LAMP搭建13:Apache访问控制
2017-01-16 15:43
417 查看
Apache的访问控制有两种:一是对目录进行限制,一是对文件进行限制。依次介绍这两种访问控制方式。我们的虚拟机有两个IP:一个127.0.0.1,另一个192.168.147.132。如果我们不想让其中一个IP比如127.0.0.1访问我们的网站。(其实主要是限制别人,不是限制自己,这里只是举例子)
编辑虚拟主机配置文件
[root@centos6 ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
添加限制127.0.0.1访问网站根目录的访问控制方法:
……
ServerName www.test.com
ServerAlias www.aaa.com
ServerAlias www.bbb.com
<Directory "/data/www">
AllowOverride None
Options None
Order allow,deny
Allow from all
Deny from 127.0.0.1
</Directory>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.aaa.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.bbb.com$
RewriteRule ^/(.*)$ http://www.test.com/$1 [R=301,L]
</IfModule>
……
按Order顺序匹配,与下面Allow行和Deny行的先后无关。这里Order顺序为先看allow,再看deny,
所以先允许所有的IP访问,再禁止127.0.0.1的访问,最终结果是127.0.0.1被禁止。
检查无误后重新加载配置文件,可以看到我们做到了拒绝127.0.0.1的访问,192.168.147.132仍可访问
[root@centos6 ~]# apachectl -t
Syntax OK
[root@centos6 ~]# apachectl graceful
[root@centos6 ~]# curl -x127.0.0.1:80 -I www.test.com
HTTP/1.1 403 Forbidden
Date: Sat, 14 Jan 2017 16:18:57 GMT
Server: Apache/2.2.9 (Unix) PHP/5.4.36
Content-Type: text/html; charset=iso-8859-1
[root@centos6 ~]# curl -x192.168.147.132:80 -I www.test.com
HTTP/1.1 301 Moved Permanently
Date: Sat, 14 Jan 2017 16:19:07 GMT
Server: Apache/2.2.9 (Unix) PHP/5.4.36
X-Powered-By: PHP/5.4.36
location: forum.php
Cache-Control: max-age=0
Expires: Sat, 14 Jan 2017 16:19:07 GMT
Content-Type: text/html
[root@centos6 ~]# curl -x192.168.147.132:80 -I www.test.com/forum.php
HTTP/1.1 200 OK
Date: Sat, 14 Jan 2017 16:19:26 GMT
Server: Apache/2.2.9 (Unix) PHP/5.4.36
X-Powered-By: PHP/5.4.36
Set-Cookie: sTi8_2132_saltkey=NwiTwCJX; expires=Mon, 13-Feb-2017 16:19:26 GMT; path=/; httponly
Set-Cookie: sTi8_2132_lastvisit=1484407166; expires=Mon, 13-Feb-2017 16:19:26 GMT; path=/
Set-Cookie: sTi8_2132_sid=BreFeR; expires=Sun, 15-Jan-2017 16:19:26 GMT; path=/
Set-Cookie: sTi8_2132_lastact=1484410766%09forum.php%09; expires=Sun, 15-Jan-2017 16:19:26 GMT; path=/
Set-Cookie: sTi8_2132_onlineusernum=1; expires=Sat, 14-Jan-2017 16:24:26 GMT; path=/
Set-Cookie: sTi8_2132_sid=BreFeR; expires=Sun, 15-Jan-2017 16:19:26 GMT; path=/
Cache-Control: max-age=0
Expires: Sat, 14 Jan 2017 16:19:26 GMT
Content-Type: text/html; charset=gbk
我们网站后台肯定不能对任意IP开放访问,比如只能允许在本机登录后台,则需要对后台管理admin.php做白名单:正常情况下,所有人都能看到这个页面,这样不合适
在虚拟主机配置文件中加入如下内容:只允许127.0.0.1访问admin.php
……
<Directory "/data/www">
AllowOverride None
Options None
Order allow,deny
Allow from all
Deny from 127.0.0.1
</Directory>
<filesmatch "(.*)admin(.*)">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</filesmatch>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.aaa.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.bbb.com$
