
LAMP setup 13: Apache access control

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Apache supports two kinds of access control: restricting a directory and restricting a file. Both are covered in turn. Our virtual machine has two IP addresses: 127.0.0.1 and 192.168.147.132. Suppose we do not want one of them, say 127.0.0.1, to be able to visit our website. (In practice the point is to restrict others, not yourself; this is only an example.)

Edit the virtual host configuration file:

[root@centos6 ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf

Add an access control rule that denies 127.0.0.1 access to the root directory of the website:

……

ServerName www.test.com

ServerAlias www.aaa.com

ServerAlias www.bbb.com

AllowOverride None

Options None

Order allow,deny

Allow from all

Deny from 127.0.0.1

RewriteEngine on

RewriteCond %{HTTP_HOST} ^www.aaa.com$ [OR]

RewriteCond %{HTTP_HOST} ^www.bbb.com$

RewriteRule ^/(.*)$ http://www.test.com/$1 [R=301,L]

……

Apache evaluates the rules in the sequence given by Order, regardless of the order in which the Allow and Deny lines appear below it. Here, Order allow,deny means the Allow rules are evaluated first and the Deny rules second.

So all IPs are allowed first, then 127.0.0.1 is denied, and the end result is that 127.0.0.1 is banned.

After checking and reloading the configuration file, we can see that access from 127.0.0.1 is denied while 192.168.147.132 can still reach the site.

[root@centos6 ~]# apachectl -t

Syntax OK

[root@centos6 ~]# apachectl graceful

[root@centos6 ~]# curl -x127.0.0.1:80 www.test.com -I

HTTP/1.1 403 Forbidden

Date: Sat, 14 Jan 2017 16:18:57 GMT

Server: Apache/2.2.9 (Unix) PHP/5.4.36

Content-Type: text/html; charset=iso-8859-1

[root@centos6 ~]# curl -x192.168.147.132:80 www.test.com -I

HTTP/1.1 301 Moved Permanently

Date: Sat, 14 Jan 2017 16:19:07 GMT

Server: Apache/2.2.9 (Unix) PHP/5.4.36

X-Powered-By: PHP/5.4.36

Location: forum.php

Cache-Control: max-age=0

Expires: Sat, 14 Jan 2017 16:19:07 GMT

Content-Type: text/html

[root@centos6 ~]# curl -x192.168.147.132:80 www.test.com/forum.php -I

HTTP/1.1 200 OK

Date: Sat, 14 Jan 2017 16:19:26 GMT

Server: Apache/2.2.9 (Unix) PHP/5.4.36

X-Powered-By: PHP/5.4.36

Set-Cookie: sTi8_2132_saltkey=NwiTwCJX; expires=Mon, 13-Feb-2017 16:19:26 GMT; path=/; httponly

Set-Cookie: sTi8_2132_lastvisit=1484407166; expires=Mon, 13-Feb-2017 16:19:26 GMT; path=/

Set-Cookie: sTi8_2132_sid=BreFeR; expires=Sun, 15-Jan-2017 16:19:26 GMT; path=/

Set-Cookie: sTi8_2132_lastact=1484410766%09forum.php%09; expires=Sun, 15-Jan-2017 16:19:26 GMT; path=/

Set-Cookie: sTi8_2132_onlineusernum=1; expires=Sat, 14-Jan-2017 16:24:26 GMT; path=/

Set-Cookie: sTi8_2132_sid=BreFeR; expires=Sun, 15-Jan-2017 16:19:26 GMT; path=/

Cache-Control: max-age=0

Expires: Sat, 14 Jan 2017 16:19:26 GMT

Content-Type: text/html; charset=gbk

The backend of the website should certainly not be open to every IP. For example, if you should only be able to log in to the backend from this machine, you need to whitelist access to the backend management page admin.php. By default everyone can see this page, which is not appropriate.

Add the following to the virtual host configuration file so that only 127.0.0.1 is allowed to access admin.php. The first Order group is the directory rule from above; the second Order group is the new whitelist, which applies to the file admin.php:

……

AllowOverride None

Options None

Order allow,deny

Allow from all

Deny from 127.0.0.1

Order deny,allow

Deny from all

Allow from 127.0.0.1

RewriteEngine on

RewriteCond %{HTTP_HOST} ^www.aaa.com$ [OR]

RewriteCond %{HTTP_HOST} ^www.bbb.com$

RewriteRule ^/(.*)$ http://www.test.com/$1 [R=301,L]

……

After checking the configuration and reloading it, we can see that only 127.0.0.1 is allowed to log in to the backend management page; it cannot be accessed through 192.168.147.132, so the backend is protected.

[root@centos6 ~]# apachectl -t

Syntax OK

[root@centos6 ~]# apachectl graceful

[root@centos6 ~]# curl -x192.168.147.132:80 www.test.com/admin.php -I

HTTP/1.1 403 Forbidden

Date: Sat, 14 Jan 2017 16:36:15 GMT

Server: Apache/2.2.9 (Unix) PHP/5.4.36

Content-Type: text/html; charset=iso-8859-1

[root@centos6 ~]# curl -x127.0.0.1:80 www.test.com/admin.php -I

HTTP/1.1 200 OK

Date: Sat, 14 Jan 2017 16:36:25 GMT

Server: Apache/2.2.9 (Unix) PHP/5.4.36

X-Powered-By: PHP/5.4.36

Set-Cookie: sTi8_2132_saltkey=zvA82A89; expires=Mon, 13-Feb-2017 16:36:25 GMT; path=/; httponly

Set-Cookie: sTi8_2132_lastvisit=1484408185; expires=Mon, 13-Feb-2017 16:36:25 GMT; path=/

Set-Cookie: sTi8_2132_sid=qe5kCO; expires=Sun, 15-Jan-2017 16:36:25 GMT; path=/

Set-Cookie: sTi8_2132_lastact=1484411785%09admin.php%09; expires=Sun, 15-Jan-2017 16:36:25 GMT; path=/

Cache-Control: max-age=0

Expires: Sat, 14 Jan 2017 16:36:25 GMT

Content-Type: text/html; charset=gbk
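
The Order evaluation explained above, applied to the two policies this page configures (the site root and admin.php), modelled in Python as an added example that is not part of the original article or of Apache itself. The names `is_allowed`, `SITE_ROOT`, `ADMIN_PHP` and `status` are made up for illustration, and only `all`, single IPs and CIDR ranges are handled.

```python
"""Model of Apache 2.2 Order/Allow/Deny evaluation (added example)."""
import ipaddress


def _matches(specs, client):
    """True if client matches any Allow/Deny spec ('all', an IP, or a CIDR)."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def is_allowed(order, allow, deny, client):
    """Return True if client is admitted under the given Order.

    allow,deny: Allow is evaluated first, then Deny; a client matching
                neither list is denied, a client matching both is denied.
    deny,allow: Deny is evaluated first, then Allow; a client matching
                neither list is allowed, a client matching both is allowed.
    """
    allowed = _matches(allow, client)
    denied = _matches(deny, client)
    order = order.lower()
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unsupported Order: {order!r}")


# The two policies from this page (hypothetical variable names).
SITE_ROOT = dict(order="allow,deny", allow=["all"], deny=["127.0.0.1"])
ADMIN_PHP = dict(order="deny,allow", allow=["127.0.0.1"], deny=["all"])


def status(policy, client):
    """'403' if the access check rejects the client, otherwise 'pass'."""
    return "pass" if is_allowed(client=client, **policy) else "403"


if __name__ == "__main__":
    for name, policy in (("site root", SITE_ROOT), ("admin.php", ADMIN_PHP)):
        for ip in ("127.0.0.1", "192.168.147.132"):
            print(f"{name:10} {ip:16} {status(policy, ip)}")
    # Same Allow/Deny lines as the site root but the opposite Order:
    # 127.0.0.1 matches both lists, so deny,allow lets it through.
    print(is_allowed("deny,allow", ["all"], ["127.0.0.1"], "127.0.0.1"))
```

Order, Allow and Deny are the Apache 2.2 directives, matching the Apache/2.2.9 server in the responses above; Apache 2.4 expresses the same policy with Require directives and keeps the old syntax only through mod_access_compat.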
