
          Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

                                                    作者:尹正杰

    版权声明:原创作品,谢绝转载!否则将追究法律责任。

    一.Options 

    1>.OPTIONS指令概述

    Options:后跟1个或多个以空白字符分隔的选项列表
      在选项前的+,- 表示增加或删除指定选项
      常见选项:
        Indexes:
          指明的URL路径下不存在与定义的主页面资源相符的资源文件时,返回索引列表给用户
        FollowSymLinks:
          允许访问符号链接文件所指向的源文件(注意:链接指向的目标同样会被对外提供,例如下文把/etc链接到站点根目录后,其中的文件即可通过Web读取,生产环境应谨慎开启)
        None:
          全部禁用
        All:
          全部允许

    2>.官方文档案例

    3>.实战案例

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
    DocumentRoot "/data/www/html"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
        DirectoryIndex info.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
    ServerRoot "/etc/httpd"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
    IncludeOptional conf.d/*.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cp -ar /tmp/ /data/www/html/
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ln -s /etc/ /data/www/html/etcDir
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
    total 4
    lrwxrwxrwx  1 root root   5 Dec  8 06:50 etcDir -> /etc/
    -rw-r--r--  1 root root  15 Dec  7 20:07 index.html
    drwxrwxrwt. 9 root root 218 Dec  8 06:49 tmp
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/options.conf
    <Directory "/data/www/html">
        Options Indexes FollowSymLinks
        Require all granted
    </Directory>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
    [root@node101.yinzhengjie.org.cn ~]# 

    二.AllowOverride

    1>.AllowOverride指令概述

      指定与访问控制相关的哪些指令可以放在指定目录下的.htaccess(由AccessFileName指定)文件中,以覆盖之前的配置指令
      只对<Directory>语句有效
        AllowOverride All:
          .htaccess中所有指令都有效
        AllowOverride None:
          .htaccess 文件无效
        AllowOverride AuthConfig Indexes:
          除了AuthConfig和Indexes之外的其它指令都无法覆盖

    2>.官方文档案例

    3>.实战案例

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
    DocumentRoot "/data/www/html"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
        DirectoryIndex info.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
    ServerRoot "/etc/httpd"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
    IncludeOptional conf.d/*.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/allowOverride.conf 
    <Directory "/data/www/html">
        AllowOverride all
        Require all granted
    </Directory>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/.htaccess
    Options Indexes
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
    total 4
    lrwxrwxrwx  1 root root   5 Dec  8 06:50 etcDir -> /etc/
    -rw-r--r--  1 root root  15 Dec  7 20:07 index.html
    drwxrwxrwt. 9 root root 218 Dec  8 06:49 tmp
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
    [root@node101.yinzhengjie.org.cn ~]# 

    三.基于IP的访问控制

    1>.Require指令概述

      无明确授权的目录,默认拒绝
      允许所有主机访问:Require all granted
      拒绝所有主机访问:Require all denied
      控制特定的IP访问:
        Require ip IPADDR:授权指定来源的IP访问
        Require not ip IPADDR:拒绝特定的IP访问
      控制特定的主机访问:
        Require host HOSTNAME:授权特定主机访问
        Require not host HOSTNAME:拒绝特定主机访问
      HOSTNAME的形式:
        FQDN:特定主机
        domain.tld:指定域名下的所有主机
      <RequireAll>:不能有任何一条失败,且至少有一条成功匹配才算成功,即失败优先
    <RequireAll>
      Require all granted
      Require not ip 172.16.1.1   #拒绝特定IP
    </RequireAll>
      <RequireAny>:多条语句中只要有一条成功,则成功,即成功优先
    <RequireAny>
      Require all denied
      require ip 172.16.1.1     #允许特定IP
    </RequireAny>

    2>.实战案例-"RequireAll"标签

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
    DocumentRoot "/data/www/html"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
        DirectoryIndex info.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
    ServerRoot "/etc/httpd"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
    IncludeOptional conf.d/*.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/require.conf
    <Directory "/data/www/html">
        <RequireAll>
            Require all granted            #此处我们允许所有人都可以访问服务器
            Require not ip 172.30.1.254       #但是唯独拒绝IP为"172.30.1.254"的IP地址来访问咱们的服务器
        </RequireAll>
    </Directory>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
    total 8
    -rw-r--r-- 1 root root 15 Dec  7 20:07 index.html
    -rw-r--r-- 1 root root 31 Dec  8 07:36 info.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/index.html 
    /data/www/html
    [root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/info.html 
    <h1>尹正杰到此一游</h1>
    [root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
    [root@node101.yinzhengjie.org.cn ~]# 

    3>.实战案例-"RequireAny"标签

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
    DocumentRoot "/data/www/html"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
        DirectoryIndex info.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
    ServerRoot "/etc/httpd"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
    IncludeOptional conf.d/*.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/require.conf
    <Directory "/data/www/html">
        <RequireAny>
            Require all denied              #此处我们拒绝所有人访问服务器
            Require ip 172.30.1.254            #但我们唯独允许IP为"172.30.1.254"的IP地址可以访问服务器
        </RequireAny>
    </Directory>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# httpd -t
    Syntax OK
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
    [root@node101.yinzhengjie.org.cn ~]# 

    4>.实战案例-实现子目录的权限控制

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
    DocumentRoot "/data/www/html"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
        DirectoryIndex info.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
    ServerRoot "/etc/httpd"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
    IncludeOptional conf.d/*.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/require.conf
    <Directory "/data/www/html">
        <RequireAny>
            Require all denied
            Require ip 172.30.1.254                         #只允许IP地址为"172.30.1.254"的客户端访问"/data/www/html"根目录
        </RequireAny>
    </Directory>
    
    <Directory "/data/www/html/news">                        #虽然上面允许访问"/data/www/html"目录,但是咱们并不允许它访问news子目录,我们这里将所有的子目录都拒绝啦~
        Require all denied
    </Directory>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# mkdir /data/www/html/news
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# echo "<h1>https://www.cnblogs.com/yinzhengjie/<h1>" > /data/www/html/news/blog.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# httpd -t                 #检查配置文件的语法格式是否正确
    Syntax OK
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd        #要先检查语法再重新加载配置文件哟~别上来就直接加载配置文件,否则可能导致服务无法正常启动~
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
    total 8
    -rw-r--r-- 1 root root 15 Dec 7 20:07 index.html
    -rw-r--r-- 1 root root 31 Dec 8 07:36 info.html
    drwxr-xr-x 2 root root 23 Dec 8 08:03 news
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/news/
    total 4
    -rw-r--r-- 1 root root 45 Dec 8 08:03 blog.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/info.html 
    <h1>尹正杰到此一游</h1>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/index.html 
    /data/www/html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/news/blog.html 
    <h1>https://www.cnblogs.com/yinzhengjie/<h1>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]#
