LAMP Setup 13: Apache Access Control

Published: 2024-08-20
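Apache has two kinds of access control: one restricts directories, the other restricts files. This article covers both in turn. Our virtual machine has two IPs: 127.0.0.1 and 192.168.147.132. Suppose we do not want one of them, say 127.0.0.1, to access our website. (In practice the point is to restrict other people, not yourself; this is only an example.)
Edit the virtual host configuration file: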
[root@centos6 ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
Add an access control rule that blocks 127.0.0.1 from the site's document root:
……
ServerName www.test.com
ServerAlias www.aaa.com
ServerAlias www.bbb.com
<Directory "/data/www">
    AllowOverride None
    Options None
    # Allow everyone, then deny 127.0.0.1
    Order allow,deny
    Allow from all
    Deny from 127.0.0.1
</Directory>
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www.aaa.com$ [OR]
    RewriteCond %{HTTP_HOST} ^www.bbb.com$
    RewriteRule ^/(.*)$ http://www.test.com/$1 [R=301,L]
</IfModule>
……
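Rules are evaluated in the sequence given by Order, regardless of the order in which the Allow and Deny lines appear below it. Here the Order is allow first, then deny,
so all IPs are allowed first and then 127.0.0.1 is denied; the end result is that 127.0.0.1 is blocked.
After checking that the configuration is correct, reload it. We can see that 127.0.0.1 is refused while 192.168.147.132 can still access the site: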
[root@centos6 ~]# apachectl -t
syntax ok
[root@centos6 ~]# apachectl graceful
[root@centos6 ~]# curl -x127.0.0.1:80 -i www.test.com
http/1.1 403 forbidden
date: sat, 14 jan 2017 16:18:57 gmt
server: apache/2.2.9 (unix) php/5.4.36
content-type: text/html; charset=iso-8859-1
[root@centos6 ~]# curl -x192.168.147.132:80 -i www.test.com
http/1.1 301 moved permanently
date: sat, 14 jan 2017 16:19:07 gmt
server: apache/2.2.9 (unix) php/5.4.36
x-powered-by: php/5.4.36
location: forum.php
cache-control: max-age=0
expires: sat, 14 jan 2017 16:19:07 gmt
content-type: text/html
[root@centos6 ~]# curl -x192.168.147.132:80 -i www.test.com/forum.php
http/1.1 200 ok
date: sat, 14 jan 2017 16:19:26 gmt
server: apache/2.2.9 (unix) php/5.4.36
x-powered-by: php/5.4.36
set-cookie: sti8_2132_saltkey=nwitwcjx; expires=mon, 13-feb-2017 16:19:26 gmt; path=/; httponly
set-cookie: sti8_2132_lastvisit=1484407166; expires=mon, 13-feb-2017 16:19:26 gmt; path=/
set-cookie: sti8_2132_sid=brefer; expires=sun, 15-jan-2017 16:19:26 gmt; path=/
set-cookie: sti8_2132_lastact=1484410766 forum.php ; expires=sun, 15-jan-2017 16:19:26 gmt; path=/
set-cookie: sti8_2132_onlineusernum=1; expires=sat, 14-jan-2017 16:24:26 gmt; path=/
set-cookie: sti8_2132_sid=brefer; expires=sun, 15-jan-2017 16:19:26 gmt; path=/
cache-control: max-age=0
expires: sat, 14 jan 2017 16:19:26 gmt
content-type: text/html; charset=gbk
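The site's admin backend must not be open to arbitrary IPs. For example, if logins to the backend should only be allowed from the local machine, the admin page admin.php needs a whitelist. By default everyone can see this page, which is not appropriate.
Add the following to the virtual host configuration file so that only 127.0.0.1 can access admin.php: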
……
<Directory "/data/www">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    Deny from 127.0.0.1
</Directory>
# Only 127.0.0.1 may request files whose name contains "admin"
<FilesMatch "(.*)admin(.*)">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</FilesMatch>
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www.aaa.com$ [OR]
    RewriteCond %{HTTP_HOST} ^www.bbb.com$
    RewriteRule ^/(.*)$ http://www.test.com/$1 [R=301,L]
</IfModule>
……
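After checking that the configuration is correct, reload it. Now only 127.0.0.1 is allowed into the admin backend, and it can no longer be reached through 192.168.147.132, so it is secure.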
[root@centos6 ~]# apachectl -t
syntax ok
[root@centos6 ~]# apachectl graceful
[root@centos6 ~]# curl -x192.168.147.132:80 -i www.test.com/admin.php
http/1.1 403 forbidden
date: sat, 14 jan 2017 16:36:15 gmt
server: apache/2.2.9 (unix) php/5.4.36
content-type: text/html; charset=iso-8859-1
[root@centos6 ~]# curl -x127.0.0.1:80 -i www.test.com/admin.php
http/1.1 200 ok
date: sat, 14 jan 2017 16:36:25 gmt
server: apache/2.2.9 (unix) php/5.4.36
x-powered-by: php/5.4.36
set-cookie: sti8_2132_saltkey=zva82a89; expires=mon, 13-feb-2017 16:36:25 gmt; path=/; httponly
set-cookie: sti8_2132_lastvisit=1484408185; expires=mon, 13-feb-2017 16:36:25 gmt; path=/
set-cookie: sti8_2132_sid=qe5kco; expires=sun, 15-jan-2017 16:36:25 gmt; path=/
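
As an added example (not part of the original article), the Python model below shows how Apache 2.2 evaluates Order, Allow and Deny for the two sections in this vhost and reproduces the four curl results above. It assumes the <FilesMatch> rules replace the <Directory> rules for matching filenames, as those results show; the function names and the sample filename sysadmin_notes.txt are made up for illustration.

```python
import ipaddress
import re

def matches(client, specs):
    """True if the client IP matches any spec: 'all', a single IP, or a CIDR.
    (Apache also accepts partial IPs and hostnames; those are not modelled.)"""
    ip = ipaddress.ip_address(client)
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False)
               for s in specs)

def evaluate(order, allow, deny, client):
    """Apache 2.2 Order semantics for one configuration section."""
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "allow,deny":
        # Allow is checked first, Deny second: Deny wins, default is deny.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is checked first, Allow second: Allow wins, default is allow.
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)

# The two sections from the vhost on this page.
DIRECTORY = {"order": "allow,deny", "allow": ["all"], "deny": ["127.0.0.1"]}
FILES_ADMIN = {"pattern": re.compile(r"(.*)admin(.*)"),
               "order": "deny,allow", "allow": ["127.0.0.1"], "deny": ["all"]}

def access_status(client, filename):
    """Return 403 if access control refuses the request, else 200.

    Assumption: when <FilesMatch> matches the filename, its Order/Allow/Deny
    replace the <Directory> ones rather than adding to them. 200 only means
    the access check passed; the application may still answer with a redirect.
    """
    hit = FILES_ADMIN["pattern"].search(filename)
    section = FILES_ADMIN if hit else DIRECTORY
    ok = evaluate(section["order"], section["allow"], section["deny"], client)
    return 200 if ok else 403

if __name__ == "__main__":
    # Constructed requests: the four cases tested with curl, plus one extra file.
    for client, name in [("127.0.0.1", "forum.php"),
                         ("192.168.147.132", "forum.php"),
                         ("192.168.147.132", "admin.php"),
                         ("127.0.0.1", "admin.php"),
                         ("192.168.147.132", "sysadmin_notes.txt")]:
        print(client, name, access_status(client, name))
```

Because the FilesMatch pattern is unanchored, every filename containing "admin" is limited to 127.0.0.1, not only admin.php.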

