前言:
而今姐妹们对“apachephp权限设置”都比较讲究,同学们都需要知道一些“apachephp权限设置”的相关知识。那么小编也在网络上汇集了一些关于“apachephp权限设置””的相关文章,希望看官们能喜欢,朋友们一起来学习一下吧!Apache是世界使用排名第一的Web服务器软件.它可以运行在几乎所有广泛使用的计算机平台上,由于其跨平台和安全性被广泛使用,是最流行的Web服务器端软件之一.它快速、可靠并且可通过简单的API扩充,将Perl/Python等解释器编译到服务器中.同时Apache音译为阿帕奇,是北美印第安人的一个部落,叫阿帕奇族,在美国的西南部.也是一个基金会的名称、一种武装直升机等等.
配置Apache访问控制
Apache可以基于原主机名,原IP地址,或原主机上的浏览器特征,对网站上的资源进行访问控制,它通过Allow指令允许某个主机访问服务器上的网站资源,通过Deny指令实现禁止访问,还可以给指定的页面添加密码认证.
基于用户名密码的认证: 当我们打开指定网页时,会提示需要输入密码才能访问,这就是密码认证技术.
1.通过Yum仓库快速安装apache服务程序.
[root@localhost ~]# yum install -y apr apr-util httpdLoaded plugins: product-id, search-disabled-repos, subscription-managerThis system is not registered with an entitlement server. You can use subscription-manager.Package apr-1.4.8-3.el7_4.1.x86_64 already installed and latest versionPackage apr-util-1.5.2-6.el7.x86_64 already installed and latest versionPackage httpd-2.4.6-80.el7.x86_64 already installed and latest versionNothing to do
2.编辑Apache主配置文件,在相应的区域中加入以下标★语句.
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf146 #147 # AllowOverride controls what directives may be placed in .htaccess files.148 # It can be "All", "None", or any combination of the keywords:149 # Options FileInfo AuthConfig Limit150 #★ AllowOverride all #修改为 AllowOverride all152 153 #154 # Controls who can get stuff from this server.155 #
3.在要添加认证的网页文件下创建 .htaccess 文件,并覆盖写入以下内容.
[root@localhost ~]# echo "hello admin" > /var/www/html/index.html[root@localhost ~]# vim /var/www/html/.htaccessauthname "welcome to admin" #欢迎提示信息authtype basic #认证类型authuserfile /var/www/html/login.psd #认证文件存放位置require valid-user #除认证用户其他用户不允许登陆
4.借助Apache的工具生成密码文件,此处的用户名密码就是访问网页时的号码.
[root@localhost ~]# htpasswd -c /var/www/html/login.psd lyshark #创建认证用户(覆盖)[root@localhost ~]# htpasswd -m /var/www/html/login.psd lyshark #写入认证用户(追加)
5.重启Apache服务,并访问页面测试即可.
[root@localhost ~]# systemctl restart httpd
基于IP地址的身份认证: 打开指定网页时,会判断您的IP地址是允许访问还是拒绝访问,这就是基于IP的认证技术.
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf121 #122 # Relax access to content within /var/ #124 <Directory "/var/www/html">125 126 Order allow,deny127 deny from 192.168.1.8 #允许和拒绝,只需要修改from前面字段.128 require all granted129 </Directory>130 131 # Further relax access to the default document root:开启Apache个人主页
如果想为每个系统独立的用户建立一个网站,通常情况先是基于虚拟主机的功能来部署多个网站,但是这样工作量实在太大,还好Apache为我们提供了个人主页功能,以下实验将实现给予不同的用户一个单独的网页空间,实现每个人可以有自己的空间,类似QQ空间.
1.首先编辑配置文件,修改UserDir disabled注释掉本行,同时开启UserDir public_html,保存退出即可.
[root@localhost ~]# vim /etc/httpd/conf.d/userdir.conf 14 # of a username on the system (depending on home directory 15 # permissions). 16 # 17 # UserDir disabled #注释掉本行 18 ...... 20 # To enable requests to /~user/ to serve the user's public_html 21 # directory, remove the "UserDir disabled" line above, and uncomment 22 # the following line instead: 23 # 24 UserDir public_html #开启本行注释 25 </IfModule>
2.创建一个测试用户,并在其家目录创建一个public_html目录,设置相应的权限.
