
          Httpd Service Fundamentals - Common Httpd Configuration Cases: Access Control Based on the Client's Source Address

                                                    Author: 尹正杰 (Yin Zhengjie)

    Copyright notice: original work, reproduction prohibited! Violators will be held legally responsible.

    I. Options

    1>. Overview of the Options directive

    Options: followed by one or more whitespace-separated options
      A + or - in front of an option adds or removes that option
      Common options:
        Indexes: when the given URL path contains no resource matching the configured index page, return a directory listing to the user
        FollowSymLinks: allow access to the file a symbolic link points to
        None: disable all options
        All: enable all options

    2>. Example from the official documentation

    3>. Hands-on example

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
    DocumentRoot "/data/www/html"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
        DirectoryIndex info.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
    ServerRoot "/etc/httpd"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
    IncludeOptional conf.d/*.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cp -ar /tmp/ /data/www/html/
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ln -s /etc/ /data/www/html/etcDir
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
    total 4
    lrwxrwxrwx  1 root root   5 Dec  8 06:50 etcDir -> /etc/
    -rw-r--r--  1 root root  15 Dec  7 20:07 index.html
    drwxrwxrwt. 9 root root 218 Dec  8 06:49 tmp
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/options.conf
    <Directory "/data/www/html">
        Options Indexes FollowSymLinks
        Require all granted
    </Directory>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
    [root@node101.yinzhengjie.org.cn ~]# 
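The hands-on case above serves a symlink to /etc and a copy of the world-writable /tmp with Indexes and FollowSymLinks enabled, which is exactly what an auditor wants to catch before a listing reveals it. The following Python script is an added example, not part of the original post: it walks a DocumentRoot and reports symlinks that resolve outside it and world-writable directories, using a constructed directory tree that mirrors the post's ls output (the temporary paths, the stand-in directory for /etc and the function names are assumptions).

```python
import os
import tempfile

def audit_docroot(docroot):
    """Report what 'Options Indexes FollowSymLinks' would expose under docroot:
    symlinks resolving outside it and world-writable directories. Returns a
    sorted list of (kind, relative_path, detail). The walk itself never follows
    symlinks, so a link to / does not drag it across the whole filesystem."""
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                target = os.path.realpath(full)
                if target != root and not target.startswith(root + os.sep):
                    findings.append(("symlink-escape", rel, target))
            elif os.path.isdir(full) and os.lstat(full).st_mode & 0o002:
                findings.append(("world-writable-dir", rel, oct(os.lstat(full).st_mode & 0o777)))
    return sorted(findings)

def build_sample_docroot():
    """Constructed tree mirroring the post's ls output: index.html, a 1777 'tmp'
    copy and an 'etcDir' link whose target (a stand-in for /etc) lies outside."""
    outside = tempfile.mkdtemp(prefix="outside-")  # assumption: plays the role of /etc
    root = tempfile.mkdtemp(prefix="docroot-")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("/data/www/html\n")
    os.mkdir(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)    # the mode 'cp -ar /tmp/' preserves
    os.symlink(outside, os.path.join(root, "etcDir"))
    os.mkdir(os.path.join(root, "news"), 0o755)    # ordinary directory, must not be reported
    return root

if __name__ == "__main__":
    for kind, rel, detail in audit_docroot(build_sample_docroot()):
        print(f"{kind:20} {rel:8} -> {detail}")
```

Where links are genuinely needed, Options SymLinksIfOwnerMatch makes httpd follow only links whose owner matches the target's owner, and Indexes is best left off unless a listing is intended.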

    II. AllowOverride

    1>. Overview of the AllowOverride directive

      Specifies which access-control-related directives may be placed in the .htaccess file (named by AccessFileName) of a given directory to override earlier configuration directives
      Only valid inside <Directory> sections
        AllowOverride All: every directive in .htaccess takes effect
        AllowOverride None: the .htaccess file is ignored
        AllowOverride AuthConfig Indexes: only AuthConfig and Indexes directives may be overridden; all other directives cannot

    2>. Example from the official documentation

    3>. Hands-on example

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
    DocumentRoot "/data/www/html"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
        DirectoryIndex info.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
    ServerRoot "/etc/httpd"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
    IncludeOptional conf.d/*.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/allowOverride.conf 
    <Directory "/data/www/html">
        AllowOverride all
        Require all granted
    </Directory>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/.htaccess
    Options Indexes
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
    total 4
    lrwxrwxrwx  1 root root   5 Dec  8 06:50 etcDir -> /etc/
    -rw-r--r--  1 root root  15 Dec  7 20:07 index.html
    drwxrwxrwt. 9 root root 218 Dec  8 06:49 tmp
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
    [root@node101.yinzhengjie.org.cn ~]# 

    III. IP-based access control

    1>. Overview of the Require directive

      Directories without explicit authorization are denied by default
      Allow all hosts: Require all granted
      Deny all hosts: Require all denied
      Control access from specific IPs:
        Require ip IPADDR: grant access to the given source IP
        Require not ip IPADDR: deny access from the given IP
      Control access from specific hosts:
        Require host HOSTNAME: grant access to the given host
        Require not host HOSTNAME: deny access from the given host
      HOSTNAME can be:
        FQDN: a specific host
        domain.tld: every host under the given domain
      <RequireAll>: no directive may fail and at least one must match for the block to succeed, i.e. failure takes precedence
        <RequireAll>
            Require all granted
            # deny a specific IP
            Require not ip 172.16.1.1
        </RequireAll>
      <RequireAny>: if any one directive succeeds the block succeeds, i.e. success takes precedence
        <RequireAny>
            Require all denied
            # allow a specific IP
            Require ip 172.16.1.1
        </RequireAny>

    2>. Hands-on example: the "RequireAll" block

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
    DocumentRoot "/data/www/html"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
        DirectoryIndex info.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
    ServerRoot "/etc/httpd"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
    IncludeOptional conf.d/*.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/require.conf
    <Directory "/data/www/html">
        <RequireAll>
            # Allow everyone to access the server...
            Require all granted
            # ...except the single client whose IP address is "172.30.1.254"
            Require not ip 172.30.1.254
        </RequireAll>
    </Directory>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
    total 8
    -rw-r--r-- 1 root root 15 Dec  7 20:07 index.html
    -rw-r--r-- 1 root root 31 Dec  8 07:36 info.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/index.html 
    /data/www/html
    [root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/info.html 
    <h1>尹正杰到此一游</h1>
    [root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
    [root@node101.yinzhengjie.org.cn ~]# 

    3>. Hands-on example: the "RequireAny" block

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
    DocumentRoot "/data/www/html"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
        DirectoryIndex info.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
    ServerRoot "/etc/httpd"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
    IncludeOptional conf.d/*.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/require.conf
    <Directory "/data/www/html">
        <RequireAny>
            # Deny everyone access to the server...
            Require all denied
            # ...except the single client whose IP address is "172.30.1.254"
            Require ip 172.30.1.254
        </RequireAny>
    </Directory>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# httpd -t
    Syntax OK
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
    [root@node101.yinzhengjie.org.cn ~]# 

    4>. Hands-on example: access control on a subdirectory

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
    DocumentRoot "/data/www/html"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DirectoryIndex
        DirectoryIndex info.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep ServerRoot
    ServerRoot "/etc/httpd"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep IncludeOptional
    IncludeOptional conf.d/*.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/require.conf
    <Directory "/data/www/html">
        <RequireAny>
            Require all denied
            # Only the client at "172.30.1.254" may access the "/data/www/html" document root
            Require ip 172.30.1.254
        </RequireAny>
    </Directory>
    
    # Access to "/data/www/html" is allowed above, but that client must not reach the
    # news subdirectory, so everyone is denied here
    <Directory "/data/www/html/news">
        Require all denied
    </Directory>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# mkdir /data/www/html/news
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# echo "<h1>https://www.cnblogs.com/yinzhengjie/<h1>" > /data/www/html/news/blog.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# httpd -t                 # check that the configuration file syntax is valid
    Syntax OK
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd        # check the syntax first and only then reload; reloading an unchecked config can leave the service unable to start
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
    total 8
    -rw-r--r-- 1 root root 15 Dec 7 20:07 index.html
    -rw-r--r-- 1 root root 31 Dec 8 07:36 info.html
    drwxr-xr-x 2 root root 23 Dec 8 08:03 news
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/news/
    total 4
    -rw-r--r-- 1 root root 45 Dec 8 08:03 blog.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/info.html 
    <h1>尹正杰到此一游</h1>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/index.html 
    /data/www/html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/news/blog.html 
    <h1>https://www.cnblogs.com/yinzhengjie/<h1>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]#
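The Require overview states that RequireAll is failure-first and RequireAny is success-first, and case 4 shows a subdirectory's rules taking over from its parent. The following Python model is an added example, not the author's code and not Apache's own implementation: it parses the post's style of <Directory>/<RequireAll>/<RequireAny> blocks, evaluates the all and ip providers with Apache's three outcomes (granted, denied, neutral), and picks the longest matching <Directory>; it goes one step beyond the text by showing that a negated line never grants on its own. The constructed config, filesystem paths and function names are assumptions.

```python
import ipaddress
# Constructed config reusing the post's RequireAny case and its denied "news" subdirectory; not the author's file.
CONF = """<Directory "/data/www/html">
    <RequireAny>
        Require all denied
        Require ip 172.30.1.254
    </RequireAny>
</Directory>
<Directory "/data/www/html/news">
    Require all denied
</Directory>"""
GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

def parse(conf):
    """Map each <Directory> path to (container, [(negated, provider, args)])."""
    sections, path, mode, rules = {}, None, "any", []
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("<Directory "):
            path, mode, rules = line[11:].rstrip(">").strip('"'), "any", []
        elif line == "</Directory>":
            sections[path] = (mode, rules)
        elif line in ("<RequireAll>", "<RequireAny>"):
            mode = line[8:11].lower()
        elif line.startswith("Require "):
            w = line.split()[1:]
            negated = w[0].lower() == "not"  # a leading "not" shifts the provider by one word
            rules.append((negated, w[negated].lower(), w[negated + 1:]))
    return sections

def evaluate(negated, provider, args, client_ip):
    """One Require line ('all' and 'ip' only); a 'not' line never grants, it only denies or stays neutral."""
    if provider == "all":
        hit = args[0].lower() == "granted"
    elif provider == "ip":
        ip = ipaddress.ip_address(client_ip)
        hit = any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    else:
        raise ValueError("unsupported provider: " + provider)
    return (DENIED if hit else NEUTRAL) if negated else (GRANTED if hit else DENIED)

def allowed(conf, fs_path, client_ip):
    """Longest matching <Directory> wins; with AuthMerging Off (the default) its rules replace the parent's."""
    sections = parse(conf)
    best = max((p for p in sections if fs_path == p or fs_path.startswith(p + "/")), key=len)
    mode, rules = sections[best]
    res = [evaluate(n, prov, a, client_ip) for n, prov, a in rules]
    # RequireAll: failure first (any denial loses, then one grant is needed); RequireAny: success first.
    first, second = (DENIED, GRANTED) if mode == "all" else (GRANTED, DENIED)
    final = first if first in res else second if second in res else NEUTRAL
    return final == GRANTED  # neutral and denied both end in a 403
```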

Original article: https://www.cnblogs.com/yinzhengjie/p/12003910.html