blog.zhuohua.store's Archiver

Posted by admin on 2020-2-9 21:22

Apache 2.4: domain redirect + hotlink protection + SSL

Note: this builds on the [url=http://blog.zhuohua.store/viewthread.php?tid=80&extra=page%3D1]LNMP one-click installer (lamp_CentOS6.9)[/url].


Domain redirect:
Visiting www.zhuohua.store or ww.zhuohua.store automatically redirects to
http://zhuohua.store


The Apache 2.4 main configuration file must contain the following line:
[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'IncludeOptional'
[color=Purple]IncludeOptional conf/vhost/*.conf[/color]


Edit the Apache configuration file for the site zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/[color=Blue]zhuohua.store.conf[/color]
Insert the following:
<IfModule mod_rewrite.c>
  RewriteEngine on
  # redirect every Host that is not exactly the bare domain (the dot is escaped so it matches a literal ".")
  RewriteCond %{HTTP_HOST} !^[color=Blue]zhuohua\.store[/color]$
  RewriteRule ^/(.*)$ [color=Blue]http://zhuohua.store[/color]/$1 [R=301,L]
</IfModule>

As shown below:
[attach]15836[/attach]


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done


Create a test page for the site:
[root@localhost ~]# echo '111' > /www/zhuohua.store/111.html


Remote test from a client (any of the three URLs below gives the same result):
http://www.zhuohua.store/111.html
http://ww.zhuohua.store/111.html
http://zhuohua.store/111.html

[attach]15837[/attach]

############
############

Apache hotlink protection:

Edit the Apache configuration file for the site zhuohua.store:
[root@localhost ~]# vi /usr/local/apache/conf/vhost/[color=Blue]zhuohua.store.conf[/color]
Insert the following:
  # Whitelisted referers. Patterns are anchored and dots escaped, so a referer such as
  # "http://baidu.com.evil.example/" or "http://evil.example/?http://baidu.com" does not match.
  SetEnvIfNoCase Referer "^https?://[color=Blue]zhuohua\.store[/color](/|$)" local_ref
  SetEnvIfNoCase Referer "^https?://[color=Blue]baidu\.com[/color](/|$)" local_ref
  SetEnvIfNoCase Referer "^https?://[color=Blue]www\.baidu\.com[/color](/|$)" local_ref
  # An empty or missing Referer (direct visits, privacy-stripping clients) is allowed
  SetEnvIfNoCase Referer "^$" local_ref
     <FilesMatch "\.([color=DarkRed]gif|jpg|png|jpeg|flv|swf|rar|zip|txt[/color])$">
            # Order/Allow are the Apache 2.2 directives and need mod_access_compat on 2.4;
            # the native 2.4 equivalent is a single line: Require env local_ref
            Order allow,deny
            Allow from env=local_ref
     </FilesMatch>

As shown below:
[attach]15838[/attach]

Notes:
http://zhuohua.store, http://baidu.com and http://www.baidu.com form the whitelist of site domains allowed to link to the files;

gif|jpg|png|jpeg|flv|swf|rar|zip|txt are the protected file types and can be customised


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done


Remember to create the test files:
[root@localhost ~]# echo '111' > /www/zhuohua.store/1.png
[root@localhost ~]# echo '222' > /www/zhuohua.store/2.doc



Hotlink-protection test:

A whitelisted domain referencing a protected file type works normally:
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://[color=Blue]zhuohua.store[/color]/1[color=DarkRed].png[/color]" zhuohua.store/1[color=DarkRed].png[/color]
[color=Purple]HTTP/1.1 200 OK[/color]
Date: Wed, 24 Jun 2020 18:38:48 GMT
Server: Apache
Last-Modified: Wed, 24 Jun 2020 18:33:22 GMT
ETag: "4-5a8d8b5eaa320"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: image/png

[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://[color=Blue]baidu.com[/color]/1[color=DarkRed].png[/color]" zhuohua.store/1[color=DarkRed].png[/color]
[color=Purple]HTTP/1.1 200 OK[/color]
Date: Wed, 24 Jun 2020 18:39:57 GMT
Server: Apache
Last-Modified: Wed, 24 Jun 2020 18:33:22 GMT
ETag: "4-5a8d8b5eaa320"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: image/png

[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://[color=Blue]www.baidu.com[/color]/1[color=DarkRed].png[/color]" zhuohua.store/1[color=DarkRed].png[/color]
[color=Purple]HTTP/1.1 200 OK[/color]
Date: Wed, 24 Jun 2020 18:40:13 GMT
Server: Apache
Last-Modified: Wed, 24 Jun 2020 18:33:22 GMT
ETag: "4-5a8d8b5eaa320"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: image/png



A non-whitelisted domain referencing a protected file type is refused:
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://[color=Blue]www.aaa.com[/color]/1[color=DarkRed].png[/color]" zhuohua.store/1[color=DarkRed].png[/color]
[color=Purple]HTTP/1.1 403 Forbidden[/color]
Date: Wed, 24 Jun 2020 18:41:11 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1



Because the doc file type is not restricted, doc files get no hotlink protection:
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://[color=Blue]www.baidu.com[/color]/2[color=DarkRed].doc[/color]" zhuohua.store/2[color=DarkRed].doc[/color]
[color=Purple]HTTP/1.1 200 OK[/color]
Date: Wed, 24 Jun 2020 18:42:36 GMT
Server: Apache
Last-Modified: Wed, 24 Jun 2020 18:35:05 GMT
ETag: "4-5a8d8bc1213a4"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: application/msword

[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://[color=Blue]www.aaa.com[/color]/2[color=DarkRed].doc[/color]" zhuohua.store/2[color=DarkRed].doc[/color]
[color=Purple]HTTP/1.1 200 OK[/color]
Date: Wed, 24 Jun 2020 18:43:08 GMT
Server: Apache
Last-Modified: Wed, 24 Jun 2020 18:35:05 GMT
ETag: "4-5a8d8bc1213a4"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: application/msword
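The curl tests above exercise the rules against the live server. The script below is an added example, not part of the blog post: it models the same allow/deny decision offline, running referers through grep -Ei (case-insensitive, like SetEnvIfNoCase) and then the FilesMatch extension filter, with the whitelist pattern as the page writes it beside an anchored variant. It goes beyond the page's tests in showing what the unanchored, unescaped patterns also accept. The hostnames evil.example and www.aaa.com and the sample referers are constructed test values.

```shell
#!/bin/sh
# Offline model of the SetEnvIfNoCase Referer + FilesMatch rules.
# Added example; not the blog's configuration. grep -Ei stands in for
# Apache's case-insensitive regex match. Referers below are constructed.

# Pattern as written on the page: unanchored, dots unescaped.
WEAK_REF='http://zhuohua.store|http://baidu.com|http://www.baidu.com'
# Hardened pattern: anchored at the start, dots escaped, and the host must
# be followed by "/", ":port" or the end of the string, so a referer of
# "http://baidu.com.evil.example/" no longer qualifies.
STRICT_REF='^https?://(www\.)?(zhuohua\.store|baidu\.com)(:[0-9]+)?(/|$)'
# File types covered by the FilesMatch block (anchored with $).
PROTECTED='\.(gif|jpg|png|jpeg|flv|swf|rar|zip|txt)$'

# referer_ok PATTERN REFERER -> exit 0 if the request would get local_ref
referer_ok() {
  pattern=$1; ref=$2
  # the page's fourth rule: an empty/missing Referer is whitelisted
  [ -z "$ref" ] && return 0
  printf '%s\n' "$ref" | grep -Eiq -- "$pattern"
}

# hotlink_decision PATTERN REFERER FILENAME -> prints ALLOW or DENY
hotlink_decision() {
  pattern=$1; ref=$2; file=$3
  # files outside FilesMatch are never checked (the page's .doc case);
  # -i here mirrors a "(?i)" prefix, which the page's FilesMatch lacks,
  # so on the page a request for 1.PNG would bypass the rule.
  if ! printf '%s\n' "$file" | grep -Eiq -- "$PROTECTED"; then
    echo ALLOW; return 0
  fi
  if referer_ok "$pattern" "$ref"; then echo ALLOW; else echo DENY; fi
}

# Stand-alone run: same referers, page pattern vs hardened pattern.
for ref in 'http://zhuohua.store/1.png' 'http://www.baidu.com/x' '' \
           'http://www.aaa.com/' 'http://baidu.com.evil.example/' \
           'http://evil.example/?u=http://baidu.com'; do
  printf '%-42s page:%-5s strict:%s\n' "'$ref'" \
    "$(hotlink_decision "$WEAK_REF" "$ref" 1.png)" \
    "$(hotlink_decision "$STRICT_REF" "$ref" 1.png)"
done
```

The same weakness applies to the curl tests on the page: `-e "http://baidu.com.evil.example/1.png"` would return 200 with the original patterns, so a referer test suite should include such look-alike hosts, not only the whitelisted and the plainly foreign ones.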

##############

Configuring SSL in Apache

Note:
The following generates a pair of custom (self-signed) SSL certificate files; the method and the certificates it produces work for both Apache and Nginx.


[root@localhost ~]# [color=Blue]cd /usr/local/apache/conf/[/color]
[root@localhost conf]# [color=Blue]openssl genrsa -des3 -out tmp.key[/color]
Generating RSA private key, 1024 bit long modulus
........++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:[color=DarkOrchid]#enter a passphrase of your choice[/color]
Verifying - Enter pass phrase for tmp.key:[color=DarkOrchid]#enter the same passphrase again[/color]


Convert tmp.key into zhuohua.key (the same key without the passphrase):
[root@localhost conf]# [color=Blue]openssl rsa -in tmp.key -out zhuohua.key[/color]
Enter pass phrase for tmp.key:[color=DarkOrchid]#enter the passphrase chosen above[/color]
writing RSA key


[root@localhost conf]# [color=Blue]rm -rf tmp.key[/color]


Generate the CSR file:
[root@localhost conf]# [color=Blue]openssl req -new -key zhuohua.key -out zhuohua.csr[/color]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:[color=DarkRed]zhuohua[/color]
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[color=DarkRed]123456[/color]
An optional company name []:
[root@localhost conf]#


Generate the CRT certificate file:
[root@localhost conf]# [color=Blue]openssl x509 -req -days 365 -in zhuohua.csr  -signkey zhuohua.key -out zhuohua.crt[/color]
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=zhuohua
Getting Private key


The generated SSL certificate files:
[attach]15839[/attach]
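The four commands above (genrsa with a passphrase, rsa to strip it again, req for a CSR, x509 to self-sign) can be collapsed into a single openssl req -x509 call. The script below is an added example, not the blog's procedure: it generates a 2048-bit key rather than the 1024-bit default visible in the genrsa output above, puts the real hostnames into a subjectAltName (the CSR above uses CN=zhuohua, which no browser would accept for zhuohua.store even if the issuer were trusted), and then checks with openssl verify that the certificate matches the names a client will connect to. It assumes OpenSSL 1.1.1 or newer for the -addext option; the output directory is a constructed temporary directory, and the file names zhuohua.key/zhuohua.crt follow the page.

```shell
#!/bin/sh
# Added example, not the blog's commands. Assumes OpenSSL >= 1.1.1.
# Generates a 2048-bit key plus a self-signed certificate carrying the
# hostnames in subjectAltName, then verifies hostname matching.

# make_selfsigned DIR HOST [ALT_HOST...] -> writes DIR/zhuohua.key and DIR/zhuohua.crt
make_selfsigned() {
  dir=$1; host=$2; shift 2
  san="DNS:$host"
  for alt in "$@"; do san="$san,DNS:$alt"; done
  # -nodes: key stored without a passphrase (what the page's genrsa + rsa pair ends up with)
  # -x509: self-sign directly instead of writing a CSR and signing it separately
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$host" -addext "subjectAltName=$san" \
    -keyout "$dir/zhuohua.key" -out "$dir/zhuohua.crt" 2>/dev/null
}

# key_bits KEYFILE -> prints the RSA modulus size (hex digits * 4)
key_bits() {
  m=$(openssl rsa -in "$1" -noout -modulus)
  m=${m#Modulus=}
  echo $(( ${#m} * 4 ))
}

# cert_matches_host CERT HOST -> exit 0 only if the certificate verifies
# (trusting itself as the anchor, since it is self-signed) AND its names
# match HOST. This is the browser's check minus the "is the CA trusted"
# part, which is the only part a self-signed certificate cannot pass.
cert_matches_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: generate into a temporary directory and report.
work=$(mktemp -d)
make_selfsigned "$work" zhuohua.store www.zhuohua.store
echo "key size: $(key_bits "$work/zhuohua.key") bits"
for h in zhuohua.store www.zhuohua.store zhuohua; do
  if cert_matches_host "$work/zhuohua.crt" "$h"; then
    echo "$h: matches certificate"
  else
    echo "$h: does NOT match certificate"
  fi
done
openssl x509 -in "$work/zhuohua.crt" -noout -subject -ext subjectAltName
```

The last name in the loop, zhuohua, is what the page's CSR used as Common Name; the check shows that a certificate issued that way would fail hostname matching regardless of who signed it. The browser warning the page mentions later goes away only when both conditions hold: a name that matches, and an issuer the client trusts.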



Firewall configuration (open TCP port 443):
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables-save > /etc/sysconfig/iptables

The firewall no longer needs TCP port 80 open:
# match the port-80 rule only; a bare '/80/' would also delete any rule whose text contains "80" (e.g. --dport 8080)
sed -i '/--dport 80 /d' /etc/sysconfig/iptables
service iptables restart


[root@localhost ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Jun 25 03:16:58 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:232]
[color=Purple]-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT [/color]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 25 03:16:58 2020



openssl and Apache's SSL module need to be installed (skip if already present):
[root@localhost ~]# which openssl
[color=Purple]/usr/bin/openssl[/color]

[root@localhost ~]# find / -name "*ssl.conf"
[color=Purple]/usr/local/apache/conf/extra/httpd-ssl.conf[/color]
/usr/local/apache/conf/original/extra/httpd-ssl.conf

Check the parameters Apache was compiled with:
[root@localhost ~]# find / -name config.nice
[color=Purple]/usr/local/apache/build/config.nice[/color]
[root@localhost ~]#
[root@localhost ~]# cat /usr/local/apache/build/config.nice
#! /bin/sh
#
# Created by configure

"./configure" \
"--prefix=/usr/local/apache" \
"--enable-mods-shared=most" \
"--enable-headers" \
"--enable-mime-magic" \
"--enable-proxy" \
"--enable-so" \
"--enable-rewrite" \
[color=Purple]"--with-ssl" \
"--enable-ssl" \[/color]
"--enable-deflate" \
"--with-pcre" \
"--with-included-apr" \
"--with-apr-util" \
"--enable-mpms-shared=all" \
"--with-mpm=prefork" \
"--enable-remoteip" \
"$@"



Edit the Apache configuration file for the site zhuohua.store:
[root@localhost ~]# vi /usr/local/apache/conf/vhost/zhuohua.store.conf
[color=DarkOrchid]Add at the top of the file:[/color] [color=DarkRed]Listen 443[/color]

<VirtualHost *:[color=DarkRed]443[/color]> [color=DarkOrchid]#remember to change the port here to 443[/color]

Insert the following:
SSLEngine on
SSLCertificateFile [color=Blue]/usr/local/apache/conf/zhuohua.crt[/color]
SSLCertificateKeyFile [color=Blue]/usr/local/apache/conf/zhuohua.key[/color]

As shown below:
[attach]15840[/attach]


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done


Remote test from a client using QQ Browser:
[color=DarkRed]https:[/color]//zhuohua.store/111.html
[attach]15841[/attach]
Note: the warning appears because this certificate is self-made and not recognised by the browser; it does not affect access or encryption.


[attach]15842[/attach]
Note: just continue to the site.


[attach]15843[/attach]




Related articles:
[url=http://blog.zhuohua.store/viewthread.php?tid=275&page=1&extra=#pid278]Apache 2.2: domain redirect + hotlink protection + SSL[/url]

[url=http://blog.zhuohua.store/viewthread.php?tid=111&page=1&extra=#pid112]Windows2008R2_UPUPW_AP5.6: user authorisation + client address restriction + SSL[/url]
[url=http://blog.zhuohua.store/viewthread.php?tid=371&page=1&extra=#pid653]Windows2012R2_UPUPW_Nginx: domain redirect + user authentication + access control + SSL[/url]

[url=http://blog.zhuohua.store/viewthread.php?tid=292&page=1&extra=#pid295]Nginx name-based virtual hosts / domain redirect / access control / hotlink protection / SSL[/url]
[url=http://blog.zhuohua.store/viewthread.php?tid=344&page=1&extra=#pid421]Configuring resource hotlink protection in the Nginx version of Website Safedog[/url]
