
Title: Apache 2.4 name-based virtual hosts + user authorization restriction + client address restriction

Author: admin    Posted: 2020-2-9 21:02     Title: Apache 2.4 name-based virtual hosts + user authorization restriction + client address restriction

Note: this was done on top of the LNMP one-click installer (lamp_CentOS6.9).

Name-based virtual hosts, each on its own port number:

Apache 2.4's main configuration file must contain the following:

[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'IncludeOptional'
IncludeOptional conf/vhost/*.conf
[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'Listen' |grep -v "^#"
Listen 80
Listen 81
Listen 82

Apache configuration file for the site zhuohua.store:

[root@localhost ~]# cat /usr/local/apache/conf/vhost/zhuohua.store.conf
# uses TCP port 81
<VirtualHost *:81>
    ServerAdmin webmaster@example.com
    php_admin_value open_basedir "/www/zhuohua.store:/tmp/:/var/tmp/:/proc/"
    DocumentRoot "/www/zhuohua.store"
    ServerName zhuohua.store
    ServerAlias www.zhuohua.store ww.zhuohua.store
    #ErrorLog "/home/wwwlogs/-error_log"
    #CustomLog "/home/wwwlogs/-access_log" combined
    <Directory "/www/zhuohua.store">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        DirectoryIndex index.html index.php
    </Directory>
</VirtualHost>

Apache configuration file for the site bbs.zhuohua.store:

[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
# uses TCP port 82
<VirtualHost *:82>
    ServerAdmin webmaster@example.com
    php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
    DocumentRoot "/www/bbs.zhuohua.store"
    ServerName bbs.zhuohua.store
    ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
    CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
    <Directory "/www/bbs.zhuohua.store">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        DirectoryIndex index.html index.php
    </Directory>
</VirtualHost>

Restart Apache:

[root@localhost ~]# service httpd restart
restart apache... done

Edit the firewall configuration file and open TCP ports 81 and 82:

[root@localhost ~]# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Jun 25 01:55:34 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:156]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 82 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 25 01:55:34 2020
[root@localhost ~]# service iptables restart
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:清除防火墙规则:[确定]
iptables:正在卸载模块:[确定]
iptables:应用防火墙规则:[确定]

Create a test page for each of the two sites:

[root@localhost ~]# echo '111' > /www/zhuohua.store/111.html
[root@localhost ~]# echo '222' > /www/bbs.zhuohua.store/222.html

Remote test from a client:

http://zhuohua.store:81/111.html  [screenshot: 图片1.png]
http://bbs.zhuohua.store:82/222.html  [screenshot: 图片2.png]

Check the access log of the site bbs.zhuohua.store (it records each client request together with the status code returned):

[root@localhost ~]# cat /home/wwwlogs/bbs.zhuohua.store-access_log
192.168.168.28 - - [25/Jun/2020:02:14:52 +0800] "GET / HTTP/1.1" 403 274 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.28 - - [25/Jun/2020:02:39:00 +0800] "GET /222.html HTTP/1.1" 200 4 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.28 - - [25/Jun/2020:02:39:00 +0800] "GET /favicon.ico HTTP/1.1" 404 276 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"

Check the error log of the site bbs.zhuohua.store (it records the errors behind failed client requests):

[root@localhost ~]# cat /home/wwwlogs/bbs.zhuohua.store-error_log
[Thu Jun 25 02:14:52.634622 2020] [autoindex:error] [pid 2247] [client 192.168.168.28:1171] AH01276: Cannot serve directory /www/bbs.zhuohua.store/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive

The 403 for "GET /" in the access log corresponds to this error: the site root has neither index.html nor index.php, and because Indexes is not in Options, Apache refuses to generate a directory listing.

############

Default site, using a custom port number:

Apache 2.4's main configuration file must contain the following:

[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'httpd-vhosts.conf'
Include conf/extra/httpd-vhosts.conf
[root@localhost ~]# cat /usr/local/apache/conf/extra/httpd-vhosts.conf |grep -v "^#"
<VirtualHost *:82>
    ServerAdmin webmaster@example.com
    DocumentRoot "/home/wwwroot/default"
    ServerName www.lnmp.org
    ErrorLog "/home/wwwlogs/IP-error_log"
    CustomLog "/home/wwwlogs/IP-access_log" combined
    <Directory "/home/wwwroot/default">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        DirectoryIndex index.html index.php
    </Directory>
</VirtualHost>

(The default site uses TCP port 82.)

Restart Apache:

[root@localhost ~]# service httpd restart
restart apache... done

Remote test from a client:

http://192.168.168.130:82/phpinfo.php  [screenshot: 图片3.png]

A request made by IP address matches no ServerName, so Apache serves it from the first virtual host defined for port 82; here that is the default site.

############
############

User authorization restriction (setting access permissions on site directories)

This involves two steps: authentication, which is identifying who the user is, and authorization, which is allowing particular users into particular directory areas.

## Goal: before a page inside a specific directory of a site is served, the user must first supply a valid username and password.

Create an admin directory and an admin index file for each site:

mkdir -p /www/zhuohua.store/webadmin
mkdir -p /www/bbs.zhuohua.store/webadmin
cd /www/
echo 'zhuohua.store-admin' > zhuohua.store/webadmin/index.htm
echo 'bbs.zhuohua.store-admin' > bbs.zhuohua.store/webadmin/index.htm

For each site's admin directory, create a user, that user's authentication data file and a password.

First confirm that the htpasswd command is installed:

[root@localhost ~]# find / -name htpasswd
/usr/local/apache/bin/htpasswd
[root@localhost ~]# /usr/local/apache/bin/htpasswd -bc /usr/local/apache/conf/zhuohua_auth1 zhuohua 111
Adding password for user zhuohua

Notes:
/usr/local/apache/conf/zhuohua_auth1 is the authentication data file
zhuohua is the username
111 is the user's password

Remarks: the same command can also change a user's password. The authentication data file can be created on another server and copied over. Keep in mind that -c creates the file and overwrites an existing one, so leave it out when adding a further user to a file that already exists, and that -b takes the password on the command line, where it ends up in the shell history.

[root@localhost ~]# /usr/local/apache/bin/htpasswd -bc /usr/local/apache/conf/zhuohua_auth2 happy 222
Adding password for user happy

The generated user authentication data files (the password is stored as a hash):

[root@localhost ~]# cat /usr/local/apache/conf/zhuohua_auth1
zhuohua:$apr1$v6dA32JA$J7/cBlqFz7ei8bLtLV.eq/
[root@localhost ~]# cat /usr/local/apache/conf/zhuohua_auth2
happy:$apr1$ro/NNRKq$tP60FEV3m0UojJP4N0AAF.

Add the user-authorization configuration to the site zhuohua.store:

[root@localhost ~]# cat /usr/local/apache/conf/vhost/zhuohua.store.conf
<VirtualHost *:81>
    ServerAdmin webmaster@example.com
    php_admin_value open_basedir "/www/zhuohua.store:/tmp/:/var/tmp/:/proc/"
    DocumentRoot "/www/zhuohua.store"
    ServerName zhuohua.store
    ServerAlias www.zhuohua.store ww.zhuohua.store
    #ErrorLog "/home/wwwlogs/-error_log"
    #CustomLog "/home/wwwlogs/-access_log" combined
    <Directory "/www/zhuohua.store">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        # default index file for the site root
        DirectoryIndex index.html index.php
    </Directory>
    # the site's admin directory
    <Directory "/www/zhuohua.store/webadmin">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        AuthName "Welcome to zhuohua"
        AuthType Basic
        AuthUserFile /usr/local/apache/conf/zhuohua_auth1
        Require valid-user
        # default index file for the subdirectory
        DirectoryIndex index.htm
    </Directory>
</VirtualHost>

Add the user-authorization configuration to the site bbs.zhuohua.store:

[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
    ServerAdmin webmaster@example.com
    php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
    DocumentRoot "/www/bbs.zhuohua.store"
    ServerName bbs.zhuohua.store
    ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
    CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
    <Directory "/www/bbs.zhuohua.store">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        DirectoryIndex index.html index.php
    </Directory>
    <Directory "/www/bbs.zhuohua.store/webadmin">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        AuthName "webadmin directory"
        AuthType Basic
        AuthUserFile /usr/local/apache/conf/zhuohua_auth2
        Require valid-user
        DirectoryIndex index.htm
    </Directory>
</VirtualHost>

Restart Apache:

[root@localhost ~]# service httpd restart
restart apache... done

Remote test from a client:

http://zhuohua.store:81/webadmin/  [screenshots: 图片4.png, 图片5.png]
http://bbs.zhuohua.store:82/webadmin/  [screenshots: 图片6.png, 图片7.png]

############

Apply the user authorization restriction to the default site's subdirectory /home/wwwroot/default/phpmyadmin as well:

[root@localhost ~]# cat /usr/local/apache/conf/extra/httpd-vhosts.conf |grep -v "^#"
<VirtualHost *:82>
    ServerAdmin webmaster@example.com
    DocumentRoot "/home/wwwroot/default"
    ServerName www.lnmp.org
    ErrorLog "/home/wwwlogs/IP-error_log"
    CustomLog "/home/wwwlogs/IP-access_log" combined
    <Directory "/home/wwwroot/default">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        DirectoryIndex index.html index.php
    </Directory>
    <Directory "/home/wwwroot/default/phpmyadmin">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        AuthName "Welcome to zhuohua"
        AuthType Basic
        AuthUserFile /usr/local/apache/conf/zhuohua_auth1
        Require valid-user
        DirectoryIndex index.php
    </Directory>
</VirtualHost>

(DirectoryIndex index.php is the default index file for the subdirectory.)

Note: the same user authentication data file can be reused by several sites at once.

Restart Apache:

[root@localhost ~]# service httpd restart
restart apache... done

Remote test from a client:

http://192.168.168.130:82/phpmyadmin/  [screenshots: 图片8.png, 图片9.png, 图片10.png]

############
############

Client address restriction (setting access permissions on certain site directories according to the client's IP address)

Order allow,deny : Allow directives are evaluated first, then Deny; every client IP address that is not explicitly allowed is denied by default.
Order deny,allow : Deny directives are evaluated first, then Allow; every client IP address that is not explicitly denied is allowed by default.

On Apache 2.4 these Order/Allow/Deny directives come from mod_access_compat (the native 2.4 forms are Require all granted, Require ip ... and Require not ip ...); the module must be loaded for them to be accepted, and a nested <Directory> block that sets its own Order replaces the access list of its parent instead of adding to it.

Example one: only allow clients with the IP addresses 192.168.168.27 and 192.168.168.28 to access the site bbs.zhuohua.store.

Client-address-restriction configuration for the site bbs.zhuohua.store:

[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
    ServerAdmin webmaster@example.com
    php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
    DocumentRoot "/www/bbs.zhuohua.store"
    ServerName bbs.zhuohua.store
    ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
    CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
    <Directory "/www/bbs.zhuohua.store">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from 192.168.168.27 192.168.168.28
        DirectoryIndex index.html index.php
    </Directory>
    <Directory "/www/bbs.zhuohua.store/webadmin">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        AuthName "webadmin directory"
        AuthType Basic
        AuthUserFile /usr/local/apache/conf/zhuohua_auth2
        Require valid-user
        DirectoryIndex index.htm
    </Directory>
</VirtualHost>

Restart Apache:

[root@localhost ~]# service httpd restart
restart apache... done

Test:

When a client with an IP address that is not allowed requests a file in the root directory of the site bbs.zhuohua.store:
http://bbs.zhuohua.store:82/222.html  [screenshot: 图片11.png]

But this does not stop a client with a non-allowed IP address from reaching files in the site's subdirectory, because the /webadmin <Directory> block carries its own "Order allow,deny" and "Allow from all", which replace the parent's address list:
http://bbs.zhuohua.store:82/webadmin/  [screenshot: 图片12.png]

############

Example two: deny only clients in the IP ranges 192.168.167.0/24 and 192.168.168.0/24 access to the /webadmin subdirectory of the site bbs.zhuohua.store:

[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
    ServerAdmin webmaster@example.com
    php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
    DocumentRoot "/www/bbs.zhuohua.store"
    ServerName bbs.zhuohua.store
    ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
    CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
    <Directory "/www/bbs.zhuohua.store">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from 192.168.168.27 192.168.168.28
        DirectoryIndex index.html index.php
    </Directory>
    <Directory "/www/bbs.zhuohua.store/webadmin">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order deny,allow
        Deny from 192.168.167.0/24 192.168.168.0/24
        AuthName "webadmin directory"
        AuthType Basic
        AuthUserFile /usr/local/apache/conf/zhuohua_auth2
        Require valid-user
        DirectoryIndex index.htm
    </Directory>
</VirtualHost>

Restart Apache:

[root@localhost ~]# service httpd restart
restart apache... done

Test:

When a client from one of the denied IP ranges requests a file in the /webadmin subdirectory of the site bbs.zhuohua.store:
[screenshot: 图片13.png]

Related articles:
Apache 2.2 name-based virtual hosts + user authorization restriction + client address restriction
CentOS8_Apache2.4 name-based virtual hosts + proxy virtual hosts
Nginx user authentication
CentOS6_Tomcat name-based virtual hosts
Windows2008R2_UPUPW_AP5.6 user authorization restriction + client address restriction + SSL
Windows2012R2_UPUPW_Nginx domain redirect + user authentication + access control + SSL
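As an added example (not code from the original post), the following Python models how Apache evaluates Order/Allow/Deny for a request and why the nested /webadmin <Directory> block in example one lets unlisted clients through while example two shuts them out. The directory rules are transcribed from the two bbs.zhuohua.store examples above; the client addresses 10.0.0.5 and 192.168.167.9 used in the checks are constructed.

```python
# Added example, not code from the original post: models Apache Order/Allow/Deny.
import ipaddress
import posixpath
from dataclasses import dataclass, field

@dataclass
class Directory:
    path: str                 # filesystem path of the <Directory> block
    order: str                # "allow,deny" or "deny,allow"
    allow: list = field(default_factory=list)   # "all", an IP, or a CIDR
    deny: list = field(default_factory=list)
    require_valid_user: bool = False

def host_allowed(d: Directory, client_ip: str) -> bool:
    """Apply Apache's Order semantics to one Directory block."""
    ip = ipaddress.ip_address(client_ip)
    hit = lambda pats: any(p == "all" or ip in ipaddress.ip_network(p, strict=False)
                           for p in pats)
    allowed, denied = hit(d.allow), hit(d.deny)
    if d.order == "allow,deny":   # default deny: must be allowed and not denied
        return allowed and not denied
    return allowed or not denied  # deny,allow: default allow unless denied and not re-allowed

def effective_directory(dirs, docroot: str, url_path: str) -> Directory:
    """Longest <Directory> path containing the requested file wins; its
    Order/Allow/Deny settings are not merged with those of a parent block."""
    fs_path = posixpath.normpath(posixpath.join(docroot, url_path.lstrip("/")))
    matches = [d for d in dirs
               if fs_path == d.path or fs_path.startswith(d.path.rstrip("/") + "/")]
    return max(matches, key=lambda d: len(d.path))

def decide(dirs, docroot, client_ip, url_path, authenticated=False) -> int:
    """Status Apache would return: 403 (host denied), 401 (login needed) or 200."""
    d = effective_directory(dirs, docroot, url_path)
    if not host_allowed(d, client_ip):
        return 403
    if d.require_valid_user and not authenticated:
        return 401
    return 200

# Transcribed from the post's example one: only .27/.28 may reach the site root,
# but /webadmin re-opens host access to everyone and relies on the password file.
DOCROOT = "/www/bbs.zhuohua.store"
EXAMPLE_ONE = [
    Directory(DOCROOT, "allow,deny", allow=["192.168.168.27", "192.168.168.28"]),
    Directory(DOCROOT + "/webadmin", "allow,deny", allow=["all"], require_valid_user=True),
]
# Example two: /webadmin is closed to both /24 ranges and open (after login) to the rest.
EXAMPLE_TWO = [EXAMPLE_ONE[0], Directory(DOCROOT + "/webadmin", "deny,allow",
               deny=["192.168.167.0/24", "192.168.168.0/24"], require_valid_user=True)]
```

decide(EXAMPLE_ONE, DOCROOT, "10.0.0.5", "/webadmin/") returns 401 rather than 403, which is the behaviour screenshot 图片12.png shows: the parent's address list never applied to /webadmin.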

Welcome to blog.zhuohua.store (http://blog.zhuohua.store/) Powered by Discuz! 7.2