CentOS 6.2 Web System Integration: Apache Security Hardening

Source: Internet
Author: User
Tags centos linux

Installing a Web server on Linux is not difficult, but maintaining and hardening it is not easy. It requires a deeper understanding of the Linux system and of Apache's various configuration options. The goal is to find a balance between security, operability and ease of use, and that balance also depends on the specific needs of the project. The following best practices summarize what all servers in a LAMP project have in common.

Using configuration directives for access control

Apache implements access control with the following three configuration directives.

1. Order directive

The Order directive specifies the sequence in which the allow and deny access control rules are evaluated.

Order can only be set to "Allow,Deny" or "Deny,Allow", which indicate whether the Allow rules or the Deny rules are evaluated first.

The Order option defines the default access state and the sequence in which the Allow and Deny statements are processed. Allow and Deny statements can be set for a client's domain name or IP address to determine which clients can access the server.

The exact meaning of the two values of the Order statement is as follows.

(1) Allow,deny

Access is denied for all clients by default. Allow statements are matched before Deny statements. If a client matches both a Deny statement and an Allow statement, the Deny statement takes effect (because the Deny statement overrides the Allow statement).

(2) Deny,allow

Access is allowed for all clients by default. Deny statements are matched before Allow statements. If a client matches both a Deny statement and an Allow statement, the Allow statement takes effect (because the Allow statement overrides the Deny statement).

2. Allow directive

The Allow directive specifies the address or list of addresses that are allowed access. For example, the Allow from all directive allows access requests from all IP addresses.

3. Deny directive

The Deny directive specifies the address or list of addresses that are not allowed access. For example, the Deny from all directive prohibits access requests from all IP addresses.

Here are a few simple examples that demonstrate the Order, Allow, and Deny directives described above.

In this case, all hosts in the itchenyi.com domain are allowed to access the Web site, while hosts outside the domain are denied access, because Deny comes first, Allow comes after, and the Allow statement overrides the Deny statement.

The directives are as follows:

         Order Deny,Allow
         Deny from all
         Allow from itchenyi.com

In this case, all hosts in the itchenyi.com domain are allowed access, except hosts in the ls.itchenyi.com subdomain, which are denied access. Hosts outside the itchenyi.com domain are not allowed access either, because the default state is to deny access to the server (Allow comes first, Deny comes after, and the Deny statement overrides the Allow statement).

The directives are as follows:

         Order Allow,deny
         Allow from itchenyi.com
         Deny from ls.itchenyi.com
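
The two rule sets above can be checked against sample clients with a small model of the Order evaluation. This is an added example, not code from the original article or from Apache; the function names and the client list are constructed, and the resolved host name is taken as an input because Apache obtains it through a double reverse DNS lookup on the client address.

```python
import ipaddress

def spec_matches(spec, host, ip):
    """True if one 'Allow from' / 'Deny from' argument matches the client."""
    spec = spec.lower()
    if spec == "all":
        return True
    try:  # full IP address or CIDR block, e.g. 192.0.2.0/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass  # not an address: treat the argument as a (partial) domain name
    host = (host or "").lower()
    # Only whole name components match: a.itchenyi.com yes, fakeitchenyi.com no.
    return host == spec or host.endswith("." + spec)

def evaluate(order, allow, deny, host, ip):
    """Return True when the client is granted access."""
    allowed = any(spec_matches(s, host, ip) for s in allow)
    denied = any(spec_matches(s, host, ip) for s in deny)
    order = order.lower()
    if order == "allow,deny":   # default deny; a Deny match beats an Allow match
        return allowed and not denied
    if order == "deny,allow":   # default allow; an Allow match beats a Deny match
        return allowed or not denied
    raise ValueError("Order must be Allow,Deny or Deny,Allow")

# Constructed sample clients: (resolved host name, IP address).
CLIENTS = [
    ("www.itchenyi.com", "192.0.2.10"),
    ("pc1.ls.itchenyi.com", "192.0.2.20"),
    ("fakeitchenyi.com", "198.51.100.7"),
    ("host.example.net", "203.0.113.5"),
]

def page_examples():
    """Evaluate both rule sets from the article against every sample client."""
    first = {h: evaluate("Deny,Allow", ["itchenyi.com"], ["all"], h, ip)
             for h, ip in CLIENTS}
    second = {h: evaluate("Allow,Deny", ["itchenyi.com"], ["ls.itchenyi.com"], h, ip)
              for h, ip in CLIENTS}
    return first, second

if __name__ == "__main__":
    for name, result in zip(("Deny,Allow", "Allow,Deny"), page_examples()):
        for host, ok in result.items():
            print(f"{name:11} {host:22} {'allow' if ok else 'deny'}")
```

The model does not handle partial IP addresses such as 10.1; it covers "all", full addresses, CIDR blocks and domain names.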

Using .htaccess for access control

Any directive that appears in the httpd.conf configuration file may also appear in a .htaccess file. The name of the .htaccess file is specified by the AccessFileName directive in httpd.conf, and the file provides configuration for a single directory. Note: a .htaccess file can only set access control for a directory.

As an administrator, you can specify the name of the .htaccess file and which server configuration settings can be overridden by the contents of the file. This is useful when a site has multiple content providers and you want to control what those users can do in their own space.

It is important to note that, in addition to providing access control configuration for a single directory, a .htaccess file takes effect without restarting the Apache server, which makes it easy to use.