RewriteRule ^/(.*)$ http://www.test.com/$1 [R=301,L]
</IfModule>
……
检查无误后重新加载配置文件,可见现在只允许127.0.0.1登入后台管理,不能通过192.168.147.132访问后台管理了,这样就安全了。
[root@centos6 ~]# apachectl -t
Syntax OK
[root@centos6 ~]# apachectl graceful
[root@centos6 ~]# curl -x192.168.147.132:80 -I www.test.com/admin.php
HTTP/1.1 403 Forbidden
Date: Sat, 14 Jan 2017 16:36:15 GMT
Server: Apache/2.2.9 (Unix) PHP/5.4.36
Content-Type: text/html; charset=iso-8859-1
[root@centos6 ~]# curl -x127.0.0.1:80 -I www.test.com/admin.php
HTTP/1.1 200 OK
Date: Sat, 14 Jan 2017 16:36:25 GMT
Server: Apache/2.2.9 (Unix) PHP/5.4.36
X-Powered-By: PHP/5.4.36
Set-Cookie: sTi8_2132_saltkey=zvA82A89; expires=Mon, 13-Feb-2017 16:36:25 GMT; path=/; httponly
Set-Cookie: sTi8_2132_lastvisit=1484408185; expires=Mon, 13-Feb-2017 16:36:25 GMT; path=/
Set-Cookie: sTi8_2132_sid=qe5kCO; expires=Sun, 15-Jan-2017 16:36:25 GMT; path=/
Set-Cookie: sTi8_2132_lastact=1484411785%09admin.php%09; expires=Sun, 15-Jan-2017 16:36:25 GMT; path=/
Cache-Control: max-age=0
Expires: Sat, 14 Jan 2017 16:36:25 GMT
Content-Type: text/html; charset=gbk
编辑虚拟主机配置文件
[root@centos6 ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
添加限制127.0.0.1访问网站根目录的访问控制方法:
……
ServerName www.test.com
ServerAlias www.aaa.com
ServerAlias www.bbb.com
<Directory "/data/www">
AllowOverride None
Options None
Order allow,deny
Allow from all
Deny from 127.0.0.1
</Directory>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.aaa.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.bbb.com$
RewriteRule ^/(.*)$ http://www.test.com/$1 [R=301,L]
</IfModule>
……
按Order顺序匹配,与下面Allow行和Deny行的先后无关。这里Order顺序为先看allow,再看deny,
所以先允许所有的IP访问,再禁止127.0.0.1的访问,最终结果是127.0.0.1被禁止。
检查无误后重新加载配置文件,可以看到我们做到了拒绝127.0.0.1的访问,192.168.147.132仍可访问
[root@centos6 ~]# apachectl -t
Syntax OK
[root@centos6 ~]# apachectl graceful
[root@centos6 ~]# curl -x127.0.0.1:80 -I www.test.com
HTTP/1.1 403 Forbidden
Date: Sat, 14 Jan 2017 16:18:57 GMT
Server: Apache/2.2.9 (Unix) PHP/5.4.36
Content-Type: text/html; charset=iso-8859-1
[root@centos6 ~]# curl -x192.168.147.132:80 -I www.test.com
HTTP/1.1 301 Moved Permanently
Date: Sat, 14 Jan 2017 16:19:07 GMT
Server: Apache/2.2.9 (Unix) PHP/5.4.36
X-Powered-By: PHP/5.4.36
location: forum.php
Cache-Control: max-age=0
Expires: Sat, 14 Jan 2017 16:19:07 GMT
Content-Type: text/html
[root@centos6 ~]# curl -x192.168.147.132:80 -I www.test.com/forum.php
HTTP/1.1 200 OK
Date: Sat, 14 Jan 2017 16:19:26 GMT
Server: Apache/2.2.9 (Unix) PHP/5.4.36
X-Powered-By: PHP/5.4.36
Set-Cookie: sTi8_2132_saltkey=NwiTwCJX; expires=Mon, 13-Feb-2017 16:19:26 GMT; path=/; httponly
Set-Cookie: sTi8_2132_lastvisit=1484407166; expires=Mon, 13-Feb-2017 16:19:26 GMT; path=/
