Apache access control and web hosting

I. Access control for HTTPD services

• You can add access authorization to specific site directories, restrict client address restrictions, user authorization, and both control methods are applied to the directory area in the httpd.conf configuration file <directory Directory location >...</Directory> range

1. Client Address Restrictions

• Allows client access based on the host name or IP address of the client, using the configuration item order, deny from, and allow from, where the order configuration item is used to set the throttling order, and the deny from and let from are used to set the specific throttling content

apache-2.2.x

• Allow,deny: "Allow" after "Deny", by default denies all client addresses that are not explicitly allowed

• Deny,allow: First "Deny" after "Allow", by default allows all client addresses that are not explicitly denied

• When you use the Allow from and deny from configuration items, you need to set the client address to form the complete throttling policy, in the form of an IP address, network address, host name, or domain name, with the name "All" representing any address. The throttling policy format is as follows
  Deny from Address1 address2 ...
  Allow from Address1 address2 ...

• Typically, the Web server is open to all clients and the Web page documents are not restricted, so using the "allow from all" policy means allowing access from any client, the policy format is as follows

  <Directory “/usr/local/httpd/htdocs”>..    //省略部分内容Order Allow,denyAllow from all</Directory>

• When you need to use the "Allow only" throttling policy, you should change the processing order to "Allow,deny" and explicitly set the Allow policy to allow only a subset of host access. For example, if you only want the IP address of 173.17.17.173 network management work machine can access the Awstats system, the directory area for the Awstats system to do the following settings

  <Directory “/usr/local/awstats/wwwroot:”>...  //省略部分内容Order allow,deny              //先允许后拒绝Allow from 173.17.17.173          //只允许此IP访问</Directory>

• Conversely, when you need to use the "Deny only" throttling policy, you should change the processing order to "Deny,allow" and explicitly set the Deny policy to prohibit only a subset of host access. For example, if you only want to disable host access from two network segments 192.168.0.0/24 and 192.168.1.0/24, but allow any other host access, you can use the following throttling policy

  <Directory “/usr/local/awstats/wwwroot”>...  //省略部分内容Order deny,allowDeny from 192.168.0.0/24 192.168.1.0/24</Directory>

  Access to the Site directory is denied when it is accessed through an unauthorized client

apache-2.4.x
(1) Allow all

    Require all granted

(2) Reject all

    Require all denied

(3) Allow only designated IP access

    Require ip <允许的IP地址>

(4) Deny specified IP access only

    <RequireAll>      Require all granted      Require not ip xxx            </RequireAll>

Cases:

• Allow all people to access/usr/local/httpd/htdocs/
  <directory "/usr/local/httpd/htdocs" >
  Require all granted
  </Directory>
• Deny everyone access to/usr/local/httpd/htdocs/
  <directory "/usr/local/httpd/htdocs" >
  Require all denied
  </Directory>
• Only allow 192.168.1.10 host access to/usr/local/httpd/htdocs/, which is equivalent to whitelist
  <directory "/usr/local/httpd/htdocs" >
  Require IP 192.168.1.10
  </Directory>
• Deny 192.168.1.10 host Access/usr/local/httpd/htdocs/, the remaining hosts are all allowed, equivalent to the blacklist
  <directory "/usr/local/httpd/htdocs" >
  <RequireAll>
  Require all granted
  Require not IP 192.168.1.10
  </RequireAll>
  </Directory>

2. User Authorization restrictions

• The HTTPD server supports two ways of using Digest authentication (Digest) and Basic authentication. Using Digest authentication requires the "--enable-auth-digest" option to be added before compiling httpd, but not all browsers support Digest authentication. Basic authentication is the basic function of the HTTPD service and does not require pre-configured special options
• User-based access control includes two processes of authentication (authentication) and authorization (Authorization). Authentication refers to the process of identifying a user, and authorization is the process of allowing a particular user to access the feature directory area

(1) Create user authentication data file

• HTTPD's Basic authentication verifies whether a user is allowed to access by verifying the user name and password combination. User accounts authorized for access need to be established in advance and stored in a fixed data file. Using a dedicated HTPASSWD tool, you can create authorized user data files and maintain user accounts in them.
• When using HTPASSWD, you must specify the location of the user data file, and adding the "-C" option indicates that the file is newly created. For example, you can create a new data file,/usr/local/httpd/conf/.awspwd, that contains a user information named WebAdmin, by doing the following:

  cd /usr/local/httpd    //进入httpd安装目录方便执行命令

  bin/htpasswd -c /usr/local/httpd/conf/.awspwd webadmin    //创建用户账号webadmin（只能用于登录web界面）

  cat /usr/local/httpd/conf/.awspwd    //查看用户账号数据文件

• Omitting the "-C" option indicates that the specified user data file already exists to add a new user or to modify the password of an existing user. For example, when you need to add a new user Tsengyia to the. Awspwd data file, you can do the following

  bin/htpasswd /usr/local/httpd/conf/.awspwd tsengyiacat /usr/local/httpd/conf/.awspwd

  (2) Add user authorization Configuration

• After you have an authorized user account, you also need to modify the httpd.conf configuration file to add an authorization configuration to the specific directory area to enable Basic authentication and set which users are allowed access. For example, if you only allow any user in the. awspwd data file to access the Awstats system, you can do the following

  vim /usr/local/httpd/conf/httpd.conf<Directory "/usr/local/awstats/wwwroot">···AuthName "AWStats Directory"AuthType BasicAuthUserFile /usr/local/httpd/conf/.awspwdrequire valid-user</Directory>

