RHCA教程:RHS333-10 httpd高级配置

 

httpd高级配置
一、虚拟主机配置
1、基于ip
要求：通过192.168.32.31可以访问/var/www/html目录内容，通过192.168.32.32可以访  问/var/www/virt目录内容
[root@station1 ~]#vi /etc/httpd/conf/httpd.conf
<VirtualHost 192.168.32.31:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ServerName 192.168.32.31:80
    ErrorLog logs/dummy-host.example.com-error_log
    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
 
<VirtualHost 192.168.32.32:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/virt
    ServerName 192.168.32.32:80
    ErrorLog logs/dummy-host.example.com-error_log
    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
 
2、基于端口
要求：通过192.168.32.31的80端口可以访问/var/www/html目录内容，通过192.168.32.31的8080端口可以访问/var/www/virt目录内容
[root@station1 ~]#vi /etc/httpd/conf/httpd.conf
Listen 80            #此端口配置文件默认就有
Listen 8080          #手动添加此端口
<VirtualHost 192.168.32.31:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ServerName 192.168.32.31:80
    ErrorLog logs/dummy-host.example.com-error_log
    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
 
<VirtualHost 192.168.32.31:8080>
    ServerAdmin [email protected]
    DocumentRoot /var/www/virt
    ServerName 192.168.32.31:8080
    ErrorLog logs/dummy-host.example.com-error_log
    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
 
3、基于主机头
要求：通过station1.example.com可以访问/var/www/html目录内容，通过www.example.com可以访问/var/www/virt目录内容  （注意要求DNS服务器上有这两个网站解析）
[root@station1 ~]#vi /etc/httpd/conf/httpd.conf
NameVirtualHost 192.168.32.31:80   #要求必须由此行，此行表示打开主机头虚拟主机
<VirtualHost 192.168.32.31:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ServerName station1.example.com
    ErrorLog logs/dummy-host.example.com-error_log
    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
 
<VirtualHost 192.168.32.31:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/virt
    ServerName www.example.com
    ErrorLog logs/dummy-host.example.com-error_log
    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
 
二、多种用户认证方式配置
1、使用htpsswd工作生成的密码文件认证用户来源
[root@station1 conf.d]# htpasswd -cm /etc/httpd/.webusers linuxidc
[root@station1 conf.d]# htpasswd -m /etc/httpd/.webusers linuxidcster
[root@station1 conf.d]# htpasswd -m /etc/httpd/.webusers zhxy
[root@station1 conf.d]# htpasswd -m /etc/httpd/.webusers zxy
[root@station1 conf.d]# vi /etc/httpd/.webgroup  #给用户分组
net:linuxidc linuxidcster
zh:zhxy zxy
  # -c：表示创建密码文件
  # -m：用md5方式加密认证信息
  # -D：从密码文件中删除用户
[root@station1 conf.d]#
[root@station1 conf.d]# vi /etc/htttpd/conf/httpd.conf
<VirtualHost 192.168.32.31:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ServerName station1.example.com
 
  <Directory /var/www/html>
     AuthName TestAdmin    #提示信息
     AuthType basic        #基本身份认证，即基于密码文件的身份认证
     AuthUserFile /etc/httpd/.webusers
     Require valid-user                      #所有授权用户均可访问；
     AuthGroupFile /etc/httpd/.webgroup      #可访问用户为net组中用户
     Require Group net          
#valid-user：表所有密码文件中的用户均可访问此目录，也可为Require linuxidc则表示只有密码文件中linuxidc账户可以访问此目录
 </Directory>
 
    ErrorLog logs/dummy-host.example.com-error_log
    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
 
2、使用MySQL数据库认证用户来源
安装mysql及httpd中mysql认证模块
[root@station1 ~]# yum install mysql-server.i386
[root@station1 ~]# yum install mysql-devel.i386
[root@station1 ~]# yum install mod_auth_mysql.i386
[root@station1 ~]# service mysqld start
[root@station1 ~]# chkconfig mysql on
创建认证用户和认证组
   [root@station1 ~]# mysqladmin -u root password RedHat
   [root@station1 ~]# mysql -uroot -p RedHat
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 131
Server version: 5.0.77 Source distribution
 
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
 
mysql> create database apacheusers;
mysql> use apacheusers;
mysql> create table user (name char(25),pwd char(25), primary key (name));
mysql> create table grp (uname char(25),gname char(25),primary key (uname,gname));
mysql> grant select on apacheusers.user to apacheuser@localhost identified by ' RedHat';
mysql> grant select on apacheusers.grp to apacheuser@localhost identified by ' RedHat';
mysql> insert into user (name,pwd) values ('linuxidc','111');
mysql> insert into user (name,pwd) values ('linuxidcster','111');
mysql> insert into user (name,pwd) values ('zhxy','222');
    mysql> insert into user (name,pwd) values ('zxy','222');
    mysql> insert into grp (uname,gname) values ('linuxidc','net');
    mysql> insert into grp (uname,gname) values ('linuxidcster','net');
    mysql> insert into grp (uname,gname) values ('zhxy','zh');
    mysql> insert into grp (uname,gname) values ('zxy','zh');
修改配置文件，开启mysql认证
   [root@station1 ~]# vi /etc/httpd/conf/httpd.conf
       NameVirtualHost 192.168.32.31:80
<VirtualHost 192.168.32.31:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ServerName station1.example.com
 