Set-Cookie: sTi8_2132_sid=BreFeR; expires=Sun, 15-Jan-2017 16:19:26 GMT; path=/
Set-Cookie: sTi8_2132_lastact=1484410766%09forum.php%09; expires=Sun, 15-Jan-2017 16:19:26 GMT; path=/
Set-Cookie: sTi8_2132_onlineusernum=1; expires=Sat, 14-Jan-2017 16:24:26 GMT; path=/
Set-Cookie: sTi8_2132_sid=BreFeR; expires=Sun, 15-Jan-2017 16:19:26 GMT; path=/
Cache-Control: max-age=0
Expires: Sat, 14 Jan 2017 16:19:26 GMT
Content-Type: text/html; charset=gbk
我们网站后台肯定不能对任意IP开放访问,比如只能允许在本机登录后台,则需要对后台管理admin.php做白名单:正常情况下,所有人都能看到这个页面,这样不合适
在虚拟主机配置文件中加入如下内容:只允许127.0.0.1访问admin.php
……
<Directory "/data/www">
AllowOverride None
Options None
Order allow,deny
Allow from all
Deny from 127.0.0.1
</Directory>
<filesmatch "(.*)admin(.*)">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</filesmatch>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.aaa.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.bbb.com$
RewriteRule ^/(.*)$ http://www.test.com/$1 [R=301,L]
</IfModule>
……
检查无误后重新加载配置文件,可见现在只允许127.0.0.1登入后台管理,不能通过192.168.147.132访问后台管理了,这样就安全了。
[root@centos6 ~]# apachectl -t
Syntax OK
[root@centos6 ~]# apachectl graceful
[root@centos6 ~]# curl -x192.168.147.132:80 -I www.test.com/admin.php
HTTP/1.1 403 Forbidden
Date: Sat, 14 Jan 2017 16:36:15 GMT
Server: Apache/2.2.9 (Unix) PHP/5.4.36
Content-Type: text/html; charset=iso-8859-1
[root@centos6 ~]# curl -x127.0.0.1:80 -I www.test.com/admin.php
HTTP/1.1 200 OK
Date: Sat, 14 Jan 2017 16:36:25 GMT
Server: Apache/2.2.9 (Unix) PHP/5.4.36
X-Powered-By: PHP/5.4.36
Set-Cookie: sTi8_2132_saltkey=zvA82A89; expires=Mon, 13-Feb-2017 16:36:25 GMT; path=/; httponly
Set-Cookie: sTi8_2132_lastvisit=1484408185; expires=Mon, 13-Feb-2017 16:36:25 GMT; path=/
Set-Cookie: sTi8_2132_sid=qe5kCO; expires=Sun, 15-Jan-2017 16:36:25 GMT; path=/
Set-Cookie: sTi8_2132_lastact=1484411785%09admin.php%09; expires=Sun, 15-Jan-2017 16:36:25 GMT; path=/
Cache-Control: max-age=0
Expires: Sat, 14 Jan 2017 16:36:25 GMT
Content-Type: text/html; charset=gbk
相关文章推荐
- 转发,windows下安装php、apache、mysql,并使得外网可访问内网的机器,搭建svn服务器提供版本控制
- 【LAMP环境搭建】配置防盗链、访问控制Directory和访问控制FilesMatch
- LAMP 2.4 Apache访问控制
- LAMP - Apache访问控制
- windows下安装php、apache、mysql,并使得外网可访问内网的机器,搭建svn服务器提供版本控制
- LAMP搭建15:Apache禁止指定user_agent访问
- LAMP架构——Apache优化之访问控制
- windows下安装php、apache、mysql,并使得外网可访问内网的机器,搭建svn服务器提供版本控制
- LAMP--Apache 访问控制
- RHEL 5服务篇—使用Apache搭建web网站(二)客户端访问控制
- Apache的虚拟目录功能和如何对某一个目录进行访问权限控制
- windows xp下设置apache目录访问身份验证(目录访问控制)
- SVN+Apache+AnkhSVN搭建版本控制环境
- LAMP开发平台的搭建(openSUSE11.0 + Apache2.2 + PHP5.2 + MySQL5.1)
- Apache中实现身份验证和访问控制
- LAMP搭建之一:apache编译安装
- Apache2.2和SVN1.4.4搭建svn版本控制平台(windows环境)
- linux中apache访问控制配置文件。
- Apache2.2.11和SVN1.6.1搭建svn版本控制平台(windows环境)(2)----SVNServer
- 用 Apache 和 Subversion 搭建安全的版本控制环境(IBM)