关于apache的虚拟主机配置
增加用户账号的验证touch /data/.htpasswd# htpasswd-c/data/.htpasswduser1#新增第一个账号# htpasswd /data/.htpasswduser2 #新增第二个账号编辑/usr/local/apache2/conf/extra/httpd-vhosts.conf<VirtualHost *:80>#<VirtualHost*:80> DocumentRoot"/tmp/111/"#默认虚拟主机,添加多一个不存在的服务器定义的域名来创建一个空目录/文件,限制不是服务器自定义域名的访问 ServerName www.i1111.com</VirtualHost>
php_admin_valueopen_basedir "/usr/local/apache2/htdocs/:/tmp/"#(apapche和php二选一)配置php的网站程序的目录<VirtualHost *:80>#ServerAdmin webmaster@dummy-host.example.com DocumentRoot"/usr/local/apache2/htdocs/" ServerName www.user10.com #默认虚拟主机,指定服务器自定义域名的访问 ServerAlias www.12g3a.com ServerAlias www.12a.com
<Directory /usr/local/apache2/htdocs/> # Options FollowSymLinks #禁止查看目录,+FollowSymLinks允许查看目录 AllowOverride None #apache访问控制,在主配置文件里复制过来的(控制语句) Order allow,deny #看规则的先后 Allow from all #限制某个IP的访问 Deny from ip </Directory>
<filesmatch"(.*)admin(.*)"> Order deny,allow #除了指定的ip能访问admin.php,其他无法访问 deny from all allow from ip1 ip2 AllowOverrideAuthConfig AuthName"abc" #双重验证 AuthType Basic AuthUserFile /data/.htpasswd1 #apache用户认证 require valid-user </filesmatch>
SetEnvIf Request_URI"."\.gif$" image-request SetEnvIf Request_URI"."\.jpg$" image-request SetEnvIf Request_URI"."\.png$" image-request SetEnvIf Request_URI"."\.bmp$" image-request#apache不记录指定文件类型日志 SetEnvIf Request_URI"."\.swp$" image-request SetEnvIf Request_URI "."\.js$"image-request SetEnvIf Request_URI"."\.css$" image-request ErrorLog "logs/user10.com-error_log" CustomLog "|/usr/local/apache2/bin/rotatelogs-l /usr/local/apache2/logs/user10.com-access_%Y%m%d_log 86400" combinedenv=!image-request #apache日志切割 #env=!image-request#不去记录image-request指定的文件类型#apache不记录指定文件类型日志<IfModulemod_expires.c> ExpiresActive on ExpiresByTypeimage/gif"access plus 1 days" ExpiresByType image/jpeg"access plus 24 hours" ExpiresByTypeimage/png"access plus 24hours" #配置静态缓存 ExpiresByTypetext/css"now plus 2 hourss" ExpiresByTypeapplicantion/x-javascript"now plus2 hours" ExpiresByTypeapplicantion/x-shockware-flash"nowplus 2 hours" ExpiresDefault"now plus 0 min" </IfModule>
SetEnvIfNoCase Referer "^http://.*\.user10\.com local_ref #将本机的域名放在白名单 SetEnvIfNoCase Referer ".*\.user11\.com" local_ref #将这个网址加入白名单 <filesmatch "\.(doc|mp3|zip|rar|jpg|gif|png|js|css|jpeg)"> #限制显示 Order Allow,Deny #配置apache防盗链 Allow from env=local_ref#允许定义local_ref,其他拒绝 Deny from all </filesmatch>
<Directory /usr/local/apache2/htdocs/data/> php_admin_flag engine off #虚拟主机中限定某个目录不解析php,关闭php解释引擎 <filesmatch "(.*)php"> Order deny,allow #配置apache禁止解释php Deny from all #使其不能下载php文件 #allow from ip #去掉注释允许某个ip下载 </filesmatch> </Directory>
<IfModule mod_rewrite.c> RewriteEngine on RewriteCond%{HTTP_HOST} ^www.12g3a.com$ #定义的条件 RewriteCond%{HTTP_HOST}^www.12a.com$ #配置301跳转(域名重定向) RewriteRule^/(.*)$http://www.user10.com/$1 RewriteCond%{HTTP_USER_AGENT}^.*curl.* #匹配,NC:不区分大小写 RewriteCond%{HTTP_USER_AGENT}^.*chrome* #加上注释#,不认为禁掉 RewriteCond %{HTTP_USER_AGENT}^.*aeg* #禁用USER_AGENT,随意指定的必须,这样就可以使IE浏览器和第三方浏览器同时使用 RewriteRule.* - #直接禁掉,代表Forbidden RewriteCond%{REQUEST_URI} ^.*/tmp/.* #通过rewrite来限制某个目录,禁止访问/tmp/下的文件 RewriteRule .* - </IfModule>
<Directory/usr/local/apache2/htdocs/abc/> #针对某个目录做认证登录 AllowOverride AuthConfig AuthName "abc" AuthType Basic AuthUserFile/data/.htpasswd1 #apache用户认证 require valid-user </Directory>
<Directory/usr/local/apache2/htdocs/bcd/> #针对某个目录做认证登录 AllowOverride AuthConfig AuthName "abc" AuthType Basic AuthUserFile/data/.htpasswd #apache用户认证 require valid-user </Directory></VirtualHost>
检测配置是否正确curl-A “gaega”-x192.168.0.168:80{www.12a.com,www.123.com} –I #-A:模拟user_agentHTTP/1.1 301 MovedPermanentlyDate: Tue, 05 Jan 201615:51:43 GMTServer: Apache/2.2.24 (Unix)mod_ssl/2.2.24 OpenSSL/0.9.8b DAV/2 PHP/5.5.30Location:http://www.user10.com/Content-Type: text/html;charset=iso-8859-1
HTTP/1.1 301 MovedPermanentlyDate: Tue, 05 Jan 201615:51:43 GMTServer: Apache/2.2.24 (Unix)mod_ssl/2.2.24 OpenSSL/0.9.8b DAV/2 PHP/5.5.30Location: http://www.user10.com/Content-Type: text/html;charset=iso-8859-1
