
Title: Apache 2.4 domain redirect + hotlink protection + SSL

Author: admin    Time: 2020-2-9 21:22     Title: Apache 2.4 domain redirect + hotlink protection + SSL

Note: everything below is done on top of the LNMP one-click install package (lamp_CentOS6.9).

Domain redirect: requests to www.zhuohua.store and ww.zhuohua.store are both redirected automatically to http://zhuohua.store

The main Apache 2.4 configuration file must contain the following line:

[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'IncludeOptional'
IncludeOptional conf/vhost/*.conf

Edit the Apache configuration file of the site zhuohua.store:

[root@localhost ~]# cat /usr/local/apache/conf/vhost/zhuohua.store.conf

Insert the following:

RewriteEngine on
RewriteCond %{HTTP_HOST} !^zhuohua.store$
RewriteRule ^/(.*)$ http://zhuohua.store/$1 [R=301,L]

As shown in 图片1.png.

Restart Apache:

[root@localhost ~]# service httpd restart
restart apache... done

Create a test page for the site:

[root@localhost ~]# echo '111' > /www/zhuohua.store/111.html

Remote test from a client (any of the three URLs below gives the same result):

http://www.zhuohua.store/111.html
http://ww.zhuohua.store/111.html
http://zhuohua.store/111.html

See 图片2.png.

############

Apache hotlink protection:

Edit the Apache configuration file of the site zhuohua.store:

[root@localhost ~]# vi /usr/local/apache/conf/vhost/zhuohua.store.conf

Insert the following (the FilesMatch open/close tags were lost in the page extraction and are restored here):

SetEnvIfNoCase Referer "http://zhuohua.store" local_ref
SetEnvIfNoCase Referer "http://baidu.com" local_ref
SetEnvIfNoCase Referer "http://www.baidu.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(gif|jpg|png|jpeg|flv|swf|rar|zip|txt)">
    Order allow,deny
    Allow from env=local_ref
</FilesMatch>

As shown in 图片3.png.

Notes: http://zhuohua.store, http://baidu.com and http://www.baidu.com form the whitelist of site domains that are allowed to link to the files; gif|jpg|png|jpeg|flv|swf|rar|zip|txt is the list of protected file types and can be customised.

Restart Apache:

[root@localhost ~]# service httpd restart
restart apache... done

Remember to create the test files:

[root@localhost ~]# echo '111' > /www/zhuohua.store/1.png
[root@localhost ~]# echo '222' > /www/zhuohua.store/2.doc

Hotlink protection test:

A whitelisted domain referencing a protected file type is served normally:

[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://zhuohua.store/1.png" zhuohua.store/1.png
HTTP/1.1 200 OK
Date: Wed, 24 Jun 2020 18:38:48 GMT
Server: Apache
Last-Modified: Wed, 24 Jun 2020 18:33:22 GMT
ETag: "4-5a8d8b5eaa320"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: image/png

[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://baidu.com/1.png" zhuohua.store/1.png
HTTP/1.1 200 OK
Date: Wed, 24 Jun 2020 18:39:57 GMT
Server: Apache
Last-Modified: Wed, 24 Jun 2020 18:33:22 GMT
ETag: "4-5a8d8b5eaa320"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: image/png

[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.baidu.com/1.png" zhuohua.store/1.png
HTTP/1.1 200 OK
Date: Wed, 24 Jun 2020 18:40:13 GMT
Server: Apache
Last-Modified: Wed, 24 Jun 2020 18:33:22 GMT
ETag: "4-5a8d8b5eaa320"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: image/png

A domain that is not whitelisted referencing a protected file type is refused:

[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.aaa.com/1.png" zhuohua.store/1.png
HTTP/1.1 403 Forbidden
Date: Wed, 24 Jun 2020 18:41:11 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1

Because the doc file type is not restricted, doc files have no hotlink protection:

[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.baidu.com/2.doc" zhuohua.store/2.doc
HTTP/1.1 200 OK
Date: Wed, 24 Jun 2020 18:42:36 GMT
Server: Apache
Last-Modified: Wed, 24 Jun 2020 18:35:05 GMT
ETag: "4-5a8d8bc1213a4"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: application/msword

[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.aaa.com/2.doc" zhuohua.store/2.doc
HTTP/1.1 200 OK
Date: Wed, 24 Jun 2020 18:43:08 GMT
Server: Apache
Last-Modified: Wed, 24 Jun 2020 18:35:05 GMT
ETag: "4-5a8d8bc1213a4"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: application/msword

##############

Configuring SSL in Apache

Note: the following generates a self-made SSL key and certificate pair; both the method and the resulting certificate work the same on Apache and Nginx.

[root@localhost ~]# cd /usr/local/apache/conf/
[root@localhost conf]# openssl genrsa -des3 -out tmp.key
Generating RSA private key, 1024 bit long modulus
........++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:   # enter a passphrase of your choice
Verifying - Enter pass phrase for tmp.key:   # enter the same passphrase again

Convert tmp.key into zhuohua.key (this strips the passphrase):

[root@localhost conf]# openssl rsa -in tmp.key -out zhuohua.key
Enter pass phrase for tmp.key:   # enter the passphrase chosen above
writing RSA key
[root@localhost conf]# rm -rf tmp.key

Generate the CSR file:

[root@localhost conf]# openssl req -new -key zhuohua.key -out zhuohua.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:zhuohua
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[root@localhost conf]#

Generate the CRT certificate file:

[root@localhost conf]# openssl x509 -req -days 365 -in zhuohua.csr -signkey zhuohua.key -out zhuohua.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=zhuohua
Getting Private key

The generated SSL certificate files: see 图片4.png.

Firewall configuration (open TCP port 443):

iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables-save > /etc/sysconfig/iptables

The firewall now no longer needs TCP port 80 open:

sed -i '/80/d' /etc/sysconfig/iptables
service iptables restart

[root@localhost ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Jun 25 03:16:58 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:232]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 25 03:16:58 2020

openssl and Apache's ssl module must be installed (skip this if they are already present):

[root@localhost ~]# which openssl
/usr/bin/openssl
[root@localhost ~]# find / -name "*ssl.conf"
/usr/local/apache/conf/extra/httpd-ssl.conf
/usr/local/apache/conf/original/extra/httpd-ssl.conf

Check the parameters Apache was compiled with:

[root@localhost ~]# find / -name config.nice
/usr/local/apache/build/config.nice
[root@localhost ~]#
[root@localhost ~]# cat /usr/local/apache/build/config.nice
#! /bin/sh
#
# Created by configure

"./configure" \
"--prefix=/usr/local/apache" \
"--enable-mods-shared=most" \
"--enable-headers" \
"--enable-mime-magic" \
"--enable-proxy" \
"--enable-so" \
"--enable-rewrite" \
"--with-ssl" \
"--enable-ssl" \
"--enable-deflate" \
"--with-pcre" \
"--with-included-apr" \
"--with-apr-util" \
"--enable-mpms-shared=all" \
"--with-mpm=prefork" \
"--enable-remoteip" \
"$@"

Edit the Apache configuration file of the site zhuohua.store:

[root@localhost ~]# vi /usr/local/apache/conf/vhost/zhuohua.store.conf

Add at the top of the file:

Listen 443

Change the port in the site's VirtualHost opening tag to 443 (the tag itself was lost in the page extraction and is restored here):

<VirtualHost *:443>

Insert the following:

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/zhuohua.crt
SSLCertificateKeyFile /usr/local/apache/conf/zhuohua.key

As shown in 图片5.png.

Restart Apache:

[root@localhost ~]# service httpd restart
restart apache... done

Remote test from a client using QQ Browser:

https://zhuohua.store/111.html

See 图片6.png.

Note: the warning appears because this certificate is self-made and not trusted by the browser; it does not affect access or encryption. See 图片7.png.

Note: just continue to the site. See 图片8.png.

Related articles:
Apache 2.2 domain redirect + hotlink protection + SSL
Windows2008R2_UPUPW_AP5.6 user authorization restriction + client address restriction + SSL
Windows2012R2_UPUPW_Nginx domain redirection + user authentication + access control + SSL
Nginx name-based virtual hosts / domain redirection / access control / hotlink protection / SSL
Configuring resource hotlink protection in the Nginx edition of Website SafeDog
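As an added example (not code from the original post), the following Python models the domain-redirect rule and the Referer whitelist from the sections above, so the matching semantics of SetEnvIfNoCase can be checked offline; the anchored pattern set and the host zhuohua.store.example.net are assumptions of mine, not from the page.

```python
import re

# Added example, not the page's own code: a small model of the two vhost rules the
# page configures (the 301 host redirect and the Referer whitelist).

# RewriteCond %{HTTP_HOST} !^zhuohua.store$ / RewriteRule ^/(.*)$ http://zhuohua.store/$1 [R=301,L]
CANONICAL_HOST = "zhuohua.store"

def redirect_for(host, path):
    """Return (301, Location) for any Host other than the canonical one, else None."""
    if re.fullmatch(r"zhuohua.store", host):  # page's pattern; '.' left unescaped as written
        return None
    return 301, "http://%s/%s" % (CANONICAL_HOST, path.lstrip("/"))

# SetEnvIfNoCase Referer <regex> local_ref is a case-insensitive, unanchored regex search.
PAGE_REFERER_PATTERNS = [r"http://zhuohua.store", r"http://baidu.com",
                         r"http://www.baidu.com", r"^$"]
# Anchored variant (an assumption added here, not on the page): escaped dots and an
# explicit end of host, so a Referer that merely contains the string no longer qualifies.
ANCHORED_REFERER_PATTERNS = [r"^https?://(www\.)?zhuohua\.store(/|$)",
                             r"^https?://(www\.)?baidu\.com(/|$)", r"^$"]
# <FilesMatch "\.(gif|jpg|png|jpeg|flv|swf|rar|zip|txt)">
PROTECTED = re.compile(r"\.(gif|jpg|png|jpeg|flv|swf|rar|zip|txt)")

def sets_local_ref(referer, patterns):
    """True when any SetEnvIfNoCase rule would set the local_ref variable."""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)

def hotlink_status(path, referer, patterns=PAGE_REFERER_PATTERNS):
    """403 for a protected extension when no rule set local_ref, 200 otherwise
    (.doc is not in FilesMatch, so it is always served, as the page's curl tests show)."""
    if PROTECTED.search(path) and not sets_local_ref(referer, patterns):
        return 403
    return 200

if __name__ == "__main__":
    # Constructed requests mirroring the page's curl tests, plus one Referer from a
    # different host whose URL merely contains the whitelisted string.
    for host in ("www.zhuohua.store", "ww.zhuohua.store", "zhuohua.store"):
        print(host, "->", redirect_for(host, "/111.html"))
    for ref in ("http://zhuohua.store/1.png", "http://www.aaa.com/1.png", "",
                "http://zhuohua.store.example.net/"):
        print(repr(ref), hotlink_status("/1.png", ref),
              hotlink_status("/1.png", ref, ANCHORED_REFERER_PATTERNS))
```

On Apache 2.4 the Order/Allow from directives shown on the page are provided by mod_access_compat; the 2.4-native equivalent inside the FilesMatch block is Require env local_ref.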

Welcome to blog.zhuohua.store (http://blog.zhuohua.store/) Powered by Discuz! 7.2