Full Analysis of Apache Web server access control mechanism

Full Analysis of Apache Web server access control mechanism

See: http://netsecurity.51cto.com/art/201102/245666.htm

 

The Aapche server in Linux provides powerful access control functions. Users can choose to configure the server by using the configuration command or the. htaccess file. This article will introduce these two methods.

1. Use common access control configuration commands for access control

1. configuration instructions

The configuration commands for Implementing Access Control in Apache include the following:

1) order command: used to specify the sequence in which access control rules are allowed or access control rules are denied. Order can only be set to Order allow, deny, Order deny, and allow, respectively, to indicate whether the user sets the allowed access address or the prohibited access address first. The Order option defines the default access permission and the processing sequence of Allow and Deny statements. The Allow and Deny statements can be used to set the domain name or IP address of the client to determine which clients can access the server. The specific meanings of the two values set in the Order statement are as follows:

◆ Allow and deny: by default, access from all clients is prohibited, and the Allow statement is matched before the Deny statement. If a condition matches both the Deny statement and the Allow statement, the Deny statement takes effect because the Deny statement overwrites the Allow statement ).

◆ Deny and allow: access from all clients is allowed by default, and the Deny statement is matched before the Allow statement. If a condition matches both the Deny statement and the Allow statement, the Allow statement takes effect because the Allow statement overwrites the Deny statement ).

2) allow command: Specify the allowed addresses or address sequences. For example, the allow from all command allows access requests from all IP addresses.

3) deny command: Specifies the address or Address Sequence of Access prohibited. For example, the deny from all command disables access requests from all IP addresses.

2. Application Instance

The following are a few simple examples to demonstrate the use of the above order, allow, and deny commands.

1) in the following example, all hosts in the admin.org domain are allowed to access the website, and access from other hosts not in the domain is denied, because Deny is in the front, Allow is in the back, the Allow statement overwrites the Deny statement:

 
 

  
  
Order Deny,Allow   
  
  
Deny from all  
  
  
Allow from admin.org  
 
 

2) In the following example, all hosts in the admin.org domain are allowed to access all the hosts except those in the db.admin.org subdomain. However, access to all hosts not in the admin.org domain is not allowed, because the default state is to Deny access to the server before Allow, and after Deny, the Deny statement overwrites the Allow statement ):

 
 

  
  
Order Allow,Deny  
  
  
Allow from admin.org  
  
  
Deny from db.admin.org  
 
 

 

2. Use the. htaccess file for access control

Any command that appears in the configuration file httpd. conf can be displayed in the. htaccess file. This file is specified in the AccessFileName command of the httpd. conf file for configuration of a single directory. Note: This file can only set access control for directories ). As a system administrator, you can specify the file name and the server configuration that can be overwritten by the file content. This command is useful when the site has multiple sets of content providers and wants to control the operations these users perform on their space.

It is worth noting that, apart from being usable. in addition to the access control configuration for a single directory, the htaccess file can also make the configuration take effect without restarting the Apache server, so it is very convenient to use.

To use this file for access control, perform the following two necessary steps:

1) Enable and control the use of the. htaccess file in the main configuration file httpd. conf.

2) generate the. htaccess file in the directory that needs to overwrite the main configuration file, that is, the directory that requires independent access control permissions. edit the file and set access control permissions.

1. Enable and control the use of. htaccess files

To enable and control the use of the. htaccess file, you must first use the AccessFileName parameter to configure the following configuration statement in the main configuration file:

 
 

  
  
AccessFileName .htaccess  
  
  
<Files ~ “^\.htaccess”> 
  
  
    Order allow,deny  
  
  
    Deny from all  
  
  
</Files> 
 
 

2. Use commands in the. htaccess file for control

To restrict the content that can be overwritten by the. htaccess file, use the AllowOverride command. This command can be set globally or in a single directory. To configure the Options that can be used by default, you must use the Options command. For example, in the httpd. conf file, you can use the preceding command to create a list of access control permissions for the/var/www/icons directory, as shown below:

 
 

  
  
<Directory "/var/www/icons"> 
  
  
    Options Indexes MultiViews  
  
  
    AllowOverride None  
  
  
    Order allow,deny  
  
  
    Allow from all  
  
  
</Directory> 
 
 

The following describes how to use various commands:

1) AllowOverrides command

The AllowOverrides command specifies the options that can be overwritten by the. htaccess file. You can set each directory. For example, you can set different standards for overwriting the root and UserDir directories of the main documents. This function is particularly useful for user directories where users do not have the permission to access the configuration file of the master server.
 