[root@localhost ~]# useradd lyshark[root@localhost ~]# echo "123123" |passwd --stdin lysharkChanging password for user lyshark.passwd: all authentication tokens updated successfully.[root@localhost ~]# mkdir -p /home/lyshark/public_html[root@localhost ~]# echo "hello admin" > /home/lyshark/public_html/index.html[root@localhost ~]# chmod 755 -R /home/lyshark/
3.紧接着我们配置SeLinux安全上下文.
[root@localhost home]# ls -lZdrwxr-xr-x. lyshark lyshark unconfined_u:object_r:user_home_dir_t:s0 lyshark[root@localhost home]# ls -lZ /var/www/drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html[root@localhost home]# yum provides semanage[root@localhost home]# yum install -y policycoreutils-python-2.5-22.el7.x86_64Loaded plugins: product-id, search-disabled-repos, subscription-managerThis system is not registered with an entitlement server. You can use subscription-manager.Package policycoreutils-python-2.5-22.el7.x86_64 already installed and latest versionNothing to do[root@localhost home]# semanage fcontext -a -t httpd_sys_content_t /home/lyshark/[root@localhost home]# restorecon -Rv /home/lyshark/[root@localhost home]# restorecon -Rv /home/lyshark/*root@localhost home]# getsebool -a |grep httpd_enablehttpd_enable_cgi --> onhttpd_enable_ftp_server --> offhttpd_enable_homedirs --> off[root@localhost home]# setsebool -P httpd_enable_homedirs=1[root@localhost home]# setsebool httpd_enable_homedirs=1
4.重启Apache服务测试效果.
[root@localhost ~]# systemctl restart httpd[root@localhost ~]# elinks基于IP的虚拟主机
如果一台服务器有多个IP地址,而且每个IP地址与服务器上部署的每个网站对应,这样当用户请求访问不同的IP时,会访问到不同网站的页面资源,而且每个网站都有一个独立的IP地址,以下实验将实现在一台服务器上配置多个IP,搭建多个网站,每个网站使用一个IP地址.
1.通过Yum仓库快速安装apache服务程序.
[root@localhost ~]# yum install -y apr apr-util httpdLoaded plugins: product-id, search-disabled-repos, subscription-managerThis system is not registered with an entitlement server. You can use subscription-manager.Package apr-1.4.8-3.el7_4.1.x86_64 already installed and latest versionPackage apr-util-1.5.2-6.el7.x86_64 already installed and latest versionPackage httpd-2.4.6-80.el7.x86_64 already installed and latest versionNothing to do
2.首先在主IP地址上配置一个子接口.
[root@localhost ~]# ifconfig ens32:0 192.168.1.20 netmask 255.255.255.0[root@localhost ~]# ifconfigens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe8::89c:d2d:cd5:b9ec prefixlen 64 scopeid 0x20<link> ether 01:0c:89:b1:b7:be txqueuelen 1000 (Ethernet) RX packets 1237 bytes 82607 (80.6 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 184 bytes 24411 (23.8 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0ens32:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.20 netmask 255.255.255.0 broadcast 192.168.1.255 ether 00:0c:29:b1:b1:be txqueuelen 1000 (Ethernet)lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 196 bytes 16656 (16.2 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 196 bytes 16656 (16.2 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
3.在/var/www/html目录下创建连个子目录,分别对应两个IP地址.
[root@localhost ~]# mkdir -p /var/www/html/vhost1[root@localhost ~]# mkdir -p /var/www/html/vhost2[root@localhost ~]# echo "vhost 1" > /var/www/html/vhost1/index.html[root@localhost ~]# echo "vhost 2" > /var/www/html/vhost2/index.html
4.修改apache主配置文件,分别添加两个主机区域.
