I. User-based access control

1. Control types

  • Authentication challenge: WWW-Authenticate; the server answers with status 401, rejects the client's request and states that the client must supply a username and password

  • Authentication: Authorization; the client sends the request again with the username and password filled in; if authentication succeeds, the server returns the requested resource

  • Two authentication methods

        basic: credentials are sent in cleartext
        digest: message-digest authentication; poorer client compatibility

  • Realm (security domain): a path that can be accessed only after user authentication; it should be identified by a name so the user can be told what the authentication is for

  • User accounts and passwords

        Virtual accounts: authentication identities used only when accessing a particular service
        Storage methods: text file, SQL database, LDAP directory, NIS, etc.

2. Basic authentication configuration

  • (1) Define the realm

        <Directory "/path">
            Options None
            AllowOverride None
            AuthType Basic                                   (authentication method)
            AuthName "String"                                (description shown to the user)
            AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"      (where the account file is stored)
            Require user username1 username2 ...             (which users are allowed)
        </Directory>
        To allow every user in the account file to log in:
            Require valid-user

  • (2) Provide account and password storage (text file)

        Use the dedicated command to create this kind of file and manage its users

        htpasswd [options] /PATH/HTTPD_PASSWD_FILE username

        -c: create the file; use only when the file does not exist yet

        -m: MD5-based password hashing, the default

        -s: SHA-1 password hashing

        -D: delete the specified user

# Experiment: create users with hashed passwords
[root@Centos6-server conf.d]# pwd
/etc/httpd/conf.d
[root@Centos6-server conf.d]# ls -a
.  ..  .httpusers
[root@Centos6-server conf.d]# htpasswd -c .httpusers http1
New password:
Re-type new password:
Adding password for user http1
[root@Centos6-server conf.d]# htpasswd -s .httpusers http2
Adding password for user http2
[root@Centos6-server conf.d]# htpasswd -m .httpusers http3
Adding password for user http3
[root@Centos6-server conf.d]# cat .httpusers
http1:b4QECtkC6VarQ                                       ---> traditional crypt(3) format
http2:{SHA}s6VCX366xaGxnQ00QYzgpPZKelE=                   ---> -s: unsalted SHA-1
http3:$apr1$H31NOGIE$tafiBf6tKSZmId1VqUz1H0               ---> -m: salted, iterated MD5 ($apr1$)
[root@Centos6-server conf.d]# mkdir /app/website/secret
[root@Centos6-server conf.d]# echo /app/website/secret/index.html > /app/website/secret/index.html
[root@Centos6-server conf.d]# vim auth.conf
<Directory "/app/website/secret">                         ---> container tag restored: the directory created just above
    Authtype Basic
    AuthName "Admin dir"
    AuthUserFile "/etc/httpd/conf.d/.httpusers"           ---> the file created above (the page wrote .htusers here)
    Require user http1 http2
</Directory>
[root@Centos6-server conf.d]# service httpd restart
[root@centos7mini ~]# curl -I                             ---> request URL not preserved on the page
HTTP/1.1 401 Authorization Required                       ---> the 401 challenge
Date: Wed, 24 Jan 2018 07:19:41 GMT
Server: Apache
WWW-Authenticate: Basic realm="Admin dir"
Connection: close
Content-Type: text/html; charset=iso-8859-1
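The three hash formats visible in .httpusers above differ greatly in strength. As an added example (not code from the original page), this Python script reimplements the {SHA} and $apr1$ schemes that htpasswd -s and htpasswd -m produce and verifies a candidate password against an entry; it makes visible that {SHA} is unsalted SHA-1 (every user with the same password gets the same string, so one precomputed table covers all of them) while $apr1$ is salted and iterated. Function names are mine; traditional crypt(3) entries such as http1's are not handled.

```python
import base64
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def sha_hash(password):
    """htpasswd -s: '{SHA}' + base64(SHA-1(password)); no salt, no iterations."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def apr1_hash(password, salt=""):
    """htpasswd -m: Apache's MD5 crypt, '$apr1$<salt>$<22 chars>', 1000 rounds."""
    pw = password.encode()
    salt = (salt or "".join(secrets.choice(ITOA64) for _ in range(8)))[:8]
    sp = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    final = hashlib.md5(pw + sp + pw).digest()
    for pl in range(len(pw), 0, -16):             # mix in len(pw) bytes of the inner digest
        ctx.update(final[:min(16, pl)])
    i = len(pw)
    while i:                                      # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                         # slow-down loop, same pattern as APR's apr_md5_encode
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):                        # crypt-style 6-bit encoding, least significant first
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    out += ITOA64[v & 0x3F] + ITOA64[(v >> 6) & 0x3F]
    return f"$apr1${salt}${out}"


def verify(stored, password):
    """Check the hash field of a .httpusers line against a candidate password."""
    if stored.startswith("{SHA}"):
        return secrets.compare_digest(stored, sha_hash(password))
    if stored.startswith("$apr1$"):
        return secrets.compare_digest(stored, apr1_hash(password, stored.split("$")[2]))
    raise ValueError("unsupported hash format (e.g. traditional crypt(3) as for http1)")
```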

 

 


  • Authentication based on group accounts

        (1) Define the realm

        <Directory "/path">
            AuthType Basic
            AuthName "String"
            AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
            AuthGroupFile "/PATH/HTTPD_GROUP_FILE"
            Require group grpname1 grpname2 ...
        </Directory>

        (2) Create the user account file and the group account file;

        Group file: each line defines one group

        GRP_NAME: username1 username2 ...

  • Example:

        <Directory "/www/htdocs/admin">
            Options None
            AllowOverride None
            AuthType Basic
            AuthName "Administrator private"
            AuthUserFile "/etc/httpd/conf.d/.httpusers"
            AuthGroupFile "/etc/httpd/conf.d/.httpgroups"
            Require group admins
        </Directory>

        vim /etc/httpd/conf.d/.httpgroups

        admins: http1 http3
        users: http2

[root@Centos6-server conf.d]# vim auth.conf
<Directory "/app/website/secret">                         ---> container tag restored; assumed to be the same realm as in the experiment above
    Authtype Basic
    AuthName "Administrator private"
    AuthUserFile "/etc/httpd/conf.d/.httpusers"
    AuthGroupFile "/etc/httpd/conf.d/.httpgroups"
    Require group admins
</Directory>
[root@Centos6-server conf.d]# vim .httpgroups
admins: http1 http3
users: http2

 

3. Combining remote-client and user-authentication controls

  • Satisfy All|Any

        All: both the client IP check and user authentication must pass
        Any: passing either the client IP check or user authentication is enough

  • Example (clients from 192.168.1.0/24 get in without a password; everyone else must authenticate):

        Require valid-user
        Order allow,deny
        Allow from 192.168.1
        Satisfy Any

4. Sharing users' home directories over HTTP

  • Implemented by the module mod_userdir.so

  • SELinux boolean: httpd_enable_homedirs

  • Related settings:

        vim /etc/httpd/conf/httpd.conf
        <IfModule mod_userdir.c>
            #UserDir disabled
            # public_html is the name of the shared directory inside each home directory
            UserDir public_html
        </IfModule>

        Prepare the directory

            su - wang; mkdir ~/public_html
            setfacl -m u:apache:x ~wang
        Access
            http://localhost/~wang/index.html

  • Note: the access permissions of the shared folder must be adjusted; the apache user also needs execute (search) permission on the home directory itself, which is what the setfacl above grants

[root@Centos6-server conf.d]# httpd -M | grep userdir
 userdir_module (shared)
[root@Centos6-server conf.d]# getenforce                    ---> SELinux is already disabled on this host
Disabled
[root@Centos6-server conf.d]# vim /etc/httpd/conf/httpd.conf
#    UserDir disabled                                     ---> comment out, or change to enabled
    UserDir publicweb                                     ---> name of the shared folder
[root@Centos6-server conf.d]# ll -d /home/L/
drwx------ 3 L L 4096 Jan 24 15:59 /home/L/
[root@Centos6-server conf.d]# tail /var/log/httpd/error_log
[Wed Jan 24 16:21:32 2018] [error] [client 192.168.1.5] (13)Permission denied: access to /~L/ denied
[root@Centos6-server conf.d]# setfacl -m u:apache:x /home/L/
[root@centos7mini ~]# curl                                ---> request URL not preserved on the page
/home/L/publicweb/index.html
[root@Centos6-server conf.d]# mkdir /root/publicweb
[root@Centos6-server conf.d]# echo /root/publicweb/index.html > /root/publicweb/index.html
[root@Centos6-server conf.d]# setfacl -m u:apache:x /root/


5. Error page information settings

  • ServerSignature On | Off | EMail

  • When a client requests a page that does not exist, the server generates an error document; by default, because the ServerSignature option is on,

        the last line of the error document contains the server's name, the Apache version and similar information

    If this information should not be shown to the outside, set this parameter to Off
    When set to EMail, a mailto link for the ServerAdmin address is shown as well.

  • Recommended setting: Off

[root@Centos6-server conf.d]# vim /etc/httpd/conf/httpd.conf
ServerSignature Off


6. ServerType inetd | standalone

  • standalone: independent service mode (httpd runs as its own daemon)

  • inetd: non-independent service mode (httpd is started by inetd for each connection)

  • Unix platforms only; this directive exists in Apache 1.3 and was removed in httpd 2.x, which always runs standalone

7. Status page

  • LoadModule status_module modules/mod_status.so

        <Location /server-status>
            SetHandler server-status
            Order allow,deny
            Allow from 172.16
        </Location>

  • ExtendedStatus On shows the extended information

[root@Centos6-server conf.d]# vim /etc/httpd/conf/httpd.conf
<Location /server-status>                                 ---> container tag restored
    SetHandler server-status
    Order deny,allow
#    Deny from all                                        ---> with this line commented out nothing is denied, so the page is reachable from any address
    Allow from .example.com
</Location>
# What the page shows when opened normally
Apache Server Status for 192.168.1.100
Server Version: Apache/2.2.15 (Unix) DAV/2                             # software version
Server Built: Mar 22 2017 06:52:55                                     # build time
Current Time: Wednesday, 24-Jan-2018 16:42:14 CST                      # current time
Restart Time: Wednesday, 24-Jan-2018 16:41:49 CST                      # time of the last service restart
Parent Server Generation: 0                                            # parent server generation: 0
Server uptime:  24 seconds
1 requests currently being processed, 7 idle workers                   # 1 worker busy, 7 idle
W_______........................................................................................................................................................................................................................................................
Scoreboard Key: "_" Waiting for Connection,  "S" Starting up,  "R" Reading Request, "W" Sending Reply,  "K" Keepalive (read),  "D" DNS Lookup, "C" Closing connection,  "L" Logging,  "G" Gracefully finishing, "I" Idle cleanup of worker,  "." Open slot with no current process
PID Key:                                                               # child process PIDs
   48392 in state: W ,   48393 in state: _ ,   48394 in state: _
   48395 in state: _ ,   48396 in state: _ ,   48397 in state: _
   48398 in state: _ ,   48399 in state: _ ,
To obtain a full report with current status information you need to use the ExtendedStatus On directive.

II. Virtual hosts

1. Implementation methods and notes

  • IP-based: prepare at least one IP address per virtual host

  • Port-based: use at least one dedicated port per virtual host

  • FQDN-based: use at least one FQDN per virtual host

  • Note: virtual hosts should generally not be mixed with the main server; so to use virtual hosts, first disable the main server

  • How to disable it: comment out the DocumentRoot directive of the main server

  • Site identification: the socket

        Same IP, different ports
        Different IPs, all on the default port
        Different FQDNs:
            the Host: header in the request message

  • Virtual host configuration

        <VirtualHost IP:PORT>
            ServerName FQDN
            DocumentRoot "/path"
        </VirtualHost>

  • Recommendation: keep the configuration above in a separate configuration file

2. IP-based virtual host example

  • Configuration:

        <VirtualHost 172.16.100.6:80>
            ServerName
            DocumentRoot "/www/a.com/htdocs"
        </VirtualHost>

        <VirtualHost 172.16.100.7:80>
            ServerName
            DocumentRoot "/www/b.net/htdocs"
        </VirtualHost>

        <VirtualHost 172.16.100.8:80>
            ServerName
            DocumentRoot "/www/c.org/htdocs"
        </VirtualHost>

# Experiment: IP-based virtual hosts
[root@Centos6-server app]# ls
website
[root@Centos6-server app]# cp website/ website2 -r
[root@Centos6-server app]# cp website/ website3 -r
[root@Centos6-server app]# vim website2/index.html
/app/website2
[root@Centos6-server app]# vim website3/index.html
/app/website3
[root@Centos6-server conf.d]# pwd
/etc/httpd/conf.d
[root@Centos6-server conf.d]# vim vhost.conf
documentroot /app/website
<VirtualHost 192.168.1.100:80>                            ---> container tags restored from the addresses queried with curl below
    DocumentRoot /app/website
    ErrorLog logs/website1-error_log
    CustomLog logs/website1-access_log common
</VirtualHost>
<VirtualHost 192.168.1.250:80>
    DocumentRoot /app/website2
    ErrorLog logs/website2-error_log
    CustomLog logs/website2-access_log common
</VirtualHost>
<VirtualHost 192.168.1.251:80>
    DocumentRoot /app/website3
    ErrorLog logs/website3-error_log
    CustomLog logs/website3-access_log common
</VirtualHost>
[root@centos7mini ~]# curl 192.168.1.100
/app/website
[root@centos7mini ~]# curl 192.168.1.250
/app/website2
[root@centos7mini ~]# curl 192.168.1.251
/app/website3
[root@Centos6-server conf.d]# ll /var/log/httpd/
-rw-r--r-- 1 root root      71 Jan 28 19:46 website1-access_log
-rw-r--r-- 1 root root       0 Jan 28 19:45 website1-error_log
-rw-r--r-- 1 root root      71 Jan 28 19:46 website2-access_log
-rw-r--r-- 1 root root       0 Jan 28 19:45 website2-error_log
-rw-r--r-- 1 root root      71 Jan 28 19:46 website3-access_log
-rw-r--r-- 1 root root       0 Jan 28 19:45 website3-error_log

3. Port-based virtual hosts

  • Can be mixed with IP-based virtual hosts

  • Configuration:

        Listen 808
        Listen 8080
        <VirtualHost 172.16.100.6:80>
            ServerName
            DocumentRoot "/www/a.com/htdocs"
        </VirtualHost>

        <VirtualHost 172.16.100.6:808>
            ServerName
            DocumentRoot "/www/b.net/htdocs"
        </VirtualHost>

        <VirtualHost 172.16.100.6:8080>
            ServerName
            DocumentRoot "/www/c.org/htdocs"
        </VirtualHost>

# Experiment: port-based virtual hosts
[root@Centos6-server conf.d]# vim vhost.conf
Listen 8001
Listen 8002
Listen 8003
<VirtualHost *:8001>                                      ---> container tags restored from the ports queried with curl below; the "*" address is assumed
    DocumentRoot /app/website
    ErrorLog logs/website1-error_log
    CustomLog logs/website1-access_log common
</VirtualHost>
<VirtualHost *:8002>
    DocumentRoot /app/website2
    ErrorLog logs/website2-error_log
    CustomLog logs/website2-access_log common
</VirtualHost>
<VirtualHost *:8003>
    DocumentRoot /app/website3
    ErrorLog logs/website3-error_log
    CustomLog logs/website3-access_log common
</VirtualHost>
[root@Centos6-server conf.d]# ss -ntl
State       Recv-Q Send-Q                   Local Address:Port                     Peer Address:Port
LISTEN      0      128                                 :::8001                               :::*
LISTEN      0      128                                 :::8002                               :::*
LISTEN      0      128                                 :::8003                               :::*
LISTEN      0      128                                 :::80                                 :::*
[root@centos7mini ~]# curl 192.168.1.100:8001
/app/website
[root@centos7mini ~]# curl 192.168.1.100:8002
/app/website2
[root@centos7mini ~]# curl 192.168.1.100:8003
/app/website3

4. FQDN-based virtual hosts

  • NameVirtualHost *:80    (this directive is not needed in httpd 2.4)

        <VirtualHost *:80>
            ServerName
            DocumentRoot "/www/a.com/htdocs"
        </VirtualHost>

        <VirtualHost *:80>
            ServerName
            DocumentRoot "/www/b.net/htdocs"
        </VirtualHost>

        <VirtualHost *:80>
            ServerName
            DocumentRoot "/www/c.org/htdocs"
        </VirtualHost>

# Experiment: FQDN-based virtual hosts
# (hostnames and URLs that were written in angle brackets were lost when the page was extracted and are left blank below)
[root@Centos6-server conf.d]# vim vhost.conf
NameVirtualHost *:80
<VirtualHost *:80>                                        ---> container tags restored to match the NameVirtualHost line
    DocumentRoot /app/website
    ServerName www.a.com
    ErrorLog logs/website1-error_log
    CustomLog logs/website1-access_log common
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /app/website2
    ServerName www.b.com
    ErrorLog logs/website2-error_log
    CustomLog logs/website2-access_log common
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /app/website3
    ServerName www.c.com
    ErrorLog logs/website3-error_log
    CustomLog logs/website3-access_log common
</VirtualHost>
# Note: when the server is accessed by IP rather than by FQDN, the first virtual host is the default one that answers!!!
[root@centos7mini ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.100
[root@centos7mini ~]# curl www.a.com
/app/website
[root@centos7mini ~]# curl www.b.com
/app/website2
[root@centos7mini ~]# curl www.c.com
/app/website3
[root@centos7mini ~]# telnet www.b.com 80                ---> the FQDN used for the TCP connection does not matter here
Trying 192.168.1.100...
Connected to www.b.com.
Escape character is '^]'.
GET / http/1.1
HOST:                                                     ---> the Host header is what selects the site that is served

HTTP/1.1 200 OK
Date: Sun, 28 Jan 2018 12:06:33 GMT
Server: Apache
Last-Modified: Sun, 28 Jan 2018 11:34:22 GMT
ETag: "12000d-e-563d482c9ad21"
Accept-Ranges: bytes
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8

/app/website3
Connection closed by foreign host.
# Note: virtual hosts should generally not be mixed with the main server; so to use virtual hosts, first disable the main server
# Note: when the server is accessed by IP rather than by FQDN, the first virtual host is the default one that answers!!!
[root@centos7mini ~]# curl 192.168.1.100
/app/website
[root@centos7mini ~]# vim /etc/hosts
192.168.1.100
[root@centos7mini ~]# curl
/app/website
[root@centos7mini ~]# curl
/app/website
[root@centos7mini ~]# curl
/app/website
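As an added example (not code from the page), this Python model of httpd's virtual-host selection covers the IP-, port- and name-based cases from sections 2 to 4 and reproduces the note above: a request that arrives by IP, with no Host header, or with a Host name that matches no ServerName lands on the first vhost bound to that address, so whatever is listed first is the catch-all. The sample vhost.conf and the function names are constructed for this example.

```python
import re

# Constructed vhost.conf mixing the page's three methods (not the page's own file).
VHOST_CONF = """NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.a.com
    DocumentRoot /app/website
</VirtualHost>
<VirtualHost *:80>
    ServerName www.b.com
    DocumentRoot /app/website2
</VirtualHost>
<VirtualHost *:8003>
    DocumentRoot /app/website3
</VirtualHost>
<VirtualHost 192.168.1.250:80>
    DocumentRoot /app/website2
</VirtualHost>
"""


def parse_vhosts(text):
    """Minimal parser: only <VirtualHost>, ServerName and DocumentRoot are read."""
    hosts, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"<VirtualHost\s+(\S+)>", line, re.I):
            cur = {"addr": m.group(1), "servername": "", "documentroot": ""}
        elif line.lower() == "</virtualhost>":
            hosts.append(cur)
            cur = None
        elif cur and (m := re.match(r"(ServerName|DocumentRoot)\s+(\S+)", line, re.I)):
            cur[m.group(1).lower()] = m.group(2).strip('"')
    return hosts


def select_vhost(hosts, local_ip, local_port, host_header):
    """Model of httpd's choice: take the vhosts bound to the connection's
    IP:port (an exact IP beats '*'), match Host: against ServerName, and
    otherwise fall back to the FIRST vhost for that address (the default)."""
    exact = [h for h in hosts if h["addr"] == f"{local_ip}:{local_port}"]
    candidates = exact or [h for h in hosts if h["addr"] == f"*:{local_port}"]
    if not candidates:
        return None                          # no vhost: handled by the main server
    name = (host_header or "").split(":")[0].lower()
    for h in candidates:
        if h["servername"].lower() == name:
            return h
    return candidates[0]
```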