Apache 2.4: name-based virtual hosts + user authorization restrictions + client address restrictions
Note: this was done on top of the LNMP one-click install package (lamp_CentOS6.9).
Name-based virtual hosts, each on a different port number:
The Apache 2.4 main configuration file must contain the following lines:
[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'IncludeOptional'
IncludeOptional conf/vhost/*.conf
[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'Listen' |grep -v "^#"
Listen 80
Listen 81
Listen 82
Apache configuration file for the site zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/zhuohua.store.conf
# uses TCP port 81 (Apache does not allow a comment on the same line as a directive, so it goes on its own line)
<VirtualHost *:81>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/zhuohua.store"
ServerName zhuohua.store
ServerAlias www.zhuohua.store ww.zhuohua.store
#ErrorLog "/home/wwwlogs/-error_log"
#CustomLog "/home/wwwlogs/-access_log" combined
<Directory "/www/zhuohua.store">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
DirectoryIndex index.html index.php
</Directory>
</VirtualHost>
Apache configuration file for the site bbs.zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
# uses TCP port 82
<VirtualHost *:82>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/bbs.zhuohua.store"
ServerName bbs.zhuohua.store
ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
<Directory "/www/bbs.zhuohua.store">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
DirectoryIndex index.html index.php
</Directory>
</VirtualHost>
Restart Apache:
[root@localhost ~]# service httpd restart
restart apache... done
Edit the firewall configuration file to open TCP ports 81 and 82:
[root@localhost ~]# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Jun 25 01:55:34 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:156]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 82 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 25 01:55:34 2020
[root@localhost ~]# service iptables restart
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:清除防火墙规则:[确定]
iptables:正在卸载模块:[确定]
iptables:应用防火墙规则:[确定]
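A VirtualHost on a port that httpd never binds (no matching Listen) or that the firewall still rejects is the usual reason a new site "does not answer" after the steps above. The following POSIX sh check is an added illustration, not part of the original post or of the LNMP package: it pulls the ports out of the three files edited above and reports every mismatch. The three variables are constructed stand-ins for httpd.conf, the conf/vhost/*.conf files and /etc/sysconfig/iptables, with port 82 deliberately missing from both the Listen lines and the firewall so the check has something to report; on a real host you would pass the file contents instead, e.g. check_vhost_ports "$(cat /usr/local/apache/conf/httpd.conf)" "$(cat /usr/local/apache/conf/vhost/*.conf)" "$(cat /etc/sysconfig/iptables)".

```shell
#!/bin/sh
# Added example: cross-check VirtualHost ports against Listen and iptables.
# Constructed stand-ins for the three files; port 82 is left out of the
# Listen directives and of the firewall on purpose.
HTTPD_CONF='Listen 80
Listen 81
#Listen 82
IncludeOptional conf/vhost/*.conf'

VHOST_CONFS='<VirtualHost *:81>
ServerName zhuohua.store
</VirtualHost>
<VirtualHost *:82>
ServerName bbs.zhuohua.store
</VirtualHost>'

IPTABLES_RULES='-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Ports from active (uncommented) Listen directives; "Listen 1.2.3.4:80" -> 80.
listen_ports() {
    printf '%s\n' "$1" | awk '$1 == "Listen" { sub(/.*:/, "", $2); print $2 }'
}

# Ports named in <VirtualHost ...> openers; handles "*:81" and "1.2.3.4:81 *:82".
vhost_ports() {
    printf '%s\n' "$1" | awk '$1 == "<VirtualHost" {
        for (i = 2; i <= NF; i++) { p = $i; sub(/>$/, "", p); sub(/.*:/, "", p); print p }
    }'
}

# TCP destination ports the INPUT chain explicitly ACCEPTs.
accepted_tcp_ports() {
    printf '%s\n' "$1" | awk '/^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
        for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
    }'
}

# Print one line per problem; return 0 when every vhost port is both listened
# on and reachable through the firewall, 1 otherwise.
# $1 = httpd.conf text, $2 = vhost config text, $3 = iptables-save text.
check_vhost_ports() {
    rc=0
    for p in $(vhost_ports "$2" | sort -u); do
        if ! listen_ports "$1" | grep -qx "$p"; then
            echo "port $p: VirtualHost defined but no 'Listen $p' in httpd.conf"
            rc=1
        fi
        if ! accepted_tcp_ports "$3" | grep -qx "$p"; then
            echo "port $p: no iptables ACCEPT rule for tcp/$p"
            rc=1
        fi
    done
    return $rc
}

check_vhost_ports "$HTTPD_CONF" "$VHOST_CONFS" "$IPTABLES_RULES" ||
    echo "fix the problems above before 'service httpd restart'"
```

Run it before the restart; a non-zero exit status means at least one vhost would be unreachable. The check reads the saved iptables file, so it reflects what `service iptables restart` will load, not the rules currently in the kernel.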
Create a test page for each of the two sites:
[root@localhost ~]# echo '111' > /www/zhuohua.store/111.html
[root@localhost ~]# echo '222' > /www/bbs.zhuohua.store/222.html
Test remotely from a client:
http://zhuohua.store:81/111.html
http://bbs.zhuohua.store:82/222.html
View the access log of the site bbs.zhuohua.store (it records each client request together with its status code; the 403 on "/" in the first line is explained by the error log that follows):
[root@localhost ~]# cat /home/wwwlogs/bbs.zhuohua.store-access_log
192.168.168.28 - - [25/Jun/2020:02:14:52 +0800] "GET / HTTP/1.1" 403 274 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.28 - - [25/Jun/2020:02:39:00 +0800] "GET /222.html HTTP/1.1" 200 4 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.28 - - [25/Jun/2020:02:39:00 +0800] "GET /favicon.ico HTTP/1.1" 404 276 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
View the error log of the site bbs.zhuohua.store (it records the reason behind failed client requests):
[root@localhost ~]# cat /home/wwwlogs/bbs.zhuohua.store-error_log
[Thu Jun 25 02:14:52.634622 2020] [autoindex:error] [pid 2247] [client 192.168.168.28:1171] AH01276: Cannot serve directory /www/bbs.zhuohua.store/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive
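The access log is the first place to look when a virtual host, an Allow/Deny rule or a password prompt behaves unexpectedly: 401 means the Basic authentication of the later sections was required or failed, 403 means the request was refused (no index file with directory listing off, as above, or an address restriction), 404 means the path does not exist. The following POSIX sh helpers are an added illustration, not part of the original post, and summarise "combined"-format log lines per client. The sample log is constructed: its first three lines copy the page's entries, the 192.168.168.40 lines and the curl user agent are made up.

```shell
#!/bin/sh
# Added example: summarise an Apache "combined" access log per client.
# Constructed sample in the same format as bbs.zhuohua.store-access_log.
SAMPLE_LOG='192.168.168.28 - - [25/Jun/2020:02:14:52 +0800] "GET / HTTP/1.1" 403 274 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.28 - - [25/Jun/2020:02:39:00 +0800] "GET /222.html HTTP/1.1" 200 4 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.28 - - [25/Jun/2020:02:39:00 +0800] "GET /favicon.ico HTTP/1.1" 404 276 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.40 - - [25/Jun/2020:03:01:10 +0800] "GET /webadmin/ HTTP/1.1" 401 381 "-" "curl/7.29.0"
192.168.168.40 - - [25/Jun/2020:03:01:11 +0800] "GET /webadmin/ HTTP/1.1" 401 381 "-" "curl/7.29.0"
192.168.168.40 happy - [25/Jun/2020:03:01:12 +0800] "GET /webadmin/ HTTP/1.1" 200 18 "-" "curl/7.29.0"'

# In the combined format the fields are: client, ident, user, [time, zone],
# "method, path, protocol", status, bytes, "referer", "user-agent".
# Status is therefore always field 9, even when field 3 holds a user name.

# Print "status count" lines for the client address in $1; log text on stdin.
status_summary_for() {
    awk -v ip="$1" '$1 == ip { n[$9]++ } END { for (s in n) print s, n[s] }' | sort
}

# Clients with at least $1 responses of 401 (authentication required/failed)
# or 403 (forbidden by Options, Allow/Deny or Require); log text on stdin.
access_denied_clients() {
    awk -v thr="$1" '$9 == 401 || $9 == 403 { f[$1]++ }
        END { for (c in f) if (f[c] >= thr) print c, f[c] }' | sort
}

# Paths that returned 404, most frequent first; log text on stdin.
missing_paths() {
    awk '$9 == 404 { print $7 }' | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | status_summary_for 192.168.168.28
printf '%s\n' "$SAMPLE_LOG" | access_denied_clients 2
printf '%s\n' "$SAMPLE_LOG" | missing_paths
```

Feed the real file with `cat /home/wwwlogs/bbs.zhuohua.store-access_log | access_denied_clients 10` to list clients that repeatedly hit a password prompt or a forbidden directory. Note that the zhuohua.store vhost above has its ErrorLog and CustomLog commented out, so requests to that site fall into the server-wide log instead of a per-site file.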
############
Default site, using a custom port number:
The Apache 2.4 main configuration file must contain the following line:
[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'httpd-vhosts.conf'
Include conf/extra/httpd-vhosts.conf
[root@localhost ~]# cat /usr/local/apache/conf/extra/httpd-vhosts.conf |grep -v "^#"
# uses TCP port 82
<VirtualHost *:82>
ServerAdmin webmaster@example.com
DocumentRoot "/home/wwwroot/default"
ServerName www.lnmp.org
ErrorLog "/home/wwwlogs/IP-error_log"
CustomLog "/home/wwwlogs/IP-access_log" combined
<Directory "/home/wwwroot/default">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
DirectoryIndex index.html index.php
</Directory>
</VirtualHost>
Restart Apache:
[root@localhost ~]# service httpd restart
restart apache... done
Test remotely from a client:
http://192.168.168.130:82/phpinfo.php
############
############
User authorization restrictions (setting access permissions on site directories)
This involves two steps, authentication and authorization: authentication identifies who the user is, and authorization allows particular users to access particular directory areas.
## Goal: a username and password must be verified before a page inside a specific site directory can be viewed.
Create an admin directory and an admin index page for each site:
mkdir -p /www/zhuohua.store/webadmin
mkdir -p /www/bbs.zhuohua.store/webadmin
cd /www/
echo 'zhuohua.store-admin' > zhuohua.store/webadmin/index.htm
echo 'bbs.zhuohua.store-admin' > bbs.zhuohua.store/webadmin/index.htm
For each site's admin directory, create a user together with that user's authentication data file and password:
First confirm that the htpasswd command is installed:
[root@localhost ~]# find / -name htpasswd
/usr/local/apache/bin/htpasswd
[root@localhost ~]# /usr/local/apache/bin/htpasswd -bc /usr/local/apache/conf/zhuohua_auth1 zhuohua 111
Adding password for user zhuohua
Notes:
/usr/local/apache/conf/zhuohua_auth1 is the authentication data file
zhuohua is the username
111 is the user's password
Remarks:
This command can also change a user's password (run it without -c in that case, since -c creates the file from scratch and discards existing users).
The authentication data file can also be created on another server and copied over.
[root@localhost ~]# /usr/local/apache/bin/htpasswd -bc /usr/local/apache/conf/zhuohua_auth2 happy 222
Adding password for user happy
The generated user authentication data file (the password is stored as a hash, not in clear text):
[root@localhost ~]# cat /usr/local/apache/conf/zhuohua_auth1
zhuohua:$apr1$v6dA32JA$J7/cBlqFz7ei8bLtLV.eq/
[root@localhost ~]# cat /usr/local/apache/conf/zhuohua_auth2
happy:$apr1$ro/NNRKq$tP60FEV3m0UojJP4N0AAF.
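The $apr1$ prefix shows these entries use htpasswd's default MD5-based scheme; htpasswd in Apache 2.4 can also write bcrypt (-B), unsalted SHA-1 (-s) and traditional crypt (-d, which silently truncates passwords to 8 characters). Two further points matter for the file itself: with -b the password is visible on the command line (process list, shell history), so interactive prompting is preferable, and the file belongs outside DocumentRoot (as here, in conf/) and should not be world-readable. The following POSIX sh audit is an added illustration, not part of the original post or of httpd: it classifies each entry's hash scheme, lists users whose hash should be regenerated, and checks the file mode. The sample file is constructed; its first two lines copy the page's zhuohua_auth1/zhuohua_auth2 entries and the remaining three (legacy, olduser, admin) are made up.

```shell
#!/bin/sh
# Added example: audit an htpasswd file for weak hash schemes and loose permissions.
# Constructed sample: first two entries from the page, the rest made up.
SAMPLE_HTPASSWD='zhuohua:$apr1$v6dA32JA$J7/cBlqFz7ei8bLtLV.eq/
happy:$apr1$ro/NNRKq$tP60FEV3m0UojJP4N0AAF.
legacy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
olduser:abJnggxhB/yWI
admin:$2y$05$abcdefghijklmnopqrstuuVeKvIcVqWsdEIJ.RTqSz7IstyQXzJX2'

# Print "user scheme" for each entry; htpasswd file on stdin.
htpasswd_schemes() {
    awk -F: '/^[^#]/ && NF >= 2 {
        h = $2
        if (substr(h, 1, 6) == "$apr1$")      s = "apr1-md5"  # htpasswd default (-m)
        else if (h ~ /^\$2[aby]\$/)           s = "bcrypt"    # htpasswd -B
        else if (substr(h, 1, 5) == "{SHA}")  s = "sha1"      # htpasswd -s, unsalted
        else if (length(h) == 13)             s = "crypt"     # htpasswd -d, 8-char limit
        else                                  s = "unknown"
        print $1, s
    }'
}

# Users whose hash should be regenerated (crypt, unsalted SHA-1, or unrecognised).
htpasswd_weak_users() {
    htpasswd_schemes | awk '$2 == "crypt" || $2 == "sha1" || $2 == "unknown" { print $1 }'
}

# Return 0 if the file in $1 is readable by "other". The httpd worker user needs
# read access to the file; nobody else does.
htpasswd_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

printf '%s\n' "$SAMPLE_HTPASSWD" | htpasswd_schemes
echo "users to re-hash:"
printf '%s\n' "$SAMPLE_HTPASSWD" | htpasswd_weak_users
```

To regenerate a weak entry in place, run htpasswd without -c and with -B, e.g. `/usr/local/apache/bin/htpasswd -B /usr/local/apache/conf/zhuohua_auth1 zhuohua`, and let it prompt for the password; the apr1 entries the page creates are acceptable, bcrypt is simply the stronger choice.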
Add the user authorization configuration to the site zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/zhuohua.store.conf
<VirtualHost *:81>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/zhuohua.store"
ServerName zhuohua.store
ServerAlias www.zhuohua.store ww.zhuohua.store
#ErrorLog "/home/wwwlogs/-error_log"
#CustomLog "/home/wwwlogs/-access_log" combined
<Directory "/www/zhuohua.store">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
# default index files for the document root
DirectoryIndex index.html index.php
</Directory>
# the site's admin directory
<Directory "/www/zhuohua.store/webadmin">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
authname "Welcome to zhuohua"
authtype basic
authuserfile /usr/local/apache/conf/zhuohua_auth1
require valid-user
# default index file for the subdirectory
DirectoryIndex index.htm
</Directory>
</VirtualHost>
Add the user authorization configuration to the site bbs.zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/bbs.zhuohua.store"
ServerName bbs.zhuohua.store
ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
<Directory "/www/bbs.zhuohua.store">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
DirectoryIndex index.html index.php
</Directory>
<Directory "/www/bbs.zhuohua.store/webadmin">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
authname "webadmin directory"
authtype basic
authuserfile /usr/local/apache/conf/zhuohua_auth2
require valid-user
DirectoryIndex index.htm
</Directory>
</VirtualHost>
Restart Apache:
[root@localhost ~]# service httpd restart
restart apache... done
Test remotely from a client:
http://zhuohua.store:81/webadmin/
http://bbs.zhuohua.store:82/webadmin/
############
Apply user authorization restrictions to the default site's subdirectory /home/wwwroot/default/phpmyadmin as well:
[root@localhost ~]# cat /usr/local/apache/conf/extra/httpd-vhosts.conf |grep -v "^#"
<VirtualHost *:82>
ServerAdmin webmaster@example.com
DocumentRoot "/home/wwwroot/default"
ServerName www.lnmp.org
ErrorLog "/home/wwwlogs/IP-error_log"
CustomLog "/home/wwwlogs/IP-access_log" combined
<Directory "/home/wwwroot/default">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
DirectoryIndex index.html index.php
</Directory>
<Directory "/home/wwwroot/default/phpmyadmin">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
authname "Welcome to zhuohua"
authtype basic
authuserfile /usr/local/apache/conf/zhuohua_auth1
require valid-user
# default index file for the subdirectory
DirectoryIndex index.php
</Directory>
</VirtualHost>
Note: the same user authentication data file can be shared by several sites at once.
Restart Apache:
[root@localhost ~]# service httpd restart
restart apache... done
Test remotely from a client:
http://192.168.168.130:82/phpmyadmin/
############
############
Client address restrictions (setting access permissions on certain site directories according to the client's IP address)
Order allow,deny: Allow directives are evaluated first, then Deny; any client IP address not explicitly allowed is denied by default
Order deny,allow: Deny directives are evaluated first, then Allow; any client IP address not explicitly denied is allowed by default
Example 1: allow only clients with the IP addresses 192.168.168.27 and 192.168.168.28 to access the site bbs.zhuohua.store
Client address restriction configuration for the site bbs.zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/bbs.zhuohua.store"
ServerName bbs.zhuohua.store
ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
<Directory "/www/bbs.zhuohua.store">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from 192.168.168.27 192.168.168.28
DirectoryIndex index.html index.php
</Directory>
<Directory "/www/bbs.zhuohua.store/webadmin">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
authname "webadmin directory"
authtype basic
authuserfile /usr/local/apache/conf/zhuohua_auth2
require valid-user
DirectoryIndex index.htm
</Directory>
</VirtualHost>
Restart Apache:
[root@localhost ~]# service httpd restart
restart apache... done
Test:
When a client with an IP address that is not allowed accesses a file in the root directory of bbs.zhuohua.store:
http://bbs.zhuohua.store:82/222.html
This does not affect a client with a non-allowed IP address accessing files in the site's subdirectory, because the more specific <Directory> section for /webadmin carries its own "allow from all", which overrides the restriction inherited from the document root:
http://bbs.zhuohua.store:82/webadmin/
############
Example 2: deny only clients in the IP subnets 192.168.167.0/24 and 192.168.168.0/24 access to the subdirectory /webadmin of bbs.zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/bbs.zhuohua.store"
ServerName bbs.zhuohua.store
ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
<Directory "/www/bbs.zhuohua.store">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from 192.168.168.27 192.168.168.28
DirectoryIndex index.html index.php
</Directory>
<Directory "/www/bbs.zhuohua.store/webadmin">
Options Indexes FollowSymLinks
AllowOverride All
Order deny,allow
Deny from 192.168.167.0/24 192.168.168.0/24
authname "webadmin directory"
authtype basic
authuserfile /usr/local/apache/conf/zhuohua_auth2
require valid-user
DirectoryIndex index.htm
</Directory>
</VirtualHost>
Restart Apache:
[root@localhost ~]# service httpd restart
restart apache... done
Test:
When a client in a denied IP subnet accesses a file in the subdirectory /webadmin of bbs.zhuohua.store:
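Order/Allow/Deny are the Apache 2.2 directives; in 2.4 they come from mod_access_compat (which the LNMP build loads, otherwise the configs above would fail with "Invalid command 'Order'"), and the native 2.4 form is "Require ip 192.168.168.27 192.168.168.28" for Example 1 and a <RequireAll> block with "Require all granted" plus "Require not ip 192.168.167.0/24 192.168.168.0/24" for Example 2. Because the rules are easy to get backwards, the following POSIX sh emulation of the two Order modes is added here as an illustration; it is not part of the original post or of httpd. It applies the semantics stated above (Allow evaluated before Deny with a default of deny, or the reverse) to a client address and reproduces both examples: with Example 2's configuration, 192.168.168.28 is allowed at the document root but refused at /webadmin, while an address outside both subnets, such as 10.0.0.5, is refused at the root yet reaches the /webadmin password prompt. The helper handles "all", bare addresses and a.b.c.d/nn prefixes; the partial-address form ("192.168.168") that mod_access_compat also accepts is left out.

```shell
#!/bin/sh
# Added example: emulate the Order / Allow / Deny decision of mod_access_compat
# for a client address, using the two configurations from the examples above.

# Dotted IPv4 address -> 32-bit integer (printed as a plain integer).
ip2int() {
    printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

# Return 0 when address $1 matches pattern $2: "all", a bare address, or a.b.c.d/nn.
ip_matches() {
    case $2 in
        all) return 0 ;;
        */*)
            net=${2%/*}; bits=${2#*/}
            printf '%s %s %s\n' "$(ip2int "$1")" "$(ip2int "$net")" "$bits" |
                awk '{ d = 2 ^ (32 - $3); exit !(int($1 / d) == int($2 / d)) }'
            ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# $1 = "allow,deny" or "deny,allow"; $2 = "Allow from" list; $3 = "Deny from" list;
# $4 = client address. Prints "allowed" or "denied".
order_decision() {
    allowed=no; denied=no
    for pat in $2; do if ip_matches "$4" "$pat"; then allowed=yes; fi; done
    for pat in $3; do if ip_matches "$4" "$pat"; then denied=yes; fi; done
    case $1 in
        allow,deny)  # default deny: the client must match Allow and not match Deny
            if [ "$allowed" = yes ] && [ "$denied" = no ]; then echo allowed; else echo denied; fi ;;
        deny,allow)  # default allow: refused only if it matches Deny and not Allow
            if [ "$denied" = yes ] && [ "$allowed" = no ]; then echo denied; else echo allowed; fi ;;
        *) echo "unsupported Order value: $1" >&2; return 2 ;;
    esac
}

# Example 1: the document root admits two addresses; /webadmin admits everyone.
example1_root()     { order_decision allow,deny "192.168.168.27 192.168.168.28" "" "$1"; }
example1_webadmin() { order_decision allow,deny "all" "" "$1"; }
# Example 2: /webadmin refuses two /24 subnets and admits everyone else
# (Basic authentication is still required after this check passes).
example2_webadmin() { order_decision deny,allow "" "192.168.167.0/24 192.168.168.0/24" "$1"; }

for ip in 192.168.168.28 192.168.168.40 10.0.0.5; do
    echo "$ip: root=$(example1_root "$ip") ex1-webadmin=$(example1_webadmin "$ip") ex2-webadmin=$(example2_webadmin "$ip")"
done
```

The address check and the password check are independent gates: in Example 2 a client inside the denied subnets never sees the login prompt (403), whereas a client outside them is asked for credentials (401) and only then served. Per-directory sections are merged shortest path first, so a subdirectory's own Order/Allow/Deny replaces the parent's, which is why Example 1's root restriction does not reach /webadmin.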