增加用户账号的验证
touch /data/.htpasswd
[root@user10 data]# htpasswd -c /data/.htpasswd user1 #新增第一个账号(-c 会新建文件,文件已存在时会被覆盖,只在第一次使用)
[root@user10 data]# htpasswd /data/.htpasswd user2 #新增第二个账号(不要再加 -c)
编辑/usr/local/apache2/conf/extra/httpd-vhosts.conf
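# Default (first) virtual host: it catches every request whose Host header
# matches none of the server's own names. It is given a placeholder
# ServerName and an empty DocumentRoot so such requests get no site content.
# Apache does not allow a comment on the same line as a directive, so the
# annotations are kept on their own lines.
# NOTE(review): /tmp is world-writable; create /tmp/111 as root with
# restrictive permissions, or point DocumentRoot at a dedicated empty
# directory, so that no local user can place files in it.
<VirtualHost *:80>
    DocumentRoot "/tmp/111/"
    ServerName www.i1111.com
</VirtualHost>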
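# Restrict the directories PHP scripts may open to the site root and /tmp.
# Set this either here in the Apache configuration or in php.ini, not both.
# The trailing slash on each path matters: without it PHP treats the value
# as a prefix, so sibling directories sharing that prefix would be allowed.
# NOTE(review): written outside any <VirtualHost>, this presumably applies
# server-wide; confirm that is intended.
php_admin_value open_basedir "/usr/local/apache2/htdocs/:/tmp/"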
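# Main site. Uses Apache 2.2 access-control syntax (Order/Allow/Deny).
# Apache does not allow a comment on the same line as a directive, so every
# annotation below sits on its own line.
<VirtualHost *:80>
    # ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2/htdocs/"
    # Requests for the server's own domain names are served from here.
    ServerName www.user10.com
    ServerAlias www.12g3a.com
    ServerAlias www.12a.com

    # --- Host-based access control (copied from the main configuration) ---
    <Directory /usr/local/apache2/htdocs/>
        # Options FollowSymLinks
        # (FollowSymLinks governs symlink traversal; directory listings are
        # controlled by Options Indexes.)
        # Ignore .htaccess files under this tree.
        AllowOverride None
        # Allow rules are evaluated first, then Deny rules; a matching Deny wins.
        Order allow,deny
        Allow from all
        # Replace "ip" with the address to block.
        Deny from ip
    </Directory>

    # --- Files with "admin" in the name: address restriction plus login ---
    # Only ip1 and ip2 may request these files. With the default "Satisfy All"
    # the address check and the Basic login must both pass.
    # Basic auth sends the password base64-encoded, not encrypted, and this
    # virtual host listens on plain HTTP (port 80): serve protected paths over
    # TLS before relying on the password.
    <FilesMatch "(.*)admin(.*)">
        Order deny,allow
        Deny from all
        Allow from ip1 ip2
        # AllowOverride is only valid in <Directory> sections and is not
        # needed for auth directives written in the server config, so it is
        # not repeated here.
        AuthName "abc"
        AuthType Basic
        # NOTE(review): the htpasswd commands on this page create
        # /data/.htpasswd; confirm /data/.htpasswd1 exists as well.
        AuthUserFile /data/.htpasswd1
        Require valid-user
    </FilesMatch>

    # --- Logging ---
    # Flag requests for static files so they can be left out of the access log.
    SetEnvIf Request_URI ".*\.gif$" image-request
    SetEnvIf Request_URI ".*\.jpg$" image-request
    SetEnvIf Request_URI ".*\.png$" image-request
    SetEnvIf Request_URI ".*\.bmp$" image-request
    SetEnvIf Request_URI ".*\.swp$" image-request
    SetEnvIf Request_URI ".*\.js$" image-request
    SetEnvIf Request_URI ".*\.css$" image-request
    ErrorLog "logs/user10.com-error_log"
    # Log rotation: the access log is piped to rotatelogs, which starts a new
    # dated file every 86400 seconds (-l uses local time). env=!image-request
    # skips the requests flagged above.
    CustomLog "|/usr/local/apache2/bin/rotatelogs -l /usr/local/apache2/logs/user10.com-access_%Y%m%d_log 86400" combined env=!image-request

    # --- Static-file cache lifetimes ---
    <IfModule mod_expires.c>
        ExpiresActive on
        ExpiresByType image/gif "access plus 1 days"
        ExpiresByType image/jpeg "access plus 24 hours"
        ExpiresByType image/png "access plus 24 hours"
        ExpiresByType text/css "now plus 2 hours"
        ExpiresByType application/x-javascript "now plus 2 hours"
        ExpiresByType application/x-shockwave-flash "now plus 2 hours"
        ExpiresDefault "now plus 0 min"
    </IfModule>

    # --- Hotlink protection ---
    # Whitelist referers whose host part ends in the listed domains. The
    # pattern is anchored to the host: an unanchored ".*\.user10\.com" would
    # also match a foreign URL that merely contains that text in its path or
    # query string.
    # The Referer header is client-supplied and can be forged or left out, so
    # this limits casual embedding only; it is not an access control. Requests
    # with no Referer at all are refused by this rule set.
    SetEnvIfNoCase Referer "^http://[^/]*\.user10\.com(:[0-9]+)?(/|$)" local_ref
    SetEnvIfNoCase Referer "^https?://[^/]*\.user11\.com(:[0-9]+)?(/|$)" local_ref
    <FilesMatch "\.(doc|mp3|zip|rar|jpg|gif|png|js|css|jpeg)">
        # With "Order Allow,Deny" a request must match an Allow rule and is
        # refused otherwise. Adding "Deny from all" here would refuse every
        # request, whitelisted or not, so it is left out.
        Order Allow,Deny
        Allow from env=local_ref
    </FilesMatch>

    # --- Directory in which PHP must never run ---
    <Directory /usr/local/apache2/htdocs/data/>
        # Switch the PHP engine off for this directory.
        php_admin_flag engine off
        # Also refuse the files outright so their source cannot be downloaded.
        <FilesMatch "(.*)php">
            Order deny,allow
            Deny from all
            # Uncomment to let one address download them.
            #Allow from ip
        </FilesMatch>
    </Directory>

    <IfModule mod_rewrite.c>
        RewriteEngine on
        # 301 (permanent) redirect of the alias domains to the main domain.
        # [OR] joins the two conditions; without it both would have to match.
        RewriteCond %{HTTP_HOST} ^www\.12g3a\.com$ [OR]
        RewriteCond %{HTTP_HOST} ^www\.12a\.com$
        RewriteRule ^/(.*)$ http://www.user10.com/$1 [R=301,L]
        # Refuse selected User-Agent strings. NC = case-insensitive,
        # [F] = Forbidden. Comment out a line to stop blocking that agent.
        # The strings are examples; User-Agent is set by the client and is
        # trivially changed, so this only stops clients that do not disguise
        # themselves.
        RewriteCond %{HTTP_USER_AGENT} ^.*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} ^.*chrome.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} ^.*aeg.* [NC]
        RewriteRule .* - [F]
        # Refuse any request whose URI contains /tmp/.
        RewriteCond %{REQUEST_URI} ^.*/tmp/.* [NC]
        RewriteRule .* - [F]
    </IfModule>

    # --- Password-protected directories (Basic auth; see the TLS note above) ---
    <Directory /usr/local/apache2/htdocs/abc/>
        # Lets .htaccess files in this directory set auth directives; it is
        # not required for the directives written here.
        AllowOverride AuthConfig
        AuthName "abc"
        AuthType Basic
        AuthUserFile /data/.htpasswd1
        Require valid-user
    </Directory>
    <Directory /usr/local/apache2/htdocs/bcd/>
        AllowOverride AuthConfig
        AuthName "abc"
        AuthType Basic
        AuthUserFile /data/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>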
检测配置是否正确(注意:下面响应里的 Server 头带出了 Apache、OpenSSL、PHP 的具体版本号,对外服务时可以用 ServerTokens Prod 只显示 Apache)
curl -A "gaega" -x 192.168.0.168:80 {www.12a.com,www.123.com} -I #-A:模拟user_agent
HTTP/1.1 301 Moved Permanently
Date: Tue, 05 Jan 2016 15:51:43 GMT
Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8b DAV/2 PHP/5.5.30
Location: http://www.user10.com/
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 301 Moved Permanently
Date: Tue, 05 Jan 2016 15:51:43 GMT
Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8b DAV/2 PHP/5.5.30
Location: http://www.user10.com/
Content-Type: text/html; charset=iso-8859-1
在主配置文件/usr/local/apache2/conf/httpd.conf里找到 Include conf/extra/httpd-vhosts.conf 这一行,把行首的注释去掉,否则虚拟主机的配置不会被加载,用户验证也就不成功
vim /etc/profile.d/path.sh
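#!/bin/bash
# /etc/profile.d/path.sh: add the MySQL and Apache bin directories to PATH
# so tools such as apachectl and htpasswd resolve without their full path.
# The directories are appended, so system directories keep precedence in
# command lookup.
export PATH=$PATH:/usr/local/mysql/bin:/usr/local/apache2/bin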
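apachectl -M #查看apache加载了哪些模块(static 为编译进去的,shared 为动态加载的);用不到的模块(如 info、status、dav、userdir)可以在 httpd.conf 里注释掉对应的 LoadModule,减少暴露面
[root@user10 ~]# apachectl -M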
Loaded Modules:
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
authn_file_module (shared)
authn_dbm_module (shared)
authn_anon_module (shared)
authn_dbd_module (shared)
authn_default_module (shared)
authz_host_module (shared)
authz_groupfile_module (shared)
authz_user_module (shared)
authz_dbm_module (shared)
authz_owner_module (shared)
authz_default_module (shared)
auth_basic_module (shared)
auth_digest_module (shared)
dbd_module (shared)
dumpio_module (shared)
reqtimeout_module (shared)
ext_filter_module (shared)
include_module (shared)
filter_module (shared)
substitute_module (shared)
deflate_module (shared)
log_config_module (shared)
logio_module (shared)
env_module (shared)
expires_module (shared)
headers_module (shared)
ident_module (shared)
setenvif_module (shared)
version_module (shared)
ssl_module (shared)
mime_module (shared)
dav_module (shared)
status_module (shared)
autoindex_module (shared)
asis_module (shared)
info_module (shared)
cgi_module (shared)
dav_fs_module (shared)
vhost_alias_module (shared)
negotiation_module (shared)
dir_module (shared)
imagemap_module (shared)
actions_module (shared)
speling_module (shared)
userdir_module (shared)
alias_module (shared)
rewrite_module (shared)
php5_module (shared)
Syntax OK
apachectl -l #查看编译进apache的(静态)模块;编译时不指定MPM模式则默认是prefork
[root@user10 ~]# apachectl -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
OR #或者,如果不设置,会被认为两个条件同时存在
(.*) #代表域名(HOST)后面的部分,不包含HOST
/ # 代表将域名省掉
301 #永久重定向
302 #临时重定向
L #代表最后,结束
401 #请求未经授权,需要身份验证返回状态码
403 #禁止访问(Forbidden)
404 #请求的文件不存在
500 #服务器内部错误,常见原因是php的错误
概念:
Apache防盗链:防止网站的东西被盗用
referer:%{Referer}指的是发起当前请求的那个页面的网址。即使先访问自定义域名(www.12a.com)再被跳转到真正的网址(www.user10.com),之后页面内资源请求的referer也是真正的网址(www.user10.com)
点击下一个网址的链接前,当前浏览器所在的网址就是referer
指的是,它从哪里跳过来的。 比如你访问的一个网页地址是http://123.com/1.html 这个页面中有一个网址http://234.com/2.html 你直接点这个链接进入到了 234.com/2.html 那这时候,日志中会记录一条日志 2.html 它的referer是 http://123.com/1.html
访问控制:
发现攻击,可以封IP,从主配置里配置的一个模板复制到虚拟主机的配置里
静态缓存:设置一些图片,css文件的缓存保存时间,当时间一过(即过期以后)那浏览器就会将这些缓存文件进行删除。当再重新打开此网页时,那些文件又会再被重新缓存。
可缓存几个小时或者几天时间,时间过后可重新请求,但不会在服务端请求,从而节省带宽。
[root@user10 ~]# curl -x 192.168.0.168:80 'http://www.user10.com/static/image/common/logo_88_31.gif' -I
HTTP/1.1 200 OK
Date: Thu, 07 Jan 2016 02:49:38 GMT
Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8b DAV/2 PHP/5.5.30
Last-Modified: Mon, 04 Jan 2016 14:51:47 GMT
ETag: "d9087-9e0-52883429d86c0"
Accept-Ranges: bytes
Content-Length: 2528
Cache-Control: max-age=86400
Expires: Fri, 08 Jan 2016 02:49:38 GMT
Content-Type: image/gif
User_agent的概念:浏览器的版本,搜索引擎的爬虫
apache运行的用户就是daemon
apache防盗链的概念:只要referer不是服务器上白名单定义的域名,其他网站引用(插入)该网站的资源就会被拒绝访问。referer由客户端发送,可以伪造,所以防盗链只能减少带宽被盗用,不能当作访问控制
apache日志切割概念:
CustomLog "|/usr/local/apache2/bin/rotatelogs -l /usr/local/apache2/logs/user10.com-access_%Y%m%d_log 86400" combined
| #管道,把日志交给后面的rotatelogs工具处理
86400 或 5M #二选一:86400 单位为秒,即一天切割一个日志;5M 表示一个日志达到5M时切割
/usr/local/apache2/conf/httpd.conf
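<IfModule log_config_module>
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    # Referer and User-Agent are client-supplied values; treat them as
    # untrusted when the logs are processed.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O (custom format).
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    # (Excerpt: the rest of this section, including its closing </IfModule>,
    # is not shown.)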
%h #来源IP
- - #%l(identd 登录名)和 %u 为空时,日志里就这样表示
%u #user,认证的用户名
%t #当前时间
%r #请求行(动作,如 GET /index.php HTTP/1.1)
%{Referer}i #来源网址(referer)
%{User-Agent}i #使用浏览器的相关信息
可限制来源ip使用的user-agent类型;user-agent由客户端自己填写,可以随意伪造(下面的 curl -A 就是例子),这种限制只能挡住不伪装的爬虫
curl -A "ggaweagew" -x ip:80 网址 -I #-A:模仿user_agent
apachectl graceful #重新加载配置
apachectl -S #查询虚拟主机的域名配置所在的文件和行数
apache调用了php的libphp5.so文件
加入启动:
vi /etc/profile.d/path.sh
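#!/bin/bash
# /etc/profile.d/path.sh: add the MySQL and Apache bin directories to PATH
# so tools such as apachectl and htpasswd resolve without their full path.
# The directories are appended, so system directories keep precedence in
# command lookup.
export PATH=$PATH:/usr/local/mysql/bin:/usr/local/apache2/bin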
chmod 755 /etc/profile.d/path.sh