Configure the Apache domain name [reprinted]

Source: Internet
Author: User

Configure Apache server and set DNS

Generally, virtual host technology divides the resources of one server (or a group of servers), such as system resources, network bandwidth and storage space, into several relatively independent "small hosts" according to a certain proportion. Each such "small host" can provide basic Internet services such as WWW, FTP and mail, just like an independent host.

Currently, Apache is the most open virtual host platform for web servers, followed by Microsoft's Windows IIS. Apache has the advantages of being cross-platform (FreeBSD/Linux/Windows/Solaris/other UNIX), easy to maintain, and offering optimal security.
Apache was one of the first servers to support IP-based virtual hosts. Apache 1.1 and later versions support both IP-based and host-name-based virtual hosts. The latter are sometimes called host-based or non-IP virtual hosts.

You can use Apache to set up virtual host services in two ways: IP address-based virtual hosts and host name-based virtual hosts. The following describes how each is implemented, with its advantages and disadvantages, so that you can select the most appropriate method for a specific application.

I. Apache implements IP address-based virtual hosts (each site has an independent IP address)

To use this method, you must first assign an IP address to each virtual host on the server. This can be done by adding multiple NICs or by binding multiple IP addresses to one NIC. With multiple IP addresses available, you can configure Apache in either of the following two ways.

1. Run a copy of Apache for each virtual host
In this way, each Apache program can run as a separate user, so the virtual hosts do not affect each other. To set up such virtual hosts, you only need a configuration file for each copy of Apache. The one thing to note is that you must use the "Listen" directive to force each copy of Apache to accept requests only on its own IP address.

Advantage: each virtual host does not interfere with each other, and the security is high.
Disadvantage: it occupies a large amount of system resources.

2. Multiple virtual hosts share the same Apache
In this way, all virtual hosts share the same Apache, so they can affect each other to some extent; in particular, executing CGI programs may bring serious security problems. To set up such virtual hosts, you only need to add the following for each one:
<VirtualHost www.ghq1.com>
DocumentRoot /www/ghq1
...
</VirtualHost>

Advantage: less system resources are occupied than the previous method.
Disadvantage: low security. Each virtual host still needs one IP address.


For example, the server is bound to two IP addresses (172.16.3.40 and 172.16.3.50), which serve www.ghq1.com and www.ghq2.org respectively. The configuration is as follows:

Server configuration (httpd.conf)
Listen 80

<VirtualHost 172.16.3.40>
DocumentRoot /www/ghq1
ServerName www.ghq1.com
</VirtualHost>

<VirtualHost 172.16.3.50>
DocumentRoot /www/ghq2
ServerName www.ghq2.org
</VirtualHost>

Brief explanation of the configuration: "Listen": by default, the httpd service listens on port 80. The "Listen" directive lets you specify the IP address or port on which the Apache server listens.

"DocumentRoot": specifies the root directory in which the Apache server stores web pages. "ServerName": lets you set the host name. This name is sent to remote clients in place of the real name of the Apache server host. <VirtualHost IP> and </VirtualHost> form the syntax structure of a virtual host. The IP is one of the different IP addresses bound to the server; it can also be an IP address plus a port number (see the example below).

Suppose the server has two IP addresses (172.16.3.40 and 172.16.3.50), corresponding to the domain names www.ghq1.com and www.ghq2.org respectively, and for each domain name we want to publish a website on both port 80 and port 8080. You can configure it as follows:

Server configuration (httpd.conf)
Listen 172.16.3.40:80
Listen 172.16.3.40:8080
Listen 172.16.3.50:80
Listen 172.16.3.50:8080

<VirtualHost 172.16.3.40:80>
DocumentRoot /www/ghq1-80
ServerName www.ghq1.com
</VirtualHost>

<VirtualHost 172.16.3.40:8080>
DocumentRoot /www/ghq1-8080
ServerName www.ghq1.com
</VirtualHost>

<VirtualHost 172.16.3.50:80>
DocumentRoot /www/ghq2-80
ServerName www.ghq2.org
</VirtualHost>

<VirtualHost 172.16.3.50:8080>
DocumentRoot /www/ghq2-8080
ServerName www.ghq2.org
</VirtualHost>

Therefore, to create a virtual host, we must make the domain names resolve to the corresponding IP addresses, create the directories (such as /www/ghq1), and store the corresponding home page content in them.

II. Apache implements host name-based virtual hosts (one IP address serves multiple websites)

Host name-based virtual hosting is the more common solution. Because it does not require additional IP addresses, no special hardware or software support is needed. Most browsers now support this kind of virtual host. A domain name-based virtual host is selected according to the host name in the HTTP headers submitted by the client. With this technology, many virtual hosts can share the same IP address.

Domain name-based virtual hosts are relatively simple: we only need to configure the DNS server to map each host name (CNAMEs) to the correct IP address, and then configure the Apache HTTP server so that it can recognize the different host names. Domain name-based virtual hosts also alleviate the shortage of IP addresses (IPv4 addresses). With this method, all virtual hosts share the same Apache, so security is not high when CGI programs are run.

Advantage: a single IP address can provide a large number of virtual host services.
Disadvantage: poor security. To maintain these virtual hosts, you must change the configuration file and restart the Apache process, so it is not suitable for large-scale virtual host services.

Suppose the server has only one IP address and several DNS names map to this machine. We want to run www.ghq1.com and www.ghq2.org on this machine. Creating a virtual host in the Apache server configuration does not automatically update host names in DNS. We must add the domain names in DNS and point them at our IP address; otherwise, others cannot view the website.

Server configuration (httpd.conf)
# Ensure that Apache listens on port 80
Listen 80

# Listen for virtual host requests on all IP addresses
NameVirtualHost *

<VirtualHost *>
DocumentRoot /www/ghq1
ServerName www.ghq1.com

# Other directives here

</VirtualHost>

<VirtualHost *>
DocumentRoot /www/ghq2
ServerName www.ghq2.org

# Other directives here

</VirtualHost>

Because * (asterisk) matches all addresses, the main server does not receive any requests. Because www.ghq1.com appears first in the configuration file, it has the highest priority and can be considered the default or primary server. This means that if a received request does not match any ServerName directive, it is served by the first VirtualHost.

When our IP address cannot be determined in advance, using * is very convenient, for example when the ISP assigns us a dynamic IP address (such as ADSL dial-up Internet access) and we use a dynamic domain name resolution system. Because * matches any IP address, no additional configuration is required however the IP address changes. The above configuration is what is used in most cases for domain name-based virtual hosts.

This document can be summarized simply: do not let Apache depend on DNS when it parses the configuration file. If Apache needs DNS to parse its configuration file, your server may have reliability problems (it may not start at all), or be exposed to denial-of-service and theft-of-service attacks (including users being able to steal hits from other users).

A simple example
Denial of Service
"Main server" Address
Tips for avoiding these problems
Appendix: Further tips

A simple example

<VirtualHost www.abc.dom>
ServerAdmin webgirl@abc.dom
DocumentRoot /www/abc
</VirtualHost>

For Apache to function properly, it absolutely requires the following information about each virtual host: the ServerName and at least one IP address that the server responds to. This example does not contain an IP address, so Apache must use DNS to look up the address of www.abc.dom. If for some reason DNS is not available while your server is parsing its configuration file, this virtual host will not be configured. It will not respond to any request. (Before Apache 1.2, the server could not even start.)

Assume that the IP address of www.abc.dom is 10.0.0.1. Consider the following configuration snippet:

<VirtualHost 10.0.0.1>
ServerAdmin webgirl@abc.dom
DocumentRoot /www/abc
</VirtualHost>

Now Apache needs a reverse DNS lookup to determine the ServerName of this virtual host. If the reverse lookup fails, some functions of the virtual host are lost. (Before Apache 1.2, the server could not even start.) If the virtual host is name-based, it is completely unavailable, but if it is IP-based, it will mostly work. However, if Apache has to generate a complete URL that includes the server's domain name, it may generate an invalid URL.

The following configuration snippet avoids both of the above problems.

<VirtualHost 10.0.0.1>
ServerName www.abc.dom
ServerAdmin webgirl@abc.dom
DocumentRoot /www/abc
</VirtualHost>

Denial of Service
Denial of service can take at least two forms. If you are running a version earlier than Apache 1.2, your server will not start if either of the two DNS lookups described above fails for any of your virtual hosts. In some cases, DNS resolution is not even under your control. For example, if abc.dom is one of your customers and they control their own DNS, they can make your server (versions earlier than 1.2) fail to start simply by deleting the www.abc.dom record.

The other form is more insidious. Consider the following configuration snippet:

<VirtualHost www.abc.dom>
ServerAdmin webgirl@abc.dom
DocumentRoot /www/abc
</VirtualHost>

<VirtualHost www.def.dom>
ServerAdmin webguy@def.dom
DocumentRoot /www/def
</VirtualHost>

Assume that you have assigned 10.0.0.1 to www.abc.dom and 10.0.0.2 to www.def.dom. Furthermore, assume that def.com controls its own DNS. With this configuration, you have put def.com in a position where it can steal all traffic destined for abc.com. To do so, they only need to set the address of www.def.dom to 10.0.0.1. Because they control their own DNS, you cannot prevent them from pointing the www.def.com record at any IP address.

All requests sent to 10.0.0.1 (including all URLs of the form http://www.abc.dom/any) will be served by the def.com virtual host. To better understand why this happens, you need an in-depth description of how Apache distributes incoming requests to its virtual hosts. You can find a complete document here.

"Main server" Address
In Apache 1.1, name-based virtual host support requires Apache to know the IP address of the host running httpd. To get it, Apache uses either the global ServerName (if present) or calls the C function gethostname (which returns the same value as typing hostname at the command line). It then uses DNS to look up the address. There is no way to avoid this lookup.

If you are worried that this lookup will fail because your DNS server is not running, you can insert a record for the host name in /etc/hosts (this record probably already exists in the file; otherwise, your machine could not start properly). Then make sure that your machine is configured to use /etc/hosts when DNS resolution fails. Depending on the operating system, this may mean editing one of the resolver .conf files, such as /etc/nsswitch.conf.

If your server does not have to use DNS for any other reason, you may be able to run Apache with the HOSTRESORDER environment variable set to "local". This depends on the operating system and resolver library you are using. Unless you use mod_env to control environment variables, it also affects CGI programs. We strongly recommend that you refer to the man pages or FAQ for your operating system.

Tips for avoiding these problems
Use IP addresses in VirtualHost.
Use IP addresses in Listen.
Make sure that all virtual hosts have an explicit ServerName definition.
Create a <VirtualHost _default_:*> server that has no pages to serve.
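The four tips above can be checked mechanically before a configuration is deployed. The following linter is an added example, not part of the original article or of Apache; the function names, finding codes and the sample configuration are constructed for illustration, and it only understands the Listen, ServerName and <VirtualHost> syntax shown on this page.

```python
import ipaddress
import re

# Constructed input: the snippet from the "Denial of Service" section, plus a
# Listen line that names a host instead of an address.
RISKY_CONF = """\
Listen www.abc.dom:80
<VirtualHost www.abc.dom>
DocumentRoot /www/abc
</VirtualHost>
<VirtualHost 10.0.0.2>
DocumentRoot /www/def
</VirtualHost>
"""

def split_host(addr):
    """Host part of 'host', 'host:port', 'host:*' or '[ipv6]:port'."""
    if addr.startswith("["):
        return addr[1:addr.find("]")]
    host, sep, port = addr.rpartition(":")
    return host if sep and (port.isdigit() or port == "*") else addr

def needs_dns(host):
    """True if Apache would have to resolve this token while parsing."""
    if host in ("*", "_default_"):
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True

def lint(conf_text):
    """Return (line, code, detail) findings for the four tips above."""
    findings, vhost, has_default = [], None, False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        opening = re.match(r"<VirtualHost\s+([^>]+)>", raw.strip(), re.I)
        if opening:
            addrs = opening.group(1).split()
            vhost = {"line": lineno, "addrs": addrs, "named": False}
            for addr in addrs:
                host = split_host(addr)
                has_default |= host == "_default_"
                if needs_dns(host):  # tip 1: address, not name
                    findings.append((lineno, "vhost-hostname", addr))
        elif tokens[0].lower() == "</virtualhost>":
            if vhost and not vhost["named"]:  # tip 3: explicit ServerName
                findings.append((vhost["line"], "no-servername", " ".join(vhost["addrs"])))
            vhost = None
        elif tokens[0].lower() == "servername" and vhost is not None:
            vhost["named"] = True
        elif tokens[0].lower() == "listen" and len(tokens) > 1:
            # tip 2: a bare port is fine, a host name is not
            if not tokens[1].isdigit() and needs_dns(split_host(tokens[1])):
                findings.append((lineno, "listen-hostname", tokens[1]))
    if not has_default:  # tip 4: catch-all virtual host
        findings.append((0, "no-default-vhost", "<VirtualHost _default_:*>"))
    return findings

if __name__ == "__main__":
    for finding in lint(RISKY_CONF):
        print(finding)
```

A configuration that follows all four tips produces an empty list of findings.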

Appendix: Further tips
The situation regarding DNS is far from ideal. In Apache 1.2 we have tried to make the server at least start when DNS resolution fails, but this may not be the best we can do. In today's Internet, where renumbering is a fact of life, having to specify IP addresses explicitly in the configuration file is out of date.

A possible solution to the theft-of-service attack described above is to perform a reverse DNS lookup on the IP address returned by the forward lookup and compare the two names. If they differ, the corresponding virtual host is disabled. This requires correctly configured reverse DNS (which most administrators are already familiar with, because FTP servers and TCP wrappers commonly perform "double-reverse" DNS lookups).
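The forward-then-reverse comparison described above can be run as a pre-deployment audit over the ServerName values in a configuration. This is an added example, not code from the original article or from Apache; the function names and the DNS tables (which model the abc.dom/def.dom scenario from the "Denial of Service" section) are constructed, and the resolver functions are injectable so the check runs offline.

```python
import socket

# Constructed DNS data: def's own DNS now answers 10.0.0.1 for www.def.dom,
# while the reverse zone (run by the hosting provider) still maps each
# address to the customer it was assigned to.
FORWARD = {"www.abc.dom": ["10.0.0.1"], "www.def.dom": ["10.0.0.1"]}
REVERSE = {"10.0.0.1": ["www.abc.dom"], "10.0.0.2": ["www.def.dom"]}

def fake_forward(name):
    if name not in FORWARD:
        raise socket.gaierror(f"no A record for {name}")
    return FORWARD[name]

def fake_reverse(ip):
    if ip not in REVERSE:
        raise socket.herror(f"no PTR record for {ip}")
    return REVERSE[ip]

def system_forward(name):
    """Live forward lookup (IPv4 only) through the system resolver."""
    return socket.gethostbyname_ex(name)[2]

def system_reverse(ip):
    """Live reverse lookup; returns the primary name plus aliases."""
    primary, aliases, _ = socket.gethostbyaddr(ip)
    return [primary, *aliases]

def confirm_vhost(name, forward=system_forward, reverse=system_reverse):
    """Forward-resolve name, reverse-resolve each address, compare names.

    Returns (ok, reason). Any lookup failure or mismatch means the virtual
    host should be left disabled, as the paragraph above proposes.
    """
    want = name.rstrip(".").lower()
    try:
        addresses = forward(name)
    except OSError as exc:  # gaierror and herror are OSError subclasses
        return False, f"forward lookup failed: {exc}"
    if not addresses:
        return False, "forward lookup returned no addresses"
    for ip in addresses:
        try:
            names = {n.rstrip(".").lower() for n in reverse(ip)}
        except OSError as exc:
            return False, f"reverse lookup failed for {ip}: {exc}"
        if want not in names:
            return False, f"{ip} reverse-resolves to {sorted(names)}, not {want}"
    return True, "forward and reverse lookups agree"

def audit(names, forward=system_forward, reverse=system_reverse):
    """Map each ServerName to its (ok, reason) verdict."""
    return {n: confirm_vhost(n, forward, reverse) for n in names}

if __name__ == "__main__":
    for name, (ok, reason) in audit(
            ["www.abc.dom", "www.def.dom", "www.gone.dom"],
            fake_forward, fake_reverse).items():
        print("enable " if ok else "DISABLE", name, "-", reason)
```

Calling audit() without the two fake resolver arguments performs the same comparison against the system resolver.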

In any case, if IP addresses are not used and DNS resolution fails, it does not seem possible to start a name-based virtual host. Partial measures, such as disabling parts of the configuration, can lead to results that are harder to predict than simply not starting.

With the deployment of HTTP/1.1 and support for the Host header in browsers and proxies, it becomes possible to avoid IP-based virtual hosts entirely. In that case, the web server does not have to perform DNS lookups during configuration. However, as of March 1997, these features were not yet widely deployed enough for use on important web servers.

http://www.uplinux.com/download/doc/apache/ApacheManual/dns-caveats.html#example

http://www.uplinux.com/download/doc/apache/ApacheManual/mod/core.html#virtualhost

<VirtualHost> and </VirtualHost> enclose a group of directives that apply only to a particular virtual host. Any directive that is allowed in a virtual host configuration can be used here. When the server receives a request for a document on a particular virtual host, it uses the directives enclosed in the <VirtualHost> section. The address can be:

The IP address of the virtual host;
The fully qualified domain name corresponding to the virtual host's IP address;
The character *, used only together with NameVirtualHost * to match all IP addresses; or
The string _default_, used only with IP-based virtual hosts to catch IP addresses not matched by any other virtual host.
Example
<VirtualHost 10.1.2.3>
ServerAdmin webmaster@host.foo.com
DocumentRoot /www/docs/host.foo.com
ServerName host.foo.com
ErrorLog logs/host.foo.com-error_log
TransferLog logs/host.foo.com-access_log
</VirtualHost>

An IPv6 address must be enclosed in square brackets; otherwise, the optional port number cannot be determined. An IPv6 example is as follows:

<VirtualHost [fe80::a00:20ff:fea7:ccea]>
ServerAdmin webmaster@host.foo.com
DocumentRoot /www/docs/host.foo.com
ServerName host.foo.com
ErrorLog logs/host.foo.com-error_log
TransferLog logs/host.foo.com-access_log
</VirtualHost>

Each virtual host must correspond to a different IP address, port number, or host name. In the first case, the physical machine on which the server runs must be configured to accept IP packets for multiple addresses. (If your operating system supports multiple network interfaces, you can use the ifconfig alias command for this purpose.)

When IP-based virtual hosts are used, the special name _default_ can be specified; that virtual host then matches any IP address not matched by the other listed virtual hosts. If no _default_ virtual host is set, the "main server" configuration (all configuration outside any virtual host section) is used when no IP address matches the request. (Note, however, that any IP address that matches a NameVirtualHost directive uses neither the "main server" configuration nor the _default_ virtual host. See the name-based virtual host documentation for more details.)

You can specify a :port to change the port that is matched. If not specified, it defaults to the port of the most recent Listen statement of the main server. You can also specify :* to match all ports on that address. (This is recommended when _default_ is used.)

Security tip: see the security tips document for details on why the security of the server may be compromised if the directory where log files are stored is writable by anyone other than the user that starts the server.

Note: the use of <VirtualHost> does not affect the addresses Apache listens on. You may need to use Listen to ensure that Apache is listening on the correct addresses.

When debugging programs with both IIS and Apache installed on the local machine, the two cannot use port 80 at the same time. The solutions are as follows:

Method 1:

IIS5, coexisting on multiple IP addresses: IIS on 192.168.0.1, Apache on 192.168.0.2
C:\Inetpub\AdminScripts> cscript adsutil.vbs set w3svc/disablesocketpooling true
The command returns the following: disablesocketpooling: (Boolean) True
Restart IIS.
Because disablesocketpooling is defined as a valid property in the IIS 6.0 metabase schema (MBSchema.xml), you can still set this property using adsutil.vbs, but the setting has no effect. In IIS 6.0 this functionality is part of the new kernel-level driver HTTP.sys. To configure HTTP.sys, you must use httpcfg.exe.

Method 2:

IIS6, coexisting on multiple IP addresses: IIS on 192.168.0.1, Apache on 192.168.0.2
Go to support/tools/support.cab on the 2003 CD, extract httpcfg.exe, and copy it to the Windows/system32/ directory.

Command line

Bind to an IP address: httpcfg set iplisten -i 192.168.0.1
That is, this command makes IIS listen only on the specified IP address and port.
View bindings: httpcfg query iplisten
Delete a binding: httpcfg delete iplisten -i 192.168.0.1

Command line
net stop apache2
net stop iisadmin /y
net start apache2
net start w3svc

Make sure that the IP address in IIS is set to the global default. If Listen 192.168.0.2:80 is set in Apache's httpd.conf, the two services can run simultaneously without conflict.
The IIS access address is http://192.168.0.1, and the Apache access address is http://192.168.0.2.

Method 3:

This is the method commonly described on the Internet for sharing port 80 on a single IP address. It is not recommended, because it simply uses Apache as a proxy and speed may suffer. Configure Apache to use port 80 and IIS to use another port, such as 81, and then use Apache as the proxy for IIS.

In httpd.conf, uncomment the following four lines:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

Create a virtual host that forwards all requests for the domain name to port 81.

ServerName iloves.vicp.net
ProxyPass / http://localhost:81/
ProxyPassReverse / http://localhost:81/

In this way, you can use both Apache and IIS functions by using only one port.

Likewise, you can run PHP4 under IIS and PHP5 under Apache 2. Install PHP4 in IIS and copy its php.ini to the \Windows directory; nothing more is needed there. For Apache 2, you only need to put PHP5's php.ini in the PHP5 installation directory.

Configure Apache to support PHP5:

LoadModule php5_module "D:/phpserver/PhP5/php5apache2.dll"
AddType application/x-httpd-php .php
DirectoryIndex index.html index.php
PHPIniDir "D:/phpserver/PhP5"

The most important one is PHPIniDir, which specifies the location of the php.ini file, that is, the PHP5 installation directory. Note that all directories should be written in the form D:/phpserver/PhP5 rather than D:\phpserver\PhP5. The IIS access address is http://192.168.0.1, and the Apache access address is http://192.168.0.2.

This article is from the CSDN blog; when reproducing it, please indicate the source: http://blog.csdn.net/wengyupeng/archive/2008/07/18/2670948.aspx
