httpd高级配置
一、虚拟主机配置
1、基于ip
要求:通过192.168.32.31可以访问/var/www/html目录内容,通过192.168.32.32可以访 问/var/www/virt目录内容
[root@station1 ~]#vi /etc/httpd/conf/httpd.conf
<VirtualHost 192.168.32.31:80>
DocumentRoot /var/www/html
ServerName 192.168.32.31:80
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
<VirtualHost 192.168.32.32:80>
DocumentRoot /var/www/virt
ServerName 192.168.32.32:80
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
2、基于端口
要求:通过192.168.32.31的80端口可以访问/var/www/html目录内容,通过192.168.32.31的8080端口可以访问/var/www/virt目录内容
[root@station1 ~]#vi /etc/httpd/conf/httpd.conf
Listen 80 #此端口配置文件默认就有
Listen 8080 #手动添加此端口
<VirtualHost 192.168.32.31:80>
DocumentRoot /var/www/html
ServerName 192.168.32.31:80
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
<VirtualHost 192.168.32.31:8080>
DocumentRoot /var/www/virt
ServerName 192.168.32.31:8080
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
3、基于主机头
要求:通过station1.example.com可以访问/var/www/html目录内容,通过www.example.com可以访问/var/www/virt目录内容 (注意要求DNS服务器上有这两个网站解析)
[root@station1 ~]#vi /etc/httpd/conf/httpd.conf
NameVirtualHost 192.168.32.31:80 #要求必须由此行,此行表示打开主机头虚拟主机
<VirtualHost 192.168.32.31:80>
DocumentRoot /var/www/html
ServerName station1.example.com
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
<VirtualHost 192.168.32.31:80>
DocumentRoot /var/www/virt
ServerName www.example.com
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
二、多种用户认证方式配置
1、使用htpsswd工作生成的密码文件认证用户来源
[root@station1 conf.d]# htpasswd -cm /etc/httpd/.webusers netsword
[root@station1 conf.d]# htpasswd -m /etc/httpd/.webusers netswordster
[root@station1 conf.d]# htpasswd -m /etc/httpd/.webusers zhxy
[root@station1 conf.d]# htpasswd -m /etc/httpd/.webusers zxy
[root@station1 conf.d]# vi /etc/httpd/.webgroup #给用户分组
net:netsword netswordster
zh:zhxy zxy
# -c:表示创建密码文件
# -m:用md5方式加密认证信息
# -D:从密码文件中删除用户
[root@station1 conf.d]#
[root@station1 conf.d]# vi /etc/htttpd/conf/httpd.conf
<VirtualHost 192.168.32.31:80>
DocumentRoot /var/www/html
ServerName station1.example.com
<Directory /var/www/html>
AuthName TestAdmin #提示信息
AuthType basic #基本身份认证,即基于密码文件的身份认证
AuthUserFile /etc/httpd/.webusers
Require valid-user #所有授权用户均可访问;
AuthGroupFile /etc/httpd/.webgroup #可访问用户为net组中用户
Require Group net
#valid-user:表所有密码文件中的用户均可访问此目录,也可为Require netsword则表示只有密码文件中netsword账户可以访问此目录
</Directory>
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
2、使用MySQL数据库认证用户来源
安装mysql及httpd中mysql认证模块
[root@station1 ~]# yum install mysql-server.i386
[root@station1 ~]# yum install mysql-devel.i386
[root@station1 ~]# yum install mod_auth_mysql.i386
[root@station1 ~]# service mysqld start
[root@station1 ~]# chkconfig mysql on
创建认证用户和认证组
[root@station1 ~]# mysqladmin -u root password redhat
[root@station1 ~]# mysql -uroot -predhat
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 131
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create database apacheusers;
mysql> use apacheusers;
mysql> create table user (name char(25),pwd char(25), primary key (name));
mysql> create table grp (uname char(25),gname char(25),primary key (uname,gname));
mysql> grant select on apacheusers.user to apacheuser@localhost identified by 'redhat';
mysql> grant select on apacheusers.grp to apacheuser@localhost identified by 'redhat';
mysql> insert into user (name,pwd) values ('netsword','111');
mysql> insert into user (name,pwd) values ('netswordster','111');
mysql> insert into user (name,pwd) values ('zhxy','222');
mysql> insert into user (name,pwd) values ('zxy','222');
mysql> insert into grp (uname,gname) values ('netsword','net');
mysql> insert into grp (uname,gname) values ('netswordster','net');
mysql> insert into grp (uname,gname) values ('zhxy','zh');
