One article to understand the access control of HTTPD service

Preface

In the first two articles, "Explain the deployment of HTTPD service in Linux environment" and "How to deploy AWStats analysis system in Linux environment to monitor Web sites?", we explained in detail the deployment and related configuration of the HTTPD service and the AWStats analysis system in a Linux environment. The AWStats analysis system as deployed there can be opened without an account and password, which leaves the server with a hidden security risk.

In order to better control access to website resources, you can add access authorization for specific website directories. This article introduces HTTPD service access control, covering: client address-based restrictions, user-based restrictions, domain name-based virtual hosts, and IP address-based and port-based virtual hosts.

1. Restrictions based on client address

The Deny from and Allow from configuration items are used to set restrictions based on the client address. When using them, you specify the client addresses to which the policy applies; address1, address2, ... can be an IP address, a network address, a host name or a domain name. Normally a web server is open to all users and places no restrictions on the web document directory, so "all" can be used to deny or allow access from any address:


Deny from address1 address2 ...
Allow from address1 address2 ...

The Order configuration item can be set to "allow,deny" or "deny,allow" to determine the order in which the host applies the "allow" and "deny" policies.

"Allow,deny": apply "allow" first and then "deny"; by default all client addresses that are not explicitly allowed are denied.

"Deny,allow": apply "deny" first and then "allow"; by default all client addresses that are not explicitly denied are allowed.


<Directory "/usr/local/httpd/htdocs">
......                  # part omitted
Order allow,deny
Allow from all
</Directory>

To implement an "allow only" policy, set the processing order to "allow,deny" and explicitly set an Allow policy so that only some hosts can access. If you want only the terminal with the IP address 192.168.3.123 to be able to access the AWStats analysis system, configure the following in the directory section for the AWStats analysis system:


<Directory "/usr/local/awstats/wwwroot">
Options None
AllowOverride None
Order allow,deny
Allow from 192.168.3.123         # allow access from the address 192.168.3.123
</Directory>

To implement a "deny only" policy, set the processing order to "deny,allow" and explicitly set a Deny policy so that only some hosts are refused. If you want to deny only the terminals on the 192.168.3.0/24 network segment access to the AWStats analysis system, while allowing any other terminal to access it, configure the following in the directory section for the AWStats analysis system:


<Directory "/usr/local/awstats/wwwroot">
Options None
AllowOverride None
Order deny,allow
deny from 192.168.3.0/24         # deny access from addresses on the 192.168.3.0/24 network
</Directory>

After the above configuration is complete, a denied client that opens the site in a browser sees the following error page.
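To make the evaluation order concrete, the following added example (written for this article; it is not part of the original post or of httpd itself) reproduces the httpd 2.2 Order/Allow/Deny decision in Python and applies it to the two directory sections above. The function names and the test addresses other than 192.168.3.123 and 192.168.3.0/24 are the author's own choices; host-name and domain-name arguments, which httpd resolves through DNS, are not modelled.

```python
import ipaddress


def matches(client_ip, pattern):
    """Return True if client_ip matches one Allow/Deny argument.

    Handles the forms used in the article: 'all', a full IPv4 address and a
    CIDR network (a.b.c.d/n), plus a partial dotted prefix such as '192.168.3'.
    Host-name and domain-name arguments are not modelled (assumption).
    """
    client = ipaddress.ip_address(client_ip)
    pattern = pattern.strip().lower()
    if pattern == "all":
        return True
    if "/" in pattern:
        return client in ipaddress.ip_network(pattern, strict=False)
    if pattern.count(".") == 3:
        return client == ipaddress.ip_address(pattern)
    # Partial address: match whole octets only ("192.168.3" must not match 192.168.30.1).
    return str(client).startswith(pattern + ".")


def evaluate(order, allow_from, deny_from, client_ip):
    """Decide whether client_ip is admitted, mimicking httpd 2.2 Order/Allow/Deny.

    order:      "allow,deny" or "deny,allow" (whitespace and case are ignored)
    allow_from: list of 'Allow from' arguments
    deny_from:  list of 'Deny from' arguments
    """
    allowed = any(matches(client_ip, p) for p in allow_from)
    denied = any(matches(client_ip, p) for p in deny_from)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Allow is processed first, then Deny. A client matching neither is refused
        # (the default is the last directive named), and a client matching both is
        # refused because the later Deny wins.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is processed first, then Allow. A client matching neither is admitted,
        # and a client matching both is admitted because the later Allow wins.
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order!r}")


def awstats_allow_only(client_ip):
    """The article's 'allow only' section: only 192.168.3.123 may reach AWStats."""
    return evaluate("allow,deny", ["192.168.3.123"], [], client_ip)


def awstats_deny_only(client_ip):
    """The article's 'deny only' section: 192.168.3.0/24 is refused, everyone else admitted."""
    return evaluate("deny,allow", [], ["192.168.3.0/24"], client_ip)


if __name__ == "__main__":
    # Constructed client addresses, chosen to show the default branch of each policy.
    for ip in ("192.168.3.123", "192.168.3.124", "10.1.1.9"):
        print(f"{ip:15} allow-only={awstats_allow_only(ip)!s:5} deny-only={awstats_deny_only(ip)}")
```

The two branches differ exactly where the article's wording is easiest to misread: a client that matches neither list is refused under "allow,deny" and admitted under "deny,allow", and a client that matches both lists gets the result of whichever directive is named second. Note that Order, Allow and Deny are httpd 2.2 directives; on httpd 2.4 they are only available through mod_access_compat, and the native equivalents are Require ip and Require all granted/denied.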


2. Authorization restrictions based on user

User-based access control includes authentication and authorization.

Authentication: the process of verifying a user's identity;

Authorization: Refers to allowing specific users to access specific directory areas;

The basic authentication of httpd determines whether a user is allowed access by verifying the user name and password combination. The user accounts authorized for access must be created first and saved in a fixed data file.

You can use the htpasswd tool to create the authorized-user data file and maintain the user accounts in it. The location of the user data file must be specified; the "-c" option indicates that the file is to be newly created.

Create a new data file /usr/local/httpd/conf/.awspwd; webjacktian and webjacktian1 are the user names.


# cd /usr/local/httpd/
# bin/htpasswd -c /usr/local/httpd/conf/.awspwd webjacktian
New password:                        # set the password
Re-type new password:
Adding password for user webjacktian
# cat /usr/local/httpd/conf/.awspwd
webjacktian:u5Mq.qjrDfsvA

If the "-c" option is omitted and the specified user data file already exists, a new user is added to it or an existing user's password is changed.

# bin/htpasswd /usr/local/httpd/conf/.awspwd webjacktian1
New password:
Re-type new password:
Adding password for user webjacktian1
# cat /usr/local/httpd/conf/.awspwd             # confirm the user data file
webjacktian:1.wTyxw9/pItY
webjacktian1:zG4sQXO/HveOc

After the user accounts are created, modify the httpd.conf configuration file: add the authorization configuration in the specific directory area and enable basic authentication, specifying which users are allowed access.

vi /usr/local/httpd/conf/httpd.conf
......                             # part omitted
<Directory "/usr/local/awstats/wwwroot">
Options None
AllowOverride None
Order deny,allow
deny from 192.168.3.124
AuthName "http web"                       # name of the protected realm, shown in the authentication dialog the browser pops up
AuthType Basic                         # authentication type; Basic means basic authentication
AuthUserFile /usr/local/httpd/conf/.awspwd           # path of the authentication file holding the user accounts and passwords
require valid-user                       # only users present in the authentication file may access; valid-user means every valid user. To authorize a single user, replace it with that user name, e.g. webjacktian / webjacktian1
</Directory>
# /usr/local/httpd/bin/apachectl restart            # restart the service so the new configuration takes effect

To verify that the user is authorized to access the AWStats analysis system, open it in a browser: the following dialog box pops up, and entering the correct user name and password logs you in to the AWStats analysis system, where you can view the corresponding analysis report. If the account and password entered do not match, access to the AWStats analysis system is denied.
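As an added example (not part of the original article, and not htpasswd's own code), the block below shows what the user data file holds and how basic authentication checks a submitted name and password against it. It uses the {SHA} entry format that `htpasswd -s` writes (base64 of the raw SHA-1 digest with a {SHA} prefix) rather than the traditional crypt(3) form visible in the article's output, because {SHA} can be reproduced portably; the passwords "first-pass" and "second-pass" are constructed for the example, and the function names are the author's own.

```python
import base64
import hashlib
import hmac


def sha_entry(username, password):
    """Build one htpasswd line in the {SHA} format that `htpasswd -s` writes:
    the literal prefix {SHA} followed by the base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def upsert_user(text, username, password):
    """Add a user to the file content, or replace the stored hash if the user already
    exists. This mirrors running htpasswd without -c on an existing file."""
    lines = [line for line in text.splitlines() if line.strip()]
    entry = sha_entry(username, password)
    for i, line in enumerate(lines):
        if line.partition(":")[0] == username:
            lines[i] = entry
            break
    else:
        lines.append(entry)
    return "\n".join(lines) + "\n"


def parse_htpasswd(text):
    """Parse file content into {user: stored_hash}, ignoring blank and comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def verify(text, username, password):
    """Check one user name/password pair against the file content ({SHA} entries only).

    hmac.compare_digest keeps the comparison constant-time; an unknown user or an
    entry in a different hash format is simply rejected.
    """
    stored = parse_htpasswd(text).get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    candidate = sha_entry(username, password).partition(":")[2]
    return hmac.compare_digest(stored.encode("ascii"), candidate.encode("ascii"))


# Constructed sample: the article's two users with made-up passwords.
AWSPWD = upsert_user("", "webjacktian", "first-pass")
AWSPWD = upsert_user(AWSPWD, "webjacktian1", "second-pass")

if __name__ == "__main__":
    print(AWSPWD)
    print("webjacktian / first-pass  ->", verify(AWSPWD, "webjacktian", "first-pass"))
    print("webjacktian / second-pass ->", verify(AWSPWD, "webjacktian", "second-pass"))
```

Two practical points follow from the format. The file stores only a hash, so it cannot give the password back, but an unsalted SHA-1 or 13-character crypt(3) hash is cheap to attack offline if the file leaks; `htpasswd -B` (bcrypt) is the stronger choice on httpd 2.4. And because AuthType Basic sends the name and password base64-encoded, not encrypted, on every request, the directory should be served over HTTPS.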


3. Virtual hosts based on domain name

Domain name-based: each virtual host uses a different domain name, but the corresponding IP address is the same.

For example, www.baidu.com and www.taobao.com both have the IP address 192.168.3.123; this is the most common type of virtual web host. Domain name-based access requires a DNS service to resolve the site names. For the deployment of the DNS service, refer to "DNS Domain Name Resolution Service in Linux Environment". After DNS is set up, add the configuration of the two zones, baidu.com and taobao.com, to the main configuration file named.conf, as shown in the figure below.


Modify the baidu zone file (baidu.jack);


Change the group of the file, then copy baidu.jack under /var/named/ to a new file named taobao.jack:

# chgrp named /var/named/baidu.jack             # change the group that owns the file
# cp -v /var/named/baidu.jack /var/named/taobao.jack      # copy baidu.jack under /var/named/ as taobao.jack (-p would preserve the file's original permissions)
# ll /var/named/                       # check that both baidu.jack and taobao.jack have been created
总用量 40
-rw-r--r--. 1 root named 149 7月 28 16:10 baidu.jack
drwxr-x---. 6 root named 4096 7月 28 03:42 chroot
drwxrwx---. 2 named named 4096 7月 28 07:04 data
drwxrwx---. 2 named named 4096 7月 28 16:10 dynamic
-rw-r-----. 1 root named 1892 2月 18 2008 named.ca
-rw-r-----. 1 root named 152 12月 15 2009 named.empty
-rw-r-----. 1 root named 152 6月 21 2007 named.localhost
-rw-r-----. 1 root named 168 12月 15 2009 named.loopback
drwxrwx---. 2 named named 4096 8月 27 2013 slaves
-rw-r--r--. 1 root root 307 7月 28 06:56 taobao.jack

Edit the taobao.jack file and modify its configuration;


Restart the named service.


# service named stop
停止 named:. [确定]
# service named start
启动 named: [确定]

Modify the nameserver configuration item so that it points to the DNS server address;


Use the nslookup command to confirm that both configured domain names resolve successfully;


[root@Mr-tian named]# nslookup www.baidu.com         # use nslookup to verify that the domain name resolves
Server: 192.168.3.123
Address: 192.168.3.123#53

Name: www.baidu.com
Address: 192.168.3.123

[root@Mr-tian named]# nslookup www.taobao.com
Server: 192.168.3.123
Address: 192.168.3.123#53

Name: www.taobao.com
Address: 192.168.3.123

Prepare a website directory and web documents for each virtual web host, giving each a home page with different content. Create two subdirectories, baidu and taobao, under /usr/local/httpd/htdocs to serve as the website root directories of www.baidu.com and www.taobao.com, and put a test web page in each.

# mkdir /usr/local/httpd/htdocs/baidu                            # prepare the web documents for the virtual hosts
# mkdir /usr/local/httpd/htdocs/taobao
# ls /usr/local/httpd/htdocs/                                # check that the baidu and taobao directories were created
abc.html baidu index.html taobao
# echo "<h1>www.baidu.com</h1>" > /usr/local/httpd/htdocs/baidu/index.html         # create an index.html in each of the baidu and taobao directories
# echo "<h1>www.taobao.com</h1>" > /usr/local/httpd/htdocs/taobao/index.html
# cat /usr/local/httpd/htdocs/baidu/index.html                       # verify that the files were created
<h1>www.baidu.com</h1>
# cat /usr/local/httpd/htdocs/taobao/index.html
<h1>www.taobao.com</h1>

To add the virtual host configuration, enable domain name-based virtual web hosts in the main configuration file of the httpd server:

Use <Directory "directory location"> + section configuration </Directory> to set access permissions for each web host's website directory;
Use the NameVirtualHost configuration item to specify the IP address that provides the virtual host service;
Use <VirtualHost listening address> + section configuration </VirtualHost> to establish independent configuration for each virtual web host, including the path of the web root directory, the website name of the virtual host, the access log and other related configuration items.


# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf         # create an independent configuration file
# <Directory "/var/www/html">                    # set directory access permissions
# Order allow,deny
# Allow from all
# </Directory>

NameVirtualHost 192.168.3.123:80                  # set the listening address of the virtual hosts

<VirtualHost 192.168.3.123:80>                   # baidu virtual site section
DocumentRoot "/usr/local/httpd/htdocs/baidu"
ServerName www.baidu.com
ErrorLog "logs/www.baidu.com-error_log"
CustomLog "logs/www.baidu.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.3.123:80>                   # taobao virtual site section
DocumentRoot "/usr/local/httpd/htdocs/taobao"
ServerName www.taobao.com
ErrorLog "logs/www.taobao.com-error_log"
CustomLog "logs/www.taobao.com-access_log" common
</VirtualHost>

When there are many virtual web hosts, you can keep them in a separate virtual host configuration file and add Include conf/extra/httpd-vhosts.conf to httpd.conf to load it.


# vim /usr/local/httpd/conf/httpd.conf
<Directory "/usr/local/awstats/wwwroot">
Options None
AllowOverride None
Order deny,allow
deny from 192.168.3.124
AuthName "http web"
AuthType Basic
AuthUserFile /usr/local/httpd/conf/.awspwd
require valid-user
</Directory>
Include conf/extra/httpd-vhosts.conf         # add this line at the end of the file to load the independent configuration file

Restart the HTTPD service:


# service httpd restart                # restart the httpd service

On the client, configure an IP address in the same network segment and point its DNS to the httpd server.


Test connectivity;


In the client browser, open the different virtual web hosts by website name and confirm that the pages you see differ. If the expected page is not displayed, check the home page files of the two sites or troubleshoot the other configuration.


4. Virtual hosts based on IP address

Add a new virtual interface to the httpd server and configure its IP address;


With IP address-based virtual hosts, each virtual web host uses a different IP address, and all of them are served by the same httpd server. When configuring IP address-based virtual web hosts, do not use the NameVirtualHost configuration item to specify the listening IP address; only the IP address corresponding to each domain name needs to be specified in the VirtualHost configuration item of each virtual web host.

The IP address of the site www.baidu.com is 192.168.3.123, and the IP address of the site www.taobao.com is 192.168.3.126. To implement IP address-based virtual web hosts, configure the following items on the httpd server.

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf
......                           # part omitted
NameVirtualHost 192.168.3.123:80               # the configuration of the www.baidu.com section stays unchanged

<VirtualHost 192.168.3.123:80>
DocumentRoot "/usr/local/httpd/htdocs/baidu"
ServerName www.baidu.com
ErrorLog "logs/www.baidu.com-error_log"
CustomLog "logs/www.baidu.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.3.126:80>               # in the www.taobao.com section, change the IP in "VirtualHost IP:port" to the IP address of the added virtual interface eth1:0
DocumentRoot "/usr/local/httpd/htdocs/taobao"
ServerName www.taobao.com
ErrorLog "logs/www.taobao.com-error_log"
CustomLog "logs/www.taobao.com-access_log" common
</VirtualHost>

Configure httpd.conf to load the independent configuration file;

# vi /usr/local/httpd/conf/httpd.conf
Include conf/extra/httpd-vhosts.conf           # load the independent configuration file

Restart the httpd service;

# service httpd restart                  # restart the httpd service

Entering http://192.168.3.123 in the address bar of the client browser will display the page of www.baidu.com, and entering http://192.168.3.126 will display the page of www.taobao.com, which means it is correct.


5. Virtual hosts based on port

For port-based virtual hosts, the web sites share the same website name and IP address; the only difference is that different TCP ports serve different web content. Therefore, when visiting a web server on a port other than 80, the port number must be stated explicitly in the browser, for example http://www.taobao.com:81/. When configuring port-based virtual web hosts, the NameVirtualHost configuration item is not needed; you only need to specify the TCP port numbers through multiple Listen configuration items, and specify both the IP address and the port number in the VirtualHost configuration item of each virtual web host.

If the www.baidu.com site is accessed through port 80, the displayed result will be the content of the baidu site. When the www.taobao.com site is accessed through port 81, the displayed result will be the content of the taobao site.


# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf

NameVirtualHost 192.168.3.123:80

<VirtualHost 192.168.3.123:80>         # the configuration of the www.baidu.com virtual site section stays unchanged
DocumentRoot "/usr/local/httpd/htdocs/baidu"
ServerName www.baidu.com
ErrorLog "logs/www.baidu.com-error_log"
CustomLog "logs/www.baidu.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.3.123:81>         # set the port number of the www.taobao.com virtual site section to 81
DocumentRoot "/usr/local/httpd/htdocs/taobao"
ServerName www.taobao.com
ErrorLog "logs/www.taobao.com-error_log"
CustomLog "logs/www.taobao.com-access_log" common
</VirtualHost>

The Include of the independent configuration file and the existing port 80 stay unchanged; a new listening port for the www.taobao.com virtual site must be added.

# vi /usr/local/httpd/conf/httpd.conf
......                     # part omitted
Listen 80                  # the existing port 80 stays unchanged
Listen 81                  # newly added listening port
# service httpd restart # restart the httpd service

Verification result: entering http://192.168.3.123 in the client browser displays the content of the baidu site, and entering http://192.168.3.123:81 displays the content of the taobao site, which means the configuration is correct.
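The three virtual host types in sections 3, 4 and 5 differ only in which parts of the request httpd uses to pick a <VirtualHost> section. The added example below (the author's own illustration, not code from the original article or from httpd) models that selection: the local address and port the connection arrived on narrow the candidates, the Host header distinguishes name-based hosts sharing one address, and when no ServerName matches, the first section listed for that address is the default. The VirtualHost class, select_vhost and the combined host list are assumptions made for the example; it also assumes that Listen directives exist for every port used.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualHost:
    """One <VirtualHost addr:port> section reduced to the fields the example needs."""
    address: str        # the <VirtualHost> argument, e.g. "192.168.3.123:80"
    server_name: str    # ServerName
    document_root: str  # DocumentRoot


def select_vhost(vhosts, local_ip, local_port, host_header):
    """Pick the section that serves a request which arrived on local_ip:local_port.

    The port part of the Host header, if any, is ignored, and names are compared
    case-insensitively. Returns None when no section matches the socket at all;
    in httpd that request would fall through to the main server configuration.
    """
    candidates = [v for v in vhosts if v.address == f"{local_ip}:{local_port}"]
    if not candidates:
        return None
    hostname = host_header.split(":", 1)[0].strip().lower() if host_header else ""
    for v in candidates:
        if v.server_name.lower() == hostname:
            return v
    # Name-based hosting: nothing matched the Host header, so the first section
    # listed for this address:port is the default virtual host.
    return candidates[0]


# Constructed list combining the article's three layouts in one configuration.
VHOSTS = [
    # section 3: two names on one address and port (name-based)
    VirtualHost("192.168.3.123:80", "www.baidu.com", "/usr/local/httpd/htdocs/baidu"),
    VirtualHost("192.168.3.123:80", "www.taobao.com", "/usr/local/httpd/htdocs/taobao"),
    # section 4: taobao on its own address (IP-based)
    VirtualHost("192.168.3.126:80", "www.taobao.com", "/usr/local/httpd/htdocs/taobao"),
    # section 5: taobao on its own port (port-based)
    VirtualHost("192.168.3.123:81", "www.taobao.com", "/usr/local/httpd/htdocs/taobao"),
]


def document_root_for(local_ip, local_port, host_header):
    """Convenience wrapper returning only the DocumentRoot that would be served."""
    chosen = select_vhost(VHOSTS, local_ip, local_port, host_header)
    return chosen.document_root if chosen else None


if __name__ == "__main__":
    # Constructed requests: (arrival IP, arrival port, Host header)
    for req in (("192.168.3.123", 80, "www.taobao.com"),
                ("192.168.3.123", 80, "www.baidu.com"),
                ("192.168.3.123", 80, "unknown.example"),
                ("192.168.3.126", 80, "www.baidu.com"),
                ("192.168.3.123", 81, "www.taobao.com:81")):
        print(req, "->", document_root_for(*req))
```

The third and fourth constructed requests are the ones worth remembering: a name-based address always answers, so an unrecognised Host header quietly lands on the first section (baidu here), and an IP-based section answers regardless of what the Host header says. Any per-directory access control therefore has to be written inside the section that actually gets selected, which is what the <Directory> block inside the baidu <VirtualHost> later in the article does.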


To apply client address-based access control to the baidu site directory, modify the virtual host configuration file and add the Directory section items. Once the configuration is correct, check the syntax and restart the service.

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf

NameVirtualHost 192.168.3.123:80

<VirtualHost 192.168.3.123:80>             # modify the virtual host configuration file to apply access control (based on client address) to baidu
DocumentRoot "/usr/local/httpd/htdocs/baidu"
ServerName www.baidu.com
ErrorLog "logs/www.baidu.com-error_log"
CustomLog "logs/www.baidu.com-access_log" common
<Directory "/usr/local/httpd/htdocs/baidu">       # added inside the www.baidu.com section
order allow,deny
allow from 192.168.3.125 # IP address of the accessing client
</Directory>
</VirtualHost>

<VirtualHost 192.168.3.123:81>
DocumentRoot "/usr/local/httpd/htdocs/taobao"
ServerName www.taobao.com
ErrorLog "logs/www.taobao.com-error_log"
CustomLog "logs/www.taobao.com-access_log" common
</VirtualHost>

# httpd -t                       # check the syntax
Syntax OK

# service httpd restart                # restart the httpd service

With the above configuration, only the host with the IP address 192.168.3.125 is allowed access, so a client whose IP address is not 192.168.3.125 sees the following denial page.


If you instead set allow from 192.168.3.0/24 in the httpd-vhosts.conf configuration file, all hosts on that network segment can access the site;

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf
......                          # part omitted
<Directory "/usr/local/httpd/htdocs/baidu">
order allow,deny
allow from 192.168.3.0/24
</Directory>

# service httpd restart                  # restart the httpd service

The verification results are as follows.


User authorization to restrict access

Create a user. The -c option is used only when the user file is created for the first time and is not needed for later additions; then view the user file.

# htpasswd -c /usr/local/httpd/conf/.user jacktian     # create the user
New password:                        # set the password
Re-type new password:
Adding password for user jacktian
You have new mail in /var/spool/mail/root
# cat /usr/local/httpd/conf/.user              # view the user file
jacktian:Kga/Hy/OZ2Bnw

Modify the virtual host configuration file, adding the AuthName and related items to the www.baidu.com section;

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf     # modify the virtual host configuration file

NameVirtualHost 192.168.3.123:80

<VirtualHost 192.168.3.123:80>
DocumentRoot "/usr/local/httpd/htdocs/baidu"
ServerName www.baidu.com
ErrorLog "logs/www.baidu.com-error_log"
CustomLog "logs/www.baidu.com-access_log" common
<Directory "/usr/local/httpd/htdocs/baidu">
order allow,deny
allow from 192.168.3.0/24
AuthName "baidu login"                   # add the user authorization configuration items inside the www.baidu.com section
AuthType Basic
AuthUserFile /usr/local/httpd/conf/.user
Require valid-user
</Directory>
</VirtualHost>

<VirtualHost 192.168.3.123:81>
DocumentRoot "/usr/local/httpd/htdocs/taobao"
ServerName www.taobao.com
ErrorLog "logs/www.taobao.com-error_log"
CustomLog "logs/www.taobao.com-access_log" common
</VirtualHost>

# httpd -t                         # check the syntax
Syntax OK

# service httpd restart                   # restart the httpd service

Verification result: when you enter http://www.baidu.com in the client browser, the following dialog box pops up; enter your user name and password to log in;


The access results when the user name and password are correct are as follows.


The access results when the user name and password are incorrect are as follows.

END

Recommended reading

1. Explain the deployment of HTTPD service in Linux environment in detail

Origin blog.51cto.com/15067236/2606147