  <Directory /var/www/html>
     AuthName TestAdmin
     AuthType basic
     AuthMySQLEnable on
     AuthMySQLUser apacheuser
     AuthMySQLPassword RedHat
     AuthMySQLDB apacheusers
     AuthMySQLUserTable user
     AuthMySQLNameField name
     AuthMySQLPasswordField pwd
     Require valid-user
 
     AuthMySQLGroupTable grp
     AuthMySQLGroupField gname
     Require Group net
 
 </Directory>
 
    ErrorLog logs/dummy-host.example.com-error_log
    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>

三、HTTPS配置
1、自颁发证书
[root@station1 ~]#yum install mod_ssl.i386
[root@station1 ~]#mkdir /etc/httpd/.sslkey
[root@station1 ~]#openssl genrsa -out /etc/httpd/.sslkey/server.key 1024
[root@station1 ~]#openssl req -new -x509 -key /etc/httpd/.sslkey/server.key -out /etc/httpd/.sslkey/server.cert #生成密钥对
[root@station1 ~]#chmod -R 400 /etc/httpd/.sslkey    #保证证书安全
[root@station1 ~]#vi /etc/httpd/conf/httpd.conf
 <VirtualHost 192.168.32.31:443>
    ServerAdmin [email protected]
    DocumentRoot /var/www/virt
    ServerName www.example.com
    SSLEngine on                                         #开启ssl认证
    SSLCertificateFile /etc/httpd/.sslkey/server.crt     #证书文件
    SSLCertificateKeyFile /etc/httpd/.sslkey/server.key  #密钥文件
</VirtualHost>
 
四、各种安全参数
1、目录访问控制
 [root@station2 ~]# vi /etc/httpd/conf/httpd.conf
   <Directory /var/www/virt1> 
    Order allow,deny
    Allow from all
    Deny from 192.168.32.33
   </Directory>
   #定义访问/var/www/virt1目录权限（含其下子目录）
  Order allow,deny：除了明确定义允许的，默认拒绝所有，同时满足允许和拒绝定义的客户端则拒绝优先。即如无allow from all，则所有客户端均不可访问/var/www/virt1目录。
  Orde deny，allow：除了明确定义拒绝的，默认允许所有，同时满足允许和拒绝定义的客户端则允许优先。
2、基于访问控制文件.htaccess(无需重启httpd)
[root@station2 ~]# vi /etc/httpd/conf/httpd.conf
AccessFileName .htaccess  
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
#默认配置文件中含有以上行
<Directory /var/www/virt1/test> 
    Allowoverride all  #该行定义http是否检查该目录下.htacess文件及如何检查
   </Directory>
#Allowoverride后可接如下参数：
all：全部指令组
none：禁止使用所有指令?，禁止处理.htaccess文件
Authconfig：允许使用与认证授权相关给的指令(AuthDBMGroupFile, AuthDBMUserFile, AuthGroupFile, AuthName, AuthType, AuthUserFile, Require, 等)
FileInfo：允许使用控制文档类型的指令(DefaultType, ErrorDocument, ForceType, LanguagePriority, SetHandler, SetInputFilter, SetOutputFilter, mod_mime中的 Add* 和 Remove* 指令等等) 、控制文档元数据的指令(Header, RequestHeader, SetEnvIf, SetEnvIfNoCase, BrowserMatch, CookieExpires, CookieDomain, CookieStyle, CookieTracking, CookieName)、mod_rewrite中的指令(RewriteEngine, RewriteOptions, RewriteBase, RewriteCond, RewriteRule)和mod_actions中的Action指令。
Indexs：允许使用控制目录索引的指令(AddDescription, AddIcon, AddIconByEncoding, AddIconByType, DefaultIcon, DirectoryIndex, FancyIndexing, HeaderName, IndexIgnore, IndexOptions, ReadmeName, 等)。
Limit：允许使用控制主机访问的指令(Allow, Deny, Order)。
Options[=Option,...]：允许使用控制指定目录功能的指令(Options和XBitHack)。可以在等号后面附加一个逗号分隔的(无空格的)Options选项列表，用来控制允许Options指令使用哪些选项。
[root@station2 ~]# vi /var/www/virt1/test/.htaccess
Order allow,deny
Allow from all
Deny from 192.168.32.33
#禁止192.168.32.33访问test目录，.htaccess详解另述
 
3、options参数
options 参数如下：
  Indexes ：Creates a directory listing if no index file is present
  ExecCGI： Allows the execution of CGI scripts
  Includes： Enables Server Side Includes (SSI)
  IncludesNoExec： Enables SSI without executing any commands
  FollowSymLinks： Symbolic links are followed
  SymLinksIfOwnerMatch： Only if the owner of the symlink is the same as the target file
  MultiViews： If a document is available in multiple languages it is displayed according to the
  Language： settings for the browser.
  All ：All options are turned on
  None： All options are disabled
实例：
 [root@station2 test]# vi /etc/httpd/conf/httpd.conf
<Directory /var/www/virt1/test>
Options  Indexes –FollowSymLinks  
   </Directory>
#indexes显示文件列表，前加-则不显示，客户访问显示拒绝访问目录，建议关闭indexes
#FollowSymLinks：显示链接文件说链接的文件或目录，前加-则不显示，客户访问显示拒绝访问目录，建议关闭

转自:http://www.linuxidc.com/Linux/2011-04/34973p2.htm