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf 76 # All of these directives may appear inside <VirtualHost> containers, 77 # in which case these default settings will be overridden for the 78 # virtual host being defined. 79 # 80 81 <VirtualHost 192.168.1.10:80> 82 DocumentRoot /var/www/html/vhost1 83 ServerName localhost 84 <Directory /var/www/html/vhost1> 85 AllowOverride None 86 Require all granted 87 </Directory> 88 </VirtualHost> 89 <VirtualHost 192.168.1.20:80> 90 DocumentRoot /var/www/html/vhost2 91 ServerName localhost 92 <Directory /var/www/html/vhost2> 93 AllowOverride None 94 Require all granted 95 </Directory> 96 </VirtualHost> 97
5.重启一下apache服务,并访问测试即可.
[root@localhost ~]# systemctl restart httpd[root@localhost ~]# curl 192.168.1.10vhost 1[root@localhost ~]# curl 192.168.1.20vhost 2基于端口的虚拟主机
基于端口的虚拟主机,可以让用户通过端口号,来访问服务器上的资源,在使用Apache配置虚拟网站时,基于端口的配置方式最为复杂,以下实验将实现在一台服务器上配置多个端口,搭建多个网站,每个网站使用一个端口.
1.修改Apache主配置文件,修改两处位置.
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf 38 # Change this to Listen on specific IP addresses as shown below to 39 # prevent Apache from glomming onto all bound IP addresses. 40 # 41 #Listen 12.34.56.78:80 42 Listen 80 43 Listen 8080..... 76 # All of these directives may appear inside <VirtualHost> containers, 77 # in which case these default settings will be overridden for the 78 # virtual host being defined. 79 # 80 81 <VirtualHost 192.168.1.10:80> 82 DocumentRoot /var/www/html/vhost1 83 ServerName localhost 84 <Directory /var/www/html/vhost1> 85 AllowOverride None 86 Require all granted 87 </Directory> 88 </VirtualHost> 89 <VirtualHost 192.168.1.10:8080> 90 DocumentRoot /var/www/html/vhost2 91 ServerName localhost 92 <Directory /var/www/html/vhost2> 93 AllowOverride None 94 Require all granted 95 </Directory> 96 </VirtualHost>
2.在/var/www/html目录下创建连个子目录,分别对应两个端口地址.
[root@localhost ~]# mkdir -p /var/www/html/vhost1[root@localhost ~]# mkdir -p /var/www/html/vhost2[root@localhost ~]# echo "vhost 1" > /var/www/html/vhost1/index.html[root@localhost ~]# echo "vhost 2" > /var/www/html/vhost2/index.html
3.重启一下apache服务,并访问测试即可.
[root@localhost ~]# systemctl restart httpd[root@localhost ~]# curl 192.168.1.10:80vhost 1[root@localhost ~]# curl 192.168.1.10:8080vhost 2基于域名的虚拟主机
当服务器无法为每一个网站分配一个独立的IP的时候,可以尝试让Apache自动识别用户请求的域名,从而根据不同的域名请求来传输不同的内容,这里我们为了验证实验要手动搭建一个DNS解析,以下实验将实现在一台服务器上多个域名,搭建多个网站,每个网站使用一个域名.
1.首先搭建DNS域名解析,模拟vhost1.com与vhost2.com两个网站域名.
[root@localhost ~]# yum install -y bind bind-chrootLoaded plugins: product-id, search-disabled-repos, subscription-managerThis system is not registered with an entitlement server. You can use subscription-manager.Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest versionPackage 32:bind-chroot-9.9.4-61.el7.x86_64 already installed and latest versionNothing to do
2.配置DNS解析,这里我们简单配置即可,有关DNS详细例子请查看其他相关文章.
[root@localhost ~]# vim /etc/named.conf 12 options { 13 listen-on port 53 { any; }; 14 listen-on-v6 port 53 { ::1; }; 15 directory "/var/named"; 16 dump-file "/var/named/data/cache_dump.db"; 17 statistics-file "/var/named/data/named_stats.txt"; 18 memstatistics-file "/var/named/data/named_mem_stats.txt"; 19 allow-query { any; };[root@localhost ~]# vim /etc/named.rfc1912.zones 43 zone "vhost1.com" IN { 44 type master; 45 file "vhost1.com.zone"; 46 allow-update { none; }; 47 }; 48 zone "vhost2.com" IN { 49 type master; 50 file "vhost2.com.zone"; 51 allow-update { none; }; 52 };
3.拷贝配置文件,并修改成以下模样,并重启Bind
[root@localhost ~]# cp -a /var/named/named.localhost /var/named/vhost1.com.zone[root@localhost ~]# cp -a /var/named/named.localhost /var/named/vhost2.com.zone[root@localhost ~]# vim /var/named/vhost1.com.zone$TTL 1D@ IN SOA dns.vhost1.com. rname.invalid. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS dns.vhost1.com.dns A 127.0.0.1www A 192.168.1.10[root@localhost ~]# vim /var/named/vhost2.com.zone$TTL 1D@ IN SOA dns.vhost2.com. rname.invalid. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS dns.vhost2.com.dns A 127.0.0.1www A 192.168.1.10[root@localhost ~]# systemctl restart named
4.修改Apache主配置文件,修改两处位置.
