
Apache 2.4: name-based virtual hosts + user authorization restrictions + client address restrictions

Note: this is done on top of the LNMP one-click install package (lamp_CentOS6.9).


Name-based virtual hosts, each on a different port number:

The Apache 2.4 main configuration file must contain the following:
[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'IncludeOptional'
IncludeOptional conf/vhost/*.conf

[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'Listen' |grep -v "^#"
Listen 80
Listen 81
Listen 82




Apache configuration file for the site zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/zhuohua.store.conf
#uses TCP port 81 (a comment must be on its own line in httpd.conf)
<VirtualHost *:81>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/zhuohua.store"
ServerName zhuohua.store
ServerAlias  www.zhuohua.store ww.zhuohua.store
#ErrorLog "/home/wwwlogs/-error_log"
#CustomLog "/home/wwwlogs/-access_log" combined
<Directory "/www/zhuohua.store">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    DirectoryIndex index.html index.php
</Directory>
</VirtualHost>



Apache configuration file for the site bbs.zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
#uses TCP port 82
<VirtualHost *:82>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/bbs.zhuohua.store"
ServerName bbs.zhuohua.store
ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
<Directory "/www/bbs.zhuohua.store">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    DirectoryIndex index.html index.php
</Directory>
</VirtualHost>


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done



Edit the firewall configuration file and open TCP ports 81 and 82:
[root@localhost ~]# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Jun 25 01:55:34 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:156]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 82 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 25 01:55:34 2020

[root@localhost ~]# service iptables restart
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:清除防火墙规则:[确定]
iptables:正在卸载模块:[确定]
iptables:应用防火墙规则:[确定]



Create a test page for each of the two sites:
[root@localhost ~]# echo '111' > /www/zhuohua.store/111.html
[root@localhost ~]# echo '222' > /www/bbs.zhuohua.store/222.html



Remote test from a client:
http://zhuohua.store:81/111.html
[screenshot: 图片1.png, 2021-3-11 20:08]


http://bbs.zhuohua.store:82/222.html
[screenshot: 图片2.png, 2021-3-11 20:09]




View the access log of site bbs.zhuohua.store (it records the client's successful requests):
[root@localhost ~]# cat /home/wwwlogs/bbs.zhuohua.store-access_log
192.168.168.28 - - [25/Jun/2020:02:14:52 +0800] "GET / HTTP/1.1" 403 274 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.28 - - [25/Jun/2020:02:39:00 +0800] "GET /222.html HTTP/1.1" 200 4 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.28 - - [25/Jun/2020:02:39:00 +0800] "GET /favicon.ico HTTP/1.1" 404 276 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"


View the error log of site bbs.zhuohua.store (it records the errors raised by client requests):
[root@localhost ~]# cat /home/wwwlogs/bbs.zhuohua.store-error_log
[Thu Jun 25 02:14:52.634622 2020] [autoindex:error] [pid 2247] [client 192.168.168.28:1171] AH01276: Cannot serve directory /www/bbs.zhuohua.store/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive
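As an added example that is not part of the original post, the Python script below parses the three access-log lines and the error-log line shown above, counts 401/403 responses per client address, and joins the 403 on `GET /` to the AH01276 error-log entry from the same client in the same second. The log lines are the ones from the post; the two regular expressions assume the stock `combined` LogFormat and the Apache 2.4 default ErrorLogFormat, and `denied_by_client` and `correlate` are names chosen for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines copied from this post (bbs.zhuohua.store access log and error log).
ACCESS_LOG = """\
192.168.168.28 - - [25/Jun/2020:02:14:52 +0800] "GET / HTTP/1.1" 403 274 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.28 - - [25/Jun/2020:02:39:00 +0800] "GET /222.html HTTP/1.1" 200 4 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
192.168.168.28 - - [25/Jun/2020:02:39:00 +0800] "GET /favicon.ico HTTP/1.1" 404 276 "-" "Mozilla/5.0 (Windows NT 6.1; rv:67.0) Gecko/20100101 Firefox/67.0"
"""

ERROR_LOG = """\
[Thu Jun 25 02:14:52.634622 2020] [autoindex:error] [pid 2247] [client 192.168.168.28:1171] AH01276: Cannot serve directory /www/bbs.zhuohua.store/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive
"""

# "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Apache 2.4 default ErrorLogFormat: [time] [module:level] [pid N] [client IP:port] AHxxxxx: message
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] \[pid (?P<pid>\d+)\] '
    r'\[client (?P<client>[^\]]+)\] (?P<code>AH\d+): (?P<message>.*)$'
)


def parse_access(text):
    """Parse combined-format lines; lines that do not match are skipped, not guessed at."""
    rows = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["status"] = int(row["status"])
        row["bytes"] = 0 if row["bytes"] == "-" else int(row["bytes"])
        # %t is local time plus offset; keep the wall-clock value so it can be joined
        # with the error log, which is written in local time without an offset.
        row["when"] = datetime.strptime(row["time"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        rows.append(row)
    return rows


def parse_error(text):
    rows = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["client_ip"] = row["client"].rsplit(":", 1)[0]  # drop the client's source port
        row["when"] = datetime.strptime(row["time"], "%a %b %d %H:%M:%S.%f %Y").replace(microsecond=0)
        rows.append(row)
    return rows


def denied_by_client(access_rows):
    """401/403 responses per client address: the first thing to watch after adding
    Allow/Deny lists or 'require valid-user', both for password guessing and for
    legitimate clients locked out by a typo in an address list."""
    counts = Counter()
    for row in access_rows:
        if row["status"] in (401, 403):
            counts[row["host"]] += 1
    return counts


def correlate(access_rows, error_rows):
    """Join each 403 in the access log to error-log entries from the same client in the
    same second; the access log records only the status, the error log records the reason."""
    by_key = {}
    for err in error_rows:
        by_key.setdefault((err["client_ip"], err["when"]), []).append(err)
    joined = []
    for row in access_rows:
        if row["status"] != 403:
            continue
        for err in by_key.get((row["host"], row["when"]), []):
            joined.append((row["host"], row["path"], row["status"], err["code"]))
    return joined


if __name__ == "__main__":
    access = parse_access(ACCESS_LOG)
    errors = parse_error(ERROR_LOG)
    print("denied per client:", dict(denied_by_client(access)))
    for host, path, status, code in correlate(access, errors):
        print(f"{host} GET {path} -> {status}, reason {code}")
```

On the post's lines the join shows that the 403 on `GET /` was not an access-control denial at all but AH01276, a directory request with no matching DirectoryIndex and `Indexes` disabled; telling those apart matters once Allow/Deny rules are in place, because both produce the same 403 in the access log.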





############

Default site, using a custom port number:

The Apache 2.4 main configuration file must contain the following:
[root@localhost ~]# cat /usr/local/apache/conf/httpd.conf |grep 'httpd-vhosts.conf'
Include conf/extra/httpd-vhosts.conf

[root@localhost ~]# cat /usr/local/apache/conf/extra/httpd-vhosts.conf |grep -v "^#"
#uses TCP port 82
<VirtualHost *:82>
ServerAdmin webmaster@example.com
DocumentRoot "/home/wwwroot/default"
ServerName www.lnmp.org
ErrorLog "/home/wwwlogs/IP-error_log"
CustomLog "/home/wwwlogs/IP-access_log" combined
<Directory "/home/wwwroot/default">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    DirectoryIndex index.html index.php
</Directory>
</VirtualHost>


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done


Remote test from a client:
http://192.168.168.130:82/phpinfo.php
[screenshot: 图片3.png, 2021-3-11 20:11]
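As an added example (not from the post), here is a Python model of how Apache picks a `<VirtualHost>` for a request: it keeps the blocks whose address matches the port the connection arrived on, compares the Host header (port stripped, case-insensitive) against ServerName and then ServerAlias, and falls back to the first block defined for that port when nothing matches. The three blocks are the ones configured above. The order in which they are listed is an assumption: the post does not show whether httpd.conf includes conf/extra/httpd-vhosts.conf or conf/vhost/*.conf first, and that order decides which of the two `*:82` blocks answers a request for an unknown Host, such as the bare IP address used in the test URL.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class VHost:
    source: str            # configuration file the block lives in
    address: str           # the <VirtualHost addr:port> argument
    server_name: str
    aliases: tuple = ()    # ServerAlias entries; Apache allows * and ? wildcards here
    document_root: str = ""


# The three blocks configured in this post. The ORDER is an assumption: the post does not
# show whether httpd.conf pulls in conf/extra/httpd-vhosts.conf or conf/vhost/*.conf first.
VHOSTS = (
    VHost("conf/extra/httpd-vhosts.conf", "*:82", "www.lnmp.org", (), "/home/wwwroot/default"),
    VHost("conf/vhost/bbs.zhuohua.store.conf", "*:82", "bbs.zhuohua.store", (), "/www/bbs.zhuohua.store"),
    VHost("conf/vhost/zhuohua.store.conf", "*:81", "zhuohua.store",
          ("www.zhuohua.store", "ww.zhuohua.store"), "/www/zhuohua.store"),
)


def _host_matches(vhost, host):
    if host == vhost.server_name.lower():
        return True
    return any(fnmatchcase(host, alias.lower()) for alias in vhost.aliases)


def select_vhost(vhosts, port, host_header):
    """Return the VHost that answers a request arriving on `port` with the given Host header,
    or None when no <VirtualHost> is bound to that port (the main server config answers then).
    IPv4 names only: an IPv6 literal in the Host header is not handled here."""
    candidates = [v for v in vhosts if v.address == f"*:{port}"]
    if not candidates:
        return None
    # Host header: drop an optional :port, compare case-insensitively, as Apache does.
    host = host_header.split(":", 1)[0].strip().lower()
    for vhost in candidates:
        if _host_matches(vhost, host):
            return vhost
    # No name matched (bare IP, unknown name, empty Host): the first block defined for this
    # address:port is the default virtual host and serves the request.
    return candidates[0]


if __name__ == "__main__":
    # The three test URLs from the post, plus one unknown name to show the fallback.
    for port, host in ((81, "zhuohua.store:81"), (82, "bbs.zhuohua.store:82"),
                       (82, "192.168.168.130:82"), (82, "unknown.example")):
        chosen = select_vhost(VHOSTS, port, host)
        print(f"port {port}, Host {host!r} -> {chosen.source} ({chosen.document_root})")
```

The fallback is the security-relevant part: anything reaching port 82 with a Host that matches no ServerName or ServerAlias lands in whichever `*:82` block was loaded first, so the block that ends up as the default should be the one you are happy to expose to arbitrary Host values.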















############
############

User authorization restrictions (setting access permissions on site directories)
This involves two steps, authentication and authorization: authentication is the process of identifying the user, and authorization is the process of allowing specific users to access specific directory areas.

## Goal: before a page inside a specific directory of the site can be accessed, a username and password must be verified.

For each site, create an admin (back-end) directory and its index file:
mkdir -p /www/zhuohua.store/webadmin
mkdir -p /www/bbs.zhuohua.store/webadmin

cd /www/
echo 'zhuohua.store-admin' > zhuohua.store/webadmin/index.htm
echo 'bbs.zhuohua.store-admin' > bbs.zhuohua.store/webadmin/index.htm


For each site's admin directory, create a user, that user's authentication data file, and the password:

First confirm that the htpasswd command is installed:
[root@localhost ~]# find / -name htpasswd
/usr/local/apache/bin/htpasswd

[root@localhost ~]# /usr/local/apache/bin/htpasswd -bc /usr/local/apache/conf/zhuohua_auth1 zhuohua 111
Adding password for user zhuohua

Notes:
/usr/local/apache/conf/zhuohua_auth1 is the authentication data file
zhuohua is the username
111 is the user's password

Remarks:
This command can also be used to change a user's password.
The authentication data file can also be created on another server and copied over for use.


[root@localhost ~]# /usr/local/apache/bin/htpasswd -bc /usr/local/apache/conf/zhuohua_auth2 happy 222
Adding password for user happy


The generated user authentication data files (the password is stored as a hash, not in clear text):
[root@localhost ~]# cat /usr/local/apache/conf/zhuohua_auth1
zhuohua:$apr1$v6dA32JA$J7/cBlqFz7ei8bLtLV.eq/

[root@localhost ~]# cat /usr/local/apache/conf/zhuohua_auth2
happy:$apr1$ro/NNRKq$tP60FEV3m0UojJP4N0AAF.
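The `$apr1$` entries above are the APR1 variant of MD5-crypt (salted MD5 with 1000 rounds), the format htpasswd writes by default. The Python below is an added example, not part of the post and not Apache's own code: it reimplements that algorithm so you can see exactly what the file stores and verify a password against an entry without calling htpasswd. The two file lines are the ones shown above; `apr1_hash`, `verify_apr1`, `check_login` and `new_salt` are names chosen for this example. Two practical caveats: `-c` recreates the file, so when adding a second user or changing a password in a file that already has other users run htpasswd without `-c`; and the Apache 2.4 htpasswd can write bcrypt instead (`-B`), which is the better choice for a file that may one day leak.

```python
import hashlib
import hmac
import secrets

# Alphabet used by crypt-style encodings (the "to64" table in apr_md5.c)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Contents of the two files shown in this post
HTPASSWD_FILES = """\
zhuohua:$apr1$v6dA32JA$J7/cBlqFz7ei8bLtLV.eq/
happy:$apr1$ro/NNRKq$tP60FEV3m0UojJP4N0AAF.
"""


def _to64(value, count):
    """Encode the low 6*count bits of value, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt):
    """Return "$apr1$<salt>$<22 chars>" as htpasswd -m would; salt is at most 8 ITOA64 chars."""
    pw = password.encode()
    salt = salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    # MD5(pw + salt + pw), mixed in one password-length's worth of bytes at a time
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # for each bit of len(pw): a zero byte if set, else the first password byte
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 stretching rounds; which inputs go in depends on the round number
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return f"$apr1${salt}${encoded}"


def verify_apr1(password, stored):
    """Check a password against one htpasswd field value (constant-time comparison)."""
    parts = stored.split("$")          # ["", "apr1", salt, hash]
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)


def new_salt():
    """8 random salt characters, as htpasswd generates for a new entry."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def parse_htpasswd(text):
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            user, _, field = line.partition(":")
            users[user] = field
    return users


def check_login(user, password, htpasswd_text=HTPASSWD_FILES):
    """What mod_authn_file does for Basic auth: look the user up, then verify the password."""
    users = parse_htpasswd(htpasswd_text)
    return user in users and verify_apr1(password, users[user])


if __name__ == "__main__":
    print("zhuohua / 111 verifies against the post's entry:", check_login("zhuohua", "111"))
    print("fresh entry for user happy:", "happy:" + apr1_hash("222", new_salt()))
```

Running the block reports whether the password `111` from the post verifies against the `zhuohua` entry shown above, and prints a fresh entry for `happy` with a new random salt; because the salt differs, that entry will not equal the one in the post even though the password is the same, which is why two users with the same password never share a hash.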


Add the user authorization restriction to the configuration of site zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/zhuohua.store.conf
<VirtualHost *:81>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/zhuohua.store"
ServerName zhuohua.store
ServerAlias  www.zhuohua.store ww.zhuohua.store
#ErrorLog "/home/wwwlogs/-error_log"
#CustomLog "/home/wwwlogs/-access_log" combined
<Directory "/www/zhuohua.store">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    #default index files of the root directory
    DirectoryIndex index.html index.php
</Directory>

#the site's admin directory
<Directory "/www/zhuohua.store/webadmin">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    allow from all
        authname "Welcome to zhuohua"
        authtype  basic
        authuserfile  /usr/local/apache/conf/zhuohua_auth1
        require valid-user
        #default index file of the subdirectory
        DirectoryIndex index.htm
</Directory>

</VirtualHost>



Add the user authorization restriction to the configuration of site bbs.zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/bbs.zhuohua.store"
ServerName bbs.zhuohua.store
ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
<Directory "/www/bbs.zhuohua.store">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    DirectoryIndex index.html index.php
</Directory>

<Directory "/www/bbs.zhuohua.store/webadmin">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    allow from all
        authname "webadmin directory"
        authtype  basic
        authuserfile  /usr/local/apache/conf/zhuohua_auth2
        require valid-user
        DirectoryIndex index.htm
</Directory>

</VirtualHost>


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done



Remote test from a client:
http://zhuohua.store:81/webadmin/
[screenshot: 图片4.png, 2021-3-11 20:16]


[screenshot: 图片5.png, 2021-3-11 20:16]



http://bbs.zhuohua.store:82/webadmin/
[screenshot: 图片6.png, 2021-3-11 20:17]


[screenshot: 图片7.png, 2021-3-11 20:17]






############

Apply a user authorization restriction to the subdirectory /home/wwwroot/default/phpmyadmin of the default site as well:
[root@localhost ~]# cat /usr/local/apache/conf/extra/httpd-vhosts.conf |grep -v "^#"
<VirtualHost *:82>
ServerAdmin webmaster@example.com
DocumentRoot "/home/wwwroot/default"
ServerName www.lnmp.org
ErrorLog "/home/wwwlogs/IP-error_log"
CustomLog "/home/wwwlogs/IP-access_log" combined
<Directory "/home/wwwroot/default">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    DirectoryIndex index.html index.php
</Directory>

<Directory "/home/wwwroot/default/phpmyadmin">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    allow from all
        authname "Welcome to zhuohua"
        authtype  basic
        authuserfile  /usr/local/apache/conf/zhuohua_auth1
        require valid-user
        #default index file of the subdirectory
        DirectoryIndex index.php
</Directory>

</VirtualHost>

Note: the same user authentication data file can be reused by different sites at the same time.


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done



Remote test from a client:
http://192.168.168.130:82/phpmyadmin/
[screenshot: 图片8.png, 2021-3-11 20:18]


[screenshot: 图片9.png, 2021-3-11 20:18]


[screenshot: 图片10.png, 2021-3-11 20:18]















############
############

Client address restrictions (set access permissions on certain site directories according to the client's IP address)
Order allow,deny: evaluate Allow first, then Deny; by default, reject any client IP address that is not explicitly allowed
Order deny,allow: evaluate Deny first, then Allow; by default, allow any client IP address that is not explicitly denied

Example one: only allow clients with IP address 192.168.168.27 or 192.168.168.28 to access the site bbs.zhuohua.store

Client address restriction configuration for site bbs.zhuohua.store:
[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/bbs.zhuohua.store"
ServerName bbs.zhuohua.store
ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
<Directory "/www/bbs.zhuohua.store">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from 192.168.168.27 192.168.168.28

    DirectoryIndex index.html index.php
</Directory>

<Directory "/www/bbs.zhuohua.store/webadmin">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    allow from all
        authname "webadmin directory"
        authtype  basic
        authuserfile  /usr/local/apache/conf/zhuohua_auth2
        require valid-user
        DirectoryIndex index.htm
</Directory>

</VirtualHost>


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done



Test:
When a client with an IP address that is not allowed accesses a file in the root directory of site bbs.zhuohua.store:
http://bbs.zhuohua.store:82/222.html
[screenshot: 图片11.png, 2021-3-11 20:20]



But this does not affect a client with a disallowed IP address accessing files in a subdirectory of site bbs.zhuohua.store:
http://bbs.zhuohua.store:82/webadmin/
[screenshot: 图片12.png, 2021-3-11 20:20]






############

Example two: only deny clients in the IP ranges 192.168.167.0/24 and 192.168.168.0/24 access to the subdirectory /webadmin of site bbs.zhuohua.store

[root@localhost ~]# cat /usr/local/apache/conf/vhost/bbs.zhuohua.store.conf
<VirtualHost *:82>
ServerAdmin webmaster@example.com
php_admin_value open_basedir "/www/bbs.zhuohua.store:/tmp/:/var/tmp/:/proc/"
DocumentRoot "/www/bbs.zhuohua.store"
ServerName bbs.zhuohua.store
ErrorLog "/home/wwwlogs/bbs.zhuohua.store-error_log"
CustomLog "/home/wwwlogs/bbs.zhuohua.store-access_log" combined
<Directory "/www/bbs.zhuohua.store">
    SetOutputFilter DEFLATE
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from 192.168.168.27 192.168.168.28
    DirectoryIndex index.html index.php
</Directory>

<Directory "/www/bbs.zhuohua.store/webadmin">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order deny,allow
    Deny from 192.168.167.0/24 192.168.168.0/24

        authname "webadmin directory"
        authtype  basic
        authuserfile  /usr/local/apache/conf/zhuohua_auth2
        require valid-user
        DirectoryIndex index.htm
</Directory>

</VirtualHost>


Restart Apache:
[root@localhost ~]# service httpd restart
restart apache...  done



Test:
When a client from a denied IP range accesses a file in the subdirectory /webadmin of site bbs.zhuohua.store:
[screenshot: 图片13.png, 2021-3-11 20:21]
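As an added example (not from the post), the Python below models how mod_access_compat evaluates `Order`, `Allow from` and `Deny from` for a client address, including the per-directory behaviour that example one demonstrates: the `<Directory>` for `/webadmin` carries its own Allow/Deny list, which replaces rather than narrows the root directory's list, so a client refused `/222.html` still reaches `/webadmin/` and gets the password prompt. Both example configurations above are encoded as rule tables; `DirAccess`, `decide` and the status codes it returns are this example's own names and assumptions. On Apache 2.4 these three directives come from mod_access_compat; the native form is `Require ip 192.168.168.27 192.168.168.28` for example one's root directory and `Require all granted` for the open subdirectory, and in either syntax a subdirectory that should stay restricted has to repeat the address list.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DirAccess:
    path: str                   # the <Directory> argument
    order: str                  # "allow,deny" or "deny,allow"
    allow: tuple = ()           # arguments of "Allow from"
    deny: tuple = ()            # arguments of "Deny from"
    require_user: bool = False  # "require valid-user" present in the same section


def _network(pattern):
    """Allow/Deny arguments handled here: all, a full address, a CIDR, or a partial dotted
    address such as 192.168.168 (which Apache reads as 192.168.168.0/24). Hostnames are not."""
    if "/" in pattern:
        return ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) < 4:
        pattern = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
        return ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_network(pattern)


def _matches(client_ip, patterns):
    ip = ipaddress.ip_address(client_ip)
    return any(p == "all" or ip in _network(p) for p in patterns)


def host_allowed(rule, client_ip):
    allowed = _matches(client_ip, rule.allow)
    denied = _matches(client_ip, rule.deny)
    if rule.order == "allow,deny":
        # Allow list first, Deny list second, default deny:
        # the client must be in Allow and must not be in Deny.
        return allowed and not denied
    if rule.order == "deny,allow":
        # Deny list first, Allow list second, default allow:
        # the client is refused only if it is in Deny and not rescued by Allow.
        return allowed or not denied
    raise ValueError(f"unknown Order: {rule.order}")


def effective_rule(rules, fs_path):
    """The Order/Allow/Deny set that applies is the one from the most specific <Directory>
    that has such directives; a parent's list is replaced, not combined (which is why the
    root restriction in example one does not reach /webadmin)."""
    target = fs_path.rstrip("/") + "/"
    best, best_len = None, -1
    for rule in rules:
        base = rule.path.rstrip("/") + "/"
        if target.startswith(base) and len(base) > best_len:
            best, best_len = rule, len(base)
    return best


def decide(rules, document_root, url_path, client_ip, credentials_ok=False):
    """Status code this model returns: 403 when the host rules refuse the client (or no
    section grants access at all), 401 when the section requires a valid user and the
    request carried none, 200 otherwise. The host check runs before the Basic-auth check."""
    fs_path = document_root.rstrip("/") + "/" + url_path.lstrip("/")
    rule = effective_rule(rules, fs_path)
    if rule is None or not host_allowed(rule, client_ip):
        return 403
    if rule.require_user and not credentials_ok:
        return 401
    return 200


DOCROOT = "/www/bbs.zhuohua.store"

# Example one from the post: root limited to two addresses, /webadmin open to all addresses
# but password-protected.
EXAMPLE_ONE = (
    DirAccess(DOCROOT, "allow,deny", allow=("192.168.168.27", "192.168.168.28")),
    DirAccess(DOCROOT + "/webadmin", "allow,deny", allow=("all",), require_user=True),
)
# Example two: /webadmin refused to two /24 networks, every other address gets the prompt.
EXAMPLE_TWO = (
    DirAccess(DOCROOT, "allow,deny", allow=("192.168.168.27", "192.168.168.28")),
    DirAccess(DOCROOT + "/webadmin", "deny,allow",
              deny=("192.168.167.0/24", "192.168.168.0/24"), require_user=True),
)

if __name__ == "__main__":
    for label, rules in (("example one", EXAMPLE_ONE), ("example two", EXAMPLE_TWO)):
        for path, client in (("/222.html", "192.168.168.28"), ("/222.html", "10.0.0.5"),
                             ("/webadmin/", "192.168.168.28"), ("/webadmin/", "10.0.0.5")):
            print(f"{label}: {client} GET {path} -> {decide(rules, DOCROOT, path, client)}")
```

Running the block reproduces the two tests in the post (a disallowed address gets 403 on `/222.html` but a 401 prompt on `/webadmin/` under example one; `192.168.168.28` gets 403 on `/webadmin/` under example two) and adds the cases the screenshots do not cover, such as an address outside both /24 networks reaching the prompt in example two.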





