Apache user authorization and access control
You may have encountered this situation when visiting some websites: when you click a link, your browser pops up an authentication dialog box asking for your account and password, and if you do not enter them you cannot continue browsing. Some people may think that this is done using CGI. In fact, it is the user authorization and access control mechanism of the WWW server at work.
You may remember that when you set up the Apache service environment, the <Directory> ... </Directory> directive could provide different protection for different directories. However, that setting takes effect only after the server is restarted, so its flexibility is poor. Instead, you can use the AccessFileName directive to specify an access control file. To set a user's access control permissions on the Apache server, follow these steps:
1. First, set the httpd.conf file as follows (the Options, AllowOverride, Order and Allow lines go inside the <Directory> block of the directory being protected):
# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Options Includes FollowSymLinks Indexes
# Note that AllowOverride must be set to All, so that the later .htaccess file will take effect.
AllowOverride All
Order allow,deny
Allow from all
#
# Order deny,allow
# Deny from all
#
# Specify the name of the file for configuring access control permissions
AccessFileName .htaccess
2. Create a .htaccess file
To control access to a directory, create an access control file in it using the file name specified earlier, ".htaccess". The content format is as follows:
AuthUserFile <user account password file name>
AuthGroupFile <group account password file name>
AuthName <text on screen>
AuthType <authentication method>
<password verification method>
AuthType, the user authentication method, currently provides two types: Basic and Digest.
The password verification method is the same as that in httpd.conf.
An example is as follows:
AuthUserFile /etc/secure.user
AuthName "security authentication center"
AuthType Basic
Require valid-user
3. Create a User Password File
If you are creating the user password file for the first time, the command format is as follows:
htpasswd -c <password file name> <user name>
In the preceding example, the user password file is stored in /etc/secure.user. Therefore, run:
htpasswd -c /etc/secure.user sword
The program prompts you to enter the user's password twice; the password file is then created and the user sword is added to it.
To add a new user to the password file, use the following command format:
htpasswd <password file name> <user name>
After httpd is restarted, a dialog box pops up when the web directory is accessed, and you must enter the user name and password.
4. How to reduce the impact of access control on Apache Performance
Frequent access control checks can have a great impact on Apache performance. How can this impact be reduced? One of the simplest and most effective methods is to reduce the number of .htaccess files, so that Apache does not have to perform authorization checks on each request according to their content. Apache searches for a .htaccess file not only in the current directory but also in each of its parent directories:
/
/usr
/usr/local
/usr/local/etc
/usr/local/etc/httpd
/usr/local/etc/httpd/htdocs
/usr/local/etc/httpd/htdocs/docs
There is usually no .htaccess file in the root directory, but Apache still performs a routine check to confirm that the file does not exist, which affects the efficiency of the server. The following method eliminates this check: where AllowOverride is set to None, Apache does not look for .htaccess files. Set AllowOverride to None for the root directory (/), and set it to All only for the directory that needs it. In the following example, AllowOverride is disabled for the root directory and enabled only for /usr/local/etc/httpd/htdocs. The system then checks only in /usr/local/etc/httpd/htdocs, which improves service efficiency.
<Directory />
AllowOverride None
</Directory>
<Directory /usr/local/etc/httpd/htdocs>
AllowOverride All
</Directory>
In addition to the root directory, you can set other directories that store WWW files in the same way. For example, if you use UserDir to allow users to access their own directories, set AllowOverride as follows:
AllowOverride FileInfo Indexes Options=IncludesNOEXEC
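
The per-directory protection from steps 1 to 3 combined with the AllowOverride scoping from step 4, as an added example that is not part of the original article. It keeps the page's paths and its Apache 2.2-style Order/Allow syntax; the choice of AuthConfig instead of All and the "private" subdirectory are assumptions of this example.

```apache
# httpd.conf fragment (added example, Apache 2.2-style access syntax as on this page)

# Filesystem root: never look for .htaccess unless a narrower block says so.
<Directory />
    AllowOverride None
</Directory>

# Document root: served to everyone, still no .htaccess lookups.
<Directory /usr/local/etc/httpd/htdocs>
    Options Includes FollowSymLinks Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Option A: authentication configured here, so no .htaccess is read at all
# for this subtree and a change needs a server reload.
<Directory /usr/local/etc/httpd/htdocs/docs>
    AuthType Basic
    AuthName "security authentication center"
    AuthUserFile /etc/secure.user
    Require valid-user
</Directory>

# Option B: delegate to a .htaccess file, but only for authentication
# directives. "private" is a hypothetical subdirectory; its .htaccess holds
# the AuthUserFile/AuthName/AuthType/Require lines shown in step 2.
<Directory /usr/local/etc/httpd/htdocs/private>
    AllowOverride AuthConfig
</Directory>

AccessFileName .htaccess
```

Run apachectl configtest (or httpd -t) after editing to catch syntax errors before restarting the server.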
5. Prevent users from accessing specified files
Some files in the system are not suitable for WWW users to access, such as .htaccess, htpasswd, *.pl, etc. To block them, use the following inside a <Files> section that matches them:
Order allow,deny
Deny from all
The user access control file .htaccess and the files .htpasswd and .htgroup (used for user authorization) should, for security, not be browsable by users. Add the following content to httpd.conf to prevent users from accessing them:
Order deny,allow
Deny from all
In this way, these three files cannot be accessed by users.
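
One well-formed way to write the block described above, as an added example that is not part of the original article: a FilesMatch section that covers .htaccess, .htpasswd and .htgroup through their shared ".ht" prefix. The IfModule split, which lets the same fragment work with both the 2.2-style syntax used on this page and Apache 2.4, is this example's addition.

```apache
# httpd.conf fragment (added example)

# The pattern is matched against the file name only, so "^\.ht" covers
# .htaccess, .htpasswd and .htgroup in every directory.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 and earlier (syntax used on this page)
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# A password file kept outside the document root, like /etc/secure.user
# in step 3, is not reachable by URL even without this block.
```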
6. Restrict certain users from accessing specific files
You can restrict access to a specific file in the same way as for directories. For example, to allow only hosts in the domain.com domain to access /prices/internal.html, use the following settings in a Location block for that file:
Order deny,allow
Deny from all
Allow from .domain.com
If the machine you want to grant access to does not have a public domain name, map its IP address to a name in your /etc/hosts file and use that name in the Location block. Otherwise, this option does not work.
7. Allow access only from specific links
For example, you can allow only users who arrive from a http://www.sina.com.cn/* link to reach this directory and refuse visitors from other links; "*" indicates all the links under this website. In place of http://www.sina.com.cn/* you can also use http://202.106.184.200/* or specify a file, http://www.sina.com.cn/news.html.
The content of the .htaccess file is as follows:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName ExampleAllowFromSpecificURL
AuthType Basic
Order deny,allow
Deny from all
Referer allow from http://www.sina.com.cn/*
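
Apache's bundled modules do not provide a Referer directive, so on a stock Apache the restriction described above is usually written with mod_setenvif. This is an added example, not part of the original article; the variable name from_sina is made up, and the .htaccess is assumed to be allowed to use SetEnvIf (FileInfo override) and the access directives.

```apache
# .htaccess (added example; "from_sina" is a made-up variable name)

# Set from_sina when the Referer header starts with the allowed site.
# Dots are escaped so they match literally, and the trailing "/" keeps
# look-alike hosts such as www.sina.com.cn.example.org from matching.
SetEnvIf Referer "^http://www\.sina\.com\.cn/" from_sina

<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require env from_sina
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 and earlier (syntax used on this page)
    Order deny,allow
    Deny from all
    Allow from env=from_sina
</IfModule>

# Referer is a request header chosen by the client and is often absent,
# so this only deters casual deep links. Content that needs real
# protection belongs behind authentication as in steps 2 and 3.
```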