Linux Apache Web Server (continued III)

Source: Internet
Author: User


In this case, the only authentication mechanism that is guaranteed to be available on the WWW is the one provided by HTTP itself. The standard Apache server implements this kind of authentication and can control which hosts may access a particular site or part of a site.

This authentication falls into two types: host-based authentication, and authentication based on a user name and password. Since most users on the Internet obtain their IP addresses dynamically, host-based authentication is not always applicable, so in most cases the traditional user name/password method is more realistic. Below we briefly introduce how each of the two is implemented.

8.1 Host-based authentication methods

In this authentication mode, access is controlled by host name or host IP address. It is supported by Apache's mod_access module, which is installed by default. The module provides access control through the following Apache commands.


Allow command

Syntax: Allow from host1 host2 host3 ...

This command defines the list of hosts that are allowed to access a site or directory. Hosts in the list can be written in the following forms:

all: stands for all hosts;

The full domain name of a host, such as: www.mot.com;

Part of a domain name, such as: .mot.com;

Full IP address, such as: 202.98.2.32;

Partial IP address, such as: 202.98;

Network address/netmask pair, such as: 202.98.0.0/255.255.0.0;

Network address/NN (CIDR notation), such as: 202.98.0.1/16.


Deny command

Syntax: Deny from host1 host2 host3 ...

This command defines the list of hosts that are blocked from accessing a site or directory; otherwise it works like the Allow command.


Order command

Syntax: Order Deny,Allow | Allow,Deny

This command defines the order in which the Allow and Deny commands are evaluated.

For example:

<Directory /home/httpd/html>
Order Deny,Allow
Deny from www.mot.com
Allow from all
</Directory>

This set of commands prevents www.mot.com from accessing files in the /home/httpd/html directory.

Please note that the order here is Deny first, then Allow. If it were "Order Allow,Deny" instead, all hosts would first be allowed and then the prohibition applied; this is invalid, and all hosts can still access the directory.

8.2 Authentication method based on username/password

This authentication method is actually quite simple. When a WWW browser requests a URL protected by this authentication mode, a dialog box appears asking the user to type a user name and password. What the user enters is sent to the WWW server, which verifies it; if it is correct, the server returns the page, otherwise it returns a 401 error. Note that this authentication mode is basic and cannot be used where security requirements are high.

Many Apache modules support this type of authentication; here we introduce the most basic and standard one, mod_auth. As mentioned earlier, the mod_auth module implements authentication using user names, group names, and passwords stored in text files. This works well for a small number of users. If you need to authenticate a large number of users, such as thousands of users, the performance of this approach degrades drastically to an intolerable level, so in that case consider using either the mod_dbm module or the mod_mysql module for better performance.


Example one: Access control requiring a user name and password

Now let's take a look at how to set up a directory that requires a user name and password to access.

Basic situation: www.xxx.com

The site is set to:

DocumentRoot /home/httpd/html
AccessFileName .htaccess
AllowOverride All

Requirements: Restrict access to the /home/httpd/html/backup/ directory, allowing only the user "super" to access the directory with the password "fill-06".

Implementation steps:


Use htpasswd to create the user file

htpasswd -c /home/httpd/secr/.htpasswd super

The program prompts for the password of the user "super"; enter "fill-06" twice for it to take effect.


Create a .htaccess file

Use vi to create a file named .htaccess in the /home/httpd/html/backup/ directory, containing the following lines:

# Note: the name given to AuthName can be chosen freely
AuthName "my Friend only"
AuthType Basic
AuthUserFile /home/httpd/secr/.htpasswd
Require user super


Set the file permissions so that the Apache user has read permission

This completes the setup; you can now try it out.


Example two: Allow a group of users to access a directory

Suppose www.xxx.com now wants to let the two users mf1 and mf2 of the myfriend group access the /home/httpd/html/backup/ directory using the passwords "mf001-1" and "mf002-2" respectively.

Implementation steps:


Use htpasswd to create the user file

# -c creates the file (overwriting an existing one), so use it for the first user only
htpasswd -c /home/httpd/secr/.htpasswd mf1
htpasswd /home/httpd/secr/.htpasswd mf2


Set up the group file

Use vi to create a file named .htgroup in the /home/httpd/secr/ directory, containing:

myfriend: mf1 mf2


Create a .htaccess file

Use vi to create a file named .htaccess in the /home/httpd/html/backup/ directory, containing the following lines:

AuthName "my Friend only"
AuthType Basic
AuthUserFile /home/httpd/secr/.htpasswd
AuthGroupFile /home/httpd/secr/.htgroup
Require group myfriend

The configuration is finished; try it!


Example three: Mixed use of host-based and user name/password based authentication methods

If, besides allowing only the two users mf1 and mf2, you also want to prohibit every host other than www.mot.com from accessing this directory, change /home/httpd/html/backup/.htaccess to:

AuthName "my Friend only"
AuthType Basic
AuthUserFile /home/httpd/secr/.htpasswd
AuthGroupFile /home/httpd/secr/.htgroup
Require group myfriend
Order Deny,Allow
Deny from all
Allow from www.mot.com
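
As an added illustration (not code from the original article or from Apache), the following Python model matches the host forms listed in 8.1 and applies Order as the Apache documentation for mod_access describes it, then evaluates the host rules of Example three. The client list is constructed, host names are assumed to be already resolved from the client IP, and the Require line is not modelled.

```python
import ipaddress

def host_matches(spec, ip, name):
    """True if one Allow/Deny host spec matches a client (IP, resolved name)."""
    spec = spec.lower()
    if spec == "all":
        return True
    if "/" in spec:                      # network/netmask pair or network/NN (CIDR)
        net = ipaddress.ip_network(spec, strict=False)  # tolerate 202.98.0.1/16
        return ipaddress.ip_address(ip) in net
    if spec.replace(".", "").isdigit():  # full or partial IP: compare whole octets
        octets = spec.strip(".").split(".")
        return ip.split(".")[:len(octets)] == octets
    # Full or partial domain name: match only on a label boundary, so
    # ".mot.com" matches www.mot.com but not www.notmot.com.
    suffix = spec.lstrip(".")
    name = (name or "").lower()
    return name == suffix or name.endswith("." + suffix)

def allowed(order, allow, deny, ip, name=None):
    """Host-level decision for one client under the given Order."""
    hit_allow = any(host_matches(s, ip, name) for s in allow)
    hit_deny = any(host_matches(s, ip, name) for s in deny)
    if order.lower().replace(" ", "") == "deny,allow":
        # Deny rules first; an Allow match overrides; unmatched hosts get in.
        return hit_allow or not hit_deny
    # allow,deny: Allow rules first; a Deny match overrides; unmatched hosts are refused.
    return hit_allow and not hit_deny

# Constructed clients (IP, name from reverse DNS); no real lookups are made.
CLIENTS = [("202.98.2.32", "www.mot.com"), ("10.1.2.3", "pc.example.org")]

def example_three(ip, name):
    """Host rules of Example three: Order Deny,Allow / Deny from all / Allow from www.mot.com."""
    return allowed("Deny,Allow", ["www.mot.com"], ["all"], ip, name)

def both_rules_match(order):
    """A client matched by an Allow and a Deny rule at once: the Order decides."""
    return allowed(order, ["all"], ["www.mot.com"], "202.98.2.32", "www.mot.com")

if __name__ == "__main__":
    for ip, name in CLIENTS:
        print(ip, name, "allowed" if example_three(ip, name) else "denied")
    for order in ("Deny,Allow", "Allow,Deny"):
        print(order, "->", "allowed" if both_rules_match(order) else "denied")
```

Running a rule set through `allowed()` for a few representative clients before deploying it is a quick way to confirm that the chosen Order gives the intended result.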

Interpreting the Apache Logs

Having followed along step by step, you should now have your WWW site built and already on the Internet. You may want to know who has visited your site, or how your Apache server is running and what it is doing. Let's fulfil that wish through the Apache logs.

9.1 Keeping an eye on the Apache server

Apache lets you monitor the server's configuration information and running status over the WWW.

1. View configuration information

If your Apache includes the mod_info module, as the default configuration does, you can view the server information by accessing http://localhost/server-info.

2. Use the status page

If your Apache includes the mod_status module, as the default configuration does, you can view the server's running status information by accessing http://localhost/apache-status, including:

• the current time on the server system;

• the time the server was last restarted;

• the running time since the server was started;

• the total number of accesses served so far;

• the total number of bytes transmitted so far;

• the number of child processes serving requests;

• the number of idle child processes;

• the state of each process, the number of requests each child process has served, and the total number of bytes it has transmitted;

• the average number of requests per second, the number of bytes transmitted per second, and the average number of bytes transmitted per request;

• the current CPU usage of each child process and Apache's total CPU usage;

• the hosts currently connected and the requests being processed.

9.2 What is a log file

The log file is a record of Apache's work. Apache includes the mod_log_config module, which is used to record logs. By default it writes them in the Common Log Format (CLF).

Each request has its own line in a CLF log file, in the form:

host ident authuser date request status bytes

The meaning is as follows:

• host: the full name or IP address of the client host;

• ident: the identification information reported by the client;

• authuser: the user name, if the request was authenticated by user name;

• date: the date and time of the request;

• request: the client's request line;

• status: the three-digit HTTP status code returned to the client;

• bytes: the number of bytes returned to the client, excluding the HTTP headers.

9.3 Analyzing log files

With the log files in hand, we can analyze them using standard Unix tools or a dedicated log analyzer.


Example one: List the host names or IPs that have visited this site:

For this requirement, a single UNIX command line is enough:

cat /var/log/httpd/access_log | awk '{print $1}'


The command above does list the host names or IPs that have visited the site, but because some hosts visit many times, we would like to refine the result so that each host appears only once in the list. We can use:

cat /var/log/httpd/access_log | awk '{print $1}' | sort -u

3. Of course, we can also choose third-party log analysis tools as needed, or even develop our own log analysis tools to meet our needs. Common third-party log analysis tools are: WebTrends, Wusage, wwwstat, http-analyze, pwebstats, WebStat Explorer, AccessWatch.
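
The same host listing done with a small parser, as an added example that is not part of the original article: it splits each CLF line into the seven fields described in 9.2, lists each host once, and counts 401 responses per host, which is where failed logins against the password-protected directories of section 8.2 show up. The sample lines are constructed.

```python
import re
from collections import Counter

# host ident authuser [date] "request" status bytes
CLF = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(.*)" (\d{3}) (\d+|-)$')
FIELDS = ("host", "ident", "authuser", "date", "request", "status", "bytes")

def parse_clf(line):
    """Return the seven CLF fields as a dict, or None for a malformed line."""
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" = no body sent
    return rec

def summarize(lines):
    """Unique hosts, requests per host, 401 responses per host, skipped lines."""
    hits, failures, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            skipped += 1
            continue
        hits[rec["host"]] += 1
        if rec["status"] == 401:        # missing or rejected Basic credentials
            failures[rec["host"]] += 1
    return sorted(hits), hits, failures, skipped

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    '202.98.2.32 - super [10/Oct/2000:13:55:36 +0800] "GET /backup/ HTTP/1.0" 200 2326',
    '10.1.2.3 - - [10/Oct/2000:13:56:01 +0800] "GET /backup/ HTTP/1.0" 401 -',
    '10.1.2.3 - mf1 [10/Oct/2000:13:56:05 +0800] "GET /backup/ HTTP/1.0" 401 -',
    '10.1.2.3 - mf1 [10/Oct/2000:13:56:09 +0800] "GET /backup/ HTTP/1.0" 200 512',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    hosts, hits, failures, skipped = summarize(SAMPLE)
    print("hosts:", hosts)
    for host in hosts:
        print(host, "requests:", hits[host], "401s:", failures[host])
    print("malformed lines skipped:", skipped)
```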

9.4 Some tips

Log files give us first-hand information about the site, but they are also the culprit that swallows large amounts of disk space. So don't forget to dump or delete old log files regularly.

X. Apache and Proxy Server

A proxy server is a system located between clients and the servers those clients want to access. When a client requests a remote resource using a URL, the proxy server accepts the request and obtains the resource to satisfy it. Typically, the proxy server acts as a server to the client and as a client to the remote server.

The proxy server can store the requested content in its own cache, so that when the same information is requested again it does not need to be fetched from the remote server. In this way the proxy server relieves network bottlenecks.

Apache can be configured as a proxy server.

10.1 Forward proxy server and reverse proxy server

1. Forward Proxy Server

The forward proxy server is typically located between the user's host and the remote network to be accessed. It obtains the requested resource from the remote server, returns it to the user, and also saves it on disk for later use.

In this case, the client hosts know that they are using a proxy server, because each host must be configured to use it.

For example, you must tell the WWW browser to use a proxy server before it can use one. All remote requests are then transmitted through the proxy server.

This type of proxy server is also known as a caching proxy server. The reverse proxy server can also cache data, but it works as well as the forward server.

The structure diagram for the forward proxy server is as follows:



Figure 4 Forward Proxy Server

2. Reverse Proxy Server

The reverse proxy server is located in front of the Internet resources; it fetches the requested resource from the original server and returns it to the user's host.

Unlike with a forward proxy server, users of a reverse proxy server do not know that they are connected to a proxy server rather than to the resource server itself. Its structure is shown in the following illustration:



Figure 5 Reverse Proxy Server

10.2 Configuring the Proxy Server

To use Apache as a proxy server, you need to set ProxyRequests to On, and then add further configuration depending on what you want the proxy server to do. Whatever that is, the proxy configuration you choose should be placed in a special <Directory> container.

<Directory proxy:*>
...
</Directory>


Example one: Connecting the private IP network to the Internet

Assume that only one computer on the private network has been assigned a valid Internet IP address. That computer runs the Apache proxy server with ProxyRequests set to On; no additional configuration is required, and all requests can be served by the proxy server.


Example two: Let Apache act as a cache for remote WWW sites

Step one: set ProxyRequests to On

Step Two: Create the configuration as follows:

<Directory proxy:*>
CacheRoot /www/cache
CacheSize 1024
CacheMaxExpire 24
</Directory>

This sets the cache directory to /www/cache with a size of 1024 KB, or 1 MB; the contents of the cache expire after 24 hours.


Example three: Establish a mirror site (in fact, this is the so-called reverse proxy server)

Step one: set ProxyRequests to On

Step two: create the configuration as follows:

<Directory proxy:*>
ProxyPass / http://www.mot.com/
CacheRoot /www/cache
CacheDefaultExpire 24
</Directory>

10.3 Some tips

Proxy servers will be covered in detail in later chapters; this section only describes them as an Apache feature. As a proxy server, Apache does not perform well and the results are not good, so it is not recommended for this use.
