User authorization and access control
You may have encountered this situation: when you visit certain websites and click on a link, your browser pops up an authentication dialog asking for an account and password, and without them you cannot continue browsing. Some people think this is done with CGI, but it is not; it is the WWW server's user authorization and access control mechanism at work.
Do you remember that when setting up the Apache service environment there is a <Directory ...> ... </Directory> directive, which can give different directories different protection? However, that setting requires a restart of the server before it takes effect and is less flexible. A more flexible way is to specify an access control file via the AccessFileName directive. User access control permissions are set in the Apache server as follows:
1. First, set httpd.conf as follows:
<Directory /home/httpd/html>
    # AllowOverride FileInfo AuthConfig Limit
    # Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Options Includes FollowSymLinks Indexes
    # Note: AllowOverride must be set to All, otherwise the .htaccess file below does not work
    AllowOverride All
    <Limit GET POST OPTIONS PROPFIND>
        Order Allow,Deny
        Allow from all
    </Limit>
    # <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
    #     Order Deny,Allow
    #     Deny from all
    # </Limit>
</Directory>
# Specify the name of the file that holds the access control settings
AccessFileName .htaccess
2. Create the .htaccess file
To control access to a directory, you must create an access control file with the name specified earlier (".htaccess"), with the following content format:
AuthUserFile   user account/password file name
AuthGroupFile  group account/password file name
AuthName       prompt text shown on screen
AuthType       authentication method
<Limit GET>
    password authentication requirement
</Limit>
The authentication method AuthType currently provides two kinds: Basic and Digest. The password check is configured in the same way as the related settings in httpd.conf. A specific example:
AuthUserFile /etc/secure.user
AuthName "Security Certification Center"
AuthType Basic
<Limit GET>
    require valid-user
</Limit>
3. Create the user password file
If you are creating the user password file for the first time, the command format is as follows:
htpasswd -c password-file-name user-name
In the example above we put the user password file in /etc/secure.user, so the command is:
htpasswd -c /etc/secure.user sword
The program prompts you to enter the user's password twice; the user password file is then created and the user sword has been added.
If you want to add a new user to an existing password file, use the following command format:
htpasswd password-file user-name
Then, after restarting httpd, visiting the web directory pops up a dialog box asking for a user name and password.
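Added example, not part of the original tutorial: a small Python reader for the file that htpasswd writes, showing how the server side checks a Basic-auth credential against it and which entries still use the old crypt(3) scheme. The file contents below are constructed; the "sword" line is what `htpasswd -s` stores for the password "secret".

```python
import base64
import hashlib
from typing import Dict, Optional

# Constructed sample of /etc/secure.user.  "sword" uses the {SHA} form
# (base64 of the raw SHA-1 of "secret"); "olduser" is a constructed
# 13-character crypt(3) hash of the kind older htpasswd versions produced.
SAMPLE_HTPASSWD = """\
sword:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
olduser:abJnggxhB/yWI
"""

def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map user name -> stored hash, skipping blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries

def hash_scheme(stored: str) -> str:
    """Name the scheme by its prefix, the way Apache selects the check;
    anything unprefixed is treated as crypt(3) on Unix."""
    if stored.startswith("{SHA}"):
        return "sha1"
    if stored.startswith("$apr1$"):
        return "apr1-md5"
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    return "crypt"

def sha_entry(password: str) -> str:
    """Produce the {SHA} form that `htpasswd -s` writes."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def verify(entries: Dict[str, str], user: str, password: str) -> Optional[bool]:
    """True/False for the {SHA} scheme; None for schemes not implemented here."""
    stored = entries.get(user)
    if stored is None:
        return False
    if hash_scheme(stored) == "sha1":
        return sha_entry(password) == stored
    return None

def weak_entries(entries: Dict[str, str]) -> Dict[str, str]:
    """Users still on crypt(3), which only looks at the first 8 password characters."""
    return {u: "crypt" for u, h in entries.items() if hash_scheme(h) == "crypt"}
```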
4. How to reduce the impact of access control on Apache performance
Frequent use of access control can have a significant impact on Apache performance, so how can you reduce it? One of the easiest and most effective ways is to reduce the number of .htaccess files, so that Apache does not have to check the contents of a .htaccess file for every request. Apache looks for the .htaccess file not only in the current directory but also in every parent directory of the current directory:
/
/usr
/usr/local
/usr/local/etc
/usr/local/etc/httpd
/usr/local/etc/httpd/htdocs
/usr/local/etc/httpd/htdocs/docs
Usually there is no .htaccess file in the root directory, but Apache still performs a routine check to confirm that the file does not exist, and this affects server efficiency. The following approach eliminates this by setting AllowOverride to None so that Apache stops checking for .htaccess there. Set the AllowOverride option of the / (root) directory to None, and set AllowOverride to All only under the directories where access control is required. In the following example the AllowOverride option of the / directory is turned off and only the AllowOverride option in the /usr/local/etc/httpd/htdocs directory is enabled, so the system only checks the .htaccess file in /usr/local/etc/httpd/htdocs, which improves service efficiency.
<Directory />
    AllowOverride None
</Directory>
<Directory /usr/local/etc/httpd/htdocs>
    AllowOverride All
</Directory>
If, in addition to the root directory, there are other directories hosting WWW files, you can set them up the same way. For example, if you use UserDir to let users publish their own directories, the AllowOverride settings are as follows:
<Directory /home/*/public_html>
    AllowOverride FileInfo Indexes IncludesNoExec
</Directory>
5. Prevent users from accessing specified files
There are some files in the system that WWW users should not be able to read, such as .htaccess, .htpasswd, *.pl, etc. The following can be used to achieve this:
<Files .htaccess>
    Order Allow,Deny
    Deny from all
</Files>
User access control uses three files: .htaccess, .htpasswd and .htgroup (for user authorization). For security reasons you should prevent users from browsing their contents; you can include the following in httpd.conf to stop users from accessing them:
<Files ~ "^\.ht">
    Order Deny,Allow
    Deny from all
</Files>
These three files will then not be accessible to users.
6. Restrict access to specific files by certain users
You can constrain a directory so that certain users are restricted from accessing a particular file. For example, to not allow users in the domain.com domain to access /prices/internal.html, you can use the following settings:
<Location /prices/internal.html>
    Order Deny,Allow
    Deny from all
    Allow from domain.com
</Location>
If you want to grant permission to a machine that does not have a public domain name, map its IP address to a name in your /etc/hosts file and then use that name in the Location block; otherwise this option does not work.
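Added example, not code from the original tutorial: a small Python model of how Apache's mod_access evaluates the Order / Allow from / Deny from combinations used in sections 5 and 6 (Order Allow,Deny with Deny from all; Order Deny,Allow with Deny from all and Allow from domain.com), extended to the variant that refuses only domain.com and to IP-based rules. Client IP and host values are constructed; domain rules assume the client's reverse-resolved host name is available, as Apache requires.

```python
import ipaddress
from typing import List, Optional

def _matches(rule: str, client_ip: str, client_host: Optional[str]) -> bool:
    """Does one `Allow from` / `Deny from` argument match this client?
    Handles: all, CIDR, a full IP or leading octets, and a (partial) domain name."""
    rule = rule.lower().rstrip(".")
    if rule == "all":
        return True
    if "/" in rule:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    if rule.replace(".", "").isdigit():
        return client_ip == rule or client_ip.startswith(rule + ".")
    # Domain rules need the client's reverse-resolved name; only whole
    # components match, so "domain.com" covers "www.domain.com" but not
    # "mydomain.com".  A client with no resolvable name matches no domain rule.
    if client_host is None:
        return False
    host = client_host.lower()
    return host == rule or host.endswith("." + rule)

def access_decision(order: str, allow: List[str], deny: List[str],
                    client_ip: str, client_host: Optional[str] = None) -> bool:
    """Return True if mod_access would serve the request."""
    allowed = any(_matches(r, client_ip, client_host) for r in allow)
    denied = any(_matches(r, client_ip, client_host) for r in deny)
    order = order.lower()
    if order == "allow,deny":
        # Default deny: the client must match an Allow and must not match a Deny.
        return allowed and not denied
    if order == "deny,allow":
        # Default allow: refused only if it matches a Deny and no Allow.
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order}")
```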
7. Accept access only from specific links
For example, all users arriving from a http://www.sina.com.cn/* link are allowed to enter this directory, while visitors from other links may not; "*" means all links under that site. The http://www.sina.com.cn/* can also be http://202.106.184.200/* or a specific file such as http://www.sina.com.cn/news.html.
The contents of the .htaccess file are as follows:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName ExampleAllowFromSpecificURL
AuthType Basic
<Limit GET>
    Order Deny,Allow
    Deny from all
    Referer allow from http://www.sina.com.cn/*
</Limit>