AllowOverrides can be set to a combination of All, None, or Option, FileInfo, AuthConfig, Indexes, and Limit. Options. These options have the following meanings:

◆ Options: You can add Options not listed in the Options command to this directory.

◆ FileInfo: The. htaccess file contains instructions for modifying document type information.

◆ AuthConfig: The. htaccess file may contain verification commands.

◆ Limit: The. htaccess file may contain the allow, deny, and order commands.

◆ Indexes: controls the directory list.

◆ None: The. htaccess file cannot be processed.

◆ All: reads All the preceding commands.

Options command

Options can be a combination of None, All, or any Indexes, Des, FollowSymLinks, ExecCGI, or MultiViews. MultiViews is not included in All and must be explicitly specified. These options are described as follows:

◆ None: no available options are enabled for this directory.

◆ All: All options are enabled for this directory, except MultiViews.

◆ Indexes: When the index.html file or another DirectoryIndex file does not exist, the file list in the directory will be generated as an HTML page and displayed to the user.

◆ Allowed des: This Directory allows the server side to contain SSI ). If the include option is allowed but the include option is not allowed, it can be written as IncludesNoExec. For security reasons, this option is a good idea for directories that do not have full control permissions, such as the UserDir directory.

◆ FollowSymLinks: the directory in which the access symbol is linked to the document directory. This method is not good. Do not set all servers to this option. You can set a directory in this way, but it is set only when there are enough reasons. This option is a potential security risk because it allows Web users to jump out of the document directory and potentially allows users to access the partition of the file system, these places do not require access from others.

◆ ExecCGI: the CGI program is allowed even if the directory is not a ScriptAlias directory.

◆ MultiViews: This option is part of the mod_negotiation Module. When the document requested by the customer is not found, the server tries to calculate the document most suitable for the customer request.

3. Use the. htaccess file instance

The following uses a simple example to demonstrate how to use the. htaccess file:

1) generate a test directory under the document root directory of the Apache server and create a test file. Run the following command:

 
 

  
  
#cd /var/www/html  
  
  
#mkdir rhel5  
  
  
#cd rhel5  
  
  
#touch rhel5.a  
  
  
#touch rhel5.b  
 
 

2) modify the main configuration file of the Apache server as follows and add the following statement:

 
 

  
  
<Directory “/var/www/html/rhel5”> 
  
  
    AllowOverride Options  
  
  
</Directory> 
 
 

3) generate the. htaccess file under the generated test directory/var/www/html/rhel5 and add the following statement:

 
 

  
  
Options –Indexes 
 
 

4) restart the Apache server. You can see that you can use the client browser to browse the file before the. htaccess file is configured, but you cannot browse the file after the configuration file, as shown in 1 and 2. In addition, it is worth noting that the restart of the Apache server here is because the master configuration file is modified in step 2, not because of the modification. htaccess file, because we mentioned above ,. you do not need to restart the Apache server to modify the configuration of the htaccess file.

650) this. width = 650; "onclick = 'window. open (" http://blog.51cto.com/viewpic.php? Refimg = "+ this. src) 'class = "fit-image" height = "407" alt = "Figure 1 Overview of access directories before Ram is used:" width = "498" border = "0" onload = "javascript: if (this. width> 498) this. width = 498; "src =" http://www.bkjia.com/uploads/allimg/131227/0U1564a4-0.jpg "/>

Figure 1 Overview of access directories before access control is used

650) this. width = 650; "onclick = 'window. open (" http://blog.51cto.com/viewpic.php? Refimg = "+ this. src) 'class = "fit-image" height = "404" alt = "Figure 2" width = "498" border = "0" onload = "javascript: if (this. width> 498) this. width = 498; "src =" http://www.bkjia.com/uploads/allimg/131227/0U1564139-1.jpg "/>

Figure 2 Access Directory after Access Control

This article is from the blog "excellence begins with the foot" and will not be reproduced!