• Search results for secure_auth

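Question

CentOS secure log analysis

Hello everyone, I'm a beginner. On my Alibaba Cloud ECS web server, I found a large number of records like FAILED LOGIN 1 FROM localhost FOR XXX in the /var/log/secure log. Does localhost mean these are records of failed logins from the local machine? But...
百戰天龍 2019-12-01 20:00:19 3060 views, 4 answers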

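Question

warm cluster service orchestration: introduction

Container Service supports Docker Compose orchestration templates for describing multi-container applications. An orchestration template lets you describe a complete application, which can consist of many services. For example: a portal website application consisting of an Nginx service, a Web...
青蛙跳 2019-12-01 21:34:46 735 views, 0 answers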

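Question

Just installed the latest WAMP, and it can't be reached from the external network

Apache 2.4, and I changed the configuration as required. Local access works, but access from the external network doesn't. The ECS runs Windows Server 2016. Apache reports this error. Accessing the web page looks like this. What is going on? httpd.conf contents...
nieky 2019-12-01 20:58:24 3743 views, 1 answer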

Question

nginx build and install fails with an error, not sure why?

Running configure works fine: ./configure \ --prefix=/usr/local/nginx \ --sbin-path=/usr/sbin/nginx \ --conf-path=/etc/n...
ydjy2009 2019-12-01 21:19:32 4286 views, 3 answers

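Question

Overview of Swarm mode cluster service orchestration

Container Service supports Docker Compose orchestration templates for describing multi-container applications. An orchestration template lets you describe a complete application, which can consist of many services. For example: a portal website application consisting of an Nginx service, a Web...
反向一觉 2019-12-01 21:22:03 1379 views, 0 answers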

Answer

Post the complete configuration @皮总

```apache
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do not begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/site01/program/apache"

#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:logs

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_form_module modules/mod_auth_form.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule allowmethods_module modules/mod_allowmethods.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
#LoadModule socache_memcache_module modules/mod_socache_memcache.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule buffer_module modules/mod_buffer.so
#LoadModule ratelimit_module modules/mod_ratelimit.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule request_module modules/mod_request.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule sed_module modules/mod_sed.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule log_debug_module modules/mod_log_debug.so
#LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
#LoadModule remoteip_module modules/mod_remoteip.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule session_module modules/mod_session.so
#LoadModule session_cookie_module modules/mod_session_cookie.so
#LoadModule session_dbd_module modules/mod_session_dbd.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule ssl_module modules/mod_ssl.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule info_module modules/mod_info.so
#LoadModule cgid_module modules/mod_cgid.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
#LoadModule actions_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so

<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User daemon
Group daemon

</IfModule>

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin you@example.com

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    Options Indexes FollowSymLinks Includes
    AllowOverride None
    Order allow,deny
    Allow from all
    Satisfy all
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/site01/program/apache/htdocs"
<Directory "/site01/program/apache/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named explicitly --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important. Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html index.jsp
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
    Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you do define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here. Contrariwise, if you do
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and not in this file.
    #
    CustomLog "logs/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar
    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL. You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.
    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client. The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/site01/program/apache/cgi-bin/"
</IfModule>

<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock cgisock
</IfModule>

#
# "/site01/program/apache/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/site01/program/apache/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig conf/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi
    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    AddType text/html .htm .html .shtm
    AddOutputFilter INCLUDES .htm .html .shtm
</IfModule>

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile conf/magic

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on

# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.

# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf

# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf

# Language settings
#Include conf/extra/httpd-languages.conf

# User home directories
#Include conf/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf

# Virtual hosts
Include conf/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf

# Various default settings
#Include conf/extra/httpd-default.conf

# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
#
# uncomment out the below to deal with user agents that deliberately
# violate open standards by misusing DNT (DNT must be a specific
# end-user choice)
#
#<IfModule setenvif_module>
#BrowserMatch "MSIE 10.0;" bad_DNT
#</IfModule>
#<IfModule headers_module>
#RequestHeader unset DNT env=bad_DNT
#</IfModule>
include conf/mod_jk.conf
```

How did you write that rewrite under your Apache 2.4? http://www.oschina.net/question/77331_2143982 -- please take a look and see what I got wrong. It also worked in the original IIS, but it stopped working after I switched servers.

Reply to @皮总: Thanks 皮总, got it working. My regex works on Windows but not on Linux; I switched to a different approach and it's fine now.

It's still not complete, your Rewrite-related part didn't come out.
爱吃鱼的程序员 2020-06-22 19:46:06 0 views, 0 answers

Question

ESC Ubuntu 14.04 system fails to start after installing and configuring ldap-client

Below is the process of installing and configuring ldap-client: apt-get install sudo-ldap libpam-ldap libnss-ldap sed -i "s/compat/files ldap/g" /...
aimeizhuyi 2019-12-01 21:45:17 6292 views, 1 answer

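Question

Apache reports the error "the requested operation has failed"

After installing Apache, restarting the server gives the message "the requested operation has failed". I checked that port 80 is not in use. Using the command: httpd.exe -w -n "Apache2" -k star...
失望 2019-12-01 21:00:00 14097 views, 2 answers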

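Question

Differences in default parameter values between MySQL 5.5 and 5.6 400 request error

As part of a performance comparison between MySQL 5.5 and 5.6, I looked into the differences in default parameters between the two versions. To see what differs, I ran the following SQL statement on MySQL 5.5 and 5.6 respectively...
kun坤 2020-05-30 15:15:15 0 views, 1 answer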

回答

回1楼梦丫头的帖子 apache  弄了一天了  没弄明白,各种问题....................才想换 不知道那个好! ------------------------- 回3楼梦丫头的帖子 配置好后,访问很慢,很慢,导致打不开,不知道什么问题, 以下是配置文件 # # This is the main Apache HTTP server configuration file.  It contains the # configuration directives that give the server its instructions. # See <URL:http://httpd.apache.org/docs/2.4/> for detailed information. # In particular, see # <URL:http://httpd.apache.org/docs/2.4/mod/directives.html> # for a discussion of each configuration directive. # # Do NOT simply read the instructions in here without understanding # what they do.  They're here only as hints or reminders.  If you are unsure # consult the online docs. You have been warned.   # # Configuration and logfile names: If the filenames you specify for many # of the server's control files begin with "/" (or "drive:/" for Win32), the # server will use that explicit path.  If the filenames do *not* begin # with "/", the value of ServerRoot is prepended -- so "logs/access_log" # with ServerRoot set to "/usr/local/apache2" will be interpreted by the # server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" # will be interpreted as '/logs/access_log'. # # NOTE: Where filenames are specified, you must use forward slashes # instead of backslashes (e.g., "c:/apache" instead of "c:\apache"). # If a drive letter is omitted, the drive on which httpd.exe is located # will be used by default.  It is recommended that you always supply # an explicit drive letter in absolute paths to avoid confusion. # # ServerRoot: The top of the directory tree under which the server's # configuration, error, and log files are kept. # # Do not add a slash at the end of the directory path.  If you point # ServerRoot at a non-local disk, be sure to specify a local disk on the # Mutex directive, if file-based mutexes are used.  If you wish to share the # same ServerRoot for multiple httpd daemons, you will need to change at # least PidFile. 
# Define SRVROOT "/Apache24" ServerRoot "D:/HJ/Apache24" # # Mutex: Allows you to set the mutex mechanism and mutex file directory # for individual mutexes, or change the global defaults # # Uncomment and change the directory if mutexes are file-based and the default # mutex file directory is not on a local disk or is not appropriate for some # other reason. # # Mutex default:logs # # Listen: Allows you to bind Apache to specific IP addresses and/or # ports, instead of the default. See also the <VirtualHost> # directive. # # Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses. # #Listen 12.34.56.78:80 Listen 80 # # Dynamic Shared Object (DSO) Support # # To be able to use the functionality of a module which was built as a DSO you # have to place corresponding `LoadModule' lines at this location so the # directives contained in it are actually available _before_ they are used. # Statically compiled modules (those listed by `httpd -l') do not need # to be loaded here. 
# # Example: # LoadModule foo_module modules/mod_foo.so # #LoadModule access_compat_module modules/mod_access_compat.so LoadModule actions_module modules/mod_actions.so LoadModule alias_module modules/mod_alias.so LoadModule allowmethods_module modules/mod_allowmethods.so LoadModule asis_module modules/mod_asis.so LoadModule auth_basic_module modules/mod_auth_basic.so #LoadModule auth_digest_module modules/mod_auth_digest.so #LoadModule auth_form_module modules/mod_auth_form.so #LoadModule authn_anon_module modules/mod_authn_anon.so LoadModule authn_core_module modules/mod_authn_core.so #LoadModule authn_dbd_module modules/mod_authn_dbd.so #LoadModule authn_dbm_module modules/mod_authn_dbm.so LoadModule authn_file_module modules/mod_authn_file.so #LoadModule authn_socache_module modules/mod_authn_socache.so #LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so LoadModule authz_core_module modules/mod_authz_core.so #LoadModule authz_dbd_module modules/mod_authz_dbd.so #LoadModule authz_dbm_module modules/mod_authz_dbm.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_host_module modules/mod_authz_host.so #LoadModule authz_owner_module modules/mod_authz_owner.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule autoindex_module modules/mod_autoindex.so #LoadModule buffer_module modules/mod_buffer.so #LoadModule cache_module modules/mod_cache.so #LoadModule cache_disk_module modules/mod_cache_disk.so #LoadModule cache_socache_module modules/mod_cache_socache.so #LoadModule cern_meta_module modules/mod_cern_meta.so LoadModule cgi_module modules/mod_cgi.so #LoadModule charset_lite_module modules/mod_charset_lite.so #LoadModule data_module modules/mod_data.so #LoadModule dav_module modules/mod_dav.so #LoadModule dav_fs_module modules/mod_dav_fs.so #LoadModule dav_lock_module modules/mod_dav_lock.so #LoadModule dbd_module modules/mod_dbd.so #LoadModule 
deflate_module modules/mod_deflate.so LoadModule dir_module modules/mod_dir.so #LoadModule dumpio_module modules/mod_dumpio.so LoadModule env_module modules/mod_env.so #LoadModule expires_module modules/mod_expires.so #LoadModule ext_filter_module modules/mod_ext_filter.so #LoadModule file_cache_module modules/mod_file_cache.so #LoadModule filter_module modules/mod_filter.so #LoadModule headers_module modules/mod_headers.so #LoadModule heartbeat_module modules/mod_heartbeat.so #LoadModule heartmonitor_module modules/mod_heartmonitor.so #LoadModule ident_module modules/mod_ident.so #LoadModule imagemap_module modules/mod_imagemap.so LoadModule include_module modules/mod_include.so LoadModule info_module modules/mod_info.so LoadModule isapi_module modules/mod_isapi.so #LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so #LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so #LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so #LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so #LoadModule ldap_module modules/mod_ldap.so #LoadModule logio_module modules/mod_logio.so LoadModule log_config_module modules/mod_log_config.so #LoadModule log_debug_module modules/mod_log_debug.so #LoadModule log_forensic_module modules/mod_log_forensic.so #LoadModule lua_module modules/mod_lua.so #LoadModule macro_module modules/mod_macro.so LoadModule mime_module modules/mod_mime.so #LoadModule mime_magic_module modules/mod_mime_magic.so LoadModule negotiation_module modules/mod_negotiation.so #LoadModule proxy_module modules/mod_proxy.so #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so #LoadModule proxy_connect_module modules/mod_proxy_connect.so #LoadModule proxy_express_module modules/mod_proxy_express.so #LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so #LoadModule proxy_html_module 
modules/mod_proxy_html.so #LoadModule proxy_http_module modules/mod_proxy_http.so #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so #LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so #LoadModule ratelimit_module modules/mod_ratelimit.so #LoadModule reflector_module modules/mod_reflector.so #LoadModule remoteip_module modules/mod_remoteip.so #LoadModule request_module modules/mod_request.so #LoadModule reqtimeout_module modules/mod_reqtimeout.so #LoadModule rewrite_module modules/mod_rewrite.so #LoadModule sed_module modules/mod_sed.so #LoadModule session_module modules/mod_session.so #LoadModule session_cookie_module modules/mod_session_cookie.so #LoadModule session_crypto_module modules/mod_session_crypto.so #LoadModule session_dbd_module modules/mod_session_dbd.so LoadModule setenvif_module modules/mod_setenvif.so #LoadModule slotmem_plain_module modules/mod_slotmem_plain.so #LoadModule slotmem_shm_module modules/mod_slotmem_shm.so #LoadModule socache_dbm_module modules/mod_socache_dbm.so #LoadModule socache_memcache_module modules/mod_socache_memcache.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so #LoadModule speling_module modules/mod_speling.so LoadModule ssl_module modules/mod_ssl.so LoadModule status_module modules/mod_status.so #LoadModule substitute_module modules/mod_substitute.so #LoadModule unique_id_module modules/mod_unique_id.so #LoadModule userdir_module modules/mod_userdir.so #LoadModule usertrack_module modules/mod_usertrack.so #LoadModule version_module modules/mod_version.so LoadModule vhost_alias_module modules/mod_vhost_alias.so #LoadModule watchdog_module modules/mod_watchdog.so #LoadModule xml2enc_module modules/mod_xml2enc.so <IfModule unixd_module> # # If you wish httpd to run as a different user or group, you must run # httpd as root initially and it will switch.   # # User/Group: The name (or #number) of the user/group to run httpd as. 
# It is usually good practice to create a dedicated user and group for # running httpd, as with most system services. # User daemon Group daemon </IfModule> # 'Main' server configuration # # The directives in this section set up the values used by the 'main' # server, which responds to any requests that aren't handled by a # <VirtualHost> definition.  These values also provide defaults for # any <VirtualHost> containers you may define later in the file. # # All of these directives may appear inside <VirtualHost> containers, # in which case these default settings will be overridden for the # virtual host being defined. # # # ServerAdmin: Your address, where problems with the server should be # e-mailed.  This address appears on some server-generated pages, such # as error documents.  e.g. admin@your-domain.com # ServerAdmin admin@example.com # # ServerName gives the name and port that the server uses to identify itself. # This can often be determined automatically, but we recommend you specify # it explicitly to prevent problems during startup. # # If your host doesn't have a registered DNS name, enter its IP address here. # ServerName localhost:80 # # Deny access to the entirety of your server's filesystem. You must # explicitly permit access to web content directories in other # <Directory> blocks below. # <Directory />     AllowOverride none     Require all denied </Directory> # # Note that from this point forward you must specifically allow # particular features to be enabled - so if something's not working as # you might expect, make sure that you have specifically enabled it # below. # # # DocumentRoot: The directory out of which you will serve your # documents. By default, all requests are taken from this directory, but # symbolic links and aliases may be used to point to other locations. 
# DocumentRoot "d:/wed" <Directory "d:/wed">     #     # Possible values for the Options directive are "None", "All",     # or any combination of:     #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews     #     # Note that "MultiViews" must be named *explicitly* --- "Options All"     # doesn't give it to you.     #     # The Options directive is both complicated and important.  Please see     # http://httpd.apache.org/docs/2.4/mod/core.html#options     # for more information.     #     Options Indexes FollowSymLinks     #     # AllowOverride controls what directives may be placed in .htaccess files.     # It can be "All", "None", or any combination of the keywords:     #   Options FileInfo AuthConfig Limit     #     AllowOverride FileInfo     #     # Controls who can get stuff from this server.     #     Require all granted </Directory> # # DirectoryIndex: sets the file that Apache will serve if a directory # is requested. # <IfModule dir_module>     DirectoryIndex index.php index.htm index.html </IfModule> # # The following lines prevent .htaccess and .htpasswd files from being # viewed by Web clients. # <Files ".ht*">     Require all denied </Files> # # ErrorLog: The location of the error log file. # If you do not specify an ErrorLog directive within a <VirtualHost> # container, error messages relating to that virtual host will be # logged here.  If you *do* define an error logfile for a <VirtualHost> # container, that host's errors will be logged there and not here. # ErrorLog "logs/error.log" # # LogLevel: Control the number of messages logged to the error_log. # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. # LogLevel warn <IfModule log_config_module>     #     # The following directives define some format nicknames for use with     # a CustomLog directive (see below).     
#     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined     LogFormat "%h %l %u %t \"%r\" %>s %b" common     <IfModule logio_module>       # You need to enable mod_logio.c to use %I and %O       LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio     </IfModule>     #     # The location and format of the access logfile (Common Logfile Format).     # If you do not define any access logfiles within a <VirtualHost>     # container, they will be logged here.  Contrariwise, if you *do*     # define per-<VirtualHost> access logfiles, transactions will be     # logged therein and *not* in this file.     #     CustomLog "logs/access.log" common     #     # If you prefer a logfile with access, agent, and referer information     # (Combined Logfile Format) you can use the following directive.     #     #CustomLog "logs/access.log" combined </IfModule> <IfModule alias_module>     #     # Redirect: Allows you to tell clients about documents that used to     # exist in your server's namespace, but do not anymore. The client     # will make a new request for the document at its new location.     # Example:     # Redirect permanent /foo http://www.example.com/bar     #     # Alias: Maps web paths into filesystem paths and is used to     # access content that does not live under the DocumentRoot.     # Example:     # Alias /webpath /full/filesystem/path     #     # If you include a trailing / on /webpath then the server will     # require it to be present in the URL.  You will also likely     # need to provide a <Directory> section to allow access to     # the filesystem path.     #     # ScriptAlias: This controls which directories contain server scripts.     # ScriptAliases are essentially the same as Aliases, except that     # documents in the target directory are treated as applications and     # run by the server when requested rather than as documents sent to the     # client.  
The same rules about trailing "/" apply to ScriptAlias     # directives as to Alias.     #     ScriptAlias /cgi-bin/ "d:/Apache24/cgi-bin/" </IfModule> <IfModule cgid_module>     #     # ScriptSock: On threaded servers, designate the path to the UNIX     # socket used to communicate with the CGI daemon of mod_cgid.     #     #Scriptsock logs/cgisock </IfModule> # # "${SRVROOT}/cgi-bin" should be changed to whatever your ScriptAliased # CGI directory exists, if you have that configured. # <Directory "d:/HJ/Apache24/cgi-bin">     AllowOverride None     Options None     Require all granted </Directory> <IfModule mime_module>     #     # TypesConfig points to the file containing the list of mappings from     # filename extension to MIME-type.     #     TypesConfig conf/mime.types     #     # AddType allows you to add to or override the MIME configuration     # file specified in TypesConfig for specific file types.     #     #AddType application/x-gzip .tgz     #     # AddEncoding allows you to have certain browsers uncompress     # information on the fly. Note: Not all browsers support this.     #     #AddEncoding x-compress .Z     #AddEncoding x-gzip .gz .tgz     #     # If the AddEncoding directives above are commented-out, then you     # probably should define those extensions to indicate media types:     #     AddType application/x-compress .Z     AddType application/x-gzip .gz .tgz     #     # AddHandler allows you to map certain file extensions to "handlers":     # actions unrelated to filetype. These can be either built into the server     # or added with the Action directive (see below)     #     # To use CGI scripts outside of ScriptAliased directories:     # (You will also need to add "ExecCGI" to the "Options" directive.)     #     #AddHandler cgi-script .cgi .pl     # For type maps (negotiated resources):     #AddHandler type-map var     #     # Filters allow you to process content before it is sent to the client.     
#     # To parse .shtml files for server-side includes (SSI):     # (You will also need to add "Includes" to the "Options" directive.)     #     #AddType text/html .shtml     #AddOutputFilter INCLUDES .shtml </IfModule> # # The mod_mime_magic module allows the server to use various hints from the # contents of the file itself to determine its type.  The MIMEMagicFile # directive tells the module where the hint definitions are located. # #MIMEMagicFile conf/magic # # Customizable error responses come in three flavors: # 1) plain text 2) local redirects 3) external redirects # # Some examples: #ErrorDocument 500 "The server made a boo boo." #ErrorDocument 404 /missing.html #ErrorDocument 404 "/cgi-bin/missing_handler.pl" #ErrorDocument 402 http://www.example.com/subscription_info.html # # # MaxRanges: Maximum number of Ranges in a request before # returning the entire resource, or one of the special # values 'default', 'none' or 'unlimited'. # Default setting is to accept 200 Ranges. #MaxRanges unlimited # # EnableMMAP and EnableSendfile: On systems that support it, # memory-mapping or the sendfile syscall may be used to deliver # files.  This usually improves server performance, but must # be turned off when serving from networked-mounted # filesystems or if support for these functions is otherwise # broken on your system. # Defaults: EnableMMAP On, EnableSendfile Off # #EnableMMAP off #EnableSendfile on #AcceptFilter http none #AcceptFilter https none # Supplemental configuration # # The configuration files in the conf/extra/ directory can be # included to add extra features or to modify the default configuration of # the server, or you may simply copy their contents here and change as # necessary. 
# Server-pool management (MPM specific) #Include conf/extra/httpd-mpm.conf # Multi-language error messages #Include conf/extra/httpd-multilang-errordoc.conf # Fancy directory listings Include conf/extra/httpd-autoindex.conf # Language settings #Include conf/extra/httpd-languages.conf # User home directories #Include conf/extra/httpd-userdir.conf # Real-time info on requests and configuration Include conf/extra/httpd-info.conf # Virtual hosts Include conf/extra/httpd-vhosts.conf # Local access to the Apache HTTP Server Manual #Include conf/extra/httpd-manual.conf # Distributed authoring and versioning (WebDAV) #Include conf/extra/httpd-dav.conf # Various default settings #Include conf/extra/httpd-default.conf # Configure mod_proxy_html to understand HTML4/XHTML1 <IfModule proxy_html_module> Include conf/extra/httpd-proxy-html.conf </IfModule> # Secure (SSL/TLS) connections # Note: The following must must be present to support #       starting without SSL on platforms with no /dev/random equivalent #       but a statically compiled-in mod_ssl. # <IfModule ssl_module> #Include conf/extra/httpd-ssl.conf Include conf/extra/httpd-ahssl.conf SSLRandomSeed startup builtin SSLRandomSeed connect builtin </IfModule> LoadModule php5_module "d:/HJ/php/php5apache2_4.dll" AddHandler application/x-httpd-php .php PHPIniDir "d:/HJ/php"
-------------------------
Reply to 梦丫头's post (#5): This is the Apache configuration file, httpd.conf
失望 2019-12-02 03:07:31 0 views 0 answers

Answer

Reply to dongshan8's post (#1): I reinstalled Apache as version 2.4 and that problem is gone. But now, after configuring it, accessing the site over https shows "This site can't provide a secure connection", "Uses an unsupported protocol", "ERR_SSL_VERSION_OR_CIPHER_MISMATCH". Port 443 is configured in the security group.
-------------------------
Reply to dongshan8's post (#3): Right now it can only be accessed via SSL 2.0, but in the configuration I have already set the protocol like this: "SSLProtocol all -SSLv2 -SSLv3". No matter how I change it, it has no effect; it keeps using SSL 2.0.
-------------------------
Reply to dongshan8's post (#6): The openssl version is 1.0.1u. I ran wget against the https address on the server and the result showed sslv3 alert handshake failure. I tested the address with openssl s_client -connect; why does it say at the end Verify return code: 20 (unable to get local issuer certificate)?
-------------------------
Re: Reply to dongshan8's post (#8)
# # This is the main Apache HTTP server configuration file.  It contains the # configuration directives that give the server its instructions. # In particular, see # for a discussion of each configuration directive. # # Do NOT simply read the instructions in here without understanding # what they do.  They're here only as hints or reminders.  If you are unsure # consult the online docs. You have been warned.   # # Configuration and logfile names: If the filenames you specify for many # of the server's control files begin with "/" (or "drive:/" for Win32), the # server will use that explicit path.  If the filenames do *not* begin # with "/", the value of ServerRoot is prepended -- so "logs/access_log" # with ServerRoot set to "/usr/local/apache2" will be interpreted by the # server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" # will be interpreted as '/logs/access_log'. # # ServerRoot: The top of the directory tree under which the server's # configuration, error, and log files are kept. # # Do not add a slash at the end of the directory path.  If you point # ServerRoot at a non-local disk, be sure to specify a local disk on the # Mutex directive, if file-based mutexes are used.  If you wish to share the # same ServerRoot for multiple httpd daemons, you will need to change at # least PidFile. 
# ServerRoot "/usr/local/http-2.4.23" # # Mutex: Allows you to set the mutex mechanism and mutex file directory # for individual mutexes, or change the global defaults # # Uncomment and change the directory if mutexes are file-based and the default # mutex file directory is not on a local disk or is not appropriate for some # other reason. # # Mutex default:logs # # Listen: Allows you to bind Apache to specific IP addresses and/or # ports, instead of the default. See also the <VirtualHost> # directive. # # Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses. # #Listen 12.34.56.78:80 Listen 80 # # Dynamic Shared Object (DSO) Support # # To be able to use the functionality of a module which was built as a DSO you # have to place corresponding `LoadModule' lines at this location so the # directives contained in it are actually available _before_ they are used. # Statically compiled modules (those listed by `httpd -l') do not need # to be loaded here. 
# # Example: # LoadModule foo_module modules/mod_foo.so # LoadModule authn_file_module modules/mod_authn_file.so #LoadModule authn_dbm_module modules/mod_authn_dbm.so #LoadModule authn_anon_module modules/mod_authn_anon.so #LoadModule authn_dbd_module modules/mod_authn_dbd.so #LoadModule authn_socache_module modules/mod_authn_socache.so LoadModule authn_core_module modules/mod_authn_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_user_module modules/mod_authz_user.so #LoadModule authz_dbm_module modules/mod_authz_dbm.so #LoadModule authz_owner_module modules/mod_authz_owner.so #LoadModule authz_dbd_module modules/mod_authz_dbd.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule auth_basic_module modules/mod_auth_basic.so #LoadModule auth_form_module modules/mod_auth_form.so #LoadModule auth_digest_module modules/mod_auth_digest.so #LoadModule allowmethods_module modules/mod_allowmethods.so #LoadModule file_cache_module modules/mod_file_cache.so #LoadModule cache_module modules/mod_cache.so #LoadModule cache_disk_module modules/mod_cache_disk.so #LoadModule cache_socache_module modules/mod_cache_socache.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so #LoadModule socache_dbm_module modules/mod_socache_dbm.so #LoadModule socache_memcache_module modules/mod_socache_memcache.so #LoadModule watchdog_module modules/mod_watchdog.so #LoadModule macro_module modules/mod_macro.so #LoadModule dbd_module modules/mod_dbd.so #LoadModule dumpio_module modules/mod_dumpio.so #LoadModule buffer_module modules/mod_buffer.so #LoadModule ratelimit_module modules/mod_ratelimit.so LoadModule reqtimeout_module modules/mod_reqtimeout.so #LoadModule ext_filter_module modules/mod_ext_filter.so #LoadModule request_module modules/mod_request.so #LoadModule include_module modules/mod_include.so LoadModule 
filter_module modules/mod_filter.so #LoadModule substitute_module modules/mod_substitute.so #LoadModule sed_module modules/mod_sed.so #LoadModule deflate_module modules/mod_deflate.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so #LoadModule log_debug_module modules/mod_log_debug.so #LoadModule logio_module modules/mod_logio.so LoadModule env_module modules/mod_env.so #LoadModule expires_module modules/mod_expires.so LoadModule headers_module modules/mod_headers.so #LoadModule unique_id_module modules/mod_unique_id.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule version_module modules/mod_version.so #LoadModule remoteip_module modules/mod_remoteip.so #LoadModule proxy_module modules/mod_proxy.so #LoadModule proxy_connect_module modules/mod_proxy_connect.so #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so #LoadModule proxy_http_module modules/mod_proxy_http.so #LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so #LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so #LoadModule proxy_express_module modules/mod_proxy_express.so #LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so #LoadModule session_module modules/mod_session.so #LoadModule session_cookie_module modules/mod_session_cookie.so #LoadModule session_dbd_module modules/mod_session_dbd.so #LoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule ssl_module modules/mod_ssl.so #LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so #LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so #LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so #LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so LoadModule mpm_event_module modules/mod_mpm_event.so #LoadModule 
mpm_prefork_module modules/mod_mpm_prefork.so #LoadModule mpm_worker_module modules/mod_mpm_worker.so LoadModule unixd_module modules/mod_unixd.so #LoadModule dav_module modules/mod_dav.so LoadModule status_module modules/mod_status.so LoadModule autoindex_module modules/mod_autoindex.so #LoadModule info_module modules/mod_info.so <IfModule !mpm_prefork_module>     #LoadModule cgid_module modules/mod_cgid.so </IfModule> <IfModule mpm_prefork_module>     #LoadModule cgi_module modules/mod_cgi.so </IfModule> #LoadModule dav_fs_module modules/mod_dav_fs.so #LoadModule vhost_alias_module modules/mod_vhost_alias.so #LoadModule negotiation_module modules/mod_negotiation.so LoadModule dir_module modules/mod_dir.so #LoadModule actions_module modules/mod_actions.so #LoadModule speling_module modules/mod_speling.so #LoadModule userdir_module modules/mod_userdir.so LoadModule alias_module modules/mod_alias.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule php5_module        modules/libphp5.so <IfModule unixd_module> # # If you wish httpd to run as a different user or group, you must run # httpd as root initially and it will switch.   # # User/Group: The name (or #number) of the user/group to run httpd as. # It is usually good practice to create a dedicated user and group for # running httpd, as with most system services. # User daemon Group daemon </IfModule> # 'Main' server configuration # # The directives in this section set up the values used by the 'main' # server, which responds to any requests that aren't handled by a # <VirtualHost> definition.  These values also provide defaults for # any <VirtualHost> containers you may define later in the file. # # All of these directives may appear inside <VirtualHost> containers, # in which case these default settings will be overridden for the # virtual host being defined. # # # ServerAdmin: Your address, where problems with the server should be # e-mailed.  
This address appears on some server-generated pages, such # as error documents.  e.g. admin@your-domain.com # ServerAdmin root@localhost # # ServerName gives the name and port that the server uses to identify itself. # This can often be determined automatically, but we recommend you specify # it explicitly to prevent problems during startup. # # If your host doesn't have a registered DNS name, enter its IP address here. # ServerName localhost # # Deny access to the entirety of your server's filesystem. You must # explicitly permit access to web content directories in other # <Directory> blocks below. # <Directory />     AllowOverride All     Require all denied </Directory> # # Note that from this point forward you must specifically allow # particular features to be enabled - so if something's not working as # you might expect, make sure that you have specifically enabled it # below. # # # DocumentRoot: The directory out of which you will serve your # documents. By default, all requests are taken from this directory, but # symbolic links and aliases may be used to point to other locations. # #DocumentRoot "/var/www/" <Directory "/var/www/">     #     # Possible values for the Options directive are "None", "All",     # or any combination of:     #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews     #     # Note that "MultiViews" must be named *explicitly* --- "Options All"     # doesn't give it to you.     #     # The Options directive is both complicated and important.  Please see     # for more information.     #     Options Indexes FollowSymLinks     #     # AllowOverride controls what directives may be placed in .htaccess files.     # It can be "All", "None", or any combination of the keywords:     #   AllowOverride FileInfo AuthConfig Limit     #     AllowOverride All     #     # Controls who can get stuff from this server.     
#     Require all granted </Directory> # # DirectoryIndex: sets the file that Apache will serve if a directory # is requested. # <IfModule dir_module>     DirectoryIndex index.html index.php </IfModule> # # The following lines prevent .htaccess and .htpasswd files from being # viewed by Web clients. # <Files ".ht*">     Require all denied </Files> # # ErrorLog: The location of the error log file. # If you do not specify an ErrorLog directive within a <VirtualHost> # container, error messages relating to that virtual host will be # logged here.  If you *do* define an error logfile for a <VirtualHost> # container, that host's errors will be logged there and not here. # ErrorLog "logs/error_log" # # LogLevel: Control the number of messages logged to the error_log. # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. # LogLevel warn <IfModule log_config_module>     #     # The following directives define some format nicknames for use with     # a CustomLog directive (see below).     #     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined     LogFormat "%h %l %u %t \"%r\" %>s %b" common     <IfModule logio_module>       # You need to enable mod_logio.c to use %I and %O       LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio     </IfModule>     #     # The location and format of the access logfile (Common Logfile Format).     # If you do not define any access logfiles within a <VirtualHost>     # container, they will be logged here.  Contrariwise, if you *do*     # define per-<VirtualHost> access logfiles, transactions will be     # logged therein and *not* in this file.     #     CustomLog "logs/access_log" common     #     # If you prefer a logfile with access, agent, and referer information     # (Combined Logfile Format) you can use the following directive.     
#     #CustomLog "logs/access_log" combined </IfModule> <IfModule alias_module>     #     # Redirect: Allows you to tell clients about documents that used to     # exist in your server's namespace, but do not anymore. The client     # will make a new request for the document at its new location.     # Example:     # Redirect permanent /foo http://www.example.com/bar     #     # Alias: Maps web paths into filesystem paths and is used to     # access content that does not live under the DocumentRoot.     # Example:     # Alias /webpath /full/filesystem/path     #     # If you include a trailing / on /webpath then the server will     # require it to be present in the URL.  You will also likely     # need to provide a <Directory> section to allow access to     # the filesystem path.     #     # ScriptAlias: This controls which directories contain server scripts.     # ScriptAliases are essentially the same as Aliases, except that     # documents in the target directory are treated as applications and     # run by the server when requested rather than as documents sent to the     # client.  The same rules about trailing "/" apply to ScriptAlias     # directives as to Alias.     #     ScriptAlias /cgi-bin/ "/usr/local/http-2.4.23/cgi-bin/" </IfModule> <IfModule mod_php5.c>     AddType application/x-httpd-php .php     AddType application/x-httpd-php .php5     AddType application/x-httpd-php-source .phps     AddType application/x-httpd-php-source .php5s     DirectoryIndex index.php     DirectoryIndex index.php5     PHPIniDir "/usr/local/php/etc/" </IfModule> <IfModule cgid_module>     #     # ScriptSock: On threaded servers, designate the path to the UNIX     # socket used to communicate with the CGI daemon of mod_cgid.     #     #Scriptsock cgisock </IfModule> # # "/usr/local/http-2.4.23/cgi-bin" should be changed to whatever your ScriptAliased # CGI directory exists, if you have that configured. 
# <Directory "/usr/local/http-2.4.23/cgi-bin">     AllowOverride None     Options None     Require all granted </Directory> <IfModule mime_module>     #     # TypesConfig points to the file containing the list of mappings from     # filename extension to MIME-type.     #     TypesConfig conf/mime.types     #     # AddType allows you to add to or override the MIME configuration     # file specified in TypesConfig for specific file types.     #     #AddType application/x-gzip .tgz     #     # AddEncoding allows you to have certain browsers uncompress     # information on the fly. Note: Not all browsers support this.     #     #AddEncoding x-compress .Z     #AddEncoding x-gzip .gz .tgz     #     # If the AddEncoding directives above are commented-out, then you     # probably should define those extensions to indicate media types:     #     AddType application/x-compress .Z     AddType application/x-gzip .gz .tgz     #     # AddHandler allows you to map certain file extensions to "handlers":     # actions unrelated to filetype. These can be either built into the server     # or added with the Action directive (see below)     #     # To use CGI scripts outside of ScriptAliased directories:     # (You will also need to add "ExecCGI" to the "Options" directive.)     #     #AddHandler cgi-script .cgi     # For type maps (negotiated resources):     #AddHandler type-map var     #     # Filters allow you to process content before it is sent to the client.     #     # To parse .shtml files for server-side includes (SSI):     # (You will also need to add "Includes" to the "Options" directive.)     #     #AddType text/html .shtml     #AddOutputFilter INCLUDES .shtml </IfModule> # # The mod_mime_magic module allows the server to use various hints from the # contents of the file itself to determine its type.  The MIMEMagicFile # directive tells the module where the hint definitions are located. 
# #MIMEMagicFile conf/magic # # Customizable error responses come in three flavors: # 1) plain text 2) local redirects 3) external redirects # # Some examples: #ErrorDocument 500 "The server made a boo boo." #ErrorDocument 404 /missing.html #ErrorDocument 404 "/cgi-bin/missing_handler.pl" # # # MaxRanges: Maximum number of Ranges in a request before # returning the entire resource, or one of the special # values 'default', 'none' or 'unlimited'. # Default setting is to accept 200 Ranges. #MaxRanges unlimited # # EnableMMAP and EnableSendfile: On systems that support it, # memory-mapping or the sendfile syscall may be used to deliver # files.  This usually improves server performance, but must # be turned off when serving from networked-mounted # filesystems or if support for these functions is otherwise # broken on your system. # Defaults: EnableMMAP On, EnableSendfile Off # #EnableMMAP off #EnableSendfile on # Supplemental configuration # # The configuration files in the conf/extra/ directory can be # included to add extra features or to modify the default configuration of # the server, or you may simply copy their contents here and change as # necessary. 
# Server-pool management (MPM specific) #Include conf/extra/httpd-mpm.conf # Multi-language error messages #Include conf/extra/httpd-multilang-errordoc.conf # Fancy directory listings #Include conf/extra/httpd-autoindex.conf # Language settings #Include conf/extra/httpd-languages.conf # User home directories #Include conf/extra/httpd-userdir.conf # Real-time info on requests and configuration #Include conf/extra/httpd-info.conf # Virtual hosts Include conf/extra/httpd-vhosts.conf # Local access to the Apache HTTP Server Manual #Include conf/extra/httpd-manual.conf # Distributed authoring and versioning (WebDAV) #Include conf/extra/httpd-dav.conf # Various default settings #Include conf/extra/httpd-default.conf # Configure mod_proxy_html to understand HTML4/XHTML1 <IfModule proxy_html_module> Include conf/extra/proxy-html.conf </IfModule> # Secure (SSL/TLS) connections Include conf/extra/httpd-ssl.conf # # Note: The following must must be present to support #       starting without SSL on platforms with no /dev/random equivalent #       but a statically compiled-in mod_ssl. # <IfModule ssl_module> SSLRandomSeed startup builtin SSLRandomSeed connect builtin </IfModule>
-------------------------
Re: Reply to dongshan8's post (#8)
# Virtual Hosts # # Required modules: mod_log_config # If you want to maintain multiple domains/hostnames on your # machine you can setup VirtualHost containers for them. Most configurations # use only name-based virtual hosts so the server doesn't need to worry about # IP addresses. This is indicated by the asterisks in the directives below. # # Please see the documentation at # <URL:http://httpd.apache.org/docs/2.4/vhosts/> # for further details before you try to setup virtual hosts. # # You may use the command line option '-S' to verify your virtual host # configuration. # # VirtualHost example: # Almost any Apache directive may go into a VirtualHost container. 
# The first VirtualHost section is used for all requests that do not # match a ServerName or ServerAlias in any <VirtualHost> block. # <VirtualHost *:80> ServerAdmin www.qipaifan.com DocumentRoot " ServerName www.qipaifan.com <Directory /> AllowOverride All Require all granted </Directory> </VirtualHost> <VirtualHost *:80> ServerAdmin bbs.qipaifan.com DocumentRoot "/ ServerName bbs.qipaifan.com <Directory /> AllowOverride all Require all granted </Directory> </VirtualHost>
-------------------------
Re: Reply to dongshan8's post (#8)
I can't post the SSL configuration file, so I'll post a picture instead. I don't see anything abnormal...
淘乐网络 2019-12-02 00:26:29 0 views 0 answers

Answer

Reply to dongshan8's post (#1): I reinstalled Apache as version 2.4 and that problem is gone. But now, after configuring it, accessing the site over https shows "This site can't provide a secure connection", "Uses an unsupported protocol", "ERR_SSL_VERSION_OR_CIPHER_MISMATCH". Port 443 is configured in the security group.
-------------------------
Reply to dongshan8's post (#3): Right now it can only be accessed via SSL 2.0, but in the configuration I have already set the protocol like this: "SSLProtocol all -SSLv2 -SSLv3". No matter how I change it, it has no effect; it keeps using SSL 2.0.
-------------------------
Reply to dongshan8's post (#6): The openssl version is 1.0.1u. I ran wget against the https address on the server and the result showed sslv3 alert handshake failure. I tested the address with openssl s_client -connect; why does it say at the end Verify return code: 20 (unable to get local issuer certificate)?
-------------------------
Re: Reply to dongshan8's post (#8)
# # This is the main Apache HTTP server configuration file.  It contains the # configuration directives that give the server its instructions. # In particular, see # for a discussion of each configuration directive. # # Do NOT simply read the instructions in here without understanding # what they do.  They're here only as hints or reminders.  If you are unsure # consult the online docs. You have been warned.   # # Configuration and logfile names: If the filenames you specify for many # of the server's control files begin with "/" (or "drive:/" for Win32), the # server will use that explicit path.  If the filenames do *not* begin # with "/", the value of ServerRoot is prepended -- so "logs/access_log" # with ServerRoot set to "/usr/local/apache2" will be interpreted by the # server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" # will be interpreted as '/logs/access_log'. # # ServerRoot: The top of the directory tree under which the server's # configuration, error, and log files are kept. # # Do not add a slash at the end of the directory path.  If you point # ServerRoot at a non-local disk, be sure to specify a local disk on the # Mutex directive, if file-based mutexes are used.  If you wish to share the # same ServerRoot for multiple httpd daemons, you will need to change at # least PidFile. 
# ServerRoot "/usr/local/http-2.4.23" # # Mutex: Allows you to set the mutex mechanism and mutex file directory # for individual mutexes, or change the global defaults # # Uncomment and change the directory if mutexes are file-based and the default # mutex file directory is not on a local disk or is not appropriate for some # other reason. # # Mutex default:logs # # Listen: Allows you to bind Apache to specific IP addresses and/or # ports, instead of the default. See also the <VirtualHost> # directive. # # Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses. # #Listen 12.34.56.78:80 Listen 80 # # Dynamic Shared Object (DSO) Support # # To be able to use the functionality of a module which was built as a DSO you # have to place corresponding `LoadModule' lines at this location so the # directives contained in it are actually available _before_ they are used. # Statically compiled modules (those listed by `httpd -l') do not need # to be loaded here. 
# # Example: # LoadModule foo_module modules/mod_foo.so # LoadModule authn_file_module modules/mod_authn_file.so #LoadModule authn_dbm_module modules/mod_authn_dbm.so #LoadModule authn_anon_module modules/mod_authn_anon.so #LoadModule authn_dbd_module modules/mod_authn_dbd.so #LoadModule authn_socache_module modules/mod_authn_socache.so LoadModule authn_core_module modules/mod_authn_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_user_module modules/mod_authz_user.so #LoadModule authz_dbm_module modules/mod_authz_dbm.so #LoadModule authz_owner_module modules/mod_authz_owner.so #LoadModule authz_dbd_module modules/mod_authz_dbd.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule auth_basic_module modules/mod_auth_basic.so #LoadModule auth_form_module modules/mod_auth_form.so #LoadModule auth_digest_module modules/mod_auth_digest.so #LoadModule allowmethods_module modules/mod_allowmethods.so #LoadModule file_cache_module modules/mod_file_cache.so #LoadModule cache_module modules/mod_cache.so #LoadModule cache_disk_module modules/mod_cache_disk.so #LoadModule cache_socache_module modules/mod_cache_socache.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so #LoadModule socache_dbm_module modules/mod_socache_dbm.so #LoadModule socache_memcache_module modules/mod_socache_memcache.so #LoadModule watchdog_module modules/mod_watchdog.so #LoadModule macro_module modules/mod_macro.so #LoadModule dbd_module modules/mod_dbd.so #LoadModule dumpio_module modules/mod_dumpio.so #LoadModule buffer_module modules/mod_buffer.so #LoadModule ratelimit_module modules/mod_ratelimit.so LoadModule reqtimeout_module modules/mod_reqtimeout.so #LoadModule ext_filter_module modules/mod_ext_filter.so #LoadModule request_module modules/mod_request.so #LoadModule include_module modules/mod_include.so LoadModule 
filter_module modules/mod_filter.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule sed_module modules/mod_sed.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule log_debug_module modules/mod_log_debug.so
#LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
#LoadModule remoteip_module modules/mod_remoteip.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
#LoadModule session_module modules/mod_session.so
#LoadModule session_cookie_module modules/mod_session_cookie.so
#LoadModule session_dbd_module modules/mod_session_dbd.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule mpm_event_module modules/mod_mpm_event.so
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule info_module modules/mod_info.so
<IfModule !mpm_prefork_module>
    #LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
    #LoadModule cgi_module modules/mod_cgi.so
</IfModule>
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
#LoadModule actions_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php5_module        modules/libphp5.so

<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User daemon
Group daemon

</IfModule>

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin root@localhost

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName localhost

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride All
    Require all denied
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
#DocumentRoot "/var/www/"
<Directory "/var/www/">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride All

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
    Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog "logs/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/usr/local/http-2.4.23/cgi-bin/"
</IfModule>

<IfModule mod_php5.c>
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php .php5
    AddType application/x-httpd-php-source .phps
    AddType application/x-httpd-php-source .php5s
    DirectoryIndex index.php
    DirectoryIndex index.php5
    PHPIniDir "/usr/local/php/etc/"
</IfModule>

<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock cgisock
</IfModule>

#
# "/usr/local/http-2.4.23/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/http-2.4.23/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig conf/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile conf/magic

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#

#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on

# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.

# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf

# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf

# Language settings
#Include conf/extra/httpd-languages.conf

# User home directories
#Include conf/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf

# Virtual hosts
Include conf/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf

# Various default settings
#Include conf/extra/httpd-default.conf

# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

-------------------------

Re: Reply to post #8 by dongshan8

# Virtual Hosts
#
# Required modules: mod_log_config

# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
ServerAdmin www.qipaifan.com
DocumentRoot "
ServerName www.qipaifan.com
<Directory />
AllowOverride All
Require all granted
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerAdmin bbs.qipaifan.com
DocumentRoot "/
ServerName bbs.qipaifan.com
<Directory />
AllowOverride all
Require all granted
</Directory>
</VirtualHost>

-------------------------

Re: Reply to post #8 by dongshan8

I can't post the SSL configuration file, so I'll post a picture instead. I didn't find anything abnormal...
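淘乐网络 2019-12-02 00:26:30 0 views, 0 answers

Question

Why does this API request work in Postman but raise an error in a Django test?

I post to my API to create an account via Postman { "email": "snifter@gmail.com", "display_name": "outrag...
is大龙 2020-03-23 17:20:53 0 views, 1 answer

Question

Why does the following error appear when logging in over SSH: Maximum amount of failed attempts was reached

Note: The configuration and instructions in this article have been tested on a CentOS 6.5 64-bit operating system. Configuration on other operating system types and versions may differ; for details, see the official documentation of the relevant operating system. Problem description: Logging in to the ECS cloud server ...
boxti 2019-12-01 21:59:27 1705 views, 0 answers

Answer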

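Problem description

When logging in to a Linux ECS instance, login fails even though the correct user name and password are entered. When this problem occurs, either one of the management terminal and the SSH client can still log in normally, or neither can. The secure log shows the following error message.

pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root".

Cause

The policy configuration of the relevant PAM module prohibits users with a UID below 1000 from logging in.

Solution

Alibaba Cloud reminds you:
If you perform risky operations such as modifying or changing an instance or its data, pay attention to the instance's disaster-recovery and fault-tolerance capabilities to keep your data safe.
If you modify the configuration or data of an instance (including but not limited to ECS and RDS), we recommend creating a snapshot or enabling features such as RDS log backup beforehand.
If you have authorized or submitted security information such as login accounts and passwords on the Alibaba Cloud platform, we recommend changing it promptly.

The configuration and instructions in this article have been tested on a CentOS 6.5 64-bit operating system. Configuration on other operating system types and versions may differ; for details, see the official documentation of the relevant operating system.

Log in to the server through an SSH client or the management terminal.

Use the cat command to view the PAM configuration file that corresponds to the failing login method, referring to the following information.

File                    Description
/etc/pam.d/login        Configuration file for the console (management terminal)
/etc/pam.d/sshd         Configuration file for login
/etc/pam.d/system-auth  System-wide configuration file

Note: Every PAM-enabled application has a configuration file of the same name in the /etc/pam.d directory. For example, the configuration file of the login command is /etc/pam.d/login, and the specific policy can be configured in that file.

Check whether the configuration files above contain a setting similar to the following.

auth required pam_succeed_if.so uid >= 1000

Use the vi editor to change the setting in the relevant configuration file: delete the whole line, or comment it out by adding a # at the start, referring to the following information.

Note: Before modifying the policy configuration, we recommend backing up the file first.

auth required pam_succeed_if.so uid <= 1000 # modify the policy
#auth required pam_succeed_if.so uid >= 1000 # disable the setting

Try logging in to the server again.

Related documents

If the problem persists, refer to the following document for further troubleshooting and analysis.
Troubleshooting guide for SSH login failures on ECS Linux cloud servers
1934890530796658 2020-03-25 23:12:55 0 views, 0 answers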
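
The manual check in the answer above (reading each file under /etc/pam.d for a pam_succeed_if.so uid rule) can be scripted. The following Python sketch is an added example, not part of the original answer: it reports the pam_succeed_if rules whose failure is fatal and that a given UID does not satisfy. The sample configuration is constructed and the function names are hypothetical.

```python
import os
import re

# Numeric comparison operators that pam_succeed_if accepts for fields such as uid.
NUMERIC_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "ne": lambda a, b: a != b,
}

# A PAM rule: type, control (keyword or [bracketed list]), module path, arguments.
RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample in the style of /etc/pam.d/sshd (not taken from a real host).
SAMPLE = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_succeed_if.so uid >= 1000
auth       sufficient   pam_succeed_if.so uid >= 1000 quiet
auth       [success=1 default=ignore] pam_succeed_if.so uid >= 1000 quiet
auth       [default=die] /lib64/security/pam_succeed_if.so quiet uid ne 0
#auth      required     pam_succeed_if.so uid >= 500
account    required     pam_succeed_if.so uid >= 1000
auth       include      password-auth
"""


def failure_is_fatal(control):
    """True if a failing module with this control value fails the whole stack."""
    if control in ("required", "requisite"):
        return True
    if control.startswith("["):
        actions = dict(p.split("=", 1) for p in control.strip("[]").split() if "=" in p)
        # pam_succeed_if reports an unmet condition as an authentication error;
        # a bracket naming neither auth_err nor default is left unclassified here.
        action = actions.get("auth_err", actions.get("default"))
        return action in ("bad", "die")
    return False  # sufficient, optional, include, ...


def uid_condition(args):
    """Return (operator, number) for a 'uid <op> <n>' condition, or None."""
    tokens = args.split()
    for i in range(len(tokens) - 2):
        if tokens[i] == "uid" and tokens[i + 1] in NUMERIC_OPS and tokens[i + 2].isdigit():
            return tokens[i + 1], int(tokens[i + 2])
    return None


def blocking_rules(config_text, uid, pam_type="auth"):
    """List (line number, rule) pairs that reject the given uid outright."""
    hits = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments, including whole-line ones
        match = RULE_RE.match(line)
        if not match:
            continue
        rule_type, control, module, args = match.groups()
        if rule_type.lstrip("-") != pam_type:
            continue
        if os.path.basename(module) != "pam_succeed_if.so":
            continue
        cond = uid_condition(args)
        if cond is None or not failure_is_fatal(control):
            continue
        op, limit = cond
        if not NUMERIC_OPS[op](uid, limit):
            hits.append((lineno, raw.strip()))
    return hits


if __name__ == "__main__":
    for lineno, rule in blocking_rules(SAMPLE, uid=0):
        print(f"line {lineno} rejects uid 0: {rule}")
```

On a real host, pass the contents of /etc/pam.d/login, /etc/pam.d/sshd and /etc/pam.d/system-auth to blocking_rules in turn; a non-empty result for uid 0 corresponds to the "not met by user "root"" message in the secure log.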

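Question

Manually configuring an LNMP environment on CentOS 7, part 1: Nginx

It has been quite a while since the previous tutorial. I wasn't planning to update it any more, because manual configuration is such a hassle, but I dug this hole myself and there is no way around it. So let's carry on with the update! Previous part: Manually configuring an LNMP environment on CentOS 7...
鬼才神兵 2019-12-01 21:07:56 4245 views, 4 answers

Question

Why does the following error appear when logging in over SSH: requirement "uid >= 1000" not met by user "root"

Note: The configuration and instructions in this article have been tested on a CentOS 6.5 64-bit operating system. Configuration on other operating system types and versions may differ; for details, see the official documentation of the relevant operating system. Problem description: Logging in to the ECS cloud server ...
boxti 2019-12-01 21:59:29 2092 views, 0 answers

Question

Introduction to service orchestration

Container Service supports Docker Compose orchestration templates for describing multi-container applications. An orchestration template lets you describe a complete application, which can consist of many services. For example: a portal website application consisting of an Nginx service, a Web...
反向一觉 2019-12-01 21:18:00 1716 views, 0 answers

Answer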

Could anyone help take a look?

-------------------------

Re: Reply to post #2 (dongshan8)

CentOS 7.2 64-bit system.

I. Preparation

1. Install some components and libraries
yum -y install gcc wget automake autoconf libtool libxml2-devel libxslt-devel perl-devel perl-ExtUtils-Embed pcre-devel openssl-devel zlib

2. Download nginx
cd /root/lnamp
wget http://nginx.org/download/nginx-1.10.1.tar.gz

II. Install nginx

1. First create the user and group
groupadd www
useradd -g www www -s /bin/false

2. Create an nginx directory to hold the runtime temporary folders
mkdir -p /var/cache/nginx

3. Start installing nginx
Extract nginx
tar zxvf nginx-1.10.1.tar.gz
cd nginx-1.10.1

2. Run configure
./configure \
--prefix=/usr/local/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--user=nobody \
--group=nobody \
--with-pcre \
--with-http_v2_module \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-http_auth_request_module \
--with-mail \
--with-mail_ssl_module \
--with-file-aio \
--with-ipv6 \
--with-http_v2_module \
--with-threads \
--with-stream \
--with-stream_ssl_module

3. make && make install
make && make install

4. Start nginx
/usr/sbin/nginx

5. Use ps aux to check whether nginx has started
ps aux|grep nginx

6. Then configure the service
vi /usr/lib/systemd/system/nginx.service
Press "i" and enter the following content

[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

After editing, save with :wq!

(Note)
The [Unit] section mainly describes the service; it includes Description and After. Description describes the service, and After describes the service category.
The [Service] section is the key part of the service; it sets the concrete runtime parameters. Here Type=forking means running in the background, PIDFile is the path of the file that stores the PID, ExecStart is the command that actually runs the service, ExecReload is the restart command, ExecStop is the stop command, and PrivateTmp=True means the service is given its own separate temporary space. Note: the start, restart and stop commands in the [Service] section must all use absolute paths; using relative paths will cause an error!
The [Install] section holds the settings related to installing the service; it can be set to multi-user.

7. Enable start on boot
systemctl enable nginx.service

8. Test the configuration file
Kill nginx with the command
pkill -9 nginx
After that you can use systemctl to operate nginx.service
systemctl start nginx.service
You can see that it has started successfully
Visiting the IP shows the nginx welcome page

-------------------------

The above is the installation process. Is there anything wrong?

-------------------------

Reply to post #5 (龙吟风)

configure passes; only make fails
ydjy2009 2019-12-02 02:06:27 0 views, 0 answers

回答

Relocalhost和127.0.0.1都无法正常访问 引用第2楼dongshan8于2016-04-19 10:05发表的  : 楼主您好, 能贴出您的 apache 配置文件内容吗? 您是如何布置的 apache + php + mysql 的呢?是手工安装,还是用自动安装脚本来安装的? ....... [url=https://bbs.aliyun.com/job.php?action=topost&tid=277757&pid=779671][/url] 版主来了, 太感动了, 多谢!!!    httpd.conf ## This is the main Apache HTTP server configuration file.  It contains the# configuration directives that give the server its instructions.# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.# In particular, see # <URL:http://httpd.apache.org/docs/2.2/mod/directives.html># for a discussion of each configuration directive.## Do NOT simply read the instructions in here without understanding# what they do.  They're here only as hints or reminders.  If you are unsure# consult the online docs. You have been warned.  ## Configuration and logfile names: If the filenames you specify for many# of the server's control files begin with "/" (or "drive:/" for Win32), the# server will use that explicit path.  If the filenames do *not* begin# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"# with ServerRoot set to "D:/WAMP/apache" will be interpreted by the# server as "D:/WAMP/apache/logs/foo.log".## NOTE: Where filenames are specified, you must use forward slashes# instead of backslashes (e.g., "c:/apache" instead of "c:\apache").# If a drive letter is omitted, the drive on which httpd.exe is located# will be used by default.  It is recommended that you always supply# an explicit drive letter in absolute paths to avoid confusion.## ServerRoot: The top of the directory tree under which the server's# configuration, error, and log files are kept.## Do not add a slash at the end of the directory path.  If you point# ServerRoot at a non-local disk, be sure to point the LockFile directive# at a local disk.  
If you wish to share the same ServerRoot for multiple# httpd daemons, you will need to change at least LockFile and PidFile.#ServerRoot "D:/WAMP/apache"## Listen: Allows you to bind Apache to specific IP addresses and/or# ports, instead of the default. See also the <VirtualHost># directive.## Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses.##Listen 12.34.56.78:80Listen 80## Dynamic Shared Object (DSO) Support## To be able to use the functionality of a module which was built as a DSO you# have to place corresponding `LoadModule' lines at this location so the# directives contained in it are actually available _before_ they are used.# Statically compiled modules (those listed by `httpd -l') do not need# to be loaded here.## Example:# LoadModule foo_module modules/mod_foo.so#LoadModule actions_module modules/mod_actions.soLoadModule alias_module modules/mod_alias.soLoadModule asis_module modules/mod_asis.soLoadModule auth_basic_module modules/mod_auth_basic.so#LoadModule auth_digest_module modules/mod_auth_digest.so#LoadModule authn_alias_module modules/mod_authn_alias.so#LoadModule authn_anon_module modules/mod_authn_anon.so#LoadModule authn_dbd_module modules/mod_authn_dbd.so#LoadModule authn_dbm_module modules/mod_authn_dbm.soLoadModule authn_default_module modules/mod_authn_default.soLoadModule authn_file_module modules/mod_authn_file.so#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so#LoadModule authz_dbm_module modules/mod_authz_dbm.soLoadModule authz_default_module modules/mod_authz_default.soLoadModule authz_groupfile_module modules/mod_authz_groupfile.soLoadModule authz_host_module modules/mod_authz_host.so#LoadModule authz_owner_module modules/mod_authz_owner.soLoadModule authz_user_module modules/mod_authz_user.soLoadModule autoindex_module modules/mod_autoindex.so#LoadModule cache_module modules/mod_cache.so#LoadModule cern_meta_module modules/mod_cern_meta.soLoadModule 
cgi_module modules/mod_cgi.so#LoadModule charset_lite_module modules/mod_charset_lite.so#LoadModule dav_module modules/mod_dav.so#LoadModule dav_fs_module modules/mod_dav_fs.so#LoadModule dav_lock_module modules/mod_dav_lock.so#LoadModule dbd_module modules/mod_dbd.soLoadModule deflate_module modules/mod_deflate.soLoadModule dir_module modules/mod_dir.so#LoadModule disk_cache_module modules/mod_disk_cache.so#LoadModule dumpio_module modules/mod_dumpio.soLoadModule env_module modules/mod_env.soLoadModule expires_module modules/mod_expires.so#LoadModule ext_filter_module modules/mod_ext_filter.so#LoadModule file_cache_module modules/mod_file_cache.soLoadModule filter_module modules/mod_filter.soLoadModule headers_module modules/mod_headers.so#LoadModule ident_module modules/mod_ident.so#LoadModule imagemap_module modules/mod_imagemap.soLoadModule include_module modules/mod_include.so#LoadModule info_module modules/mod_info.soLoadModule isapi_module modules/mod_isapi.so#LoadModule ldap_module modules/mod_ldap.so#LoadModule logio_module modules/mod_logio.soLoadModule log_config_module modules/mod_log_config.so#LoadModule log_forensic_module modules/mod_log_forensic.so#LoadModule mem_cache_module modules/mod_mem_cache.soLoadModule mime_module modules/mod_mime.so#LoadModule mime_magic_module modules/mod_mime_magic.soLoadModule negotiation_module modules/mod_negotiation.so#LoadModule proxy_module modules/mod_proxy.so#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so#LoadModule proxy_connect_module modules/mod_proxy_connect.so#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so#LoadModule proxy_http_module modules/mod_proxy_http.so#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so#LoadModule reqtimeout_module modules/mod_reqtimeout.soLoadModule rewrite_module modules/mod_rewrite.soLoadModule setenvif_module modules/mod_setenvif.so#LoadModule speling_module modules/mod_speling.soLoadModule ssl_module 
modules/mod_ssl.so#LoadModule status_module modules/mod_status.so#LoadModule substitute_module modules/mod_substitute.so#LoadModule unique_id_module modules/mod_unique_id.so#LoadModule userdir_module modules/mod_userdir.so#LoadModule usertrack_module modules/mod_usertrack.so#LoadModule version_module modules/mod_version.so#LoadModule vhost_alias_module modules/mod_vhost_alias.so<IfModule !mpm_netware_module><IfModule !mpm_winnt_module>## If you wish httpd to run as a different user or group, you must run# httpd as root initially and it will switch.  ## User/Group: The name (or #number) of the user/group to run httpd as.# It is usually good practice to create a dedicated user and group for# running httpd, as with most system services.#User daemonGroup daemon</IfModule></IfModule># 'Main' server configuration## The directives in this section set up the values used by the 'main'# server, which responds to any requests that aren't handled by a# <VirtualHost> definition.  These values also provide defaults for# any <VirtualHost> containers you may define later in the file.## All of these directives may appear inside <VirtualHost> containers,# in which case these default settings will be overridden for the# virtual host being defined.### ServerAdmin: Your address, where problems with the server should be# e-mailed.  This address appears on some server-generated pages, such# as error documents.  e.g. admin@your-domain.com#ServerAdmin scp1688@163.com## ServerName gives the name and port that the server uses to identify itself.# This can often be determined automatically, but we recommend you specify# it explicitly to prevent problems during startup.## If your host doesn't have a registered DNS name, enter its IP address here.#ServerName www.phpStudy.net:80## DocumentRoot: The directory out of which you will serve your# documents. 
By default, all requests are taken from this directory, but# symbolic links and aliases may be used to point to other locations.#DocumentRoot  "D:\WAMP\WWW"## Each directory to which Apache has access can be configured with respect# to which services and features are allowed and/or disabled in that# directory (and its subdirectories). ## First, we configure the "default" to be a very restrictive set of # features.  #<Directory />  Options FollowSymLinks    AllowOverride All    Order deny,allow    Allow from all</Directory>## Note that from this point forward you must specifically allow# particular features to be enabled - so if something's not working as# you might expect, make sure that you have specifically enabled it# below.### This should be changed to whatever you set DocumentRoot to.#<Directory "D:\WAMP\WWW">    #    # Possible values for the Options directive are "None", "All",    # or any combination of:    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews    #    # Note that "MultiViews" must be named *explicitly* --- "Options All"    # doesn't give it to you.    #    # The Options directive is both complicated and important.  Please see    # http://httpd.apache.org/docs/2.2/mod/core.html#options    # for more information.    #    Options FollowSymLinks    #    # AllowOverride controls what directives may be placed in .htaccess files.    # It can be "All", "None", or any combination of the keywords:    #   Options FileInfo AuthConfig Limit    #    AllowOverride All    #    # Controls who can get stuff from this server.    #    Order allow,deny    Allow from all</Directory>## DirectoryIndex: sets the file that Apache will serve if a directory# is requested.#<IfModule dir_module>    DirectoryIndex index.html index.php index.htm</IfModule>## The following lines prevent .htaccess and .htpasswd files from being # viewed by Web clients. 
#<FilesMatch "^\.ht">    Order allow,deny    Deny from all    Satisfy All</FilesMatch>## ErrorLog: The location of the error log file.# If you do not specify an ErrorLog directive within a <VirtualHost># container, error messages relating to that virtual host will be# logged here.  If you *do* define an error logfile for a <VirtualHost># container, that host's errors will be logged there and not here.#ErrorLog "logs/error.log"## LogLevel: Control the number of messages logged to the error_log.# Possible values include: debug, info, notice, warn, error, crit,# alert, emerg.#LogLevel warn<IfModule log_config_module>    #    # The following directives define some format nicknames for use with    # a CustomLog directive (see below).    #    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined    LogFormat "%h %l %u %t \"%r\" %>s %b" common    <IfModule logio_module>      # You need to enable mod_logio.c to use %I and %O      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio    </IfModule>    #    # The location and format of the access logfile (Common Logfile Format).    # If you do not define any access logfiles within a <VirtualHost>    # container, they will be logged here.  Contrariwise, if you *do*    # define per-<VirtualHost> access logfiles, transactions will be    # logged therein and *not* in this file.    #    CustomLog "logs/access.log" common    #    # If you prefer a logfile with access, agent, and referer information    # (Combined Logfile Format) you can use the following directive.    #    #CustomLog "logs/access.log" combined</IfModule><IfModule alias_module>    #    # Redirect: Allows you to tell clients about documents that used to     # exist in your server's namespace, but do not anymore. The client     # will make a new request for the document at its new location.    
# Example:    # Redirect permanent /foo http://www.phpStudy.net/bar    #    # Alias: Maps web paths into filesystem paths and is used to    # access content that does not live under the DocumentRoot.    # Example:    # Alias /webpath /full/filesystem/path    #    # If you include a trailing / on /webpath then the server will    # require it to be present in the URL.  You will also likely    # need to provide a <Directory> section to allow access to    # the filesystem path.    #    # ScriptAlias: This controls which directories contain server scripts.     # ScriptAliases are essentially the same as Aliases, except that    # documents in the target directory are treated as applications and    # run by the server when requested rather than as documents sent to the    # client.  The same rules about trailing "/" apply to ScriptAlias    # directives as to Alias.    #    ScriptAlias /cgi-bin/ "D:/WAMP/apache/cgi-bin/"</IfModule><IfModule cgid_module>    #    # ScriptSock: On threaded servers, designate the path to the UNIX    # socket used to communicate with the CGI daemon of mod_cgid.    #    #Scriptsock logs/cgisock</IfModule>## "D:/WAMP/apache/cgi-bin" should be changed to whatever your ScriptAliased# CGI directory exists, if you have that configured.#<Directory "D:/WAMP/apache/cgi-bin">    AllowOverride All    Options None    Order allow,deny    Allow from all</Directory>## DefaultType: the default MIME type the server will use for a document# if it cannot otherwise determine one, such as from filename extensions.# If your server contains mostly text or HTML documents, "text/plain" is# a good value.  If most of your content is binary, such as applications# or images, you may want to use "application/octet-stream" instead to# keep browsers from trying to display binary files as though they are# text.#DefaultType text/plain<IfModule mime_module>    #    # TypesConfig points to the file containing the list of mappings from    # filename extension to MIME-type.    
    #
    TypesConfig conf/mime.types
    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi
    # For type maps (negotiated resources):
    #AddHandler type-map var
    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile conf/magic
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.phpStudy.net/subscription_info.html
#
#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or 0 for unlimited
# Default setting is to accept 200 Ranges
#MaxRanges 0
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall is used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
#
#EnableMMAP off
#EnableSendfile off
# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
Include conf/phpmyadmin.conf
Include conf/vhosts.conf
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
LoadFile "D:/WAMP/PHP/php5ts.dll"
LoadModule php5_module "D:/WAMP/PHP/php5apache2_2.dll"
<IfModule php5_module>
    PHPIniDir "D:/WAMP/PHP/"
    AddType application/x-httpd-php .php .phtml
</IfModule>
LoadFile "D:/WAMP/PHP/libmysql.dll"
LoadFile "D:/WAMP/PHP/libmcrypt.dll"
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
<IfModule mod_Rewrite.c>
RewriteEngine On
RewriteRule ^(.*)/archiver/((fid|tid)-[\w\-]+\.html)$ $1/archiver/index.php?$2
RewriteRule ^(.*)/forum-([0-9]+)-([0-9]+)\.html$ $1/forumdisplay.php?fid=$2&page=$3
RewriteRule ^(.*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ $1/viewthread.php?tid=$2&extra=page\%3D$4&page=$3
RewriteRule ^(.*)/space-(username|uid)-(.+)\.html$ $1/space.php?$2=$3
RewriteRule ^(.*)/tag-(.+)\.html$ $1/tag.php?name=$2
</IfModule>
<ifmodule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
</ifmodule>
TraceEnable off
<IfModule deflate_module>
SetOutputFilter DEFLATE
# Don't compress images and other
SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI .(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI .(?:pdf|doc)$ no-gzip dont-vary
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

-------------------------

Re: neither localhost nor 127.0.0.1 can be accessed normally

Oh, I found it: after I changed the default directory, this part was not updated to match. Thanks to the moderator for the help, thank you!
tunawt 2019-12-02 02:35:55 0 views, 0 answers

Answer

Nginx is a lightweight, high-performance web server as well as a reverse proxy and mail (IMAP/POP3) proxy server. It runs on UNIX, GNU/Linux, the BSD variants, Mac OS X, Solaris and Windows. According to survey statistics, 6% of websites use the Nginx web server. Nginx is one of the few servers able to handle the C10K problem. Unlike traditional servers, Nginx does not rely on threads to handle requests. Instead, it uses a more scalable event-driven (asynchronous) architecture. Nginx powers a number of high-traffic sites such as WordPress, Renren, Tencent and NetEase. This article mainly describes how to improve the security of an Nginx web server running on Linux or UNIX.

Default configuration files and Nginx ports

    /usr/local/nginx/conf/ : Nginx configuration directory; /usr/local/nginx/conf/nginx.conf is the main configuration file
    /usr/local/nginx/html/ : default location of the website files
    /usr/local/nginx/logs/ : default location of the log files
    Nginx HTTP default port: TCP 80
    Nginx HTTPS default port: TCP 443

You can test the Nginx configuration file with the following command.

    /usr/local/nginx/sbin/nginx -t

It will output:

    the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    configuration file /usr/local/nginx/conf/nginx.conf test is successful

Run the following command to reload the configuration file.

    /usr/local/nginx/sbin/nginx -s reload

Run the following command to stop the server.

    /usr/local/nginx/sbin/nginx -s stop

1. Configure SELinux

Note: for cloud server ECS, see the ECS usage notes; for compatibility and stability reasons, do not enable SELinux.

Security-Enhanced Linux (SELinux) is a Linux kernel feature that provides a protection mechanism supporting access-control security policies. It can defend against most attacks. Below we look at how to enable SELinux on CentOS/RHEL-based systems.

Install SELinux

    rpm -qa | grep selinux
    libselinux-1.23.10-2
    selinux-policy-targeted-1.23.16-6

If nothing is returned, SELinux is not installed; if output similar to the above is returned, SELinux is installed on the system.

Boolean lockdown

Run the command getsebool -a to lock down the system.

    getsebool -a | less
    getsebool -a | grep off
    getsebool -a | grep o

2. Allow least privilege through partition mounts

Put the web page/html/php files on the server on a separate partition. For example, create a new partition /dev/sda5 (the first logical partition) and mount it at /nginx. Make sure /nginx is mounted with the noexec, nodev and nosetuid permissions. Here is the entry in my /etc/fstab that mounts /nginx:

    LABEL=/nginx /nginx ext3 defaults,nosuid,noexec,nodev 1 2

Note: you need to use the fdisk and mkfs.ext3 commands to create a new partition.

3. Harden Linux through /etc/sysctl.conf

You can control and configure the Linux kernel and network settings by editing /etc/sysctl.conf.

    # Avoid a smurf attack
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    # Turn on protection for bad icmp error messages
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    # Turn on syncookies for SYN flood attack protection
    net.ipv4.tcp_syncookies = 1
    # Turn on and log spoofed, source routed, and redirect packets
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.default.log_martians = 1
    # No source routed packets here
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    # Turn on reverse path filtering
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    # Make sure no one can alter the routing tables
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0
    # Don't act as a router
    net.ipv4.ip_forward = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    # Turn on execshield
    kernel.exec-shield = 1
    kernel.randomize_va_space = 1
    # Tune IPv6
    net.ipv6.conf.default.router_solicitations = 0
    net.ipv6.conf.default.accept_ra_rtr_pref = 0
    net.ipv6.conf.default.accept_ra_pinfo = 0
    net.ipv6.conf.default.accept_ra_defrtr = 0
    net.ipv6.conf.default.autoconf = 0
    net.ipv6.conf.default.dad_transmits = 0
    net.ipv6.conf.default.max_addresses = 1
    # Optimization for port use for LBs
    # Increase system file descriptor limit
    fs.file-max = 65535
    # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
    kernel.pid_max = 65536
    # Increase system IP port limits
    net.ipv4.ip_local_port_range = 2000 65000
    # Increase TCP max buffer size setable using setsockopt()
    net.ipv4.tcp_rmem = 4096 87380 8388608
    net.ipv4.tcp_wmem = 4096 87380 8388608
    # Increase Linux auto tuning TCP buffer limits
    # min, default, and max number of bytes to use
    # set max to at least 4MB, or higher if you use very high BDP paths
    # Tcp Windows etc
    net.core.rmem_max = 8388608
    net.core.wmem_max = 8388608
    net.core.netdev_max_backlog = 5000
    net.ipv4.tcp_window_scaling = 1

4. Remove all unneeded Nginx modules

You need to minimize the number of modules by compiling Nginx directly from source. Limiting the modules the web server has access to keeps the risk to a minimum. You can configure and install only the nginx modules you need. For example, to disable the SSL and autoindex modules you can run the following commands:

    ./configure --without-http_autoindex_module --without-http_ssi_module
    make
    make install

Use the following command to see which modules can be turned on or off when compiling the nginx server:

    ./configure --help | less

Disable the nginx modules you do not use.

(Optional) Change the nginx version name. Edit the file /http/ngx_http_header_filter_module.c:

    vi +48 src/http/ngx_http_header_filter_module.c

Find the lines:

    static char ngx_http_server_string[] = "Server: nginx" CRLF;
    static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

Change them as follows:

    static char ngx_http_server_string[] = "Server: Ninja Web Server" CRLF;
    static char ngx_http_server_full_string[] = "Server: Ninja Web Server" CRLF;

Save and close the file. Now you can compile the server. Add the following to nginx.conf to turn off the display of the nginx version number.

    server_tokens off;

5. Use mod_security (only for backend Apache servers)

mod_security provides an application-level firewall for Apache. Install mod_security for the backend Apache web servers; this will stop many injection attacks.

6. Install an SELinux policy to harden the Nginx web server

The default SELinux policy does not protect the Nginx web server, but you can install and compile protection for it.

1) Install the environment needed to compile SELinux policy

    yum -y install selinux-policy-targeted selinux-policy-devel

2) Download the SELinux policy that hardens the Nginx web server.

    cd /opt
    wget 'http://downloads.sourceforge.net/project/selinuxnginx/se-ngix_1_0_10.tar.gz?use_mirror=nchc'

3) Unpack the file

    tar -zxvf se-ngix_1_0_10.tar.gz

4) Compile

    cd se-ngix_1_0_10/nginx
    make

It will output the following:

    Compiling targeted nginx module
    /usr/bin/checkmodule: loading policy configuration from tmp/nginx.tmp
    /usr/bin/checkmodule: policy configuration loaded
    /usr/bin/checkmodule: writing binary representation (version 6) to tmp/nginx.mod
    Creating targeted nginx.pp policy package
    rm tmp/nginx.mod.fc tmp/nginx.mod

5) Install the generated nginx.pp SELinux module:

    /usr/sbin/semodule -i nginx.pp

7. Restrictions based on the Iptables firewall

The following firewall script blocks everything except:

    incoming HTTP requests (TCP port 80)
    incoming ICMP ping requests
    outgoing ntp requests (port 123)
    outgoing smtp requests (TCP port 25)

    #!/bin/bash
    IPT="/sbin/iptables"
    # IPS
    # Get server public ip
    SERVER_IP=$(ifconfig eth0 | grep 'inet addr:' | awk -F'inet addr:' '{ print $2}' | awk '{ print $1}')
    LB1_IP="204.54.1.1"
    LB2_IP="204.54.1.2"
    # Do some smart logic so that we can use damm script on LB2 too
    OTHER_LB=""
    SERVER_IP=""
    [[ "$SERVER_IP" == "$LB1_IP" ]] && OTHER_LB="$LB2_IP" || OTHER_LB="$LB1_IP"
    [[ "$OTHER_LB" == "$LB2_IP" ]] && OPP_LB="$LB1_IP" || OPP_LB="$LB2_IP"
    # IPs
    PUB_SSH_ONLY="122.xx.yy.zz/29"
    # FILES
    BLOCKED_IP_TDB=/root/.fw/blocked.ip.txt
    SPOOFIP="127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 192.0.2.0/24"
    BADIPS=$( [[ -f ${BLOCKED_IP_TDB} ]] && egrep -v "^#|^$" ${BLOCKED_IP_TDB})
    # Interfaces
    PUB_IF="eth0"   # public interface
    LO_IF="lo"      # loopback
    VPN_IF="eth1"   # vpn / private net
    # start firewall
    echo "Setting LB1 $(hostname) Firewall..."
    # DROP and close everything
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Unlimited lo access
    $IPT -A INPUT -i ${LO_IF} -j ACCEPT
    $IPT -A OUTPUT -o ${LO_IF} -j ACCEPT
    # Unlimited vpn / pnet access
    $IPT -A INPUT -i ${VPN_IF} -j ACCEPT
    $IPT -A OUTPUT -o ${VPN_IF} -j ACCEPT
    # Drop sync
    $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
    # Drop Fragments
    $IPT -A INPUT -i ${PUB_IF} -f -j DROP
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
    # Drop NULL packets
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " NULL Packets "
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # Drop XMAS
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " XMAS Packets "
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # Drop FIN packet scans
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Fin Packets Scan "
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    # Log and get rid of broadcast / multicast and invalid
    $IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j LOG --log-prefix " Broadcast "
    $IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j DROP
    $IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j LOG --log-prefix " Multicast "
    $IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j DROP
    $IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j LOG --log-prefix " Invalid "
    $IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP
    # Log and block spoofed ips
    $IPT -N spooflist
    for ipblock in $SPOOFIP
    do
        $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix " SPOOF List Block "
        $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP
    done
    $IPT -I INPUT -j spooflist
    $IPT -I OUTPUT -j spooflist
    $IPT -I FORWARD -j spooflist
    # Allow ssh only from selected public ips
    for ip in ${PUB_SSH_ONLY}
    do
        $IPT -A INPUT -i ${PUB_IF} -s ${ip} -p tcp -d ${SERVER_IP} --destination-port 22 -j ACCEPT
        $IPT -A OUTPUT -o ${PUB_IF} -d ${ip} -p tcp -s ${SERVER_IP} --sport 22 -j ACCEPT
    done
    # allow incoming ICMP ping pong stuff
    $IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec -j ACCEPT
    $IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # allow incoming HTTP port 80
    $IPT -A INPUT -i ${PUB_IF} -p tcp -s 0/0 --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    # allow outgoing ntp
    $IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
    # allow outgoing smtp
    $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
    # add your other rules here
    #######################
    # drop and log everything else
    $IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " DEFAULT DROP "
    $IPT -A INPUT -j DROP
    exit 0

8. Control buffer overflow attacks

Edit nginx.conf and set buffer size limits for all clients.

    vi /usr/local/nginx/conf/nginx.conf

Edit and set the buffer size limits for all clients as follows:

    # Start: Size Limits & Buffer Overflows
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    # END: Size Limits & Buffer Overflows

Explanation:

1) client_body_buffer_size 1k (default 8k or 16k): this directive specifies the buffer size for the request body of a connection. If the request exceeds the value specified for the buffer, the whole request body or part of it will be written to a temporary file.

2) client_header_buffer_size 1k: this directive specifies the buffer size for the client request header. In the vast majority of cases a request header will not be larger than 1k, but if there is a large cookie coming from a wap client it may be larger than 1k; Nginx will then allocate a larger buffer for it, and that value can be set in large_client_header_buffers.

3) client_max_body_size 1k: this directive specifies the maximum request body size allowed for a client connection, as it appears in the Content-Length field of the request header. If the request is larger than the specified value, the client receives a "Request Entity Too Large" (413) error. Keep in mind that browsers do not know how to display this error.

4) large_client_header_buffers: specifies the number and size of the buffers used for large client request headers. A request field cannot be larger than one buffer; if the client sends a larger header, nginx returns "Request URI too large" (414). Likewise, the longest field of the request header cannot be larger than one buffer, otherwise the server returns "Bad request" (400). Buffers are allocated only on demand. By default the size of one buffer is the size of the page file in the operating system, usually 4k or 8k; if a connection request eventually changes state to keep-alive, the buffers it occupies are released.

You also need to control timeouts to improve server performance and disconnect clients. Edit as follows:

    # Start: Timeouts
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 5 5;
    send_timeout 10;
    # End: Timeouts

1) client_body_timeout 10; this directive specifies the timeout for reading the request body. The timeout here means that a request body has not entered the read step; if the connection exceeds this time and the client has not responded at all, Nginx returns a "Request time out" (408) error.

2) client_header_timeout 10; this directive specifies the timeout for reading the client request header. The timeout here means that a request header has not entered the read step; if the connection exceeds this time and the client has not responded at all, Nginx returns a "Request time out" (408) error.

3) keepalive_timeout 5 5; the first value of the parameter specifies the timeout for long-lived connections between client and server; beyond this time the server closes the connection. The second value of the parameter (optional) specifies the time value in Keep-Alive: timeout=time in the response header; this value lets some browsers know when to close the connection so that the server does not have to close it again. If this parameter is not specified, nginx does not send Keep-Alive information in the response header. (This does not, however, refer to how to make a connection "Keep-Alive".) The two values of the parameter may differ.

4) send_timeout 10; this directive specifies the timeout after a response has been sent to the client. Timeout means that the connection has not entered the full established state and only two handshakes have been completed; if the client has not responded at all beyond this time, nginx closes the connection.

9. Control concurrent connections

You can use the NginxHttpLimitZone module to limit concurrent connections for a given session or, as a special case, for one IP address. Edit nginx.conf:

    # Directive describes the zone, in which the session states are stored i.e. store in slimits.
    # 1m can handle 32000 sessions with 32 bytes/session, set to 5m x 32000 session
    limit_zone slimits $binary_remote_addr 5m;
    # Control maximum number of simultaneous connections for one session i.e.
    # restricts the amount of connections from a single ip address
    limit_conn slimits 5;

The above limits the clients of each remote IP address to no more than 5 simultaneously open connections.

10. Allow access only to our domain names

If a bot is just randomly scanning the server for all domain names, reject the request. You must allow only the configured virtual domains or reverse proxy requests. You do not have to use IP addresses to reject.

    # Only requests to our Host are allowed i.e. nixcraft.in, images.nixcraft.in and www.nixcraft.in
    if ($host !~ ^(nixcraft.in|www.nixcraft.in|images.nixcraft.in)$ ) {
        return 444;
    }

11. Limit the available request methods

GET and POST are the most commonly used methods on the Internet. Web server methods are defined in RFC 2616. If the web server does not require all available methods to be enabled, they should be disabled. The following directive filters and allows only the GET, HEAD and POST methods:

    # Only allow these request methods
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }
    # Do not accept DELETE, SEARCH and other methods

More about HTTP methods

The GET method is used to request something, such as the file http://www.moqifei.com/index.php.
The HEAD method is the same, except that the server's GET request cannot return a message body.
The POST method may involve many things, such as storing or updating data, ordering a product, or sending e-mail by submitting a form. It is usually handled server-side by scripts in PHP, Perl, Python and so on. If you want to upload files and process data on the server, you must use this method.

12. How do I deny certain User-Agents?

You can easily block User-Agents such as scanners, bots and spammers who abuse your server.

    # Block download agents
    if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
        return 403;
    }

Block the Soso and Youdao bots:

    # Block some robots
    if ($http_user_agent ~* Sosospider|YodaoBot) {
        return 403;
    }

13. How to prevent image hotlinking

Image or HTML hotlinking means that someone uses the address of an image on your site directly to display it on their own site. The end result is that you pay extra bandwidth charges. This usually happens on forums and blogs. I strongly recommend that you block and stop hotlinking.

    # Stop deep linking or hot linking
    location /images/ {
        valid_referers none blocked www.example.com example.com;
        if ($invalid_referer) {
            return 403;
        }
    }

For example, redirect and display a specified image:

    valid_referers blocked www.example.com example.com;
    if ($invalid_referer) {
        rewrite ^/images/uploads.*.(gif|jpg|jpeg|png)$ http://www.examples.com/banned.jpg last;
    }

14. Directory restrictions

You can set access permissions on specified directories. All website directories should be configured one by one, allowing access only to the directories that need it.

Restrict access by IP address

You can restrict access to the directory /admin/ by IP address:

    location /docs/ {
        # block one workstation
        deny 192.168.1.1;
        # allow anyone in 192.168.1.0/24
        allow 192.168.1.0/24;
        # drop rest of the world
        deny all;
    }

Protect a directory with a password

First create the password file and add the user "user":

    mkdir /usr/local/nginx/conf/.htpasswd/
    htpasswd -c /usr/local/nginx/conf/.htpasswd/passwd user

Edit nginx.conf and add the directories to protect:

    # Password Protect /personal-images/ and /delta/ directories
    location ~ /(personal-images/.|delta/.) {
        auth_basic "Restricted";
        auth_basic_user_file /usr/local/nginx/conf/.htpasswd/passwd;
    }

Once the password file has been generated, you can also use the following command to add users who are allowed access:

    htpasswd -s /usr/local/nginx/conf/.htpasswd/passwd userName

15. Nginx SSL configuration

HTTP is a plain-text protocol and is open to passive monitoring. You should use SSL to encrypt your users' content.

Create an SSL certificate

Run the following commands:

    cd /usr/local/nginx/conf
    openssl genrsa -des3 -out server.key 1024
    openssl req -new -key server.key -out server.csr
    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Edit nginx.conf and update it as follows:

    server {
        server_name example.com;
        listen 443;
        ssl on;
        ssl_certificate /usr/local/nginx/conf/server.crt;
        ssl_certificate_key /usr/local/nginx/conf/server.key;
        access_log /usr/local/nginx/logs/ssl.access.log;
        error_log /usr/local/nginx/logs/ssl.error.log;
    }

Restart nginx:

    /usr/local/nginx/sbin/nginx -s reload

16. Nginx and PHP security recommendations

PHP is one of the popular server-side scripting languages. Edit the /etc/php.ini file as follows:

    ; Disallow dangerous functions
    disable_functions = phpinfo, system, mail, exec
    ; Try to limit resources
    ; Maximum execution time of each script, in seconds
    max_execution_time = 30
    ; Maximum amount of time each script may spend parsing request data
    max_input_time = 60
    ; Maximum amount of memory a script may consume (8MB)
    memory_limit = 8M
    ; Maximum size of POST data that PHP will accept.
    post_max_size = 8M
    ; Whether to allow HTTP file uploads.
    file_uploads = Off
    ; Maximum allowed size for uploaded files.
    upload_max_filesize = 2M
    ; Do not expose PHP error messages to external users
    display_errors = Off
    ; Turn on safe mode
    safe_mode = On
    ; Only allow access to executables in isolated directory
    safe_mode_exec_dir = php-required-executables-path
    ; Limit external access to PHP environment
    safe_mode_allowed_env_vars = PHP
    ; Restrict PHP information leakage
    expose_php = Off
    ; Log all errors
    log_errors = On
    ; Do not register globals for input data
    register_globals = Off
    ; Minimize allowable PHP post size
    post_max_size = 1K
    ; Ensure PHP redirects appropriately
    cgi.force_redirect = 0
    ; Disallow uploading unless necessary
    file_uploads = Off
    ; Enable SQL safe mode
    sql.safe_mode = On
    ; Avoid Opening remote files
    allow_url_fopen = Off

17. Run Nginx in a chroot jail if possible

Put nginx in a chroot jail to reduce the potential for break-ins into other directories. You can use the traditional chroot installed alongside nginx. If possible, use the container concepts of FreeBSD jails, Xen or OpenVZ virtualization.

18. Limit the number of connections per IP at the firewall level

A web server must monitor connections and limit connections per second. Both PF and Iptables can block end users before they reach your nginx server.

Linux Iptables: limit the number of Nginx connections

The following example drops connections from one IP that makes more than 15 connections to port 80 within 60 seconds.

    /sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
    /sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 -j DROP
    service iptables save

Set the connection limit according to your own situation.

19. Configure the operating system to protect the web server

Enable SELinux as described above. Set the permissions on the /nginx document root correctly. Nginx runs as the user nginx. But the root directory (/nginx or /usr/local/nginx/html) should not be owned by the user nginx or be writable by the user nginx. To find files with wrong permissions, use the following commands:

    find /nginx -user nginx
    find /usr/local/nginx/html -user nginx

Make sure you change the ownership to root or another user. A typical permission set for /usr/local/nginx/html/:

    ls -l /usr/local/nginx/html/

Sample output:

    -rw-r--r-- 1 root root 925 Jan 3 00:50 error4xx.html
    -rw-r--r-- 1 root root 52 Jan 3 10:00 error5xx.html
    -rw-r--r-- 1 root root 134 Jan 3 00:52 index.html

You must delete the backup files created by vi or other text editors:

    find /nginx -name '.?' -not -name .ht -or -name '~' -or -name '.bak' -or -name '.old*'
    find /usr/local/nginx/html/ -name '.?' -not -name .ht -or -name '~' -or -name '.bak' -or -name '.old*'

Use the -delete option of the find command to delete these files.

20. Restrict outgoing Nginx connections

Attackers will use tools such as wget to download files locally onto your server. Use Iptables to block outgoing connections from the nginx user. The ipt_owner module attempts to match the creator of locally generated packets. In the following example only the user "user" is allowed to connect outside on port 80.

    /sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

With the configuration above, your nginx server is already very secure and can serve web pages. However, you should still look up further security settings for the software your website runs, for example WordPress or third-party programs.
KB小秘书 2019-12-02 02:06:56 0 views, 0 answers
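An added example, not part of the answer above or of nginx itself: a small auditor that parses an nginx.conf and reports which of the answer's settings (server_tokens, the size and timeout directives, limit_conn, the Host and request-method filters) are missing. The sample configurations are constructed, and the 1 MiB ceiling for client_max_body_size is this example's own assumption.

```python
"""Audit an nginx.conf against the settings recommended in the answer above."""
import re

TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};"\']+')

# Directives the answer sets explicitly in its sections 8 and 9.
EXPECTED = (
    "client_body_buffer_size", "client_header_buffer_size", "client_max_body_size",
    "large_client_header_buffers", "client_body_timeout", "client_header_timeout",
    "keepalive_timeout", "send_timeout", "limit_conn",
)
UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse(text):
    """Return [(context, name, args)]; context is the tuple of enclosing block names."""
    text = re.sub(r"#[^\n]*", "", text)  # simplification: no '#' inside quoted strings
    out, stack, cur = [], [], []
    for tok in TOKEN.findall(text):
        if tok == ";":
            if cur:
                out.append((tuple(stack), cur[0], cur[1:]))
            cur = []
        elif tok == "{":
            if not cur:
                raise ValueError("'{' without a block name")
            out.append((tuple(stack), cur[0], cur[1:]))
            stack.append(cur[0])
            cur = []
        elif tok == "}":
            if cur:  # e.g. "rewrite ... last }" with the ';' forgotten
                raise ValueError("missing ';' after: " + " ".join(cur))
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            cur.append(tok)
    if cur or stack:
        raise ValueError("unterminated directive or block")
    return out


def size_bytes(value):
    """Convert an nginx size such as 8k or 1m to bytes."""
    value = value.lower()
    if value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)


def audit(text, max_body=1024 ** 2):
    """Return {check: reason} for each recommendation the configuration misses."""
    seen = {}
    for _ctx, name, args in parse(text):
        seen.setdefault(name, []).append(args)
    findings = {}
    # nginx sends the version banner unless server_tokens is switched off.
    if any(args != ["off"] for args in seen.get("server_tokens", [["on"]])):
        findings["server_tokens"] = "version banner is not disabled"
    for name in EXPECTED:
        if name not in seen:
            findings[name] = "not set, the nginx default applies"
    for args in seen.get("client_max_body_size", []):
        # A value of 0 turns the body size check off altogether.
        if args and (size_bytes(args[0]) == 0 or size_bytes(args[0]) > max_body):
            findings["client_max_body_size"] = "%s is unlimited or above %d bytes" % (args[0], max_body)
    conditions = [" ".join(args) for args in seen.get("if", [])]
    if not any("$request_method" in c for c in conditions):
        findings["request_method"] = "no request-method allow-list"
    if not any("$host" in c for c in conditions):
        findings["host"] = "no Host allow-list"
    return findings


# Constructed sample: the answer's own directives assembled into one file.
HARDENED = r"""
http {
    server_tokens off;
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 5 5;
    send_timeout 10;
    limit_conn slimits 5;
    server {
        listen 80;
        if ($host !~ ^(nixcraft.in|www.nixcraft.in|images.nixcraft.in)$ ) { return 444; }
        if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; }
    }
}
"""

# Constructed sample: a configuration that skips most of the answer's settings.
WEAK = r"""
http {
    server_tokens on;          # banner left enabled
    client_max_body_size 0;    # body size check disabled
    keepalive_timeout 65;
    server { listen 80; server_name example.com; }
}
"""

if __name__ == "__main__":
    for check, reason in sorted(audit(WEAK).items()):
        print("%-28s %s" % (check, reason))
```
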

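Question

appcomb.com site diary: installing and deploying vsftpd

I rented a server and attached a disk. For the first few days I was still caught up in the novelty and excitement of having my own always-on networked computer, a feeling no less than the one I had when I first owned an Apple laptop. I would log in and do something whether or not there was anything to do, really mostly just to run ls...
wang 2019-12-01 21:59:36 9192 views, 1 answer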

Answer

For a detailed answer, see the official help documentation.

Outlook Express complete error code reference

General errors
--------------
Error code   Error type                     Description
----------   ------------------------       ------------------------------
0x800CCC00   LOAD_SICILY_FAILED             Authentication did not load.
0x800CCC01   INVALID_CERT_CN                Invalid certificate content.
0x800CCC02   INVALID_CERT_DATE              Invalid certificate date.
0x800CCC03   ALREADY_CONNECTED              User already connected.
0x800CCC04   CONN
0x800CCC05   NOT_CONNECTED                  Not connected to server.
0x800CCC06   CONN_SEND
0x800CCC07   WOULD_BLOCK
0x800CCC08   INVALID_STATE
0x800CCC09   CONN_RECV
0x800CCC0A   INCOMPLETE                     Message download incomplete.
0x800CCC0B   BUSY                           Server or mailbox busy.
0x800CCC0C   NOT_INIT
0x800CCC0D   CANT_FIND_HOST                 Cannot find server.
0x800CCC0E   FAILED_TO_CONNECT              Cannot connect to server.
0x800CCC0F   CONNECTION_DROPPED             Connection closed.
0x800CCC10   INVALID_ADDRESS                Unknown address on server.
0x800CCC11   INVALID_ADDRESS_LIST           Unknown mailing list on server.
0x800CCC12   SOCKET_READ_ERROR              Unable to send WINSOCK request.
0x800CCC13   SOCKET_WRITE_ERROR             Unable to read Winsock reply.
0x800CCC14   SOCKET_INIT_ERROR              Unable to initialize Winsock.
0x800CCC15   SOCKET_CONNECT_ERROR           Unable to open Windows socket.
0x800CCC16   INVALID_ACCOUNT                User account not recognized.
0x800CCC17   USER_CANCEL                    User canceled the operation.
0x800CCC18   SICILY_LOGON_FAILED            Logon attempt failed.
0x800CCC19   TIMEOUT
0x800CCC1A   SECURE_CONNECT_FAILED          Unable to connect using Secure Sockets Layer (SSL).

WINSOCK errors
--------------
Error code   Error type                     Description
----------   ------------------------       ------------------------------
0x800CCC40   WINSOCK_WSASYSNOTREADY         Network subsystem unavailable.
0x800CCC41   WINSOCK_WSAVERNOTSUPPORTED     Windows Sockets cannot support this application.
0x800CCC42   WINSOCK_WSAEPROCLIM
0x800CCC43   WINSOCK_WSAEFAULT              Bad address.
0x800CCC44   WINSOCK_FAILED_WSASTARTUP      Unable to load Windows Sockets.
0x800CCC45   WINSOCK_WSAEINPROGRESS         Operation in progress. This error occurs if a Windows Sockets API is called while a blocking function is executing.

Simple Mail Transfer Protocol (SMTP) errors
--------------------------------------------
Error code   Error type                     Description
----------   ------------------------       --------------------------------
0x800CCC60   SMTP_RESPONSE_ERROR            Invalid response.
0x800CCC61   SMTP_UNKNOWN_RESPONSE_CODE     Unknown error code.
0x800CCC62   SMTP_500_SYNTAX_ERROR          Syntax error returned.
0x800CCC63   SMTP_501_PARAM_SYNTAX          Parameter syntax incorrect.
0x800CCC64   SMTP_502_COMMAND_NOTIMPL       Command not executed.
0x800CCC65   SMTP_503_COMMAND_SEQ           Wrong command sequence.
0x800CCC66   SMTP_504_COMMAND_PARAM_NOTIMPL Command not executed.
0x800CCC67   SMTP_421_NOT_AVAILABLE         Command not available.
0x800CCC68   SMTP_450_MAILBOX_BUSY          Mailbox is locked and busy.
0x800CCC69   SMTP_550_MAILBOX_NOT_FOUND     Mailbox not found.
0x800CCC6A   SMTP_451_ERROR_PROCESSING      Error processing request.
0x800CCC6B   SMTP_551_USER_NOT_LOCAL        User mailbox is known, but the mailbox is not on this server.
0x800CCC6C   SMTP_452_NO_SYSTEM_STORAGE     No space to store messages.
0x800CCC6D   SMTP_552_STORAGE_OVERFLOW      Storage limit exceeded.
0x800CCC6E   SMTP_553_MAILBOX_NAME_SYNTAX   Invalid mailbox name syntax.
0x800CCC6F   SMTP_554_TRANSACT_FAILED       Transaction failed.
0x800CCC78   SMTP_REJECTED_SENDER           Unknown sender. This error is caused by an incorrect e-mail address in the "Reply" field.
0x800CCC79   SMTP_REJECTED_RECIPIENTS       Server rejected recipients.
0x800CCC7A   SMTP_NO_SENDER                 No sender address specified.
0x800CCC7B   SMTP_NO_RECIPIENTS             No recipient address specified.

Post Office Protocol version 3 (POP3) errors
--------------------------------------------
Error code   Error type                     Description
----------   ------------------------       -----------------------------
0x800420CB   POP3_NO_STORE                  Mail cannot be stored on the server.
0x800CCC90   POP3_RESPONSE_ERROR            Client response invalid.
0x800CCC91   POP3_INVALID_USER_NAME         Invalid user name or user not found.
0x800CCC92   POP3_INVALID_PASSWORD          Password for the account is invalid.
0x800CCC93   POP3_PARSE_FAILURE             Unable to interpret response.
0x800CCC94   POP3_NEED_STAT                 STAT command needed.
0x800CCC95   POP3_NO_MESSAGES               No messages on server.
0x800CCC96   POP3_NO_MARKED_MESSAGES        No messages marked for retrieval.
0x800CCC97   POP3_POPID_OUT_OF_RANGE        Message ID number out of range.

HTTPMail errors
--------------
Error code   Error type                Description
----------   --------------------      ---------------------------
0x800CCC31                             Bad request configuration; a malformed request or one containing malicious code.

Network News Transfer Protocol (NNTP) errors
---------------------------------------------
Error code   Error type                 Description
----------   ------------------------   ---------------------------
0x800CCCA0   NNTP_RESPONSE_ERROR        News server response error.
0x800CCCA1   NNTP_NEWGROUPS_FAILED      Newsgroup access failed.
0x800CCCA2   NNTP_LIST_FAILED           LIST command to server failed.
0x800CCCA3   NNTP_LISTGROUP_FAILED      Unable to display list.
0x800CCCA4   NNTP_GROUP_FAILED          Unable to open group.
0x800CCCA5   NNTP_GROUP_NOTFOUND        Group not on server.
0x800CCCA6   NNTP_ARTICLE_FAILED        Message not on server.
0x800CCCA7   NNTP_HEAD_FAILED           Message header not found.
0x800CCCA8   NNTP_BODY_FAILED           Message body not found.
0x800CCCA9   NNTP_POST_FAILED           Unable to post to server.
0x800CCCAA   NNTP_NEXT_FAILED           Unable to open next message.
0x800CCCAB   NNTP_DATE_FAILED           Unable to display date.
0x800CCCAC   NNTP_HEADERS_FAILED        Unable to display headers.
0x800CCCAD   NNTP_XHDR_FAILED           Unable to display MIME headers.
0x800CCCAE   NNTP_INVALID_USERPASS      Invalid user or password.

Remote Access Service (RAS) errors
----------------------------------
Error code   Error type                 Description
----------   -----------------------    ------------------------------
0x800CCCC2   RAS_NOT_INSTALLED          RAS/DUN not installed.
0x800CCCC3   RAS_PROCS_NOT_FOUND        RAS/DUN process not found.
0x800CCCC4   RAS_ERROR                  RAS/DUN error returned.
0x800CCCC5   RAS_INVALID_CONNECTOID     Connectoid damaged or missing.
0x800CCCC6   RAS_GET_DIAL_PARAMS        Error getting dial settings.

Internet Message Access Protocol (IMAP) errors
----------------------------------------------
Error code   Error type                     Description
----------   ------------------------       -----------------------------
0x800CCCD1   IMAP_LOGINFAILURE              Login failed.
0x800CCCD2   IMAP_TAGGED_NO_RESPONSE        Message tagged.
0x800CCCD3   IMAP_BAD_RESPONSE              Invalid response to request.
0x800CCCD4   IMAP_SVR_SYNTAXERR             Syntax error.
0x800CCCD5   IMAP_NOTIMAPSERVER             Not an IMAP server.
0x800CCCD6   IMAP_BUFFER_OVERFLOW           Buffer limit exceeded.
0x800CCCD7   IMAP_RECVR_ERROR               Recovery error.
0x800CCCD8   IMAP_INCOMPLETE_LINE           Incomplete data.
0x800CCCD9   IMAP_CONNECTION_REFUSED        Connection not allowed.
0x800CCCDA   IMAP_UNRECOGNIZED_RESP         Unknown response.
0x800CCCDB   IMAP_CHANGEDUID                User ID has changed.
0x800CCCDC   IMAP_UIDORDER                  User ID command failed.
0x800CCCDD   IMAP_UNSOLICITED_BYE           Unexpected disconnect.
0x800CCCDE   IMAP_IMPROPER_SVRSTATE         Invalid server state.
0x800CCCDF   IMAP_AUTH_NOT_POSSIBLE         Unable to authorize client.
0x800CCCE0   IMAP_OUT_OF_AUTH_METHODS       No more authorization types.
2019-12-01 23:24:28 0 views, 0 answers

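Question

Cannot log in after adding a new FTP user

After I added a new FTP login user, logging in reports 530 Login incorrect. The vsftpd.conf configuration is as follows: cat /etc/vsftpd/vsftpd.conf # Example config fil...
harryguo 2019-12-01 19:27:52 65 views, 0 answers

Question

Why does remote login to a Linux instance fail with the error: login: Module is unknown

The configuration and notes in this article were tested on a CentOS 6.8 64 bit instance. The configuration of other types and versions of Linux systems may differ; for details see the official documentation of the relevant Linux system. If you need to change the related policy configuration, back up the files in advance...
boxti 2019-12-01 21:59:31 1771 views, 0 answers

Question

Sharing WordPress attachments with OSSFS data volumes in Container Service

This document describes how to share WordPress attachments between different containers by creating an OSSFS data volume on Alibaba Cloud Container Service. Scenario: the rise of Docker containers has made deploying WordPress very simple. With Alibaba Cloud Container Service,...
反向一觉 2019-12-01 21:23:20 1621 views, 0 answers

Question

Fixing the error on local access with the MySQL 5.7 root account

Fixing the error on local access with the MySQL 5.7 root account ## Problem description: versions from MySQL 5.7 onward use the new authorization plugin auth_socket. When an ordinary system user logs in with the mysql root account, it keeps reporting the error: " Access denied...
晓之意 2019-12-01 21:50:48 637 views, 0 answers

Answer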

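Establishing trust relationships between Linux servers is groundwork for many online service systems. It makes it easy for programs to transfer data automatically between multiple servers, and lets users log in or perform operations across hosts without entering a password. There are some Chinese articles online about establishing Linux trust relationships (ssh trust), but none of them is very detailed; this one brings together material from many sources to explain clearly how to set up trust between multiple machines. (by 陈运文)

I. Basic steps for establishing a trust relationship

The basic scenario is that you want to log in from one server directly to another, or copy data from the Server machine to the Client machine without password verification. Below, the Server machine is called S (the data files to be sent are on this server) and the Client machine is called C. The simplest way to establish trust is as follows:

1. On server S, go to the hidden directory .ssh under the current user's home directory:

    cd ~/.ssh

(Note: the dot "." in front of the directory name means the folder is a special hidden folder that ls does not show by default; it can be seen with ls -a.)

2. Generate the private and public keys for server S:

    ssh-keygen -t rsa

(Note: rsa is the name of an encryption algorithm; dsa can also be used here. RSA and DSA are introduced in the second half of this article.)

[Figure: ssh-keygen generating the keys used for the trust relationship]

- This displays Generating public/private key pair. and prompts for the path and file name where the generated public and private key files are stored. By default they are put in a file like /home/username/.ssh/id_rsa; there is usually no need to change this, just press Enter.
- Then Enter passphrase(empty for no passphrase): usually just press Enter; by default no passphrase is required.
- Enter same passphrase again: also just press Enter.
- A message then shows that the key fingerprint has been generated, along with a box drawing for the RSA encryption protocol. If you now run ls in the .ssh directory you can see the generated private key file id_rsa and public key file id_rsa.pub.

Additional notes:

Note 1: If you are prompted id_rsa already exists, Overwrite(y/n), someone has already created a key. Choose n to skip this operation and use the previously generated files directly; choosing y to overwrite does no harm either.

Note 2: The public key is used for encryption and is open to everyone (pub is short for public); the private key is used for decryption and is held only by the recipient of the ciphertext.

3. Load the private key file on the Server machine

Still in the .ssh directory, run:

    ssh-add id_rsa

If the system prompts Identity added: id_rsa (id_rsa), the key has been loaded successfully.

Handling a few abnormal cases:

- If the system prompts could not open a connection to your authentication agent, run the following command and then run ssh-add id_rsa again:

    ssh-agent bash

- If the system prompts id_rsa: No such file or directory, the system cannot find the private key file id_rsa. Check whether the current path is not the .ssh directory, or whether the private key file was renamed; for example, if it was named aa_rsa when created, the command here has to be changed accordingly.
- If the system prompts command not found, you must have mistyped the command :)
- If it prompts Agent admitted failure to sign using the key, the private key was not loaded successfully; retry ssh-add.
- Do not delete the id_rsa/id_rsa.pub files; keep them in the .ssh directory.

4. Copy the public key to the Client machine

Very simple, for example:

    scp id_rsa.pub user@10.11.xx.xx:~

5. Log in to the Client machine over ssh, and on the Client machine append the contents of the public key to the end of the authorized_keys file (this file is also in the hidden folder .ssh; if it does not exist you can create it, no problem):

    cat id_rsa.pub >> ~/.ssh/authorized_keys

Additional notes, for reference if you run into problems:

Note 1: Overwriting the file is not recommended here. Some tutorials scp id_rsa.pub directly onto the Client machine's authorized_keys file, which destroys the data of other trust relationships set up earlier; appending to the end is the safer way.

Note 2: After the cat, the id_rsa.pub file just copied to the Client machine is no longer needed and can be deleted or moved elsewhere.

Note 3: The ssh-keygen command can specify the length of the generated key file with the -b parameter; if not specified the default is 1024. With ssh-keygen -b 4096 (4096 is the maximum), the strength of the encryption increases, but generation and verification take longer. For ordinary applications the default length is sufficient. With rsa encryption, the minimum length is 768 byte.

Note 4: Permissions on the authorized_keys file. If, after setting up the relationship with the steps above, a password is still required and there is no other error, check the permissions on the authorized_keys file; they need to be changed:

    chmod g-w authorized_keys

OK, now try copying a file from the Server side to the Client machine; it should go straight across with no interaction.

At this point, however, sending data from the Client to the Server still requires password verification. If the two servers need to transfer data directly in both directions, repeat the steps above in the opposite direction.

II. How to remove a trust relationship between servers

If you want to cancel the trust relationship between two servers, deleting the public or private key directly is no use. On the Client machine, open the ~/.ssh/authorized_keys file, find the public key entry of the corresponding server and delete it. Each entry begins with the text ssh-rsa and ends with the account and IP of the Server machine (as in the red box in the figure below); look carefully, then delete the whole entry.

[Figure: contents of the key file and how to remove a trust relationship between Linux servers]

III. Situations you may encounter and how to handle them

- The message port 22: Connection refused

Possible cause: the latest openssh-server is not installed correctly. To install it:

    sudo apt-get install openssh-server

If apt installation is not supported, you can download it manually:

    wget ftp.ssh.com/pub/ssh/ssh-3.2.9.1.tar.gz

- Permissions on directories and files

The permissions on the .ssh directory must be 700, and the permissions on the local private key must be set to 600:

    chmod 600 id_rsa

Otherwise the ssh server will refuse the login.

IV. About the RSA and DSA encryption algorithms

In the ssh-keygen command, the -t parameter specifies the encryption algorithm; you can choose rsa or dsa.

RSA takes its name from the initials of the surnames of the three people who proposed the algorithm, Ron Rivest, Adi Shamir, and Leonard Adleman. As an asymmetric encryption algorithm, the security of RSA rests on the extreme difficulty of factoring large integers (recovering the two primes from their product). There are many articles on how the RSA algorithm works; interested readers can look them up.

DSA = Digital Signature Algorithm, based on the discrete logarithm problem in finite fields. It is a variant of the Schnorr and ElGamal signature algorithms, generally used for digital signatures and authentication, and was adopted by the US standards body (NIST) as the Digital Signature Standard (DSS), based on discrete logarithms computation.

DES = Digital Encryption Standard. Obsolete standard.

The strengths of the RSA algorithm are that key management is easy to implement over a network and that it is convenient for digital signatures; the algorithm is complex, encryption/decryption is slow, and it uses asymmetric encryption. In practical use for establishing trust relationships, the difference between the two methods is very small and you can pick either one.

V. About the SSH protocol

SSH stands for Secure SHell, which as the name suggests means a very secure shell. The SSH protocol is a protocol defined by the Network Working Group of the IETF (Internet Engineering Task Force). The main purpose of SSH is to replace the traditional telnet and the R-series commands (rlogin, rsh, rexec and so on) as tools for remote login and remote command execution, encrypting both, and so to prevent password leaks caused by network eavesdropping from threatening the system.

The ssh protocol currently has SSH1 and SSH2, and the SSH2 protocol is compatible with SSH1. The main software implementing the SSH1 and SSH2 protocols today is OpenSSH and the SSH Communications software from SSH Communications Security Corporation. The former is free SSH software developed by the OpenBSD organization and the latter is commercial software, so on free UNIX-like systems such as linux, FreeBSD, OpenBSD and NetBSD, OpenSSH is usually used as the implementation of the SSH protocol. This article therefore focuses on the use of OpenSSH. Note that the login public/private key formats of OpenSSH and SSH Communications are different; if you want to use a private/public key pair generated by SSH Communications to log in to a linux system that uses OpenSSH, you need to convert the format of the public/private keys.

After the first login, ssh stores the ssh fingerprint of the login in the known_hosts file in the .ssh directory of the user's home directory. If the remote system has been reinstalled and the ssh fingerprint has changed, you need to delete the corresponding fingerprint from known_hosts in the .ssh directory and then answer yes when logging in again before you can log in. Note that the .ssh directory is a hidden directory beginning with "." and needs the ls -a parameter to be seen. The permissions on this directory must be 700, and the user's home directory must not give other users write permission either, otherwise the ssh server will refuse the login. If you cannot log in, check the log file /var/log/secure on the server. You can usually find the reason for the failed login quickly.

VI. Notes on the ssh_config and sshd_config configuration files

/etc/ssh/ssh_config:

    Host *
        The "Host" option applies only to computers that match the string after it. "*" means all computers.
    ForwardAgent no
        "ForwardAgent" sets whether the connection is forwarded to the remote computer through the authentication agent (if one exists).
    ForwardX11 no
        "ForwardX11" sets whether X11 connections are automatically redirected to the secure channel and display set (DISPLAY set).
    RhostsAuthentication no
        "RhostsAuthentication" sets whether rhosts-based security authentication is used.
    RhostsRSAAuthentication no
        "RhostsRSAAuthentication" sets whether rhosts-based security authentication using the RSA algorithm is used.
    RSAAuthentication yes
        "RSAAuthentication" sets whether the RSA algorithm is used for security authentication.
    PasswordAuthentication yes
        "PasswordAuthentication" sets whether password authentication is used.
    FallBackToRsh no
        "FallBackToRsh" sets whether rsh is used automatically if an error occurs when connecting with ssh.
    UseRsh no
        "UseRsh" sets whether "rlogin/rsh" is used on this computer.
    BatchMode no
        "BatchMode": if set to "yes", the passphrase/password prompt (interactive password entry) is disabled. This option is very useful for script files and batch jobs when a password cannot be entered interactively.
    CheckHostIP yes
        "CheckHostIP" sets whether ssh checks the IP address of the host connecting to the server to prevent DNS spoofing. Setting it to "yes" is recommended.
    StrictHostKeyChecking no
        "StrictHostKeyChecking": if set to "yes", ssh will not automatically add the computer's key to the "$HOME/.ssh/known_hosts" file, and will refuse the connection once the computer's key has changed.
    IdentityFile ~/.ssh/identity
        "IdentityFile" sets the file from which the user's RSA security authentication identity is read.
    Port 22
        "Port" sets the port used to connect to the remote host.
    Cipher blowfish
        "Cipher" sets the cipher used for encryption.
    EscapeChar ~
        "EscapeChar" sets the escape character.

/etc/ssh/sshd_config:

    Port 22
        "Port" sets the port number sshd listens on.
    ListenAddress 192.168.1.1
        "ListenAddress" sets the IP address the sshd server binds to.
    HostKey /etc/ssh/ssh_host_key
        "HostKey" sets the file containing the computer's private key.
    ServerKeyBits 1024
        "ServerKeyBits" defines the number of bits in the server key.
    LoginGraceTime 600
        "LoginGraceTime" sets how long the server waits (in seconds) before cutting the connection if the user cannot log in successfully.
    KeyRegenerationInterval 3600
        "KeyRegenerationInterval" sets the number of seconds after which the server key is automatically regenerated (if a key is used). The key is regenerated to prevent intercepted information from being decrypted with a stolen key.
    PermitRootLogin no
        "PermitRootLogin" sets whether root can log in with ssh. This option must never be set to "yes".
    IgnoreRhosts yes
        "IgnoreRhosts" sets whether the "rhosts" and "shosts" files are used during authentication.
    IgnoreUserKnownHosts yes
        "IgnoreUserKnownHosts" sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" when performing RhostsRSAAuthentication security authentication.
    StrictModes yes
        "StrictModes" sets whether ssh checks the permissions and ownership of the user's home directory and rhosts file before accepting a login request. This is usually necessary, because newcomers often make their own directories and files writable by everyone.
    X11Forwarding no
        "X11Forwarding" sets whether X11 forwarding is allowed.
    PrintMotd yes
        "PrintMotd" sets whether sshd displays the information in "/etc/motd" when a user logs in.
    SyslogFacility AUTH
        "SyslogFacility" sets whether a "facility code" is given when messages from sshd are logged.
    LogLevel INFO
        "LogLevel" sets the level at which sshd log messages are recorded. INFO is a good choice. See the sshd man page for more information.
    RhostsAuthentication no
        "RhostsAuthentication" sets whether security authentication using only rhosts or "/etc/hosts.equiv" is sufficient.
    RhostsRSAAuthentication no
        "RhostsRSA" sets whether security authentication using rhosts or "/etc/hosts.equiv" plus RSA is allowed.
    RSAAuthentication yes
        "RSAAuthentication" sets whether RSA-only security authentication is allowed.
    PasswordAuthentication yes
        "PasswordAuthentication" sets whether password authentication is allowed.
    PermitEmptyPasswords no
        "PermitEmptyPasswords" sets whether logging in with an account whose password is empty is allowed.
    AllowUsers admin
        "AllowUsers" can be followed by any number of user name patterns or patterns of the form user@host, separated by spaces. The host name can be a DNS name or an IP address.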
boxti 2019-12-02 01:27:05 0 views, 0 answers
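An added example, not part of the answer above: a check of the permission rules that answer quotes (home directory not writable by other users, .ssh at 700, private keys at 600, authorized_keys not group-writable), the usual reason a key login still falls back to a password. Private keys are recognised by their file header rather than by name, so a renamed key such as aa_rsa is covered; the function names are this example's own.

```python
import os
import stat

LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group and others


def is_private_key(path):
    """True if the file starts with a PEM/OpenSSH private key header."""
    try:
        with open(path, "rb") as handle:
            return b"PRIVATE KEY-----" in handle.read(64)
    except OSError:
        return False


def audit_ssh_dir(home):
    """Return [(path relative to home, octal mode, problem)] for each rule broken."""
    findings = []

    def check(path, problem, is_bad):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if is_bad(mode):
            findings.append((os.path.relpath(path, home), "%04o" % mode, problem))

    check(home, "home directory is writable by other users",
          lambda m: bool(m & LOOSE_WRITE))
    ssh_dir = os.path.join(home, ".ssh")
    if not os.path.isdir(ssh_dir):
        return findings
    check(ssh_dir, ".ssh must be 700", lambda m: m != 0o700)
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        if name == "authorized_keys":
            check(path, "authorized_keys is writable by group or others",
                  lambda m: bool(m & LOOSE_WRITE))
        elif is_private_key(path):
            check(path, "private key must be 600", lambda m: m != 0o600)
    return findings


if __name__ == "__main__":
    for rel, mode, problem in audit_ssh_dir(os.path.expanduser("~")):
        print("%-28s %s  %s" % (rel, mode, problem))
```

Run it as the account whose login is failing; an empty result means the permissions match the rules in the answer and the cause lies elsewhere, for example in /var/log/secure.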

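Question

The following error appears on SSH login: pamlistfile(sshd:auth): Ref used user root for service sshd

Note: the configuration and notes in this article have been tested on the CentOS 6.5 64-bit operating system. The configuration of other types and versions of operating systems may differ; for details see the official documentation of the relevant operating system. Problem description: logging in to cloud server ECS ...
boxti 2019-12-01 21:59:37 1290 views, 0 answers

Question

What are the common errors and fixes when a MySQL server on a Linux ECS cloud server cannot be reached remotely

When using a self-managed MySQL database, you will occasionally find that you cannot connect to the MySQL server. Some common problems and their fixes are listed below: the account has not been granted access, so MySQL cannot be connected to, with the error: '...
boxti 2019-12-01 21:55:16 2249 views, 0 answers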