mysql> insert into grp (uname,gname) values ('zxy','zh');
修改配置文件,开启mysql认证
[root@station1 ~]# vi /etc/httpd/conf/httpd.conf
NameVirtualHost 192.168.32.31:80
<VirtualHost 192.168.32.31:80>
DocumentRoot /var/www/html
ServerName station1.example.com
<Directory /var/www/html>
AuthName TestAdmin
AuthType basic
AuthMySQLEnable on
AuthMySQLUser apacheuser
AuthMySQLPassword redhat
AuthMySQLDB apacheusers
AuthMySQLUserTable user
AuthMySQLNameField name
AuthMySQLPasswordField pwd
Require valid-user
AuthMySQLGroupTable grp
AuthMySQLGroupField gname
Require Group net
</Directory>
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
三、HTTPS配置
1、自颁发证书
[root@station1 ~]#yum install mod_ssl.i386
[root@station1 ~]#mkdir /etc/httpd/.sslkey
[root@station1 ~]#openssl genrsa -out /etc/httpd/.sslkey/server.key 1024
[root@station1 ~]#openssl req -new -x509 -key /etc/httpd/.sslkey/server.key -out /etc/httpd/.sslkey/server.cert #生成密钥对
[root@station1 ~]#chmod -R 400 /etc/httpd/.sslkey #保证证书安全
[root@station1 ~]#vi /etc/httpd/conf/httpd.conf
<VirtualHost 192.168.32.31:443>
DocumentRoot /var/www/virt
ServerName www.example.com
SSLEngine on #开启ssl认证
SSLCertificateFile /etc/httpd/.sslkey/server.crt #证书文件
SSLCertificateKeyFile /etc/httpd/.sslkey/server.key #密钥文件
</VirtualHost>
四、各种安全参数
1、目录访问控制
[root@station2 ~]# vi /etc/httpd/conf/httpd.conf
<Directory /var/www/virt1>
Order allow,deny
Allow from all
Deny from 192.168.32.33
</Directory>
#定义访问/var/www/virt1目录权限(含其下子目录)
Order allow,deny:除了明确定义允许的,默认拒绝所有,同时满足允许和拒绝定义的客户端则拒绝优先。即如无allow from all,则所有客户端均不可访问/var/www/virt1目录。
Orde deny,allow:除了明确定义拒绝的,默认允许所有,同时满足允许和拒绝定义的客户端则允许优先。
2、基于访问控制文件.htaccess(无需重启httpd)
[root@station2 ~]# vi /etc/httpd/conf/httpd.conf
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
#默认配置文件中含有以上行
<Directory /var/www/virt1/test>
Allowoverride all #该行定义http是否检查该目录下.htacess文件及如何检查
</Directory>
#Allowoverride后可接如下参数:
all:全部指令组
none:禁止使用所有指令?,禁止处理.htaccess文件
Authconfig:允许使用与认证授权相关给的指令(AuthDBMGroupFile, AuthDBMUserFile, AuthGroupFile, AuthName, AuthType, AuthUserFile, Require, 等)
FileInfo:允许使用控制文档类型的指令(DefaultType, ErrorDocument, ForceType, LanguagePriority, SetHandler, SetInputFilter, SetOutputFilter, mod_mime中的 Add* 和 Remove* 指令等等) 、控制文档元数据的指令(Header, RequestHeader, SetEnvIf, SetEnvIfNoCase, BrowserMatch, CookieExpires, CookieDomain, CookieStyle, CookieTracking, CookieName)、mod_rewrite中的指令(RewriteEngine, RewriteOptions, RewriteBase, RewriteCond, RewriteRule)和mod_actions中的Action指令。
Indexs:允许使用控制目录索引的指令(AddDescription, AddIcon, AddIconByEncoding, AddIconByType, DefaultIcon, DirectoryIndex, FancyIndexing, HeaderName, IndexIgnore, IndexOptions, ReadmeName, 等)。
Limit:允许使用控制主机访问的指令(Allow, Deny, Order)。
Options[=Option,...]:允许使用控制指定目录功能的指令(Options和XBitHack)。可以在等号后面附加一个逗号分隔的(无空格的)Options选项列表,用来控制允许Options指令使用哪些选项。
[root@station2 ~]# vi /var/www/virt1/test/.htaccess
Order allow,deny
Allow from all
Deny from 192.168.32.33
#禁止192.168.32.33访问test目录,.htaccess详解另述
3、options参数
options 参数如下:
Indexes :Creates a directory listing if no index file is present
ExecCGI: Allows the execution of CGI scripts
Includes: Enables Server Side Includes (SSI)
IncludesNoExec: Enables SSI without executing any commands
FollowSymLinks: Symbolic links are followed
SymLinksIfOwnerMatch: Only if the owner of the symlink is the same as the target file
MultiViews: If a document is available in multiple languages it is displayed according to the
Language: settings for the browser.
All :All options are turned on
None: All options are disabled
实例:
[root@station2 test]# vi /etc/httpd/conf/httpd.conf
<Directory /var/www/virt1/test>
Options Indexes –FollowSymLinks
</Directory>
#indexes显示文件列表,前加-则不显示,客户访问显示拒绝访问目录,建议关闭indexes
#FollowSymLinks:显示链接文件说链接的文件或目录,前加-则不显示,客户访问显示拒绝访问目录,建议关闭