
Title: Apache 2.2 domain redirect + hotlink protection + SSL

Author: admin    Time: 2020-1-10 14:55     Title: Apache 2.2 domain redirect + hotlink protection + SSL

Note: this is done on top of an existing Apache2.2+MySQL5.6+PHP5.6+phpMyAdmin+GLPI setup.

Domain redirect:
Requests to ww.zhuohua.store and zhuohua.store are automatically redirected to http://www.zhuohua.store

Edit Apache's main configuration file:
[root@localhost ~]# vi /etc/httpd/conf/httpd.conf

Append at the end of the file:
(The following directive is needed only once; do not add it a second time.)
NameVirtualHost *:80

#Add a name-based virtual host, www.zhuohua.store
<VirtualHost *:80>
DocumentRoot /var/www/html/www.zhuohua.store
ServerName www.zhuohua.store
ServerAlias ww.zhuohua.store zhuohua.store
###Domain redirect code:
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.zhuohua\.store$
RewriteRule ^/(.*)$ http://www.zhuohua.store/$1 [R=301,L]
###Domain redirect code
DirectoryIndex index.html index.htm index.php
ErrorLog logs/www.zhuohua.store-error_log
CustomLog logs/www.zhuohua.store-access_log combined
<Directory "/var/www/html/www.zhuohua.store">
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

See figure: 图片1.png

######
Create the site's document directory and index page:
cd /var/www/html/
mkdir -p www.zhuohua.store
echo 'www.zhuohua.store' > ./www.zhuohua.store/index.html

Restart Apache:
[root@localhost ~]# service httpd restart
停止 httpd:[确定]
正在启动 httpd:[确定]

Test from a Windows client with a browser. If no DNS server resolves the domain names, they can be bound in the hosts file:
C:\WINDOWS\system32\drivers\etc\hosts
See figure: 图片2.png

Remember to set the permissions on the hosts file:
See figure: 图片3.png

Entering any one of the following three URLs gives the same result:
http://www.zhuohua.store
http://ww.zhuohua.store
http://zhuohua.store
See figure: 图片4.png

############
############
Apache hotlink protection:

Edit Apache's main configuration file:
[root@localhost ~]# vi /etc/httpd/conf/httpd.conf

Add the hotlink protection configuration:
SetEnvIfNoCase Referer "http://www.zhuohua.store" local_ref
SetEnvIfNoCase Referer "http://www.baidu.com" local_ref
SetEnvIfNoCase Referer "http://baidu.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(gif|jpg|png|jpeg|flv|swf|rar|zip)">
Order allow,deny
Allow from env=local_ref
</FilesMatch>

See figure: 图片5.png

Notes:
http://www.zhuohua.store, http://baidu.com and http://www.baidu.com form the whitelist of site domains that are allowed to link to the files;
gif|jpg|png|jpeg|flv|swf|rar|zip are the file types covered by hotlink protection and can be customized.

Restart Apache:
[root@localhost ~]# service httpd restart
停止 httpd:[确定]
正在启动 httpd:[确定]

Remember to create the test files:
[root@localhost ~]# echo '111' > /var/www/html/www.zhuohua.store/1.gif
[root@localhost ~]# echo '222' > /var/www/html/www.zhuohua.store/2.doc

Hotlink protection test:

Files of the specified types referenced from an allowed site domain are served normally:
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.zhuohua.store/1.gif" www.zhuohua.store/1.gif
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 21:41:53 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Jul 2018 21:40:37 GMT
ETag: "1c0644-4-5703347ff4042"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: image/gif

[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.baidu.com/1.gif" www.zhuohua.store/1.gif
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 21:42:55 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Jul 2018 21:40:37 GMT
ETag: "1c0644-4-5703347ff4042"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: image/gif

[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://baidu.com/1.gif" www.zhuohua.store/1.gif
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 21:43:18 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Jul 2018 21:40:37 GMT
ETag: "1c0644-4-5703347ff4042"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: image/gif

Files of the specified types referenced from a site domain that is not allowed are refused:
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.aaa.com/1.gif" www.zhuohua.store/1.gif
HTTP/1.1 403 Forbidden
Date: Wed, 04 Jul 2018 21:44:08 GMT
Server: Apache/2.2.15 (CentOS)
Connection: close
Content-Type: text/html; charset=iso-8859-1

Because the doc file type is not restricted, doc files get no hotlink protection:
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.baidu.com/2.doc" www.zhuohua.store/2.doc
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 21:45:01 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Jul 2018 21:40:43 GMT
ETag: "1c0645-4-57033485de2d3"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: application/msword

[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.aaa.com/2.doc" www.zhuohua.store/2.doc
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 21:45:29 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Jul 2018 21:40:43 GMT
ETag: "1c0645-4-57033485de2d3"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: application/msword
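
The Referer patterns in the hotlink configuration are unanchored regular expressions, so they match anywhere in the header value. The script below is an added example, not part of the original post: it emulates that matching with grep over constructed Referer values and compares it with anchored patterns. The STRICT patterns and the sample Referers are assumptions of this example.

```shell
#!/bin/sh
# Emulates how SetEnvIfNoCase tests the Referer header: a case-insensitive
# regex search that is unanchored unless the pattern anchors itself.

# Patterns exactly as in the httpd.conf from the post (one per line).
LOOSE='http://www.zhuohua.store
http://www.baidu.com
http://baidu.com
^$'

# Hardened variants (assumption of this example): anchored at the start,
# dots escaped, host name terminated by "/", ":" or end of string.
# "https?" keeps them valid once the site is served over SSL.
STRICT='^https?://www\.zhuohua\.store([/:]|$)
^https?://(www\.)?baidu\.com([/:]|$)
^$'

# referer_allowed <loose|strict> <referer>: prints "allow" or "deny"
referer_allowed() {
    case $1 in
        strict) patterns=$STRICT ;;
        *)      patterns=$LOOSE ;;
    esac
    # grep treats a newline-separated -e argument as a list of patterns
    if printf '%s\n' "$2" | grep -Eiq -e "$patterns"; then
        echo allow
    else
        echo deny
    fi
}

# Constructed Referer values; the last one stands for a missing header,
# which both sets accept through the "^$" entry.
for r in 'http://www.zhuohua.store/page.html' \
         'http://www.zhuohua.store.example.net/x.html' \
         'http://other.example/?from=http://baidu.com' \
         'http://www.aaa.com/1.gif' \
         ''; do
    printf '%-46s loose=%-5s strict=%s\n' "${r:-(no Referer)}" \
        "$(referer_allowed loose "$r")" "$(referer_allowed strict "$r")"
done
```

To use the anchored form in httpd.conf, put each STRICT pattern in its own SetEnvIfNoCase Referer line in place of the original ones.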
############
############
Apache SSL configuration:

Note: the following generates a self-made SSL certificate pair; both the method and the resulting certificate work for Apache and Nginx alike.

[root@localhost ~]# cd /etc/httpd/conf/
[root@localhost conf]# openssl genrsa -des3 -out tmp.key
Generating RSA private key, 1024 bit long modulus
........++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for tmp.key: #Enter a passphrase of your choice
Verifying - Enter pass phrase for tmp.key: #Enter a passphrase of your choice

Convert tmp.key into zhuohua.key (written without the passphrase):
[root@localhost conf]# openssl rsa -in tmp.key -out zhuohua.key
Enter pass phrase for tmp.key: #Enter a passphrase of your choice
writing RSA key
[root@localhost conf]# rm -rf tmp.key

Generate the CSR file:
[root@localhost conf]# openssl req -new -key zhuohua.key -out zhuohua.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:zhuohua
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[root@localhost conf]#

Generate the CRT certificate file:
[root@localhost conf]# openssl x509 -req -days 365 -in zhuohua.csr -signkey zhuohua.key -out zhuohua.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=zhuohua
Getting Private key

The generated SSL certificate files:
See figure: 图片6.png

Firewall configuration (TCP 443):
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables-save > /etc/sysconfig/iptables

The firewall no longer needs TCP port 80 open:
#Delete only the rule for destination port 80; a bare /80/ pattern would also delete lines that merely contain "80", such as a rule for port 8080
sed -i '/--dport 80 /d' /etc/sysconfig/iptables
service iptables restart

[root@localhost ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Jul 5 05:52:07 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:232]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jul 5 05:52:07 2018

openssl and Apache's SSL module need to be installed:
[root@localhost ~]# yum -y install openssl mod_ssl

Check:
[root@localhost ~]# which openssl
/usr/bin/openssl
[root@localhost ~]# find / -name "*ssl.conf"
/etc/httpd/conf.d/ssl.conf

Edit Apache's main configuration file:
[root@localhost ~]# vi /etc/httpd/conf/httpd.conf

#Change to 443; this directive is needed only once, do not add it a second time
NameVirtualHost *:443
#Change the port of the name-based virtual host to 443
<VirtualHost *:443>

Add the following lines:
SSLEngine on
SSLCertificateFile /etc/httpd/conf/zhuohua.crt
SSLCertificateKeyFile /etc/httpd/conf/zhuohua.key

See figure: 图片7.png

Note: the domain redirect code also needs to be changed.

Restart Apache:
[root@localhost ~]# service httpd restart
停止 httpd:[确定]
正在启动 httpd:[确定]

Test remotely from a client using QQ Browser:
https://www.zhuohua.store/
See figure: 图片8.png

Remark: the warning appears because the certificate is self-made and is not recognized by the browser, but this does not affect access or encryption.

Just choose to continue:
See figures: 图片9.png, 图片10.png

Note: with SSL configured, the domain redirect still works:
https://ww.zhuohua.store/
https://zhuohua.store/
See figure: 图片11.png
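
The transcript above produces a 1024-bit key and a certificate whose Common Name is zhuohua, which is not one of the site's host names. The script below is an added example, not part of the original post: it creates a 2048-bit key and a self-signed certificate that names all three hosts, then checks the result. It assumes OpenSSL 1.1.1 or later (for -addext) and writes into a temporary directory rather than /etc/httpd/conf.

```shell
#!/bin/sh
# Self-signed certificate for the three host names used in the post,
# generated in one step and then verified.

# make_cert <dir>: writes zhuohua.key and zhuohua.crt into <dir>
make_cert() {
    (
        umask 077   # private key readable by its owner only
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj '/CN=www.zhuohua.store' \
            -addext 'subjectAltName=DNS:www.zhuohua.store,DNS:ww.zhuohua.store,DNS:zhuohua.store' \
            -keyout "$1/zhuohua.key" -out "$1/zhuohua.crt" 2>/dev/null
    )
}

# cert_key_bits <crt>: prints the size of the certificate's public key
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# key_matches_cert <key> <crt>: succeeds when both hold the same RSA modulus,
# i.e. SSLCertificateFile and SSLCertificateKeyFile belong together
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# cert_covers_host <crt> <hostname>: succeeds when the certificate is valid
# for the host name, as a browser would require
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

workdir=$(mktemp -d)
if make_cert "$workdir"; then
    echo "key size: $(cert_key_bits "$workdir/zhuohua.crt") bit"
    key_matches_cert "$workdir/zhuohua.key" "$workdir/zhuohua.crt" &&
        echo "key and certificate match"
    for h in www.zhuohua.store ww.zhuohua.store zhuohua.store zhuohua; do
        if cert_covers_host "$workdir/zhuohua.crt" "$h"; then
            echo "$h: covered"
        else
            echo "$h: NOT covered"
        fi
    done
fi
rm -rf "$workdir"
```

The certificate is still self-signed, so the browser warning described above remains; only the key size and the host-name coverage change.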
