zoukankan      html  css  js  c++  java

  • Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

          Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

                                                    作者:尹正杰

    版权声明:原创作品,谢绝转载!否则将追究法律责任。

    一.Options 

    1>.OPTIONS指令概述

    Options:后跟1个或多个以空白字符分隔的选项列表
  在选项前的+,- 表示增加或删除指定选项
  常见选项:
    Indexes:
          指明的URL路径下不存在与定义的主页面资源相符的资源文件时,返回索引列表给用户
    FollowSymLinks:
          允许访问符号链接文件所指向的源文件
    None:
          全部禁用
    All: 
          全部允许

    2>.官方文档案例

    3>.实战案例

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
DocumentRoot "/data/www/html"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
    DirectoryIndex info.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
ServerRoot "/etc/httpd"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
IncludeOptional conf.d/*.conf
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cp -ar /tmp/ /data/www/html/
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ln -s /etc/ /data/www/html/etcDir
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
total 4
lrwxrwxrwx  1 root root   5 Dec  8 06:50 etcDir -> /etc/
-rw-r--r--  1 root root  15 Dec  7 20:07 index.html
drwxrwxrwt. 9 root root 218 Dec  8 06:49 tmp
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/options.conf
<Directory "/data/www/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
[root@node101.yinzhengjie.org.cn ~]#

    二.AllowOverride

    1>.AllowOverride指令概述

      与访问控制相关的哪些指令可以放在指定目录下的.htaccess(由AccessFileName指定)文件中,覆盖之前的配置指令
    
  只对    <directory>语句有效
    AllowOverride All: 
          .htaccess中所有指令都有效
    AllowOverride None: 
          .htaccess 文件无效
    AllowOverride AuthConfig Indexes 
          除了AuthConfig和Indexes的其它指令都无法覆盖

    2>.官方文档案例

    3>.实战案例

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
DocumentRoot "/data/www/html"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
    DirectoryIndex info.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
ServerRoot "/etc/httpd"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
IncludeOptional conf.d/*.conf
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/allowOverride.conf 
<Directory "/data/www/html">
    AllowOverride all
    Require all granted
</Directory>
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/.htaccess
Options Indexes
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
total 4
lrwxrwxrwx  1 root root   5 Dec  8 06:50 etcDir -> /etc/
-rw-r--r--  1 root root  15 Dec  7 20:07 index.html
drwxrwxrwt. 9 root root 218 Dec  8 06:49 tmp
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
[root@node101.yinzhengjie.org.cn ~]#

    三.基于IP的访问控制

    1>.Require指令概述

      无明确授权的目录,默认拒绝
  允许所有主机访问:Require all granted
  拒绝所有主机访问:Require all denied
  控制特定的IP访问:
    Require ip IPADDR:授权指定来源的IP访问
    Require not ip IPADDR:拒绝特定的IP访问
  控制特定的主机访问:
    Require host HOSTNAME:授权特定主机访问
    Require not host HOSTNAME:拒绝 
      HOSTNAME:
    FQDN:特定主机
    domin.tld:指定域名下的所有主机

  不能有失败,至少有一个成功匹配才成功,即失败优先
        <RequireAll>
      Require all granted
      Require not ip 172.16.1.1   #拒绝特定IP
    </RequireAll>

      多个语句有一个成功,则成功,即成功优先
        <RequireAny>
      Require all denied
      require ip 172.16.1.1     #允许特定IP
    </RequireAny>

    2>.实战案例-"RequireAll"标签

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
DocumentRoot "/data/www/html"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
    DirectoryIndex info.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
ServerRoot "/etc/httpd"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
IncludeOptional conf.d/*.conf
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/require.conf
<Directory "/data/www/html">
    <RequireAll>
        Require all granted            #此处我们允许所有人都可以访问服务器
        Require not ip 172.30.1.254       #但是唯独拒绝IP为"172.30.1.254"的IP地址来访问咱们的服务器
    </RequireAll>
</Directory>
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
total 8
-rw-r--r-- 1 root root 15 Dec  7 20:07 index.html
-rw-r--r-- 1 root root 31 Dec  8 07:36 info.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/index.html 
/data/www/html
[root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/info.html 
<h1>尹正杰到此一游</h1>
[root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
[root@node101.yinzhengjie.org.cn ~]#

    3>.实战案例-"RequireAny"标签

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
DocumentRoot "/data/www/html"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
    DirectoryIndex info.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
ServerRoot "/etc/httpd"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
IncludeOptional conf.d/*.conf
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/require.conf
<Directory "/data/www/html">
    <RequireAny>
        Require all denied              #此处我们拒绝所有人访问服务器
        Require ip 172.30.1.254            #但我们唯独允许IP为"172.30.1.254"的IP地址可以访问服务器
    </RequireAny>
</Directory>
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# httpd -t
Syntax OK
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
[root@node101.yinzhengjie.org.cn ~]#

    4>.实战案例-实现子目录的权限控制

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
DocumentRoot "/data/www/html"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
    DirectoryIndex info.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
ServerRoot "/etc/httpd"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
IncludeOptional conf.d/*.conf
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/require.conf
<Directory "/data/www/html">
    <RequireAny>
        Require all denied
        Require ip 172.30.1.254                         #只允许IP地址为"172.30.1.254"的客户端访问"/data/www/html"根目录
    </RequireAny>
</Directory>

<Directory "/data/www/html/news">                        #虽然上面允许访问"/data/www/html"目录,但是咱们并不允许它访问news子目录,我们这里将所有的子目录都拒绝啦~
    Require all denied
</Directory>
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# mkdir /data/www/html/news
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# echo "<h1>https://www.cnblogs.com/yinzhengjie/<h1>" > /data/www/html/news/blog.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# httpd -t                 #检查配置文件的语法格式是否正确
Syntax OK
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd        #要先检查语法再重新加载配置文件哟~别上来就直接加载配置文件,否则可能导致服务无法正常启动~
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
total 8
-rw-r--r-- 1 root root 15 Dec 7 20:07 index.html
-rw-r--r-- 1 root root 31 Dec 8 07:36 info.html
drwxr-xr-x 2 root root 23 Dec 8 08:03 news
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/news/
total 4
-rw-r--r-- 1 root root 45 Dec 8 08:03 blog.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/info.html 
<h1>尹正杰到此一游</h1>
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/index.html 
/data/www/html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/news/blog.html 
<h1>https://www.cnblogs.com/yinzhengjie/<h1>
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
  • 相关阅读:
    SET TRANSACTION
    SET SESSION AUTHORIZATION
    SET CONSTRAINTS
    SET
    services
    send, sendto, sendmsg
    并列句分析
    cURL 学习笔记与总结(3)模拟登录博客园并下载个人随笔首页
    SQLServer2019安装教程
    Java实现 LeetCode 85 最大矩形
  • 原文地址:https://www.cnblogs.com/yinzhengjie/p/12003910.html
Copyright © 2011-2022 走看看