
Apache Web service: configuring access control and building virtual hosts

2025-03-01 Update From: SLTechnology News&Howtos

Blog catalogue

I. Access control of the httpd service
1. Client address restrictions
2. User authorization restrictions
II. Build a virtual Web host
III. Configure virtual hosts based on domain name
IV. Configure virtual hosts based on IP address
V. Configure virtual hosts based on port number

I. Access control of the httpd service

To better control access to website resources, you can add access authorization to specific site directories. Access control is mainly divided into client address restrictions and user authorization restrictions, both of which are applied in the <Directory> section of the httpd.conf configuration file.

1. Client address restrictions

With the Require configuration item, you can decide whether to allow client access based on the client's host name or IP address. Require can be used in container sections of the httpd main configuration file such as <Location>, <Directory>, and <Files>. The address can be given as an IP address, a network address, a host name, or a domain name; the name "all" stands for any address. The common formats of restriction policies are as follows:

Require all granted: allows access from all hosts.
Require all denied: denies access from all hosts.
Require local: allows access only from the local host.
Require [not] host: allows or denies access from the specified hosts or domains.
Require [not] ip: allows or denies access from the specified IP addresses or network segments.

When defining a restriction policy, multiple Require statements without "not" are combined with OR: a client that satisfies any one of them is allowed access. When Require statements without "not" appear together with Require statements with "not", they are combined with AND: a client must satisfy all of them at the same time to be allowed access.

The specific configuration is as follows:

To allow only the host with IP address 192.168.100.101 to access the content under the /usr/local/httpd/htdocs web page directory, use the following policy (open the main configuration file httpd.conf in vi, type /Directory in last-line mode, and press Enter to jump to the appropriate location):

    <Directory "/usr/local/httpd/htdocs">
        ...
        Require ip 192.168.100.101
    </Directory>

After saving the configuration and restarting the service, the client at 192.168.100.101 can access the site.

Conversely, when you need a "deny only" restriction policy, combine Require and Require not statements so that only some hosts are denied access. When using not to deny access, place the statements inside a <RequireAll> container and specify the restriction policy within that container.

The specific configuration is as follows:

    <Directory "/usr/local/httpd/htdocs">
        ...
        <RequireAll>
            Require all granted
            Require not ip 192.168.100.0/24 192.168.200.0/24
        </RequireAll>
    </Directory>

You can also restrict access in the following way (this is the older httpd 2.2 syntax, which httpd 2.4 supports through mod_access_compat):

    <Directory "/usr/local/httpd/htdocs">
        ...
        Deny from 192.168.100.0/24 192.168.200.0/24
    </Directory>

2. User authorization restrictions

User-based access control involves two processes, authentication and authorization: Apache lets specified users access specific resources by means of a user name and password. The httpd server supports both digest authentication (Digest) and basic authentication (Basic). To use digest authentication, you need to add the "--enable-auth-digest" option when compiling httpd; however, not all browsers support digest authentication, so it is not recommended. Basic authentication is a basic function of the httpd service and requires no special options in advance.

1) Create a user authentication data file

    [root@centos01 ~]# /usr/local/httpd/bin/htpasswd -c /usr/local/httpd/htdocs/.password admin
    New password:
    Re-type new password:
    Adding password for user admin

Check that the user was added:

    [root@localhost httpd]# cd /usr/local/httpd/
    [root@localhost httpd]# cat htdocs/.password
    admin:oVc8B0TaIVv0s

2) Modify the Apache main configuration file to load authentication

    [root@centos01 ~]# vi /usr/local/httpd/conf/httpd.conf
    <Directory "/usr/local/httpd/htdocs">
        ...
        AuthName "Default"
        AuthType Basic
        AuthUserFile /usr/local/httpd/htdocs/.password
        Require valid-user
    </Directory>

3) Restart the Apache service

    [root@centos01 ~]# systemctl restart httpd

When a client accesses the site, a prompt box appears, and the site can be accessed after entering the account name and password. Note that when user access authorization is set together with host access control, the host access control takes precedence. Therefore, when restricting by user authorization, you need to delete the Require statement used for host access control; otherwise, user access authorization will not take effect.
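The client address rules from section 1 and the login from section 2 can also be enforced together rather than one being dropped. The following is an added example, not part of the original article: it assumes httpd 2.4 and the article's /usr/local/httpd layout, and conf/.htpasswd is an assumed location chosen so that the password file sits outside the web root.

```apache
# Added example. Use ONE of the two <Directory> blocks, not both.

# (a) As configured in the article: the password file lives inside the
#     web root and the login is the only rule, so a client at any
#     address may attempt a login.
<Directory "/usr/local/httpd/htdocs">
    AuthName "Default"
    AuthType Basic
    AuthUserFile /usr/local/httpd/htdocs/.password
    Require valid-user
</Directory>

# (b) Address rule AND login: <RequireAll> grants access only when every
#     statement inside it matches, so the client must connect from
#     192.168.100.101 and also present a valid user name and password.
<Directory "/usr/local/httpd/htdocs">
    AuthName "Default"
    AuthType Basic
    # Assumed path outside DocumentRoot, so the file cannot be requested
    # as a page. Create it with, for example:
    #   htpasswd -c -B /usr/local/httpd/conf/.htpasswd admin
    # (-B stores a bcrypt hash instead of the short crypt() hash).
    AuthUserFile /usr/local/httpd/conf/.htpasswd
    <RequireAll>
        Require ip 192.168.100.101
        Require valid-user
    </RequireAll>
</Directory>

# If the file has to stay under htdocs as in (a), refuse to serve it.
<Files ".password">
    Require all denied
</Files>
```

Run "/usr/local/httpd/bin/apachectl -t" to check the syntax before restarting the service.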

II. Build a virtual Web host

Virtual Web hosting means running multiple Web sites on the same server. None of the sites occupies the whole server on its own, hence the name "virtual" Web host. With virtual Web hosts, the hardware resources of the server can be fully used, which greatly reduces the cost of building and operating websites. With httpd it is easy to build a virtual host server: a single httpd service can support a large number of Web sites at the same time. httpd supports three types of virtual hosts:

Domain name-based: each virtual host uses a different domain name, but the corresponding IP address is the same. This is the most commonly used type of virtual Web host.
IP address-based: each virtual host uses a different domain name, and the corresponding IP address is also different. This method requires multiple network interfaces on the server, so it is not widely used.
Port-based: domain names and IP addresses are not used to distinguish the content of different sites; different TCP port numbers are used instead, so users need to specify the port number when browsing the different virtual sites.

III. Configure virtual hosts based on domain name

Set up your own DNS server first. If anything is unclear, refer to the blog post "CentOS7 simply build DNS service"; it is not explained in detail below.

1. Provide domain name resolution for the virtual hosts

    [root@centos01 ~]# vi /etc/named.conf
    options {
            listen-on port 53 { 192.168.100.10; };
            directory "/var/named";
            allow-query { 192.168.100.0/24; };
    };
    zone "bdqn.com" IN {
            type master;
            file "bdqn.com.zone";
    };
    zone "benet.com" IN {
            type master;
            file "benet.com.zone";
    };

    [root@centos01 ~]# vi /var/named/bdqn.com.zone
    $TTL 86400
    @         SOA   bdqn.com. root.bdqn.com. (
                    2019081610
                    1H
                    15M
                    1W
                    1D )
    @         NS    centos01.bdqn.com.
    centos01  A     192.168.100.10
    www       A     192.168.100.10

    [root@centos01 ~]# cp /var/named/bdqn.com.zone /var/named/benet.com.zone
    [root@centos01 ~]# vi /var/named/benet.com.zone
    $TTL 86400
    @         SOA   benet.com. root.benet.com. (
                    2019081610
                    1H
                    15M
                    1W
                    1D )
    @         NS    centos01.benet.com.
    centos01  A     192.168.100.10
    www       A     192.168.100.10

2. Edit the network card configuration

    [root@centos01 ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens32
    ...
    DNS1=192.168.100.10
    [root@centos01 ~]# systemctl restart network
    [root@centos01 ~]# systemctl restart named

3. Resolve the domain names from the client

4. Prepare web documents for the virtual hosts

Prepare a website directory and web page documents for each virtual Web host. To make testing easier, each virtual Web host is given a different home page file:

    [root@centos01 ~]# mkdir -p /var/www/
    [root@centos01 ~]# mkdir -p /var/www/bdqn.com
    [root@centos01 ~]# mkdir -p /var/www/benet.com
    [root@centos01 ~]# echo "www.bdqn.com" > /var/www/bdqn.com/index.html
    [root@centos01 ~]# echo "www.benet.com" > /var/www/benet.com/index.html

5. Modify the main configuration file to support virtual hosts

    [root@centos01 ~]# vi /usr/local/httpd/conf/httpd.conf
    # Virtual hosts
    Include conf/extra/httpd-vhosts.conf

6. Modify virtual host access

    [root@centos01 ~]# vim /usr/local/httpd/conf/extra/httpd-vhosts.conf
    NameVirtualHost 192.168.100.10
    # <Directory> path assumed: the parent of the two site directories
    <Directory "/var/www">
        # 2.2-style syntax; the httpd 2.4 equivalent is "Require all granted"
        Order deny,allow
        Allow from all
    </Directory>

7. Configure the domain name-based virtual hosts

    [root@centos01 ~]# vim /usr/local/httpd/conf/extra/httpd-vhosts.conf
    NameVirtualHost www.bdqn.com:80
    NameVirtualHost www.benet.com:80
    # <Directory> path assumed: the parent of the two site directories
    <Directory "/var/www">
        Order deny,allow
        Allow from all
    </Directory>
    # <VirtualHost> address assumed: *:80, so the site is selected by ServerName
    <VirtualHost *:80>
        DocumentRoot "/var/www/bdqn.com/"
        ServerName www.bdqn.com
        ErrorLog "logs/www.bdqn.com.error_log"
        CustomLog "logs/www.bdqn.com.access_log" common
    </VirtualHost>
    <VirtualHost *:80>
        DocumentRoot "/var/www/benet.com/"
        ServerName www.benet.com
        ErrorLog "logs/www.benet.com.error_log"
        CustomLog "logs/www.benet.com.access_log" common
    </VirtualHost>
    [root@centos01 ~]# systemctl restart httpd

8. Verify access from the client

IV. Configure virtual hosts based on IP address

1. Copy a new network card configuration

    [root@centos01 ~]# cp /etc/sysconfig/network-scripts/ifcfg-ens32 /etc/sysconfig/network-scripts/ifcfg-ens32:1
    [root@centos01 network-scripts]# vim ifcfg-ens32:1
    ...
    NAME=ens32:1
    DEVICE=ens32:1
    ONBOOT=yes
    IPADDR=192.168.100.20
    NETMASK=255.255.255.0
    DNS1=192.168.100.10
    [root@centos01 ~]# systemctl restart network

2. Configure the IP address-based virtual hosts

    [root@centos01 ~]# vim /usr/local/httpd/conf/extra/httpd-vhosts.conf
    NameVirtualHost www.bdqn.com:80
    NameVirtualHost www.benet.com:80
    # <Directory> path assumed: the parent of the two site directories
    <Directory "/var/www">
        Order deny,allow
        Allow from all
    </Directory>
    # <VirtualHost> addresses assumed: one site per interface address configured above
    <VirtualHost 192.168.100.10:80>
        DocumentRoot "/var/www/bdqn.com/"
        ServerName www.bdqn.com
        ErrorLog "logs/www.bdqn.com.error_log"
        CustomLog "logs/www.bdqn.com.access_log" common
    </VirtualHost>
    <VirtualHost 192.168.100.20:80>
        DocumentRoot "/var/www/benet.com/"
        ServerName www.benet.com
        ErrorLog "logs/www.benet.com.error_log"
        CustomLog "logs/www.benet.com.access_log" common
    </VirtualHost>
    [root@centos01 ~]# systemctl restart httpd

3. Verify access from the client

V. Configure virtual hosts based on port number

1. Modify the Apache main configuration file

    [root@centos01 ~]# vi /usr/local/httpd/conf/httpd.conf
    Listen 80
    Listen 8080

2. Configure the port-based virtual hosts

    [root@centos01 ~]# vim /usr/local/httpd/conf/extra/httpd-vhosts.conf
    NameVirtualHost www.bdqn.com:80
    NameVirtualHost www.benet.com:80
    # <Directory> path assumed: the parent of the two site directories
    <Directory "/var/www">
        Order deny,allow
        Allow from all
    </Directory>
    # <VirtualHost> addresses assumed: same IP address, one site per Listen port
    <VirtualHost 192.168.100.10:80>
        DocumentRoot "/var/www/bdqn.com/"
        ServerName www.bdqn.com
        ErrorLog "logs/www.bdqn.com.error_log"
        CustomLog "logs/www.bdqn.com.access_log" common
    </VirtualHost>
    <VirtualHost 192.168.100.10:8080>
        DocumentRoot "/var/www/benet.com/"
        ServerName www.benet.com
        ErrorLog "logs/www.benet.com.error_log"
        CustomLog "logs/www.benet.com.access_log" common
    </VirtualHost>
    [root@centos01 ~]# systemctl restart httpd

3. Verify access from the client
