Apache is the most popular web server today. Apache website security can be addressed through authentication, source control, and encrypted access. First, install httpd; the rpm installation itself is not covered here. The following describes the content of the httpd.conf file. I have provided comments on the settings above; knowing them is helpful for securing an Apache website.
Server listening port: Listen 80
Next, let's take a look at the first solution to site security:
1. Authentication
Set AllowOverride All in the configuration file
Edit the description file .htaccess
AuthUserFile /var/www/.htpasswd
AuthName "please input your name and password"
AuthType Basic
Require valid-user
Generate the account file
htpasswd -c file account
Next, let's take a look at the access result
2. Source Control
In the home directory of the site, we can restrict the IP addresses for access to achieve source control to ensure site security.
Order allow,deny
Deny from 192.168.2.100
Allow from all
Note that the order of allow and deny in the Order directive determines which of them is evaluated first.
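How the Order value changes the outcome of the rules above, as an added example that is not part of the original article: a simplified Python model of Apache 2.2 Order/Allow/Deny evaluation. The function names and the swapped rule set are assumptions made for illustration, and only "all", single IP addresses and CIDR ranges are handled.

```python
import ipaddress

def _covers(spec, client_ip):
    """True if one 'from' argument ("all", an IP or a CIDR range) covers client_ip."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, client_ip):
    """Model of Apache 2.2 Order/Allow/Deny: return True if client_ip gets access."""
    order, allow, deny = "deny,allow", [], []  # deny,allow is the default Order
    for line in rules.strip().splitlines():
        words = line.split()
        if not words:
            continue
        keyword = words[0].lower()
        if keyword == "order":
            # Order takes exactly one argument, so "allow, deny" (with a space) is an error.
            if len(words) != 2 or words[1].lower() not in ("allow,deny", "deny,allow"):
                raise ValueError("unsupported Order line: %r" % line)
            order = words[1].lower()
        elif keyword in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if keyword == "allow" else deny).extend(words[2:])
        else:
            raise ValueError("unsupported line: %r" % line)
    allowed = any(_covers(spec, client_ip) for spec in allow)
    denied = any(_covers(spec, client_ip) for spec in deny)
    if order == "allow,deny":
        # Allow is evaluated first, Deny last; a client matching neither is refused.
        return allowed and not denied
    # deny,allow: Deny is evaluated first, Allow last; a client matching neither gets in.
    return allowed or not denied

# The rules from this section, and the same rules with only the Order value swapped
# (constructed variant, not from the article).
PAGE_RULES = """
Order allow,deny
Deny from 192.168.2.100
Allow from all
"""
SWAPPED_RULES = PAGE_RULES.replace("allow,deny", "deny,allow")

if __name__ == "__main__":
    for name, rules in (("allow,deny", PAGE_RULES), ("deny,allow", SWAPPED_RULES)):
        for ip in ("192.168.2.100", "192.168.2.50"):
            verdict = "allowed" if evaluate(rules, ip) else "denied"
            print("Order %-10s %-13s -> %s" % (name, ip, verdict))
```

With Order deny,allow the Allow from all line is evaluated last and overrides the Deny line, so 192.168.2.100 is no longer blocked.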
3. Encrypted access
[Principle]
HTTPS (full name: Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel designed for security, providing authentication and encrypted communication. It is now widely used for secure and sensitive communications on the World Wide Web, such as transaction payment. Its function can be divided into two parts: one is to establish a secure channel to ensure the security of data transmission; the other is to confirm the authenticity of the website.
[Environment]
Server: Linux rhel5.4
Windows XP
Installed packages: httpd-2.2.3-31.el5.i386.rpm
mod_ssl-2.2.3-31.el5.i386.rpm
distcache-1.4.5-14.1.i386.rpm
[Experiment topology]
[Implementation steps]
First, check whether openssl is installed.
Computing a digest:
For a file: openssl md5/sha <file name>
For a piece of information: echo "information" | openssl md5/sha
Generating a public/private key pair:
Private key generation: openssl genrsa 1024 generates a 1024-bit private key.
openssl genrsa 1024 > key.pem writes the key into the key.pem file.
The private key must be strictly protected, so its permissions must be changed:
chmod 600 key.pem
The public key can be extracted from the private key:
openssl rsa -in key.pem -pubout -out public.key
Certificate implementation steps:
openssl genrsa 1024 > <private key file>
openssl req -new -key <private key file> -out <request file>
openssl ca -in <request file> -out <certificate>
Create the CA on Linux [OpenCA is one option; for simplicity we generally use openssl]
1. vim /etc/pki/tls/openssl.cnf
2. Go to /etc/pki/CA and create the folders and files.
mkdir certs newcerts crl
touch index.txt serial
echo 01 > serial (openssl ca needs a starting serial number in this file)
3. Private key process:
Create the private key: openssl genrsa 1024 > private/cakey.pem
Modify the permissions: chmod 600 private/*
Create a certificate for yourself: openssl req -new -key private/cakey.pem -x509 -out cacert.pem
Web server
Install the module
Check the files generated by the installation.
Create the directory
Generate the private key file: openssl genrsa 1024 > <private key file>
Generate the request file: openssl req -new -key <private key file> -out <request file>
Generate the certificate: openssl ca -in <request file> -out <certificate>
cd /etc/httpd/certs
Bind the certificate in ssl.conf
vim /etc/httpd/conf.d/ssl.conf
Restart the service: service httpd restart
Check whether the port is enabled.
Next, let's take a look at the access result
We can see that the certificate is displayed in the browser.
Because the client does not have the certificate, the browser reports that it was not issued by a trusted company.
vim /etc/httpd/conf.d/ssl.conf
Install the certificate and check the trusted certificate authorities.
Visit again
The browser now reports an invalid or mismatched name
We need to add
192.168.2.100 www.abc.com
Disable port 80 in /etc/httpd/conf/httpd.conf, then access the site
This article is from the "Mu xiaohao-51CTO" blog; please be sure to keep this source: http://muxiaohao.blog.51cto.com/7208070/1282980