在主配置文件/usr/local/apache2/conf/httpd.conf找到includeconf/extra/httpd-vhosts.conf这一行的注释去除掉,不然用户验证不成功
vim/etc/profile.d/path.sh #!/bin/bash exportPATH=$PATH:/usr/local/mysql/bin:/usr/local/apache2/bin
apachectl -M #查看apache安装了什么支持的模块# apachectl -MLoaded Modules: core_module (static) mpm_prefork_module (static) http_module (static) so_module (static) authn_file_module (shared) authn_dbm_module (shared) authn_anon_module (shared) authn_dbd_module (shared) authn_default_module (shared) authz_host_module (shared) authz_groupfile_module (shared) authz_user_module (shared) authz_dbm_module (shared) authz_owner_module (shared) authz_default_module (shared) auth_basic_module (shared) auth_digest_module (shared) dbd_module (shared) dumpio_module (shared) reqtimeout_module (shared) ext_filter_module (shared) include_module (shared) filter_module (shared) substitute_module (shared) deflate_module (shared) log_config_module (shared) logio_module (shared) env_module (shared) expires_module (shared) headers_module (shared) ident_module (shared) setenvif_module (shared) version_module (shared) ssl_module (shared) mime_module (shared) dav_module (shared) status_module (shared) autoindex_module (shared) asis_module (shared) info_module (shared) cgi_module (shared) dav_fs_module (shared) vhost_alias_module (shared) negotiation_module (shared) dir_module (shared) imagemap_module (shared) actions_module (shared) speling_module (shared) userdir_module (shared) alias_module (shared) rewrite_module (shared) php5_module (shared)Syntax OKapachectl -l #查看apache已安装的模块,不指定模式是默认prefork# apachectl -lCompiled in modules:core.cprefork.chttp_core.cmod_so.c
OR #或者,如果不设置,会被认为两个条件同时存在(.*)#代表不包含HOST/ # 代表将域名省掉301 #永久重定向302 #临时重定向L #代表最后,结束401#请求未经授权,需要身份验证返回状态码403404500#php的错误
概念:Apache防盗链:防止网站的东西被盗用referer:%{Referer}指的是启动浏览器访问第一个的网址就是referer,即使是访问自定义域名(www.12a.com)做了跳转到真正的网址(www.user10.com),真正的网址就是%{Referer}点击下一个网址的连接前,当前浏览器的网址就是referer指的是,它从哪里跳过来的。 比如你访问的一个网页地址是http://123.com/1.html 这个页面中有一个网址http://234.com/2.html 你直接点这个链接进入到了 234.com/2.html 那这时候,日志中会记录一条日志 2.html 它的referer是 http://123.com/1.html
访问控制:发现攻击,可以封IP,从主配置里配置的一个模板复制到虚拟主机的配置里
静态缓存:设置一些图片,css文件的缓存保存时间,当时间一过(即过期以后)那浏览器就会将这些缓存文件进行删除。当再重新打开此网页时,那些文件又会再被重新缓存。可缓存几个小时或者几天时间,时间过后可重新请求,但不会在服务端请求,从而节省带宽。#curl -x192.168.0.168:80'http://www.user10.com/static/image/common/logo_88_31.gif' -IHTTP/1.1 200 OKDate: Thu, 07Jan 2016 02:49:38 GMTServer:Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8b DAV/2 PHP/5.5.30Last-Modified:Mon, 04 Jan 2016 14:51:47 GMTETag:"d9087-9e0-52883429d86c0"Accept-Ranges:bytesContent-Length:2528Cache-Control:max-age=86400Expires: Fri,08 Jan 2016 02:49:38 GMTContent-Type:image/gif
User_agent的概念:浏览器的版本,搜索引擎的爬虫apache运行的用户就是daemonapache防盗链的概念:只要不是服务器上白名单定义的域名,其他网站都是插入该网站的资源就拒绝访问apache日志切割概念:CustomLog"|/usr/local/apache2/bin/rotatelogs -l /usr/local/apache2/logs/user10.com-access_%Y%m%d_logi86400/5M" combined| #管道,把日志交给后面的rotatelogs工具处理86400/5M#单位秒,一天一个日志/一个日志为5M
/usr/local/apache2/conf/httpd.conf<IfModulelog_config_module> # The following directives define someformat nicknames for use with # a CustomLog directive (see below). # LogFormat "%h %l %u %t\"%r\" %>s %b \"%{Referer}i\"\"%{User-Agent}i\"" combined LogFormat "%h %l %u %t\"%r\" %>s %b" common
<IfModule logio_module> # You need to enable mod_logio.c to use%I and %O,自定义 LogFormat "%h %l %u %t\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"%I %O" combinedio </IfModule>%h #来源IP-- #空的,所以这样表示%u #user,用户%t #当前时间%r #动作%{Referer} #网址%{User-Agent} #使用浏览器的相关信息可限制来源ip使用的user-agent类curl -A "ggaweagew"-xip:80 网址 –I #-A:模仿user_agentapachectl graceful#重新加载配置apachectl-S#查询虚拟机的域名配置所在的行数apache调用了php的libphp5.so文件
加入启动:vi /etc/profile.d/path.sh#!/bin/bashexportPATH=$PATH:/usr/local/mysql/bin:/usr/local/apache2/binchmod 755 /etc/profile.d/path.sh
页:
[1]