RHS333-10 httpd高级配置-阿里云开发者社区

httpd高级配置

一、虚拟主机配置

1、基于ip

要求：通过192.168.32.31可以访问/var/www/html目录内容，通过192.168.32.32可以访问/var/www/virt目录内容

[root@station1 ~]#vi /etc/httpd/conf/httpd.conf

ServerAdmin netsword@example.com

DocumentRoot /var/www/html

ServerName 192.168.32.31:80

ErrorLog logs/dummy-host.example.com-error_log

CustomLog logs/dummy-host.example.com-access_log common

</VirtualHost>

ServerAdmin netsword@example.com

DocumentRoot /var/www/virt

ServerName 192.168.32.32:80

ErrorLog logs/dummy-host.example.com-error_log

CustomLog logs/dummy-host.example.com-access_log common

</VirtualHost>

2、基于端口

要求：通过192.168.32.31的80端口可以访问/var/www/html目录内容，通过192.168.32.31的8080端口可以访问/var/www/virt目录内容

[root@station1 ~]#vi /etc/httpd/conf/httpd.conf

Listen 80 #此端口配置文件默认就有

Listen 8080 #手动添加此端口

ServerAdmin netsword@example.com

DocumentRoot /var/www/html

ServerName 192.168.32.31:80

ErrorLog logs/dummy-host.example.com-error_log

CustomLog logs/dummy-host.example.com-access_log common

</VirtualHost>

ServerAdmin netsword@example.com

DocumentRoot /var/www/virt

ServerName 192.168.32.31:8080

ErrorLog logs/dummy-host.example.com-error_log

CustomLog logs/dummy-host.example.com-access_log common

</VirtualHost>

3、基于主机头

要求：通过station1.example.com可以访问/var/www/html目录内容，通过www.example.com可以访问/var/www/virt目录内容（注意要求DNS服务器上有这两个网站解析）

[root@station1 ~]#vi /etc/httpd/conf/httpd.conf

NameVirtualHost 192.168.32.31:80 #要求必须由此行，此行表示打开主机头虚拟主机

ServerAdmin netsword@example.com

DocumentRoot /var/www/html

ServerName station1.example.com

ErrorLog logs/dummy-host.example.com-error_log

CustomLog logs/dummy-host.example.com-access_log common

</VirtualHost>

ServerAdmin netsword@example.com

DocumentRoot /var/www/virt

ServerName www.example.com

ErrorLog logs/dummy-host.example.com-error_log

CustomLog logs/dummy-host.example.com-access_log common

</VirtualHost>

二、多种用户认证方式配置

1、使用htpsswd工作生成的密码文件认证用户来源

[root@station1 conf.d]# htpasswd -cm /etc/httpd/.webusers netsword

[root@station1 conf.d]# htpasswd -m /etc/httpd/.webusers netswordster

[root@station1 conf.d]# htpasswd -m /etc/httpd/.webusers zhxy

[root@station1 conf.d]# htpasswd -m /etc/httpd/.webusers zxy

[root@station1 conf.d]# vi /etc/httpd/.webgroup #给用户分组

net:netsword netswordster

zh:zhxy zxy

# -c：表示创建密码文件

# -m：用md5方式加密认证信息

# -D：从密码文件中删除用户

[root@station1 conf.d]#

[root@station1 conf.d]# vi /etc/htttpd/conf/httpd.conf

ServerAdmin netsword@example.com

DocumentRoot /var/www/html

ServerName station1.example.com

AuthName TestAdmin #提示信息

AuthType basic #基本身份认证，即基于密码文件的身份认证

AuthUserFile /etc/httpd/.webusers

Require valid-user #所有授权用户均可访问；

AuthGroupFile /etc/httpd/.webgroup #可访问用户为net组中用户

Require Group net

#valid-user：表所有密码文件中的用户均可访问此目录，也可为Require netsword则表示只有密码文件中netsword账户可以访问此目录

</Directory>

ErrorLog logs/dummy-host.example.com-error_log

CustomLog logs/dummy-host.example.com-access_log common

</VirtualHost>

2、使用MySQL数据库认证用户来源

安装mysql及httpd中mysql认证模块

[root@station1 ~]# yum install mysql-server.i386

[root@station1 ~]# yum install mysql-devel.i386

[root@station1 ~]# yum install mod_auth_mysql.i386

[root@station1 ~]# service mysqld start

[root@station1 ~]# chkconfig mysql on

创建认证用户和认证组

[root@station1 ~]# mysqladmin -u root password redhat

[root@station1 ~]# mysql -uroot -predhat

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 131

Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database apacheusers;

mysql> use apacheusers;

mysql> create table user (name char(25),pwd char(25), primary key (name));

mysql> create table grp (uname char(25),gname char(25),primary key (uname,gname));

mysql> grant select on apacheusers.user to apacheuser@localhost identified by 'redhat';

mysql> grant select on apacheusers.grp to apacheuser@localhost identified by 'redhat';

mysql> insert into user (name,pwd) values ('netsword','111');

mysql> insert into user (name,pwd) values ('netswordster','111');

mysql> insert into user (name,pwd) values ('zhxy','222');

mysql> insert into user (name,pwd) values ('zxy','222');

mysql> insert into grp (uname,gname) values ('netsword','net');

mysql> insert into grp (uname,gname) values ('netswordster','net');

mysql> insert into grp (uname,gname) values ('zhxy','zh');

mysql> insert into grp (uname,gname) values ('zxy','zh');

