Apache Configuration Case Study (on RHEL4)
Date: 2007-03-20 Source: richardliu1123
Requirements:
The 172.24.0.0/16 range may access the site;
the 172.25.0.0/16 range may not access the site;
only the users jack and tom are allowed in.
Configuration:
For the full configuration see: http://blog.chinaunix.net/u/25142/showart.php?id=240142
Notes:
1> The User and Group set in /etc/httpd/conf/httpd.conf must have read permission on .htaccess;
for example:
if the configuration file has User apache and Group apache,
then .htaccess must be readable by users outside that group:
chmod o+r .htaccess
Otherwise the error is:
================================================================
Forbidden
You don't have permission to access /doc/ on this server.
Apache/2.0.52 (Red Hat) Server at 192.168.1.2 Port xxxx
2> The .htpasswd file must also be readable by others: chmod o+r .htpasswd
Otherwise the symptom is:
================================================================
an endless prompt for username and password.
3> Defining an alias: the meaning of the trailing "/"
For example, with
Alias /doc/ "/opt/smb-server"
entering http://localhost/doc in IE gives a "page not found" error;
correct: http://localhost/doc/
4> Defining authorized users
The users authorized in a .htaccess file are virtual users (not necessarily local accounts); by contrast, Samba requires its authorized users to be local accounts.
5> Access-control mechanisms
5.1) iptables
iptables -A INPUT -s 172.24.0.0/16 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 172.25.0.0/16 -p tcp --dport 80 -j DROP
5.2) In httpd.conf
Order allow,deny
Allow from 172.24.0.0/16
Deny from 172.25.0.0/16
6> Checking whether a service supports tcp_wrappers
6.1> To check whether a given service is linked against tcp_wrappers:
ldd `which daemon` | grep wrap
6.2> Once the service is running, another way to check:
lsof | grep wrap | grep xxx
Note: xxx is the name of the service to check.

Apache + mod_ssl Configuration Case Study
Configuring an encrypted (HTTPS) virtual host
1. Install the mod_ssl module:
rpm -ivh --force --aid mod_ssl-2.0.52-25.ent
2. Generate the certificate:
cd /usr/share/ssl/certs
[root@test certs]# make server.crt
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.....................++++++
................................................++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -new -key server.key -x509 -days 365 -out server.crt
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:shanghai
Organization Name (eg, company) [My Company Ltd]:company
Organizational Unit Name (eg, section) []:section
Common Name (eg, your name or your server's hostname) []:example
Email Address []:[email protected]
[root@test certs]# openssl x509 -subject -noout <server.crt
subject= /C=cn/ST=shanghai/L=shanghai/O=company/OU=section/CN=example/[email protected]
3. Copy the certificate and key into place:
cp /usr/share/ssl/certs/server.crt /etc/httpd/conf/ssl.crt/.
cp /usr/share/ssl/certs/server.key /etc/httpd/conf/ssl.crt/.
4. Edit ssl.conf (/etc/httpd/conf.d/ssl.conf) to define the virtual host:
ServerAdmin [email protected]
DocumentRoot /opt
Alias /doc "/opt/tools"
ServerName test.example.com
<Directory "/opt">
# Authentication method: lets a .htaccess in this tree carry the AuthType/AuthUserFile/Require directives
AllowOverride AuthConfig
Options Indexes MultiViews
Order allow,deny
Allow from all
</Directory>
5. Restart the httpd service:
service httpd restart
6. Test:
https://192.168.1.2
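As an added example (not from the original post), a non-interactive equivalent of step 2 above that creates the key and self-signed certificate in one openssl call and then verifies the result the way the post does with "openssl x509 -subject -noout". It assumes openssl is on the PATH; it uses a 2048-bit key with no passphrase so httpd can restart unattended (the post's des3-protected key prompts at every start), and the subject fields are the post's constructed values.

```shell
#!/bin/sh
# Added example, not part of the original post.
# make_selfsigned DIR HOST: write DIR/server.key and DIR/server.crt for HOST.
# umask 077 (as the Makefile's "umask 77" does) keeps the private key 0600.
make_selfsigned() {
    dir="$1"; host="$2"
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -x509 -days 365 \
          -subj "/C=cn/ST=shanghai/L=shanghai/O=company/OU=section/CN=$host" \
          -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
    # Same check the post performs after "make server.crt".
    openssl x509 -subject -noout -in "$dir/server.crt"
}

# cert_cn CERT: print only the CN, so it can be compared with ServerName.
# Handles both the old "/CN=x" and the newer "CN = x" subject formats.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_is_private KEY: succeed only if group and others have no bits at all
# (mode x00). A world-readable server.key hands out the TLS identity.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    tail2=$(printf '%s' "$mode" | tail -c 2)
    [ "$tail2" = "00" ]
}

# key_matches_cert KEY CERT: succeed if both carry the same public key,
# which catches copying a stale key next to a fresh certificate in step 3.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout)
    [ "$k" = "$c" ]
}
```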
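Returning to the three requirements at the top and to notes 1, 2 and 5.2: the following is an added example (neither the post's configuration nor the one at the linked blog) that writes a .htaccess enforcing the network and user restrictions together and then checks for the two permission pitfalls the notes describe. The directory and password-file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post.
# write_htaccess DIR PASSFILE: Apache 2.0-style .htaccess for the requirements.
write_htaccess() {
    dir="$1"; passfile="$2"
    cat > "$dir/.htaccess" <<EOF
# Network restriction. With Order allow,deny the Allow lines are evaluated
# first, then the Deny lines, and the default is deny: anything outside
# 172.24.0.0/16 (172.25.0.0/16 included) is refused even without the Deny.
Order allow,deny
Allow from 172.24.0.0/16
Deny from 172.25.0.0/16
# User restriction. The default "Satisfy all" means BOTH the network check
# and the login must pass. jack and tom are virtual users from PASSFILE.
AuthType Basic
AuthName "Restricted"
AuthUserFile $passfile
Require user jack tom
EOF
}

# other_readable FILE: succeed if the "other" read bit is set, which is what
# chmod o+r grants and what the httpd User/Group (apache) needs here.
other_readable() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    last=$(printf '%s' "$mode" | tail -c 1)
    [ $((last & 4)) -eq 4 ]
}

# check_auth_files DIR PASSFILE: report the two symptoms from the notes.
# Unreadable .htaccess -> "403 Forbidden"; unreadable .htpasswd -> the
# browser keeps prompting for a username and password. Returns 1 if either.
check_auth_files() {
    rc=0
    for f in "$1/.htaccess" "$2"; do
        if ! other_readable "$f"; then
            echo "WARNING: $f is not readable by others; fix with: chmod o+r $f"
            rc=1
        fi
    done
    return $rc
}
```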