I. User-based access control
1. Control types
Authentication challenge: WWW-Authenticate. The server answers with status code 401, refuses the request, and tells the client that it must supply an account and password (the realm name travels in this header).
Authentication: Authorization. The client resends the request with the account and password filled in; if they are accepted, the server returns the requested resource.
Two authentication methods:
basic: credentials are sent in the clear (only base64-encoded, not encrypted), so it is safe only over HTTPS
digest: message-digest authentication; resists sniffing better, but client compatibility is poorer
Security realm (AuthName): a path that may only be accessed after authentication. Give it a descriptive name so that the user knows why they are being asked to authenticate; the name is what the browser shows in its password prompt.
User accounts and passwords
Virtual accounts: authentication identifiers used only for accessing a given service; they need not be system (/etc/passwd) accounts
Storage methods: text file, SQL database, LDAP directory, NIS, etc.
2. Configuring basic authentication
(1) Define the security realm
<Directory "/path">
Options None
AllowOverride None
AuthType Basic (authentication method)
AuthName "String" (description shown to the user; the realm)
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE" (location of the account file)
Require user username1 username2 ... (which users are allowed)
</Directory>
To allow every user in the account file to log in:
Require valid-user
The parenthesized text above is explanation only; httpd does not accept a trailing comment on a directive line, so do not copy it into the configuration.
(2) Provide account and password storage (text file)
Use the dedicated tool to create the file and manage users:
htpasswd [options] /PATH/HTTPD_PASSWD_FILE username
-c: create the file; use only when the file does not yet exist (an existing file is overwritten and every other user in it is lost)
-m: MD5 (apr1, salted) hashing. This is the default on Windows and in httpd 2.4, but httpd 2.2 on Unix defaults to crypt(3), which truncates passwords to 8 characters (the http1 entry in the experiment below is such a hash), so always pass -m explicitly
-s: SHA hashing (unsalted SHA-1; weaker than -m, avoid it)
-D: delete the specified user
On httpd 2.4.4 and later prefer -B (bcrypt). Keep the password file outside DocumentRoot (the experiment puts it in /etc/httpd/conf.d with a leading dot) so it can never be served to clients.
# Experiment: create users with hashed passwords
[[email protected]]#pwd
/etc/httpd/conf.d
[[email protected]]#ls -a
.  ..  .httpusers
[[email protected]]#htpasswd -c .httpusers http1
New password:
Re-type new password:
Adding password for user http1
[[email protected]]#htpasswd -s .httpusers http2
Adding password for user http2
[[email protected]]#htpasswd -m .httpusers http3
Adding password for user http3
[[email protected]]#cat .httpusers
http1:b4QECtkC6VarQ
http2:{SHA}s6VCX366xaGxnQ00QYzgpPZKelE=
http3:$apr1$H31NOGIE$tafiBf6tKSZmId1VqUz1H0
The three lines show the three formats: http1 is a 13-character crypt(3) hash (what htpasswd without -m/-s produced on this 2.2 system), http2 is unsalted SHA-1, http3 is salted apr1 MD5. Only the last is acceptable.
[[email protected]]#mkdir /app/website/secret
[[email protected]]#echo /app/website/secret/index.html > /app/website/secret/index.html
[[email protected]]#vim auth.conf
<Directory /app/website/secret>
AuthType Basic
AuthName "Admin dir"
AuthUserFile "/etc/httpd/conf.d/.httpusers"
Require user http1 http2
</Directory>
[[email protected]]#service httpd restart
[root@centos7mini~]#curl -I
HTTP/1.1 401 Authorization Required      ---> the 401 challenge
Date: Wed, 24 Jan 2018 07:19:41 GMT
Server: Apache
WWW-Authenticate: Basic realm="Admin dir"
Connection: close
Content-Type: text/html; charset=iso-8859-1
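As an added example (not from the original notes), the following shell functions show two points of this section in working code: how trivially a Basic credential is recovered from the Authorization header, and how the {SHA} lines written by htpasswd -s are verified, which also makes clear why they are unsalted. The user names, passwords and the account file are constructed for the example; only a POSIX shell plus coreutils base64 and sha1sum are needed.

```shell
#!/bin/bash
# Added example, not from the original notes: decoding a Basic credential and
# checking the {SHA} entries produced by "htpasswd -s". All user names,
# passwords and the sample account file are constructed for the example.

# Recover "user:password" from an Authorization header (or its bare value).
# Basic auth is base64 encoding, not encryption: whoever sees the header has the password.
decode_basic_auth() {
    local value="${1#Authorization: }"   # drop the header name if present
    value="${value#Basic }"              # drop the scheme
    printf '%s' "$value" | base64 -d
}

# base64 of the raw bytes behind a hex digest (that is what {SHA} stores).
hex_to_base64() {
    local hex="$1" fmt="" pair
    while [ -n "$hex" ]; do
        pair="${hex%"${hex#??}"}"                        # first two hex digits
        fmt="$fmt\\$(printf '%03o' $(( 0x$pair )))"     # -> an octal printf escape
        hex="${hex#??}"
    done
    printf "$fmt" | base64
}

# Build the line "htpasswd -s" would write: user:{SHA}base64(sha1(password)).
# No salt is involved, so equal passwords give equal entries and precomputed
# tables apply; prefer -m (apr1 MD5) or, on httpd 2.4.4+, -B (bcrypt).
make_sha_entry() {
    local user="$1" password="$2" hex
    hex="$(printf '%s' "$password" | sha1sum | cut -d' ' -f1)"
    printf '%s:{SHA}%s\n' "$user" "$(hex_to_base64 "$hex")"
}

# Check a password against one {SHA} account line; 0 on match, 1 otherwise.
# $apr1$ (MD5) and $2y$ (bcrypt) lines are not handled here.
verify_sha_entry() {
    local line="$1" password="$2"
    [ "$(make_sha_entry "${line%%:*}" "$password")" = "$line" ]
}

# Look a user up in an account file and verify the password: FILE USER PASSWORD.
check_user() {
    local line
    line="$(grep -- "^$2:" "$1")" || return 1           # unknown user
    verify_sha_entry "$line" "$3"
}

# Constructed demo: a two-user file and a captured header.
demo() {
    local file
    file="$(mktemp)"
    make_sha_entry http2 password >"$file"
    make_sha_entry http4 'Tr0ub4dor&3' >>"$file"
    echo "captured credential: $(decode_basic_auth 'Authorization: Basic aHR0cDE6c2VjcmV0')"
    check_user "$file" http2 password && echo "http2/password: accepted"
    check_user "$file" http2 wrong   || echo "http2/wrong: rejected"
    rm -f "$file"
}

demo
```

The {SHA} value for the password "password" produced by make_sha_entry is identical to what htpasswd -s writes, which is exactly the problem: any two sites using -s store the same string for the same password.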
Group-based authentication
(1) Define the security realm
<Directory "/path">
AuthType Basic
AuthName "String"
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
AuthGroupFile "/PATH/HTTPD_GROUP_FILE"
Require group grpname1 grpname2 ...
</Directory>
(2) Create the user account file and the group file
Group file: one group per line
GRP_NAME: username1 username2 ...
The group file only lists names; every member must also exist in AuthUserFile, which is where the passwords are checked.
Example:
<Directory "/www/htdocs/admin">
Options None
AllowOverride None
AuthType Basic
AuthName "Administrator private"
AuthUserFile "/etc/httpd/conf.d/.httpusers"
AuthGroupFile "/etc/httpd/conf.d/.httpgroups"
Require group admins
</Directory>
vim /etc/httpd/conf.d/.httpgroups
admins: http1 http3
users: http2
# Experiment: group-based authentication
[[email protected]]#vim auth.conf
<Directory /app/website/secret>
AuthType Basic
AuthName "Administrator private"
AuthUserFile "/etc/httpd/conf.d/.httpusers"
AuthGroupFile "/etc/httpd/conf.d/.httpgroups"
Require group admins
</Directory>
[[email protected]]#vim .httpgroups
admins: http1 http3
users: http2
3. Combining client-address control with user authentication
Satisfy All|Any
All: both the client IP check (Order/Allow/Deny) and user authentication must pass
Any: it is enough that one of the two passes
Example:
Require valid-user
Order allow,deny
Allow from 192.168.1
Satisfy Any
With Satisfy Any, clients in 192.168.1.0/24 are never asked for a password and everyone else must authenticate. Use this deliberately: a spoofed or compromised host on the trusted network bypasses the password entirely. Satisfy, Order, Allow and Deny are httpd 2.2 directives (mod_access); in 2.4 they exist only through mod_access_compat, and the native equivalent is a <RequireAny> block containing Require ip and Require valid-user.
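As an added illustration (not from the original notes), here is the same "trusted network or password" policy written for httpd 2.2 and, below it, for httpd 2.4; the directory, account file and network are placeholders taken from this section's experiment. Comments sit on their own lines because httpd does not allow a comment after a directive.

```apache
# httpd 2.2 (mod_access + mod_auth_basic):
# hosts in 192.168.1.0/24 skip the password, everyone else must log in.
<Directory "/app/website/secret">
    AuthType Basic
    AuthName "Admin dir"
    AuthUserFile "/etc/httpd/conf.d/.httpusers"
    Require valid-user
    Order allow,deny
    Allow from 192.168.1
    Satisfy Any
</Directory>

# httpd 2.4 (mod_authz_core) equivalent; Satisfy/Order/Allow are not needed.
# Require ip is evaluated before authentication, so matching clients get no 401.
<Directory "/app/website/secret">
    AuthType Basic
    AuthName "Admin dir"
    AuthUserFile "/etc/httpd/conf.d/.httpusers"
    <RequireAny>
        Require ip 192.168.1.0/24
        Require valid-user
    </RequireAny>
</Directory>

# The stricter "Satisfy All" in 2.4 terms: both conditions must hold.
# <RequireAll>
#     Require ip 192.168.1.0/24
#     Require valid-user
# </RequireAll>
```

Check the result from both sides of the boundary: a curl from inside the network must get 200 without credentials, a curl from outside must get 401.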
4. Sharing users' home directories over HTTP
Implemented by the module mod_userdir.so
SELinux boolean: httpd_enable_homedirs (must be turned on while SELinux is enforcing)
Settings:
vim /etc/httpd/conf/httpd.conf
<IfModule mod_userdir.c>
#UserDir disabled
UserDir public_html  (name of the shared directory inside each home directory)
</IfModule>
Prepare the directory
su - wang; mkdir ~/public_html
setfacl -m u:apache:x ~wang
Access
http://localhost/~wang/index.html
Note: the permissions of the shared folder must be adjusted. Home directories are normally mode 0700, so the apache user cannot even traverse them; the ACL above grants apache traverse (x) on the home directory, and public_html itself and the files in it must be readable by apache. Keep "UserDir disabled root" in the configuration (the httpd documentation strongly recommends it) and enable only the accounts that should be published, with "UserDir enabled wang", rather than exposing every account. The transcript below, which publishes /root/publicweb and gives apache traverse on /root, is an experiment only and must not be repeated on a real server.
# Experiment: user home directories
[[email protected]]#httpd -M | grep userdir
 userdir_module (shared)
[[email protected]]#getenforce      ---> SELinux was already disabled on this machine
Disabled
[[email protected]]#vim /etc/httpd/conf/httpd.conf
<IfModule mod_userdir.c>
# UserDir disabled      ---> comment out, or change to "enabled"
UserDir publicweb       ---> name of the shared folder
[[email protected]]#ll -d /home/L/
drwx------ 3 L L 4096 Jan 24 15:59 /home/L/
[[email protected]]#tail /var/log/httpd/error_log
[Wed Jan 24 16:21:32 2018] [error] [client 192.168.1.5] (13)Permission denied: access to /~L/ denied
[[email protected]]#setfacl -m u:apache:x /home/L/
[root@centos7mini~]#curl
/home/L/publicweb/index.html
[[email protected]]#mkdir /root/publicweb
[[email protected]]#echo /root/publicweb/index.html > /root/publicweb/index.html
[[email protected]]#setfacl -m u:apache:x /root/
5. Error page information
ServerSignature On | Off | EMail
When a client requests a page that does not exist, the server generates an error document. Because ServerSignature is on by default, the last line of that document contains the server name, the Apache version and similar information. To stop showing it, set the parameter to Off. Set to EMail, the line additionally shows a mailto link for the ServerAdmin address. Off is recommended.
[[email protected]]#vim /etc/httpd/conf/httpd.conf
ServerSignature Off
ServerSignature only affects pages httpd generates itself. The version string in the Server response header is controlled by the separate directive ServerTokens; the "Server: Apache" header in the curl output of section 2 is what ServerTokens Prod produces, and that is the value to use.
6. ServerType inetd | standalone
standalone: runs as an independent daemon
inetd: started per connection by the inetd super-server
Unix only. This directive exists only in Apache 1.3; httpd 2.0 and later removed it, always run standalone, and reject ServerType as an invalid command.
7. Status page
LoadModule status_module modules/mod_status.so
<Location /server-status>
SetHandler server-status
Order allow,deny
Allow from 172.16
</Location>
ExtendedStatus On   (show extended information: per-worker client address, virtual host and request URL)
The status page discloses the server version, build date, worker PIDs and, with ExtendedStatus, the clients and URLs currently being served, so it must be restricted to administrator addresses. Note that the experiment below uses Order deny,allow with "Deny from all" commented out: with that order and no Deny rule every client is allowed, so the page is open to the whole network. Restore "Deny from all", or use "Order allow,deny" as in the example above. Host-name based rules such as "Allow from .example.com" also cost a double-reverse DNS lookup on every request; prefer addresses.
# Experiment: status page
[[email protected]]#vim /etc/httpd/conf/httpd.conf
<Location /status>
SetHandler server-status
Order deny,allow
# Deny from all
Allow from .example.com
</Location>
# What the page shows when opened normally
Apache Server Status for 192.168.1.100
Server Version: Apache/2.2.15 (Unix) DAV/2      # software version
Server Built: Mar 22 2017 06:52:55              # build time
Current Time: Wednesday, 24-Jan-2018 16:42:14 CST      # current time
Restart Time: Wednesday, 24-Jan-2018 16:41:49 CST      # last restart
Parent Server Generation: 0
Server uptime: 24 seconds
1 requests currently being processed, 7 idle workers      # 1 busy worker, 7 idle
W_______........................................................
................................................................
................................................................
................................................................
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
PID Key:      # child process PIDs
48392 in state: W , 48393 in state: _ , 48394 in state: _
48395 in state: _ , 48396 in state: _ , 48397 in state: _
48398 in state: _ , 48399 in state: _ ,
To obtain a full report with current status information you need to use the ExtendedStatus On directive.
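The following fragment is an added example (not from the original notes) that puts the points of sections 5 and 7 together: suppress version disclosure and lock the status page to an administrator network. The network 172.16.0.0/16 is a placeholder; comments are on their own lines because httpd rejects trailing comments.

```apache
# Added hardening example. Server header becomes just "Apache";
# no version/hostname footer on server-generated error pages.
ServerTokens Prod
ServerSignature Off

LoadModule status_module modules/mod_status.so
ExtendedStatus On

# httpd 2.2: default-deny, then allow only the admin network.
# This replaces the experiment's <Location /status>, whose
# commented-out "Deny from all" left the page world-readable.
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 172.16
</Location>

# httpd 2.4 equivalent (mod_authz_core); Order/Allow/Deny are not used.
# <Location /server-status>
#     SetHandler server-status
#     Require ip 172.16.0.0/16
# </Location>
```

After reloading, verify from an address outside 172.16.0.0/16 that /server-status returns 403 and that curl -I shows only "Server: Apache".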
II. Virtual hosts
1. Implementation methods and notes
IP-based: at least one IP address per virtual host
Port-based: at least one dedicated port per virtual host
FQDN-based: at least one FQDN per virtual host
Note: virtual hosts are normally not mixed with the main server; to use virtual hosts, disable the main server first. Method: comment out the main server's DocumentRoot directive. Once a <VirtualHost> exists for an address:port, requests to that socket never fall back to the main server's DocumentRoot; the first virtual host defined for the socket serves as its default.
How a site is identified: by socket, or by name
same IP, different ports
different IPs, all on the default port
different FQDNs: the Host header of the request, for example
Host: www.magedu.com
Virtual host configuration:
<VirtualHost IP:PORT>
ServerName FQDN
DocumentRoot "/path"
</VirtualHost>
Recommendation: keep the above in a separate configuration file (the experiments below use /etc/httpd/conf.d/vhost.conf)
2. IP-based virtual host example
<VirtualHost 172.16.100.6:80>
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.7:80>
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.8:80>
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
</VirtualHost>
Every address used must already be configured on the server's interfaces; httpd binds to the addresses it is given and does not create them.
# Experiment: IP-based virtual hosts
[root@Centos6-server app]#ls
website
[root@Centos6-server app]#cp website/ website2 -r
[root@Centos6-server app]#cp website/ website3 -r
[root@Centos6-server app]#vim website2/index.html
/app/website2
[root@Centos6-server app]#vim website3/index.html
/app/website3
[[email protected]]#pwd
/etc/httpd/conf.d
[[email protected]]#vim vhost.conf
DocumentRoot /app/website
<VirtualHost 192.168.1.100:80>
DocumentRoot /app/website
ErrorLog logs/website1-error_log
CustomLog logs/website1-access_log common
</VirtualHost>
<VirtualHost 192.168.1.250:80>
DocumentRoot /app/website2
ErrorLog logs/website2-error_log
CustomLog logs/website2-access_log common
</VirtualHost>
<VirtualHost 192.168.1.251:80>
DocumentRoot /app/website3
ErrorLog logs/website3-error_log
CustomLog logs/website3-access_log common
</VirtualHost>
[root@centos7mini~]#curl 192.168.1.100
/app/website
[root@centos7mini~]#curl 192.168.1.250
/app/website2
[root@centos7mini~]#curl 192.168.1.251
/app/website3
[[email protected]]#ll /var/log/httpd/
-rw-r--r-- 1 root root 71 Jan 28 19:46 website1-access_log
-rw-r--r-- 1 root root  0 Jan 28 19:45 website1-error_log
-rw-r--r-- 1 root root 71 Jan 28 19:46 website2-access_log
-rw-r--r-- 1 root root  0 Jan 28 19:45 website2-error_log
-rw-r--r-- 1 root root 71 Jan 28 19:46 website3-access_log
-rw-r--r-- 1 root root  0 Jan 28 19:45 website3-error_log
Giving each virtual host its own ErrorLog and CustomLog, as done here, keeps per-site evidence separate, which pays off when one site is attacked or compromised.
3. Port-based virtual hosts
Can be mixed with IP-based virtual hosts
Listen 808
Listen 8080
<VirtualHost 172.16.100.6:80>
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.6:808>
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.6:8080>
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
</VirtualHost>
Every extra port must be opened with Listen (ss -ntl below confirms the sockets exist) and allowed through the host firewall; on a system with SELinux enforcing, a non-standard port additionally has to be labelled http_port_t (semanage port -a -t http_port_t -p tcp PORT) or httpd cannot bind it.
# Experiment: port-based virtual hosts
[[email protected]]#vim vhost.conf
Listen 8001
Listen 8002
Listen 8003
<VirtualHost *:8001>
DocumentRoot /app/website
ErrorLog logs/website1-error_log
CustomLog logs/website1-access_log common
</VirtualHost>
<VirtualHost *:8002>
DocumentRoot /app/website2
ErrorLog logs/website2-error_log
CustomLog logs/website2-access_log common
</VirtualHost>
<VirtualHost *:8003>
DocumentRoot /app/website3
ErrorLog logs/website3-error_log
CustomLog logs/website3-access_log common
</VirtualHost>
[[email protected]]#ss -ntl
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    :::8001              :::*
LISTEN     0      128    :::8002              :::*
LISTEN     0      128    :::8003              :::*
LISTEN     0      128    :::80                :::*
[root@centos7mini~]#curl 192.168.1.100:8001
/app/website
[root@centos7mini~]#curl 192.168.1.100:8002
/app/website2
[root@centos7mini~]#curl 192.168.1.100:8003
/app/website3
4. FQDN-based (name-based) virtual hosts
NameVirtualHost *:80   (required in httpd 2.2; not needed in httpd 2.4)
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
</VirtualHost>
<VirtualHost *:80>
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
</VirtualHost>
<VirtualHost *:80>
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
</VirtualHost>
# Experiment: name-based virtual hosts
[[email protected]]#vim vhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /app/website
ServerName www.a.com
ErrorLog logs/website1-error_log
CustomLog logs/website1-access_log common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /app/website2
ServerName www.b.com
ErrorLog logs/website2-error_log
CustomLog logs/website2-access_log common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /app/website3
ServerName www.c.com
ErrorLog logs/website3-error_log
CustomLog logs/website3-access_log common
</VirtualHost>
# Note: a request made by IP address rather than by FQDN (or with any Host header that matches no ServerName or ServerAlias) is answered by the first virtual host defined for that address, which acts as the default. Since that default also catches scanners and forged Host headers, make the first <VirtualHost> a deliberate catch-all rather than a real site.
[root@centos7mini~]#vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.100
[root@centos7mini~]#curl www.a.com
/app/website
[root@centos7mini~]#curl www.b.com
/app/website2
[root@centos7mini~]#curl www.c.com
/app/website3
[root@centos7mini~]#telnet www.b.com 80   ---> the name used to open the connection does not matter
Trying 192.168.1.100...
Connected to www.b.com.
Escape character is '^]'.
GET / http/1.1
HOST:    ---> the Host header is what selects the site
HTTP/1.1 200 OK
Date: Sun, 28 Jan 2018 12:06:33 GMT
Server: Apache
Last-Modified: Sun, 28 Jan 2018 11:34:22 GMT
ETag: "12000d-e-563d482c9ad21"
Accept-Ranges: bytes
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8
/app/website3
Connection closed by foreign host.
# Note: virtual hosts are normally not mixed with the main server; disable the main server before using virtual hosts.
[root@centos7mini~]#curl 192.168.1.100
/app/website
[root@centos7mini~]#vim /etc/hosts
192.168.1.100
[root@centos7mini~]#curl
/app/website
[root@centos7mini~]#curl
/app/website
[root@centos7mini~]#curl
/app/website
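To make the selection rule of this section concrete, the following added example (not from the original notes, and not httpd's own code) is a small resolver that mimics how httpd picks a name-based virtual host: it reads a vhost.conf-style file, normalises the Host header, matches it against ServerName and ServerAlias for the given socket, and otherwise falls back to the first <VirtualHost> for that socket, reproducing the "default host" behaviour the telnet and curl runs above demonstrate. The sample configuration, hosts and document roots are constructed from this section; the ServerAlias b.com is an assumption added to exercise alias matching. Only a POSIX shell and awk are needed.

```shell
#!/bin/bash
# Added example, not from the original notes: a toy resolver for name-based
# virtual hosts. It models httpd's rule (match Host against ServerName and
# ServerAlias of the vhosts for the socket; otherwise use the first vhost
# defined for that socket). IPv6 literal hosts and wildcard aliases are not
# modelled. The configuration below is constructed for the example.

# Print "ServerName DocumentRoot" of the vhost that would serve a request.
# usage: resolve_vhost CONFIG_FILE "ADDR:PORT" HOST_HEADER
resolve_vhost() {
    awk -v want="$2" -v host="$3" '
        BEGIN {
            host = tolower(host)               # host names are case-insensitive
            sub(/:[0-9]+$/, "", host)          # a Host header may carry a port
        }
        tolower($1) == "<virtualhost" {        # block start, e.g. <VirtualHost *:80>
            addr = $2; sub(/>$/, "", addr)
            inblock = (addr == want); name = ""; root = ""; aliases = ""
            next
        }
        !inblock { next }                      # lines outside a matching block
        tolower($1) == "servername"   { name = tolower($2) }
        tolower($1) == "documentroot" { root = $2; gsub(/"/, "", root) }
        tolower($1) == "serveralias"  { for (i = 2; i <= NF; i++) aliases = aliases " " tolower($i) }
        tolower($1) == "</virtualhost>" {
            inblock = 0
            if (!havedef) { defname = name; defroot = root; havedef = 1 }   # first block = default
            if (host != "" && (host == name || index(" " aliases " ", " " host " ") > 0)) {
                print name, root; found = 1; exit
            }
        }
        END { if (!found) print defname, defroot }   # no match: the default vhost answers
    ' "$1"
}

# Constructed copy of the section's vhost.conf; the first block is the default.
write_sample_conf() {
    cat >"$1" <<'EOF'
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.a.com
    DocumentRoot "/app/website"
</VirtualHost>
<VirtualHost *:80>
    ServerName www.b.com
    ServerAlias b.com
    DocumentRoot "/app/website2"
</VirtualHost>
<VirtualHost *:80>
    ServerName www.c.com
    DocumentRoot "/app/website3"
</VirtualHost>
EOF
}

# Show which site answers for several Host values, including an IP and a
# forged name: both land in the first (default) vhost.
demo() {
    local conf h
    conf="$(mktemp)"
    write_sample_conf "$conf"
    for h in www.a.com www.b.com b.com WWW.C.COM:80 192.168.1.100 forged.example; do
        printf '%-16s -> %s\n' "$h" "$(resolve_vhost "$conf" '*:80' "$h")"
    done
    rm -f "$conf"
}

demo
```

The last two lines of the demo output are the security-relevant ones: anything that does not name a configured site, whether a bare IP from a scanner or an attacker-chosen Host header, is served by whichever vhost happens to be first in the file, which is why that slot should hold a catch-all rather than a real site.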