修改配置文件，开启mysql认证

[root@station1 ~]# vi /etc/httpd/conf/httpd.conf

NameVirtualHost 192.168.32.31:80

ServerAdmin netsword@example.com

DocumentRoot /var/www/html

ServerName station1.example.com

AuthName TestAdmin

AuthType basic

AuthMySQLEnable on

AuthMySQLUser apacheuser

AuthMySQLPassword redhat

AuthMySQLDB apacheusers

AuthMySQLUserTable user

AuthMySQLNameField name

AuthMySQLPasswordField pwd

Require valid-user

AuthMySQLGroupTable grp

AuthMySQLGroupField gname

Require Group net

</Directory>

ErrorLog logs/dummy-host.example.com-error_log

CustomLog logs/dummy-host.example.com-access_log common

</VirtualHost>

三、HTTPS配置

1、自颁发证书

[root@station1 ~]#yum install mod_ssl.i386

[root@station1 ~]#mkdir /etc/httpd/.sslkey

[root@station1 ~]#openssl genrsa -out /etc/httpd/.sslkey/server.key 1024

[root@station1 ~]#openssl req -new -x509 -key /etc/httpd/.sslkey/server.key -out /etc/httpd/.sslkey/server.cert #生成密钥对

[root@station1 ~]#chmod -R 400 /etc/httpd/.sslkey #保证证书安全

[root@station1 ~]#vi /etc/httpd/conf/httpd.conf

ServerAdmin webmaster@dummy-host.example.com

DocumentRoot /var/www/virt

ServerName www.example.com

SSLEngine on #开启ssl认证

SSLCertificateFile /etc/httpd/.sslkey/server.crt #证书文件

SSLCertificateKeyFile /etc/httpd/.sslkey/server.key #密钥文件

</VirtualHost>

四、各种安全参数

1、目录访问控制

[root@station2 ~]# vi /etc/httpd/conf/httpd.conf

Order allow,deny

Allow from all

Deny from 192.168.32.33

</Directory>

#定义访问/var/www/virt1目录权限（含其下子目录）

Order allow,deny：除了明确定义允许的，默认拒绝所有，同时满足允许和拒绝定义的客户端则拒绝优先。即如无allow from all，则所有客户端均不可访问/var/www/virt1目录。

Orde deny，allow：除了明确定义拒绝的，默认允许所有，同时满足允许和拒绝定义的客户端则允许优先。

2、基于访问控制文件.htaccess(无需重启httpd)

[root@station2 ~]# vi /etc/httpd/conf/httpd.conf

AccessFileName .htaccess

Order allow,deny

Deny from all

</Files>

#默认配置文件中含有以上行

Allowoverride all #该行定义http是否检查该目录下.htacess文件及如何检查

</Directory>

#Allowoverride后可接如下参数：

all：全部指令组

none：禁止使用所有指令?，禁止处理.htaccess文件

Authconfig：允许使用与认证授权相关给的指令(AuthDBMGroupFile, AuthDBMUserFile, AuthGroupFile, AuthName, AuthType, AuthUserFile, Require, 等)

FileInfo：允许使用控制文档类型的指令(DefaultType, ErrorDocument, ForceType, LanguagePriority, SetHandler, SetInputFilter, SetOutputFilter, mod_mime中的 Add* 和 Remove* 指令等等) 、控制文档元数据的指令(Header, RequestHeader, SetEnvIf, SetEnvIfNoCase, BrowserMatch, CookieExpires, CookieDomain, CookieStyle, CookieTracking, CookieName)、mod_rewrite中的指令(RewriteEngine, RewriteOptions, RewriteBase, RewriteCond, RewriteRule)和mod_actions中的Action指令。

Indexs：允许使用控制目录索引的指令(AddDescription, AddIcon, AddIconByEncoding, AddIconByType, DefaultIcon, DirectoryIndex, FancyIndexing, HeaderName, IndexIgnore, IndexOptions, ReadmeName, 等)。

Limit：允许使用控制主机访问的指令(Allow, Deny, Order)。

Options[=Option,...]：允许使用控制指定目录功能的指令(Options和XBitHack)。可以在等号后面附加一个逗号分隔的(无空格的)Options选项列表，用来控制允许Options指令使用哪些选项。

[root@station2 ~]# vi /var/www/virt1/test/.htaccess

Order allow,deny

Allow from all

Deny from 192.168.32.33

#禁止192.168.32.33访问test目录，.htaccess详解另述

3、options参数

options 参数如下：

Indexes ：Creates a directory listing if no index file is present

ExecCGI： Allows the execution of CGI scripts

Includes： Enables Server Side Includes (SSI)

IncludesNoExec： Enables SSI without executing any commands

FollowSymLinks： Symbolic links are followed

SymLinksIfOwnerMatch： Only if the owner of the symlink is the same as the target file

MultiViews： If a document is available in multiple languages it is displayed according to the

Language： settings for the browser.

All ：All options are turned on

None： All options are disabled

实例：

[root@station2 test]# vi /etc/httpd/conf/httpd.conf

Options Indexes –FollowSymLinks

</Directory>

#indexes显示文件列表，前加-则不显示，客户访问显示拒绝访问目录，建议关闭indexes

#FollowSymLinks：显示链接文件说链接的文件或目录，前加-则不显示，客户访问显示拒绝访问目录，建议关闭

本文转自netsword 51CTO博客，原文链接:http://blog.51cto.com/netsword/504044

RHS333-10 httpd高级配置

热门文章

最新文章

相关电子书