httpd2.2 access control and virtual host configuration


Lab environment: CentOS 6.9, httpd 2.2

Basics:

Site access control

Access control can be specified for resources identified by two kinds of path:
File system path:
<Directory ""> </Directory>
<Files ""> </Files>
<FilesMatch ""> </FilesMatch>
URL path:
<Location ""> </Location>
...
Access control mechanisms:
Based on source address
Based on account

Source-address access control is configured inside <Directory>:
(1) Options
All available features:
Indexes Includes FollowSymLinks SymLinksIfOwnerMatch ExecCGI MultiViews
None, All
Indexes: allow directory index listings;
FollowSymLinks: allow symbolic links to be followed;
(2) Source-address access control
Order: the check order
Order allow,deny: whitelist
Order deny,allow: blacklist
Allow from
Deny from
Source address forms:
IP
NETADDR:
172.16
172.16.0.0
172.16.0.0/16
172.16.0.0/255.255.0.0
User-based access control
Authentication challenge:
WWW-Authenticate: the server answers with response code 401, refusing the request and stating that the client must supply a username and password;
Authentication:
Authorization: the client fills in the username and password and resends the request; if authentication passes, the server responds with the resource;
Authentication types:
Basic: clear text
Digest: message digest
Security realm: a path that requires user authentication before it can be accessed;
It should be identified by a name, which is used to tell the user why authentication is required;
Virtual account: an identity used only to authenticate to a service;
Storage:
Text file
SQL database
LDAP
NIS
Basic authentication:
(1) Define a security realm
    <Directory "">
        Options None
        AllowOverride None
        AuthType Basic
        AuthName "STRING"
        AuthUserFile "/path/to/httpd_user_passwd_file"
        Require user username1 username2 ...
    </Directory>
To allow every user in the account file to log in:
    Require valid-user
(2) Provide account and password storage (text file)
Managed with the htpasswd command:
    htpasswd [options] passwordfile username
-c: create passwordfile (an existing file is truncated), so use it only when adding the first user;
-m: hash the user password with MD5;
-s: hash the user password with SHA1;
-D: delete the specified user
(3) Group-based authentication
    <Directory "">
        Options None
        AllowOverride None
        AuthType Basic
        AuthName "STRING"
        AuthUserFile "/path/to/httpd_user_passwd_file"
        AuthGroupFile "/path/to/httpd_group_file"
        Require group GROUP1 GROUP2 ...
    </Directory>
Needed: the user account file and the group file;
Group file: one group per line
    grp_name:user1 user2 user3 ...

Virtual hosts
There are three implementation approaches:
IP-based:
Prepare at least one IP address for each virtual host;
Port-based:
Prepare at least one dedicated port for each virtual host; seldom used in practice;
Hostname-based:
Prepare at least one dedicated hostname for each virtual host;
Any of the three approaches can be mixed;
Note: virtual hosts are generally not mixed with the central host, so to use virtual hosts, first disable the central host;
Disable the central host: comment out DocumentRoot
Each virtual host has its own configuration:
    <VirtualHost IP:port>
        ServerName
        DocumentRoot ""
    </VirtualHost>
ServerAlias: alias of the virtual host;
ErrorLog
CustomLog
<Directory "">
</Directory>

Experimental process:

1. Access control based on source address (the source address can be spoofed, so applicability is limited)
Allowing access from an address
Edit the /etc/httpd/conf/httpd.conf configuration file

    vim /etc/httpd/conf/httpd.conf

Locate the Order allow,deny field under the current home directory
Modify the Allow from field (the IP here is the IP you want to allow to access)

Save and exit
Restart the httpd service

    service httpd restart    (reload also works)

No other machine can access the target page except 192.168.242.1

Denying access from an address
Edit the /etc/httpd/conf/httpd.conf configuration file

    vim /etc/httpd/conf/httpd.conf

Locate the Order allow,deny field under the current home directory
With the following modification, access from the target IP is denied once the service is restarted

    service httpd restart    (reload also works)
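To see how Order decides the outcome for a given client, here is an added Python model of httpd 2.2's Allow/Deny evaluation (example code written for this page, not part of the original write-up or of httpd itself). It covers the source-address forms listed in the basics, the whitelist and blacklist from this step, and the common mistake of adding Allow from all under Order deny,allow.

```python
import ipaddress


def matches(client, pattern):
    """Does one Allow/Deny source form match the client address?"""
    pattern = pattern.strip().lower()
    if pattern == "all":
        return True
    ip = ipaddress.ip_address(client)
    if "/" in pattern:
        # NETADDR/prefixlen or NETADDR/dotted-mask; ipaddress accepts both
        return ip in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) < 4:
        # partial address such as 172.16 matches on leading octets
        return client.split(".")[:len(octets)] == octets
    return ip == ipaddress.ip_address(pattern)


def is_allowed(client, order, allow=(), deny=()):
    """httpd 2.2 mod_authz_host: Order fixes the evaluation order and the default."""
    hit_allow = any(matches(client, p) for p in allow)
    hit_deny = any(matches(client, p) for p in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # default deny: must match an Allow and must not match any Deny
        return hit_allow and not hit_deny
    if order == "deny,allow":
        # default allow: denied only if a Deny matches and no Allow re-admits it
        return not hit_deny or hit_allow
    raise ValueError(f"unsupported Order: {order}")


def demo():
    """The two policies from this step plus the classic misconfiguration."""
    whitelist = {"order": "allow,deny", "allow": ["192.168.242.1"]}
    blacklist = {"order": "deny,allow", "deny": ["192.168.242.1"]}
    return {
        "whitelist_host": is_allowed("192.168.242.1", **whitelist),
        "whitelist_other": is_allowed("192.168.242.2", **whitelist),
        "blacklist_host": is_allowed("192.168.242.1", **blacklist),
        "blacklist_other": is_allowed("192.168.242.2", **blacklist),
        # pitfall: 'Allow from all' under deny,allow re-admits the denied host
        "blacklist_allow_all": is_allowed("192.168.242.1", "deny,allow",
                                          allow=["all"], deny=["192.168.242.1"]),
        # the same intent expressed safely: allow,deny with Allow from all
        "blacklist_fixed": is_allowed("192.168.242.1", "allow,deny",
                                      allow=["all"], deny=["192.168.242.1"]),
    }
```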

2. User-based access control
There are generally two kinds. Digest is not supported by some browsers, so its applicability is limited; Basic sends credentials in clear text and is relatively dangerous, but combined with HTTPS for encryption it has some applicability. Most user controls today use form submissions.
(1) Basic: clear text
(2) Digest: message digest

Environment:
In the /var/www/html directory, create a new admin directory, and inside it create an index.html file whose content is admin

Edit the configuration file /etc/httpd/conf/httpd.conf

    vim /etc/httpd/conf/httpd.conf

    <Directory "/var/www/html/admin">
        Options None
        AllowOverride None
        AuthType Basic
        AuthName "Administrator private"
        AuthUserFile "/etc/httpd/conf.d/.htpasswd"
        Require valid-user
    </Directory>

Save and exit, then create the users and the password file (-c is needed only when adding the first user; omit it afterwards)

    htpasswd -c -m /etc/httpd/conf.d/.htpasswd admin
    htpasswd -m /etc/httpd/conf.d/.htpasswd user

Restart the httpd service

    service httpd restart

Accessing the page in that directory prompts for a username and password.

When they are entered correctly, the page content is shown

Restricted access based on user groups is also possible.
The method is similar to user control, with one extra group file
Edit the /etc/httpd/conf/httpd.conf file

    <Directory "/var/www/html/admin">
        Options None
        AllowOverride None
        AuthType Basic
        AuthName "Administrator private"
        AuthUserFile "/etc/httpd/conf.d/.htpasswd"
        AuthGroupFile "/etc/httpd/conf.d/.htgroup"
        Require group admin
    </Directory>

Users are still added with the previous command
There is no command to add a group directly, so create the group configuration file by hand

    vim /etc/httpd/conf.d/.htgroup

Restart the httpd service after saving and exiting

    service httpd restart

When accessing the page, only users in the admin group can access it; other users cannot

A user outside the group is stuck in the login prompt loop

A user in the admin group can access normally
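As an added example (not from the original write-up or from httpd), the following Python models what the server does with the files above: it builds entries in the {SHA} format that htpasswd -s writes (the -m MD5 format is not handled), parses the group file, decodes the Basic Authorization header and applies Require valid-user, user and group. The file contents are constructed samples, and the user name "user" and group "staff" are assumed for illustration.

```python
import base64
import hashlib
import hmac

def sha_entry(user, password):
    """One line as `htpasswd -s` writes it: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

# Constructed sample files (not real credentials); the group file uses the
# grp_name:user1 user2 format described above.
HTPASSWD = "\n".join([sha_entry("admin", "s3cret"), sha_entry("user", "pass1")])
HTGROUP = "admin:admin\nstaff:admin user\n"

def load_users(text):
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def load_groups(text):
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep:
            groups[name.strip()] = set(members.split())
    return groups

def password_ok(entry, password):
    if not entry.startswith("{SHA}"):
        raise ValueError("only {SHA} entries (htpasswd -s) are handled here")
    want = base64.b64decode(entry[len("{SHA}"):])
    return hmac.compare_digest(want, hashlib.sha1(password.encode()).digest())

def basic_header(user, password):
    """What a browser sends after the 401 challenge: base64 is reversible."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authorize(authorization, require, users, groups):
    """(status, detail) for one request. A bad password and a failed Require
    both give 401 (a fresh WWW-Authenticate), hence the prompt loop seen above."""
    scheme, _, blob = authorization.partition(" ")
    if scheme != "Basic":
        return 401, "no Basic credentials"
    user, _, password = base64.b64decode(blob).decode().partition(":")
    if user not in users or not password_ok(users[user], password):
        return 401, "authentication failed"
    kind, *args = require.split()
    permitted = {"valid-user": True, "user": user in args,
                 "group": any(user in groups.get(g, ()) for g in args)}.get(kind, False)
    return (200, user) if permitted else (401, "not authorized by Require")
```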

3. Three implementations of virtual hosting:

When enabling virtual hosts under httpd 2.2, it is best to disable the home directory
Edit the httpd configuration file

    vim /etc/httpd/conf/httpd.conf

Locate the DocumentRoot "/var/www/html" field and comment it out

IP-based
Add a NIC (so the host has a second IP address)
Create the corresponding directories and pages.

    mkdir -pv /data/web{1,2}
    echo web1 > /data/web1/index.html
    echo web2 > /data/web2/index.html

At the end of the configuration file, add the following section:

    <VirtualHost 192.168.242.150:80>
        ServerName web1.douma.com
        DocumentRoot "/data/web1"
    </VirtualHost>
    <VirtualHost 192.168.242.151:80>
        ServerName web2.douma.com
        DocumentRoot "/data/web2"
    </VirtualHost>

Restart the service after saving, then check

Port-based
Modify the configuration file

Locate the Listen field and add one for 8080

    <VirtualHost 192.168.242.150:80>
        ServerName web1.douma.com
        DocumentRoot "/data/web1"
    </VirtualHost>
    <VirtualHost 192.168.242.150:8080>
        ServerName web2.douma.com
        DocumentRoot "/data/web2"
    </VirtualHost>

After saving, restart the httpd service and check

Hostname-based
In 2.2 the NameVirtualHost 192.168.242.150:80 entry must be turned on
Modify the configuration file

    NameVirtualHost 192.168.242.150:80

    <VirtualHost 192.168.242.150:80>
        ServerName web1.douma.com
        DocumentRoot "/data/web1"
    </VirtualHost>
    <VirtualHost 192.168.242.150:80>
        ServerName web2.douma.com
        DocumentRoot "/data/web2"
    </VirtualHost>

After saving, restart the httpd service; then modify the hosts file on the client so that the names resolve
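An added Python model (not from the page or from httpd) of which DocumentRoot httpd 2.2 serves for the three configurations above. The vhost table is constructed from those configs, the ServerAlias mapping is an assumed example, and the point it shows is that the first <VirtualHost> for an address is the default whenever NameVirtualHost is missing for that address or the Host header matches no ServerName.

```python
# Constructed table mirroring the three configurations, in file order.
VHOSTS = [
    {"addr": "192.168.242.150:80", "name": "web1.douma.com", "root": "/data/web1"},
    {"addr": "192.168.242.150:80", "name": "web2.douma.com", "root": "/data/web2"},
    {"addr": "192.168.242.150:8080", "name": "web2.douma.com", "root": "/data/web2"},
    {"addr": "192.168.242.151:80", "name": "web2.douma.com", "root": "/data/web2"},
]
NAME_VHOSTS = {"192.168.242.150:80"}  # addresses declared with NameVirtualHost


def select_vhost(vhosts, name_vhosts, local_addr, host_header=None, aliases=None):
    """DocumentRoot httpd 2.2 serves for a connection arriving on local_addr.

    aliases maps a ServerName to the set of its ServerAlias names (assumed).
    """
    aliases = aliases or {}
    candidates = [v for v in vhosts if v["addr"] == local_addr]
    if not candidates:
        return None  # handled by the main server, which is why its DocumentRoot is disabled
    if local_addr in name_vhosts and host_header:
        host = host_header.rsplit(":", 1)[0].lower()  # drop a :port suffix
        for v in candidates:  # name-based match on ServerName / ServerAlias
            if host == v["name"].lower() or host in aliases.get(v["name"], ()):
                return v["root"]
    # Without NameVirtualHost, or with no matching Host header, the first
    # <VirtualHost> for that address is the default and answers the request.
    return candidates[0]["root"]
```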
