blog.zhuohua.store's Archiver

Posted by admin on 2020-2-9 21:02

Apache 2.4 name-based virtual hosts + user authorization restriction + client address restriction

Note: this is done on top of the [url=http://blog.zhuohua.store/viewthread.php?tid=80&extra=page%3D1]LNMP one-click install package (lamp_CentOS6.9)[/url].


Name-based virtual hosts, each using a different port number:

The Apache 2.4 main configuration file must contain the following lines:
[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'IncludeOptional'
IncludeOptional conf/vhost/*.conf

[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'Listen' |grep -v "^#"
Listen 80
Listen 81
Listen 82



Apache configuration file for site zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/zhuohua.store.conf
<VirtualHost *:81>
# uses TCP port 81
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/zhuohua.store"
ServerName zhuohua.store
ServerAlias  www.zhuohua.store ww.zhuohua.store
#ErrorLog "/home/wwwlogs/-error_log"
#CustomLog "/home/wwwlogs/-access_log" combined
<Directory "/www/zhuohua.store">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    DirectoryIndex index.html index.php
</Directory>
</VirtualHost>



Apache configuration file for site bbs.zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
# uses TCP port 82
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/bbs.zhuohua.store"
ServerName bbs.zhuohua.store
ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
<Directory "/www/bbs.zhuohua.store">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    DirectoryIndex index.html index.php
</Directory>
</VirtualHost>


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done



Edit the firewall configuration file and open TCP ports 81 and 82:
[root@localhost ~]# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Jun 25 01:55:34 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:156]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 82 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 25 01:55:34 2020

[root@localhost ~]# service iptables restart
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:清除防火墙规则:[确定]
iptables:正在卸载模块:[确定]
iptables:应用防火墙规则:[确定]



Create a test page for each of the two sites:
[root@localhost ~]# echo '111' > /www/zhuohua.store/111.html
[root@localhost ~]# echo '222' > /www/bbs.zhuohua.store/222.html



Remote test from a client:
http://zhuohua.store:81/111.html

http://bbs.zhuohua.store:82/222.html



View the access log of site bbs.zhuohua.store (it records the client's successful requests):
[root@localhost ~]# cat /home/wwwlogs/bbs.zhuohua.store-access_log
192.168.168.28 - - [25/Jun/2020:02:14:52 +0800] "GET / HTTP/1.1" 403 274 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.28 - - [25/Jun/2020:02:39:00 +0800] "GET /222.html HTTP/1.1" 200 4 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.28 - - [25/Jun/2020:02:39:00 +0800] "GET /favicon.ico HTTP/1.1" 404 276 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"


View the error log of site bbs.zhuohua.store (it records errors from client requests):
[root@localhost ~]# cat /home/wwwlogs/bbs.zhuohua.store-error_log
[Thu Jun 25 02:14:52.634622 2020] [autoindex:error] [pid 2247] [client 192.168.168.28:1171] AH01276: Cannot serve directory /www/bbs.zhuohua.store/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive





############

Default site, using a custom port number:

The Apache 2.4 main configuration file must contain the following line:
[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'httpd-vhosts.conf'
Include conf/extra/httpd-vhosts.conf

[root@localhost ~]# cat /usr/local/apache/conf/extra/httpd-vhosts.conf |grep -v "^#"
<VirtualHost *:82>
# uses TCP port 82
ServerAdmin webmaster@example.com
DocumentRoot "/home/wwwroot/default"
ServerName www.lnmp.org
ErrorLog "/home/wwwlogs/IP-error_log"
CustomLog "/home/wwwlogs/IP-access_log" combined
<Directory "/home/wwwroot/default">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    DirectoryIndex index.html index.php
</Directory>
</VirtualHost>


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done


Remote test from a client:
http://192.168.168.130:82/phpinfo.php

############
############

User authorization restriction (setting access permissions on site directories):
It involves two processes, authentication and authorization. Authentication is the process of identifying who the user is; authorization is the process of allowing particular users to access particular directory areas.

## Purpose: before the pages in a particular directory of the site can be accessed, a username and password must be verified.

Create a back-end directory and its index file for each site:
mkdir -p /www/zhuohua.store/webadmin
mkdir -p /www/bbs.zhuohua.store/webadmin

cd /www/
echo 'zhuohua.store-admin' > zhuohua.store/webadmin/index.htm
echo 'bbs.zhuohua.store-admin' > bbs.zhuohua.store/webadmin/index.htm


For each site's back-end directory, create a user together with that user's authentication data file and password:

First confirm that the htpasswd command is installed:
[root@localhost ~]# find / -name htpasswd
/usr/local/apache/bin/htpasswd

[root@localhost ~]# /usr/local/apache/bin/htpasswd -bc /usr/local/apache/conf/zhuohua_auth1 zhuohua 111
Adding password for user zhuohua

Notes:
/usr/local/apache/conf/zhuohua_auth1 is the authentication data file
zhuohua is the username
111 is the user's password

Remarks:
This command can also be used to change a user's password.
The authentication data file can be created on another server and then copied over for use.


[root@localhost ~]# /usr/local/apache/bin/htpasswd -bc /usr/local/apache/conf/zhuohua_auth2 happy 222
Adding password for user happy


The generated user authentication data files (the password is not stored in clear text; it is stored as a salted hash):
[root@localhost ~]# cat /usr/local/apache/conf/zhuohua_auth1
zhuohua:$apr1$v6dA32JA$J7/cBlqFz7ei8bLtLV.eq/

[root@localhost ~]# cat /usr/local/apache/conf/zhuohua_auth2
happy:$apr1$ro/NNRKq$tP60FEV3m0UojJP4N0AAF.
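As an added example (not from the original post and not Apache's own code), the following Python reimplements the $apr1$ scheme that htpasswd used above, and checks a user:hash line the way the server does: recompute the hash from the stored salt and compare, so the clear-text password never has to be kept. The credentials and hash lines are the ones shown on this page.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # crypt(3)-style base64: emit the low 6 bits first (not RFC 4648)
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_crypt(password, salt):
    """Apache's $apr1$ scheme: salted MD5 with 1000 stretching rounds."""
    pw, sp = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                      # mix 'alt' in once per 16 bytes of password
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                           # one byte per bit of len(password)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # deliberately slow stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in groups)
    enc += _to64(f[11], 2)
    return "$apr1$" + salt[:8] + "$" + enc


def check_htpasswd_line(line, user, password):
    """Verify a 'user:hash' line from the htpasswd file without storing the plaintext."""
    name, stored = line.strip().split(":", 1)
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]        # the 8 characters between the 2nd and 3rd '$'
    return hmac.compare_digest(apr1_crypt(password, salt), stored)
```

Because the salt is random, running htpasswd twice for the same password gives two different lines; both still verify.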


Add the user-authorization configuration to site zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/zhuohua.store.conf
<VirtualHost *:81>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/zhuohua.store"
ServerName zhuohua.store
ServerAlias  www.zhuohua.store ww.zhuohua.store
#ErrorLog "/home/wwwlogs/-error_log"
#CustomLog "/home/wwwlogs/-access_log" combined
<Directory "/www/zhuohua.store">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    # default index file for the root directory
    DirectoryIndex index.html index.php
</Directory>

# the site's back-end directory
<Directory "/www/zhuohua.store/webadmin">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    allow from all
        authname "Welcome to zhuohua"
        authtype  basic
        authuserfile  /usr/local/apache/conf/zhuohua_auth1
        require valid-user
        # default index file for the subdirectory
        DirectoryIndex index.htm
</Directory>

</VirtualHost>



Add the user-authorization configuration to site bbs.zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/bbs.zhuohua.store"
ServerName bbs.zhuohua.store
ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
<Directory "/www/bbs.zhuohua.store">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    DirectoryIndex index.html index.php
</Directory>

<Directory "/www/bbs.zhuohua.store/webadmin">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    allow from all
        authname "webadmin directory"
        authtype  basic
        authuserfile  /usr/local/apache/conf/zhuohua_auth2
        require valid-user
        DirectoryIndex index.htm
</Directory>

</VirtualHost>


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done



Remote test from a client:
http://zhuohua.store:81/webadmin/

http://bbs.zhuohua.store:82/webadmin/





############

Apply the same user authorization restriction to the default site's subdirectory /home/wwwroot/default/phpmyadmin:
[root@localhost ~]# cat /usr/local/apache/conf/extra/httpd-vhosts.conf |grep -v "^#"
<VirtualHost *:82>
ServerAdmin webmaster@example.com
DocumentRoot "/home/wwwroot/default"
ServerName www.lnmp.org
ErrorLog "/home/wwwlogs/IP-error_log"
CustomLog "/home/wwwlogs/IP-access_log" combined
<Directory "/home/wwwroot/default">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    DirectoryIndex index.html index.php
</Directory>

<Directory "/home/wwwroot/default/phpmyadmin">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    allow from all
        authname "Welcome to zhuohua"
        authtype  basic
        authuserfile  /usr/local/apache/conf/zhuohua_auth1
        require valid-user
        # default index file for the subdirectory
        DirectoryIndex index.php
</Directory>

</VirtualHost>

Note: the same user authentication data file can be shared by several sites at the same time.


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done



Remote test from a client:
http://192.168.168.130:82/phpmyadmin/


############
############

Client address restriction (sets access permissions on certain site directories according to the client's IP address)
Order allow,deny : evaluate Allow first, then Deny; by default every client IP address that is not explicitly allowed is denied
Order deny,allow : evaluate Deny first, then Allow; by default every client IP address that is not explicitly denied is allowed

Example 1: allow only clients with IP addresses 192.168.168.27 and 192.168.168.28 to access site bbs.zhuohua.store

Client address restriction configuration for site bbs.zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/bbs.zhuohua.store"
ServerName bbs.zhuohua.store
ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
<Directory "/www/bbs.zhuohua.store">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from 192.168.168.27 192.168.168.28
    DirectoryIndex index.html index.php
</Directory>

<Directory "/www/bbs.zhuohua.store/webadmin">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    allow from all
        authname "webadmin directory"
        authtype  basic
        authuserfile  /usr/local/apache/conf/zhuohua_auth2
        require valid-user
        DirectoryIndex index.htm
</Directory>

</VirtualHost>


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done



Test:
When a client with an IP address that is not allowed requests a file in the root directory of site bbs.zhuohua.store:
http://bbs.zhuohua.store:82/222.html


It does not, however, stop a client with a disallowed IP address from requesting files in a subdirectory of site bbs.zhuohua.store, because the <Directory> section for /webadmin carries its own Order and Allow lines (allow from all), and those take the place of the parent directory's:
http://bbs.zhuohua.store:82/webadmin/





############

Example 2: deny only the IP ranges 192.168.167.0/24 and 192.168.168.0/24 access to the /webadmin subdirectory of site bbs.zhuohua.store:

[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/bbs.zhuohua.store"
ServerName bbs.zhuohua.store
ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
<Directory "/www/bbs.zhuohua.store">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from 192.168.168.27 192.168.168.28
    DirectoryIndex index.html index.php
</Directory>

<Directory "/www/bbs.zhuohua.store/webadmin">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order deny,allow
    Deny from 192.168.167.0/24 192.168.168.0/24
        authname "webadmin directory"
        authtype  basic
        authuserfile  /usr/local/apache/conf/zhuohua_auth2
        require valid-user
        DirectoryIndex index.htm
</Directory>

</VirtualHost>


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done



Test:
When a client from a denied IP range requests a file in the /webadmin subdirectory of site bbs.zhuohua.store, the request is refused.
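The following Python model is an added example, not code from the post or from Apache; it reproduces the Order/Allow/Deny evaluation used in Example 1 and Example 2 above, plus the behaviour seen in the Example 1 test: a subdirectory's own <Directory> block replaces the parent's host rules instead of combining with them. The section dictionaries and test paths are constructed from this page's configuration.

```python
import ipaddress


def _host_matches(client_ip, rule):
    # Host forms used on this page: "all", a single IPv4 address, or a CIDR range.
    if rule.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)


def decide(client_ip, order, allow=(), deny=()):
    """Evaluate one <Directory> section's Order/Allow/Deny for a client address."""
    allowed = any(_host_matches(client_ip, r) for r in allow)
    denied = any(_host_matches(client_ip, r) for r in deny)
    if order == "allow,deny":
        # Default is deny: the client must match an Allow and no Deny.
        return allowed and not denied
    if order == "deny,allow":
        # Default is allow: a Deny match refuses unless an Allow also matches.
        return allowed or not denied
    raise ValueError("unsupported Order: %s" % order)


def resolve(path, client_ip, sections):
    """Apply only the most specific <Directory> block that covers the path:
    Order/Allow/Deny lines in a subdirectory block replace the parent's."""
    covering = [d for d in sections if path == d or path.startswith(d.rstrip("/") + "/")]
    return decide(client_ip, **sections[max(covering, key=len)])


# Example 1: site root limited to two hosts; /webadmin keeps "Order allow,deny / allow from all"
EXAMPLE1 = {
    "/www/bbs.zhuohua.store": {"order": "allow,deny",
                               "allow": ("192.168.168.27", "192.168.168.28")},
    "/www/bbs.zhuohua.store/webadmin": {"order": "allow,deny", "allow": ("all",)},
}
# Example 2: /webadmin now refuses two /24 ranges and admits everyone else
EXAMPLE2 = dict(EXAMPLE1)
EXAMPLE2["/www/bbs.zhuohua.store/webadmin"] = {
    "order": "deny,allow", "deny": ("192.168.167.0/24", "192.168.168.0/24")}
```

To close the gap the Example 1 test exposed, the /webadmin block would need its own Allow list (or Apache 2.4's Require ip) rather than inheriting anything from the parent.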





Related articles:
[url=http://blog.zhuohua.store/viewthread.php?tid=274&page=1&extra=#pid277]Apache 2.2 name-based virtual hosts + user authorization restriction + client address restriction[/url]
[url=http://blog.zhuohua.store/viewthread.php?tid=402&page=1&extra=#pid830]CentOS8_Apache2.4 name-based virtual hosts + proxy virtual hosts[/url]

[url=http://blog.zhuohua.store/viewthread.php?tid=291&extra=page%3D1]Nginx user authentication[/url]
[url=http://blog.zhuohua.store/viewthread.php?tid=58&page=1&extra=#pid59]CentOS6_Tomcat name-based virtual hosts[/url]

[url=http://blog.zhuohua.store/viewthread.php?tid=111&page=1&extra=#pid112]Windows2008R2_UPUPW_AP5.6_user authorization restriction + client address restriction + SSL[/url]
[url=http://blog.zhuohua.store/viewthread.php?tid=371&page=1&extra=#pid653]Windows2012R2_UPUPW_Nginx_domain redirection + user authentication + access control + SSL[/url]
