
Web website Service (2)

2025-04-01 Update From: SLTechnology News&Howtos


Specific steps:

Client address restrictions

Through the configuration items Order, Deny from, Allow from, you can decide whether to allow client access based on the client's hostname or IP address. Order is used to set the restriction order, and Deny from and Allow from are used to set the specific limit content.

When using the Order configuration item, you can set it to "allow,deny" or "deny,allow" to determine the order in which the host applies the allow and deny policies.

• allow,deny: allow first and then deny. By default, all client addresses that are not explicitly allowed are denied.

• deny,allow: deny first and then allow. By default, all client addresses that are not explicitly denied are allowed.

When using the Allow and Deny configuration items, you need to set the client address to form a complete restriction policy. The address can be an IP address, a network address, a hostname, or a domain name; the name "all" stands for any address. The format of a restriction policy is as follows:

Allow from address1 address2...

Deny from address1 address2...

In general, the web server is open to all clients, and there are no restrictions on the web page document directory, so the "Allow from all" policy is used to allow access from any client. As shown in the figure:

When you need to use an "allow only" restriction policy, you should change the processing order to "allow,deny" and explicitly set the allow policy to allow only some hosts to access. For example, if you only want the network management machine with IP address 173.16.16.173 to be able to access the AWStats system, the following settings should be made for the directory area of the AWStats system.

When you need to use the "deny only" restriction policy, you should change the processing order to "deny,allow" and explicitly set the deny policy to prohibit only some hosts from accessing. For example, if you only want to deny access from hosts in the two intranet segments 192.168.0.0/24 and 192.168.1.0/24, but allow access from any other host, you can use the following restriction policy.
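The two policies above written out for httpd.conf, as an added example that is not the article's own configuration (its figures are missing). It goes one step beyond the text by pairing each policy with its Apache 2.4 `Require` form, because Order/Allow/Deny is the 2.2 syntax; the directory paths are placeholders.

```apache
# Added example. Directory paths are placeholders, not taken from the article.

# Apache 2.2 (mod_authz_host): the Order / Allow / Deny form described above.
<IfModule !mod_authz_core.c>
    # "Allow only": default is deny; a matching Deny would override an Allow.
    <Directory "/path/to/awstats/wwwroot">
        Order allow,deny
        Allow from 173.16.16.173
    </Directory>

    # "Deny only": default is allow; a matching Allow would override a Deny.
    <Directory "/path/to/htdocs">
        Order deny,allow
        Deny from 192.168.0.0/24 192.168.1.0/24
    </Directory>
</IfModule>

# Apache 2.4 (mod_authz_core present): the same two policies with Require.
<IfModule mod_authz_core.c>
    <Directory "/path/to/awstats/wwwroot">
        Require ip 173.16.16.173
    </Directory>

    <Directory "/path/to/htdocs">
        <RequireAll>
            Require all granted
            Require not ip 192.168.0.0/24 192.168.1.0/24
        </RequireAll>
    </Directory>
</IfModule>
```

Run `apachectl configtest` after editing and before restarting httpd, so that a syntax error does not take the server down.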

User authorization restrictions

The httpd server supports both digest authentication (Digest) and basic authentication (Basic). Digest authentication requires adding the "--enable-auth-digest" option when compiling httpd, and not all browsers support it; basic authentication is part of the basic functionality of the httpd service and requires no special options to be configured in advance.

User-based access control includes two processes: authentication and authorization. Authentication refers to the process of identifying users, and Authorization is the process of allowing specific users to access a specific directory area.

1. Create a user authentication data file

The basic authentication of httpd decides whether to allow access by verifying the combination of user name and password. User accounts that are authorized for access need to be created in advance and saved in a fixed data file. The dedicated htpasswd tool creates the authorized-user data file and maintains the user accounts in it.

When using the htpasswd tool, you must specify the location of the user data file; adding the "-c" option means that the file is newly created. For example, do the following to create a new data file /usr/local/httpd/conf/.awspwd that contains the information for a user named webadmin.

If the "-c" option is omitted, the specified user data file is assumed to already exist, and the command adds a new user or changes the password of an existing user. For example, when you need to add a new user pengjie to the .awspwd data file, you can do the following:

2. Add user authorization configuration

Once you have an authorized user account, you also need to modify the httpd.conf configuration file to add an authorization configuration in a specific directory area to enable basic authentication and set which users are allowed to access. As shown in the figure:

In the above configuration, the meaning of the relevant configuration items is as follows:

• AuthName: defines the protected realm name, which is displayed in the authentication dialog box that pops up in the browser.

• AuthType: sets the type of authentication. Basic represents basic authentication.

• AuthUserFile: sets the path of the authentication file used to save the user accounts and passwords.

• Require valid-user: requires that only legitimate users in the authentication file can access the directory. Here valid-user represents all legitimate users; to authorize only a single user, it can be changed to the specified user name.

3. Verify user access

Basic authentication login interface. As shown in the figure:

Access is denied when authentication fails. As shown in the figure:
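Steps 1 to 3 above as one added example (not the article's own configuration, whose figures are missing). The password file path and user names are the ones the article uses; the directory path, realm text and the `<server>` in the curl check are placeholders.

```apache
# Added example. The directory path and realm text are placeholders; the
# password file path and user names are the ones used in the article.
#
# Step 1, run in a shell:
#   htpasswd -c /usr/local/httpd/conf/.awspwd webadmin
#   htpasswd /usr/local/httpd/conf/.awspwd pengjie
# -c truncates an existing file, so use it only for the first user.
# Keep the file outside any DocumentRoot and readable only by the account
# httpd runs as, so the hashes cannot be downloaded or read by other users.

# Step 2, in httpd.conf:
<Directory "/path/to/awstats/wwwroot">
    AuthName "AWStats Directory"
    AuthType Basic
    AuthUserFile /usr/local/httpd/conf/.awspwd
    # Any user in the file may log in. To authorize one account only, use:
    #   Require user webadmin
    Require valid-user
</Directory>

# Step 3, check from a client shell:
#   curl -i http://<server>/<protected-path>/
#     expect "401" and a "WWW-Authenticate: Basic realm=..." header
#   curl -i -u webadmin http://<server>/<protected-path>/
#     prompts for the password, then expect "200"
#
# Basic authentication sends the user name and password base64-encoded, not
# encrypted, on every request; serve the protected area over HTTPS.
```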

Domain name-based virtual host

1. Provide domain name resolution for virtual hosts

Set up the DNS server

2. Prepare web documents for virtual hosts

Create two subdirectories in the /var/www/html/ directory as the root of the two sites, and write the test page files respectively. As shown in the figure:

3. Add virtual host configuration

In the main configuration file of the httpd server, to enable virtual Web hosts based on domain names, you usually need to configure the following items.

• Listening address: use the NameVirtualHost configuration item to specify the IP address of the virtual host service, that is, the IP address that the domain name of each virtual Web host resolves to.

• Virtual host area: use a "<VirtualHost> … </VirtualHost>" section to establish independent configuration content for each virtual Web host. It should include at least the website name of the virtual host and the root directory of its web pages; other configuration items such as the administrator mailbox, access logs and so on can be added according to actual needs.

• Directory permissions: use a "<Directory> … </Directory>" section to set access rights for the website directory of each virtual Web host, such as allowing anyone to access it. A directory inherits the access permissions of its parent directory, so you can simplify the configuration by granting access directly on the parent folder.

When there are a large number of virtual Web hosts, it is recommended that you use a separate virtual host configuration file and then load these configurations through Include in the httpd.conf file. This minimizes changes to the httpd.conf file and facilitates the maintenance of configuration content.

4. Access the virtual Web host in the client

In the client's browser, use the site name to access different virtual Web hosts to confirm that you can see different web page content. As shown in the figure:

Virtual host based on IP address

When configuring virtual Web hosts based on IP addresses, instead of using the NameVirtualHost configuration item to specify the IP address of the listening service, you only need to specify the IP address corresponding to the domain name in the VirtualHost configuration of each virtual Web host.

Specific steps:

1. Prepare web page documents for virtual hosts

2. Edit configuration file

Port-based virtual host

When configuring a port-based virtual Web host, you no longer need to use the NameVirtualHost configuration item. Instead, the TCP port numbers to listen on are specified through multiple Listen configuration items, and both the IP address and port number should be specified in the VirtualHost configuration of each virtual Web host.

Specific steps:

Access the site from the client, adding the port number after the domain name. As shown in the figure:
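The three virtual host types described above (domain name-based, IP address-based and port-based) side by side, as an added example that is not the article's own configuration. Host names, IP addresses, log file names and site directories are constructed placeholders.

```apache
# Added example. Host names, IP addresses and directories are placeholders.
# The three variants are alternatives; use one of them, not all three.

# 1. Name-based: one address, site chosen by the request's Host header.
#    NameVirtualHost is needed on Apache 2.2 and is obsolete on 2.4.
NameVirtualHost 192.0.2.10:80
<VirtualHost 192.0.2.10:80>
    # The first block for an address is also the default: it answers any
    # request whose Host header matches no ServerName.
    ServerName www.site-a.example
    DocumentRoot /var/www/html/site-a
    ErrorLog logs/site-a-error.log
    CustomLog logs/site-a-access.log common
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName www.site-b.example
    DocumentRoot /var/www/html/site-b
</VirtualHost>

# 2. IP-based: no NameVirtualHost; each site has its own address.
<VirtualHost 192.0.2.11:80>
    ServerName www.site-a.example
    DocumentRoot /var/www/html/site-a
</VirtualHost>
<VirtualHost 192.0.2.12:80>
    ServerName www.site-b.example
    DocumentRoot /var/www/html/site-b
</VirtualHost>

# 3. Port-based: one Listen per port, address and port in each VirtualHost.
Listen 192.0.2.10:80
Listen 192.0.2.10:8080
<VirtualHost 192.0.2.10:80>
    ServerName www.site-a.example
    DocumentRoot /var/www/html/site-a
</VirtualHost>
<VirtualHost 192.0.2.10:8080>
    ServerName www.site-a.example
    DocumentRoot /var/www/html/site-b
</VirtualHost>

# Shared by all variants: grant access once on the parent directory.
# (Apache 2.2 syntax; on 2.4 the equivalent is "Require all granted".)
<Directory "/var/www/html">
    Order allow,deny
    Allow from all
</Directory>
```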
