[root@Centos6-server conf.d]# getenforce          ---> SELinux is already disabled here
Disabled
[root@Centos6-server conf.d]# vim /etc/httpd/conf/httpd.conf
# UserDir disabled        ---> comment this line out (or change it to enabled)
UserDir publicweb         ---> name of the shared directory
[root@Centos6-server conf.d]# ll -d /home/L/
drwx------ 3 L L 4096 Jan 24 15:59 /home/L/
[root@Centos6-server conf.d]# tail /var/log/httpd/error_log
[Wed Jan 24 16:21:32 2018] [error] [client 192.168.1.5] (13)Permission denied: access to /~L/ denied
[root@Centos6-server conf.d]# setfacl -m u:apache:x /home/L/
[root@centos7mini ~]# curl 
/home/L/publicweb/index.html
[root@Centos6-server conf.d]# mkdir /root/publicweb
[root@Centos6-server conf.d]# echo /root/publicweb/index.html > /root/publicweb/index.html
[root@Centos6-server conf.d]# setfacl -m u:apache:x /root/
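The `(13)Permission denied: access to /~L/ denied` line in the error log is the apache account failing to search a directory on the way to the file, not a problem with the file itself. The added Python below (not from these notes) rebuilds that situation in a temporary tree and reports which directory blocks the traversal before and after the home directory is opened up. It evaluates only the mode bits the way POSIX does (owner, then group, then other), so it cannot see the ACL that `setfacl -m u:apache:x` adds; the demo therefore uses the mode-bit counterpart `chmod o+x`, and the uid 48 stand-in for apache, the directory names and the file contents are all constructed.

```python
import os
import shutil
import stat
import tempfile
from typing import List, Sequence, Tuple


def can_search(st: os.stat_result, uid: int, gids: Sequence[int]) -> bool:
    """Search (x) permission on a directory as the kernel evaluates the mode bits: owner class
    if uid owns it, else group class if one of gids matches, else other; root always passes.
    ACL entries (what setfacl adds) are not part of st_mode and so are not visible here."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def untraversable_dirs(path: str, uid: int, gids: Sequence[int], start: str = "/") -> List[str]:
    """Directories between `start` and `path` that `uid` cannot search, top-most first.
    An empty list means the server account can reach the file as far as mode bits go."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    cur = path if os.path.isdir(path) else os.path.dirname(path)
    chain = []
    while True:
        chain.append(cur)
        if cur == start or os.path.dirname(cur) == cur:
            break
        cur = os.path.dirname(cur)
    return [d for d in reversed(chain) if not can_search(os.stat(d), uid, gids)]


def fake_apache_ids() -> Tuple[int, int]:
    """Stand-in for the apache account (uid/gid 48 on CentOS); shifted if this process is uid 48."""
    return (48, 48) if os.getuid() != 48 else (49, 49)


def demo() -> Tuple[List[str], List[str]]:
    """Rebuild the situation from the transcript in a temp tree (drwx------ home, readable publicweb
    below it) and return the blockers before and after granting search permission on the home."""
    root = tempfile.mkdtemp()
    try:
        home = os.path.join(root, "home", "L")
        pub = os.path.join(home, "publicweb")
        os.makedirs(pub)
        with open(os.path.join(pub, "index.html"), "w") as fh:
            fh.write("constructed index\n")
        for d, mode in ((root, 0o755), (os.path.join(root, "home"), 0o755), (pub, 0o755), (home, 0o700)):
            os.chmod(d, mode)
        uid, gid = fake_apache_ids()
        target = os.path.join(pub, "index.html")
        before = untraversable_dirs(target, uid, [gid], start=root)
        os.chmod(home, 0o701)          # mode-bit counterpart of 'setfacl -m u:apache:x /home/L/'
        after = untraversable_dirs(target, uid, [gid], start=root)
        return ([os.path.relpath(d, root) for d in before], [os.path.relpath(d, root) for d in after])
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

`demo()` returns `(["home/L"], [])`: only the home directory blocks the apache account, and granting it search permission there (the ACL in the transcript, or o+x here) is enough because publicweb and the file below it are already world-readable. On a real host, run the same check against the actual path and remember that SELinux (httpd_enable_homedirs) can still deny access after the mode bits and ACLs are right.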
5. Error page information
ServerSignature On | Off | EMail
When a client requests a page that does not exist, the server generates an error document. By default, because the ServerSignature option is on, the last line of that error document contains the server name, the Apache version and similar information. To stop exposing this information, set the parameter to Off; setting it to EMail adds a mailto link for the ServerAdmin address.
Recommended setting: Off
[root@Centos6-server conf.d]# vim /etc/httpd/conf/httpd.conf
ServerSignature Off
6. ServerType inetd | standalone
standalone: independent daemon mode
inetd: non-daemon mode, started on demand by inetd
Applies only to Unix platforms (this directive exists in Apache 1.3 only; 2.x removed it)
7. The status page
LoadModule status_module modules/mod_status.so
<Location /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from 172.16
</Location>
ExtendedStatus On          # show extended information
[root@Centos6-server conf.d]# vim /etc/httpd/conf/httpd.conf
<Location /server-status>          # container as in the template above
    SetHandler server-status
    Order deny,allow
    # Deny from all
    Allow from .example.com
</Location>
# Content shown when the page is opened normally:
Apache Server Status for 192.168.1.100
Server Version: Apache/2.2.15 (Unix) DAV/2           # software version
Server Built: Mar 22 2017 06:52:55                   # build time
Current Time: Wednesday, 24-Jan-2018 16:42:14 CST    # current time
Restart Time: Wednesday, 24-Jan-2018 16:41:49 CST    # time of the last service restart
Parent Server Generation: 0
Server uptime: 24 seconds
1 requests currently being processed, 7 idle workers # 1 worker busy, 7 idle
W_______........................................................................................................................................................................................................................................................
Scoreboard Key: "_" Waiting for Connection, "S" Starting up, "R" Reading Request, "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup, "C" Closing connection, "L" Logging, "G" Gracefully finishing, "I" Idle cleanup of worker, "." Open slot with no current process
PID Key:                                             # child-process PIDs
   48392 in state: W , 48393 in state: _ , 48394 in state: _
   48395 in state: _ , 48396 in state: _ , 48397 in state: _
   48398 in state: _ , 48399 in state: _ ,
To obtain a full report with current status information you need to use the ExtendedStatus On directive.
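The status page is useful for monitoring and equally useful to anyone you let read it, which is why the `Allow from` restriction matters. The added Python below (not from these notes or from mod_status) parses the fields shown above into a dictionary, counts scoreboard slots per state using the key the page prints, lists what a reader learns from it, and raises a capacity flag when most live workers are busy. The `SAMPLE_STATUS` text is a constructed excerpt in the shape of the page above with the scoreboard cut to 16 slots; the function names are the example's own.

```python
import re
from collections import Counter
from typing import Dict, List

SCOREBOARD_KEY = {"_": "waiting", "S": "starting", "R": "reading", "W": "writing",
                  "K": "keepalive", "D": "dns", "C": "closing", "L": "logging",
                  "G": "graceful", "I": "idle-cleanup", ".": "open"}

# Constructed excerpt shaped like the status page above; the scoreboard is cut to 16 slots.
SAMPLE_STATUS = """\
Apache Server Status for 192.168.1.100
Server Version: Apache/2.2.15 (Unix) DAV/2
Server Built: Mar 22 2017 06:52:55
Current Time: Wednesday, 24-Jan-2018 16:42:14 CST
Restart Time: Wednesday, 24-Jan-2018 16:41:49 CST
Parent Server Generation: 0
Server uptime: 24 seconds
1 requests currently being processed, 7 idle workers
W_______........
Scoreboard Key: "_" Waiting for Connection, "S" Starting up, "R" Reading Request
PID Key:
   48392 in state: W , 48393 in state: _ , 48394 in state: _
"""


def parse_status(text: str) -> Dict[str, object]:
    """Pull the version line, the busy/idle counters and a per-state count of the scoreboard."""
    version = re.search(r"^Server Version:\s*(.+?)\s*$", text, re.M)
    counters = re.search(r"(\d+) requests currently being processed, (\d+) idle workers", text)
    board = re.search(r"^([_SRWKDCLGI.]+)$", text, re.M)   # the scoreboard is the only such line
    slots = board.group(1) if board else ""
    return {
        "server_version": version.group(1) if version else None,
        "busy": int(counters.group(1)) if counters else 0,
        "idle": int(counters.group(2)) if counters else 0,
        "slots": len(slots),
        "by_state": {SCOREBOARD_KEY[c]: n for c, n in Counter(slots).items()},
    }


def exposure_findings(status: Dict[str, object]) -> List[str]:
    """What anyone allowed to read /server-status learns; the reason to keep 'Allow from' narrow."""
    findings = []
    version = status.get("server_version") or ""
    if re.search(r"/\d", version):
        findings.append("exact server version: " + version)
    total = status["busy"] + status["idle"]
    if total:
        findings.append("worker utilisation: %d/%d busy" % (status["busy"], total))
    return findings


def workers_saturated(status: Dict[str, object], threshold: float = 0.9) -> bool:
    """Capacity alert: the share of live workers that are busy has reached the threshold."""
    total = status["busy"] + status["idle"]
    return total > 0 and status["busy"] / total >= threshold
```

On the sample, `parse_status` reports one writing worker, seven waiting and eight open slots, and `exposure_findings` shows that the page discloses the exact server version even though the `Server:` response header elsewhere in these notes only says `Apache`. Because the real scoreboard line is hundreds of characters of dots, the regex keys on the allowed state characters rather than on length.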
II. Virtual hosts
1. Implementation methods and notes
IP-based: prepare at least one IP address per virtual host
Port-based: use at least one dedicated port per virtual host
FQDN-based: use at least one FQDN per virtual host
Note: virtual hosts are generally not mixed with the main server; so to use virtual hosts, first disable the main server.
How to disable it: comment out the main server's DocumentRoot directive.
Site identification: by socket: same IP but different ports, or different IPs all on the default port; by FQDN: the Host: header in the request.
Virtual host configuration:
<VirtualHost IP:PORT>
    ServerName FQDN
    DocumentRoot "/path"
</VirtualHost>
Recommendation: keep the above configuration in a separate configuration file.
2. IP-based virtual host example
<VirtualHost 172.16.100.6:80>
    ServerName
    DocumentRoot "/www/a.com/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.7:80>
    ServerName
    DocumentRoot "/www/b.net/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.8:80>
    ServerName
    DocumentRoot "/www/c.org/htdocs"
</VirtualHost>
# Experiment: IP-based virtual hosts
[root@Centos6-server app]# ls
website
[root@Centos6-server app]# cp website/ website2 -r
[root@Centos6-server app]# cp website/ website3 -r
[root@Centos6-server app]# vim website2/index.html
/app/website2
[root@Centos6-server app]# vim website3/index.html
/app/website3
[root@Centos6-server conf.d]# pwd
/etc/httpd/conf.d
[root@Centos6-server conf.d]# vim vhost.conf
<VirtualHost 192.168.1.100:80>       # container addresses assumed from the curl targets below
    DocumentRoot /app/website
    ErrorLog logs/website1-error_log
    CustomLog logs/website1-access_log common
</VirtualHost>
<VirtualHost 192.168.1.250:80>
    DocumentRoot /app/website2
    ErrorLog logs/website2-error_log
    CustomLog logs/website2-access_log common
</VirtualHost>
<VirtualHost 192.168.1.251:80>
    DocumentRoot /app/website3
    ErrorLog logs/website3-error_log
    CustomLog logs/website3-access_log common
</VirtualHost>
[root@centos7mini ~]# curl 192.168.1.100
/app/website
[root@centos7mini ~]# curl 192.168.1.250
/app/website2
[root@centos7mini ~]# curl 192.168.1.251
/app/website3
[root@Centos6-server conf.d]# ll /var/log/httpd/
-rw-r--r-- 1 root root 71 Jan 28 19:46 website1-access_log
-rw-r--r-- 1 root root  0 Jan 28 19:45 website1-error_log
-rw-r--r-- 1 root root 71 Jan 28 19:46 website2-access_log
-rw-r--r-- 1 root root  0 Jan 28 19:45 website2-error_log
-rw-r--r-- 1 root root 71 Jan 28 19:46 website3-access_log
-rw-r--r-- 1 root root  0 Jan 28 19:45 website3-error_log
3. Port-based virtual hosts
Can be combined with IP-based virtual hosts.
Listen 808
Listen 8080
<VirtualHost 172.16.100.6:80>
    ServerName
    DocumentRoot "/www/a.com/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.6:808>
    ServerName
    DocumentRoot "/www/b.net/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.6:8080>
    ServerName
    DocumentRoot "/www/c.org/htdocs"
</VirtualHost>
# Experiment: port-based virtual hosts
[root@Centos6-server conf.d]# vim vhost.conf
Listen 8001
Listen 8002
Listen 8003
<VirtualHost *:8001>                 # container addresses assumed from the Listen lines and ss output below
    DocumentRoot /app/website
    ErrorLog logs/website1-error_log
    CustomLog logs/website1-access_log common
</VirtualHost>
<VirtualHost *:8002>
    DocumentRoot /app/website2
    ErrorLog logs/website2-error_log
    CustomLog logs/website2-access_log common
</VirtualHost>
<VirtualHost *:8003>
    DocumentRoot /app/website3
    ErrorLog logs/website3-error_log
    CustomLog logs/website3-access_log common
</VirtualHost>
[root@Centos6-server conf.d]# ss -ntl
State      Recv-Q Send-Q    Local Address:Port    Peer Address:Port
LISTEN     0      128                  :::8001              :::*
LISTEN     0      128                  :::8002              :::*
LISTEN     0      128                  :::8003              :::*
LISTEN     0      128                  :::80                :::*
[root@centos7mini ~]# curl 192.168.1.100:8001
/app/website
[root@centos7mini ~]# curl 192.168.1.100:8002
/app/website2
[root@centos7mini ~]# curl 192.168.1.100:8003
/app/website3
4. FQDN-based virtual hosts
NameVirtualHost *:80          # httpd 2.4 does not need this directive
<VirtualHost *:80>
    ServerName
    DocumentRoot "/www/a.com/htdocs"
</VirtualHost>
<VirtualHost *:80>
    ServerName
    DocumentRoot "/www/b.net/htdocs"
</VirtualHost>
<VirtualHost *:80>
    ServerName
    DocumentRoot "/www/c.org/htdocs"
</VirtualHost>
# Experiment: FQDN-based virtual hosts
[root@Centos6-server conf.d]# vim vhost.conf
NameVirtualHost *:80
<VirtualHost *:80>                   # containers assumed from the NameVirtualHost line above
    DocumentRoot /app/website
    ServerName www.a.com
    ErrorLog logs/website1-error_log
    CustomLog logs/website1-access_log common
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /app/website2
    ServerName www.b.com
    ErrorLog logs/website2-error_log
    CustomLog logs/website2-access_log common
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /app/website3
    ServerName www.c.com
    ErrorLog logs/website3-error_log
    CustomLog logs/website3-access_log common
</VirtualHost>
# Note: when the site is reached by IP rather than by FQDN, the first virtual host defined is the default one served for that IP!
[root@centos7mini ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.100 
[root@centos7mini ~]# curl www.a.com
/app/website
[root@centos7mini ~]# curl www.b.com
/app/website2
[root@centos7mini ~]# curl www.c.com
/app/website3
[root@centos7mini ~]# telnet www.b.com 80       ---> the FQDN given to telnet does not matter
Trying 192.168.1.100...
Connected to www.b.com.
Escape character is '^]'.
GET / http/1.1
HOST:                                            ---> the Host header is what selects the site
HTTP/1.1 200 OK
Date: Sun, 28 Jan 2018 12:06:33 GMT
Server: Apache
Last-Modified: Sun, 28 Jan 2018 11:34:22 GMT
ETag: "12000d-e-563d482c9ad21"
Accept-Ranges: bytes
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8
/app/website3
Connection closed by foreign host.
[root@centos7mini ~]# curl 192.168.1.100
/app/website
[root@centos7mini ~]# vim /etc/hosts
192.168.1.100 
[root@centos7mini ~]# curl 
/app/website
[root@centos7mini ~]# curl 
/app/website
[root@centos7mini ~]# curl 
/app/website
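The telnet exchange above shows the rule that decides which site answers: the socket the connection arrived on narrows the candidates, and the Host header picks among them, with the first container defined for that socket as the fallback. The added Python below (not from these notes or from httpd) implements that selection for all three experiments on this page, IP-based, port-based and FQDN-based, including the mixed case where a literal IP address beats `*`. The three vhost lists are constructed from the page's experiments; `VHost`, `select_vhost` and `docroot_for` are this example's own names, and only IPv4 literals are handled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class VHost:
    address: str                    # the <VirtualHost> argument: "IP:PORT", "*:PORT", "IP" or "*:*"
    docroot: str
    server_name: Optional[str] = None
    aliases: List[str] = field(default_factory=list)


def _socket_match(vhost_addr: str, ip: str, port: int) -> Tuple[bool, int]:
    """Does this container cover the connection's local socket? Returns (matches, specificity):
    a literal IP is more specific than '*' or '_default_'. IPv4 literals only."""
    host, _, p = vhost_addr.rpartition(":") if ":" in vhost_addr else (vhost_addr, "", "*")
    if p != "*" and int(p) != port:
        return False, 0
    if host in ("*", "_default_"):
        return True, 0
    return host == ip, 1


def select_vhost(vhosts: List[VHost], ip: str, port: int, host_header: Optional[str]) -> Optional[VHost]:
    """httpd's choice: keep the containers whose address best matches the socket; among them take
    the first whose ServerName or ServerAlias equals the Host header (port stripped); otherwise the
    first one defined for that socket, which is why an IP-only request lands on the first vhost."""
    best, candidates = -1, []
    for v in vhosts:
        ok, spec = _socket_match(v.address, ip, port)
        if ok and spec > best:
            best, candidates = spec, [v]
        elif ok and spec == best:
            candidates.append(v)
    if not candidates:
        return None                 # no container covers the socket: the main server answers
    name = (host_header or "").split(":")[0].strip().lower()
    for v in candidates:
        if name and name in [n.lower() for n in [v.server_name, *v.aliases] if n]:
            return v
    return candidates[0]


def docroot_for(vhosts: List[VHost], ip: str, port: int, host_header: Optional[str]) -> Optional[str]:
    v = select_vhost(vhosts, ip, port, host_header)
    return v.docroot if v else None


# Constructed from the three experiments on this page.
IP_BASED = [VHost("192.168.1.100:80", "/app/website"),
            VHost("192.168.1.250:80", "/app/website2"),
            VHost("192.168.1.251:80", "/app/website3")]
PORT_BASED = [VHost("*:8001", "/app/website"),
              VHost("*:8002", "/app/website2"),
              VHost("*:8003", "/app/website3")]
NAME_BASED = [VHost("*:80", "/app/website", "www.a.com"),
              VHost("*:80", "/app/website2", "www.b.com"),
              VHost("*:80", "/app/website3", "www.c.com")]
```

`docroot_for(NAME_BASED, "192.168.1.100", 80, "www.c.com")` gives `/app/website3`, which is the telnet result above, while `docroot_for(NAME_BASED, "192.168.1.100", 80, "192.168.1.100")` and a request with no Host header both fall back to `/app/website`, the first container. A practical consequence for the default vhost: an unknown or missing Host header (scanners, raw IP requests) always reaches it, so put a deliberately empty or restricted site first rather than a production one.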