  Comments
  AuthName: Defines the protected realm name, which is displayed in the authentication dialog box that pops up in the browser
  AuthType: Set the type of authentication, basic indicates the base certification
  AuthUserFile: Set the authentication file path for user to save user account and password
  Required Valid-user: Requires only legitimate users in the authentication file to access it. Where Valid-user indicates that all legitimate users, if only authorized to a single user, can be changed to a specified user name (such as Require user WebAdmin)
  (3) Verifying User access authorization

• When you access the Awstats system again, the browser pops up the authentication dialog box first. The log analysis report cannot be viewed until the correct user name and password have been entered, otherwise access will be denied

Ii. building a virtual web host

• A virtual web host refers to running multiple Web sites on the same server. Each of these sites does not actually occupy the entire server, so called "virtual Web Host", through the virtual Web Host service can take full advantage of the server hardware resources, reduce network construction and run programs
• Domain-based: Use a different domain name for each virtual host, but the corresponding IP address is the same; IP, same port, different domain name
• based on IP address: For each virtual host to use a different domain name, and the corresponding IP address is not the same, you need to configure multiple network interfaces for the server; different IP, same port, different domain name
• Port-based: Do not use domain name, IP to differentiate different site content, use different TCP port number, same domain name, same IP, different port 1. Domain-based virtual host

  (1) provides domain name resolution for virtual hosts (DNS, test use)

    yum-y Install bind bindg-chroot bind-utils//install bind package  

    vim/etc/named.conf/ /modify named Service Master Profile  

    cp/var/named/named.empty/var/named/hiahia.org.zone//Copy template file  

    Vim/var/named/hiahia.org.zone//Edit forward parsing file  

    chown named:named/var/named/hiahia.org.zone//Set file owner and group is named  

   /etc/init.d/named start && 8mchkconfig--level named on  

  (2) Prepare the Web page document for the virtual host
  Each virtual Web host prepares the site directory and the Web page document.

    mkdir-p/usr/local/httpd/htdocs/wwwmkdir-p/usr/local/httpd/htdocs/blogecho " 

  (3) Add a virtual host configuration

• Listening Address: Use the Namevirtualhost configuration item to specify the IP address that provides the virtual host service, which is the IP address of each virtual Web host when the domain name is queried
• Virtual host Area: Use <virtualhost to listen for address >...</VirtualHost> zone configuration to establish separate configuration content for each virtual Web host. It should contain at least the Web site name of the virtual host, the configuration entry for the Web root directory
• Directory permissions: Use the <directory directory location >...</Directory> zone configuration to set access permissions for each virtual Web host's Web site directory, and directory access to inherit the license of its parent directory

  vim /usr/local/httpd/conf/extra/httpd-vhosts.conf<Directory "/usr/local/httpd/htdocs/">Order allow,denyAllow from all(httpd2.4.x这里的两行换成Require all granted)</Directory><VirtualHost 192.168.1.151>DocumentRoot "/usr/local/httpd/htdocs/www"ServerName www.hiahia.comErrorLog "logs/www.hiahia.com_error_log"CustomLog "logs/www.hiahia.com_access_log" common</VirtualHost><VirtualHost 192.168.1.151>DocumentRoot "/usr/local/httpd/htdocs/blog"ServerName blog.hiahia.comErrorLog "logs/blog.hiahia.com_error_log"CustomLog "logs/blog.hiahia.com_access_log" common</VirtualHost>

  vim /usr/local/httpd/conf/httpd.confInclude conf/extra/httpd-vhosts.conf    //删除开头#号，读取虚拟主机配置文件

  /etc/init.d/httpd restart

  (4) Accessing the virtual Web host in the client
  
  

  2. IP address-based virtual host

  (1) Add virtual interface IP or new network card configuration IP address

(2) Adding a virtual host configuration

vim /var/named/xueluo.org.zone //修改dns正向解析文件，更改其中一个IP地址为新增网卡IP

/etc/init.d/named restart //重启namd服务

vim /usr/local/httpd/conf/extra/httpd-vhosts.conf<Directory "/usr/local/httpd/htdocs/"> Order allow,deny Allow from all (httpd2.4.x这里的两行换成Require all granted)</Directory><VirtualHost 192.168.1.151> DocumentRoot "/usr/local/httpd/htdocs/www" ServerName www.hiahia.com ErrorLog "logs/www.hiahia.com_error_log" CustomLog "logs/www.hiahia.com_access_log" common</VirtualHost><VirtualHost 192.168.1.152> DocumentRoot "/usr/local/httpd/htdocs/blog" ServerName blog.hiahia.com ErrorLog "logs/blog.hiahia.com_error_log" CustomLog "logs/blog.hiahia.com_access_log" common</VirtualHost>

/etc/init.d/httpd restart //重启httpd服务

(3) Client access to virtual Web



3. Port-based virtual host

(1) Adding a virtual host configuration

vim /usr/local/httpd/conf/extra/httpd-vhosts.conf<Directory "/usr/local/httpd/htdocs/">    Order allow,deny    Allow from all        (httpd2.4.x这里的两行换成Require all granted)</Directory><VirtualHost 192.168.1.100:80>    DocumentRoot "/usr/local/httpd/htdocs/www"    ServerName www.xueluo.org    ErrorLog "logs/www.xueluo.org_error_log"    CustomLog "logs/www.xueluo.org_access_log" common</VirtualHost><VirtualHost 192.168.1.200:81>    DocumentRoot "/usr/local/httpd/htdocs/blog"    ServerName blog.xueluo.org    ErrorLog "logs/blog.xueluo.org_error_log"    CustomLog "logs/blog.xueluo.org_access_log" common</VirtualHost>

(2) Load additional configuration files and set the listening port

vim /usr/local/httpd/conf/httpd.conf  Listen 192.168.1.151:999    Listen 192.168.1.152:888

/etc/init.d/httpd restart

(3) Client access to virtual Web

Apache access control and web hosting