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf 76 # All of these directives may appear inside <VirtualHost> containers, 77 # in which case these default settings will be overridden for the 78 # virtual host being defined. 79 # 80 81 <VirtualHost *:80> 82 DocumentRoot /var/www/html/vhost1 83 ServerName 84 <Directory /var/www/html/vhost1> 85 AllowOverride None 86 Require all granted 87 </Directory> 88 </VirtualHost> 89 <VirtualHost *:80> 90 DocumentRoot /var/www/html/vhost2 91 ServerName 92 <Directory /var/www/html/vhost2> 93 AllowOverride None 94 Require all granted 95 </Directory> 96 </VirtualHost>
5.在/var/www/html目录下创建连个子目录,分别对应两个域名地址.
[root@localhost ~]# mkdir -p /var/www/html/vhost1[root@localhost ~]# mkdir -p /var/www/html/vhost2[root@localhost ~]# echo "vhost 1" > /var/www/html/vhost1/index.html[root@localhost ~]# echo "vhost 2" > /var/www/html/vhost2/index.html
6.重启一下apache服务,并访问测试即可.
[root@localhost ~]# systemctl restart httpd[root@localhost ~]# curl 1[root@localhost ~]# curl 2配置HTTPS/SSL加密
在生产环境中,我们需要让我们的网站更加的安全,多数情况下我们会开启https的加密认证,来保证数据传输的安全性,下面实验将实现启动SSL证书,也就是https认证,端口为443.
1.建立服务器私钥,过程中需要输入密码.
[root@localhost ~]# openssl genrsa -des3 -out server.key 1024----------------------------------------------------------------------------注释: Genrsa –des3 #加密类型 -out server.key #输出文件 -1024 #加密长度----------------------------------------------------------------------------
2.建立证书,生成的csr文件交给CA签名后形成服务端自己的证书.
[root@localhost ~]# openssl req -new -key server.key -out server.csr----------------------------------------------------------------------------注释: req -new #新建证书 -key server.key #私钥文件 -out server.csr #输出文件注:依次输入:国家 省 市 组织 机构 全称 EMAIL 是否要改变密码 是否改名称----------------------------------------------------------------------------
3.转化成证书,这一步由证书CA机构来做的,这里只是实验.
[root@localhost ~]# openssl x509 -req -days 365 -sha256 -in server.csr -signkey server.key -out servernew.crt
4.将生成的证书文件拷贝到/etc/http/conf目录下,并配置好权限.
[root@localhost ~]# cp -a server.crt /etc/httpd/conf[root@localhost ~]# cp -a server.key /etc/httpd/conf
5.创建一个配置文件,并写入以下内容,开启SSL的支持.
[root@localhost ~]# vim /etc/httpd/conf.d/ssl.confListen 443 httpsSSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialogSSLSessionCache shmcb:/run/httpd/sslcache(512000)SSLSessionCacheTimeout 300SSLRandomSeed startup file:/dev/urandom 256SSLRandomSeed connect builtinSSLCryptoDevice builtin<VirtualHost _default_:443>ErrorLog logs/ssl_error_logTransferLog logs/ssl_access_logLogLevel warnSSLEngine onSSLProtocol all -SSLv2SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5SSLCertificateFile /etc/pki/tls/certs/localhost.crtSSLCertificateKeyFile /etc/pki/tls/private/localhost.key#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt<Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars</Files><Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars</Directory>BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"</VirtualHost>
标签: #apachephp权限设置