This is the 20th day of my participation in the Genwen Challenge


A lifelong learner, practitioner and sharer committed to the path of technology, a busy and occasionally lazy original blogger, an occasionally boring and occasionally humorous teenager.

Fellow Juejin readers are welcome to search for "Jie Ge's IT journey" on WeChat and follow!

Access control for HTTPD services

Preface

In the previous two articles, "Detailed Deployment of HTTPD service in Linux environment" and "AWStats analysis system monitoring Web site, YYDS!!", we explained in detail how to deploy and configure the HTTPD service and the AWStats analysis system in a Linux environment. As deployed there, the AWStats analysis system can be reached without any account or password, which brings some security risk to the server.

To control access to web resources more tightly, access authorization can be added for particular site directories. This article introduces access control for the HTTPD service, covering restriction based on the client address, restriction based on users, virtual hosts based on domain name, and virtual hosts based on IP address and port.

1. Restriction based on client address

The Deny from and Allow from configuration items set the restriction; their arguments are the client addresses the policy applies to. address1, address2 ... can be IP addresses, network addresses (such as 192.168.3.0/24), host names or domain names. A web server is usually open to all users with no restriction on the document directory, so the keyword all can be used in either directive to deny or allow every address.

Deny from address1 address2 ...
Allow from address1 address2 ...

The Order configuration item takes either allow,deny or deny,allow and determines the sequence in which the allow and deny policies are applied, and therefore the default for addresses matched by neither.

  • Allow,deny: Indicates that all client addresses that are not explicitly allowed are denied by default.
  • Deny,allow: Indicates that all client addresses that are not explicitly denied are allowed by default.
<Directory "/usr/local/httpd/htdocs">
    ......
    Order allow,deny
    Allow from all
</Directory>

To use a permit-only policy, set the processing order to allow,deny and list only the hosts that are permitted. For example, if only the terminal with IP address 192.168.3.123 should be able to reach the AWStats analysis system, configure the following in the directory section of the AWStats analysis system.

<Directory "/usr/local/awstats/wwwroot">
    Options None
    AllowOverride None
    Order allow,deny
    # allow only 192.168.3.123
    Allow from 192.168.3.123
</Directory>

To use a deny-only policy, set the processing order to deny,allow and list only the hosts that are denied. For example, if terminals on the 192.168.3.0/24 network segment should be refused access to the AWStats analysis system while every other terminal is allowed, configure the following in the directory section of the AWStats analysis system.

<Directory "/usr/local/awstats/wwwroot">
    Options None
    AllowOverride None
    Order deny,allow
    # refuse 192.168.3.0/24
    Deny from 192.168.3.0/24
</Directory>

After the configuration is complete, accessing the site from a denied address shows the following error page in the browser.
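The two Order policies above are easy to get backwards, especially for an address matched by both an Allow and a Deny line. The following Python evaluator is an added example, not part of the original article or of httpd itself; it reproduces the httpd 2.2 Order/Allow from/Deny from decision for one client address (host and domain name arguments are out of scope), and encodes the two AWStats policies as constants.

```python
import ipaddress


def _matches(client, pattern):
    """True when one Allow/Deny argument covers the client address.

    Handles the forms used in this article: all, a full IP address, a
    network in CIDR or netmask form, and a partial dotted address such
    as 192.168.3.  Host and domain names (reverse lookup) are not handled."""
    if pattern == "all":
        return True
    if "/" in pattern:
        return client in ipaddress.ip_network(pattern, strict=False)
    text = str(client)
    return text == pattern or text.startswith(pattern.rstrip(".") + ".")


def host_access(order, allow, deny, client_ip):
    """Evaluate Order / Allow from / Deny from for one client.

    order: "allow,deny" or "deny,allow" (case-insensitive, as in httpd);
    allow, deny: the arguments of the Allow from / Deny from lines.
    Returns True when the request is permitted."""
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(client, p) for p in allow)
    denied = any(_matches(client, p) for p in deny)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        # Allow is checked first, then Deny: a Deny match overrides an
        # Allow match, and an address matched by neither is denied.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is checked first, then Allow: an Allow match overrides a
        # Deny match, and an address matched by neither is allowed.
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order}")


# The two AWStats directory policies from this section, as (order, allow, deny).
AWSTATS_PERMIT_ONLY = ("allow,deny", ["192.168.3.123"], [])
AWSTATS_DENY_ONLY = ("deny,allow", [], ["192.168.3.0/24"])

if __name__ == "__main__":
    for client in ("192.168.3.123", "192.168.3.124", "10.0.0.8"):
        print(client,
              "permit-only:", host_access(*AWSTATS_PERMIT_ONLY, client),
              "deny-only:", host_access(*AWSTATS_DENY_ONLY, client))
```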

2. Limit authorization based on users

User-based access control includes authentication and authorization.

Authentication: the process of verifying a user's identity;

Authorization: allows specific users to access specific directory areas.

Basic HTTPD authentication checks a user name and password combination to decide whether to allow access. The user accounts to be authorized must first be created and stored in a fixed data file.

The htpasswd tool creates the authorized-user data file and maintains the accounts in it. The location of the user data file must be given; the -c option indicates that the file is to be newly created.

Create a new data file /usr/local/httpd/conf/.awspwd holding the users webjacktian and webjacktian1.

# cd /usr/local/httpd/
# bin/htpasswd -c /usr/local/httpd/conf/.awspwd webjacktian
New password:
Re-type new password:
Adding password for user webjacktian
# cat /usr/local/httpd/conf/.awspwd
webjacktian:u5Mq.qjrDfsvA

If the -c option is omitted, the specified user data file must already exist; the command then adds a new user or changes the password of an existing one.

# bin/htpasswd /usr/local/httpd/conf/.awspwd webjacktian1
New password:
Re-type new password:
Adding password for user webjacktian1
# cat /usr/local/httpd/conf/.awspwd      # the user data file now holds both users
webjacktian:1.WTyxw9/pItY
webjacktian1:zG4sQXO/HveOc

After the user accounts exist, modify the httpd.conf configuration file: add the authorization items to the specific directory section and enable basic authentication to decide which users are allowed access.

vi /usr/local/httpd/conf/httpd.conf
......
# part omitted
<Directory "/usr/local/awstats/wwwroot">
    Options None
    AllowOverride None
    Order deny,allow
    Deny from 192.168.3.124
    # AuthName defines the protected realm; its name is shown in the authentication dialog the browser pops up
    AuthName "HTTP Web"
    # AuthType sets the authentication type; Basic means basic authentication
    AuthType Basic
    # AuthUserFile is the path of the file that stores the user accounts and passwords used for authentication
    AuthUserFile /usr/local/httpd/conf/.awspwd
    # Require valid-user admits every valid user in the authentication file;
    # to authorize a single user, name it instead, e.g. Require user webjacktian
    Require valid-user
</Directory>
# /usr/local/httpd/bin/apachectl restart    # restart the service so that the new configuration takes effect

Verify that an authorized user can access the AWStats analysis system: the browser shows the following dialog box, and entering a correct user name and password logs in to the AWStats analysis system and displays the analysis report.
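As an added illustration, not the article's or httpd's own code, the following Python shows what the AuthType Basic / AuthUserFile / Require combination does with one Authorization header: it parses the user file, checks the password with a constant-time comparison, and then applies either Require valid-user or Require user. It assumes the user file was written with htpasswd -s ({SHA} entries) rather than the crypt format shown above, and the user file contents, passwords and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac


def sha_entry(user, password):
    """One line in the form 'htpasswd -s' writes: user:{SHA}base64(sha1(password))."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


# Constructed stand-in for /usr/local/httpd/conf/.awspwd; the passwords are made up.
AWSPWD_TEXT = "\n".join([sha_entry("webjacktian", "first-pass"),
                         sha_entry("webjacktian1", "second-pass")])


def load_htpasswd(text):
    """Parse the user data file into {user: stored_hash}."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            name, stored = line.split(":", 1)
            users[name] = stored
    return users


USERS = load_htpasswd(AWSPWD_TEXT)


def password_ok(stored, password):
    """Verify a {SHA} entry; the comparison is constant-time."""
    if not stored.startswith("{SHA}"):
        return False
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], digest)


def basic_header(user, password):
    """Build the Authorization header a browser sends after the AuthName dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(header, users, require):
    """Apply 'AuthType Basic' plus a Require line ('valid-user' or 'user a b ...').

    Returns "ok", "no-credentials", "bad-credentials" or "not-authorized"."""
    if not header or not header.startswith("Basic "):
        return "no-credentials"      # httpd answers 401 and the browser prompts
    try:
        user, password = base64.b64decode(header[6:], validate=True).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return "no-credentials"      # malformed header is treated as no credentials
    stored = users.get(user)
    if stored is None or not password_ok(stored, password):
        return "bad-credentials"     # unknown user or wrong password: 401 again
    words = require.split()
    if words[0] == "valid-user" or (words[0] == "user" and user in words[1:]):
        return "ok"
    return "not-authorized"          # authenticated, but not named in the Require line
```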

3. Domain name based virtual host access

Domain-based: each virtual host uses a different domain name, while the corresponding IP address is the same.

For example, www.baidu.com and www.taobao.com both resolve to 192.168.3.123; this is the most common type of virtual Web host. Domain-based access depends on a DNS service to resolve the site names. For details about deploying the DNS service, see the article on the DNS domain name resolution service in Linux. After the DNS service is set up, add the baidu.com and taobao.com zones to the named.conf main configuration file, as shown in the following figure.

Modify the zone file of baidu.

Copy the zone file /var/named/baidu.jack to /var/named/taobao.jack, then list the directory to confirm that both files exist.

# cp -v /var/named/baidu.jack /var/named/taobao.jack
# ls -l /var/named/
(the listing shows baidu.jack and taobao.jack alongside the default chroot, dynamic, named.ca, named.empty, named.localhost, named.loopback and slaves entries)

Edit the taobao.jack file and adjust its records for the taobao.com zone.

Restart the named service.

# service named restart

Modify the nameserver configuration item so that it points to the DNS server address.

Use the nslookup command to resolve the two configured domain names.

[root@Mr-tian named]# nslookup www.baidu.com
Server:         192.168.3.123
Address:        192.168.3.123#53

Name:   www.baidu.com
Address: 192.168.3.123
[root@Mr-tian named]# nslookup www.taobao.com
Server:         192.168.3.123
Address:        192.168.3.123#53

Name:   www.taobao.com
Address: 192.168.3.123

Prepare a website directory and web documents for each virtual Web host, with a home page of different content for each. Create two subdirectories, baidu and taobao, under /usr/local/httpd/htdocs and use them as the root directories of www.baidu.com and www.taobao.com for the test pages.

# mkdir /usr/local/httpd/htdocs/baidu      # create a web document directory for each virtual host
# mkdir /usr/local/httpd/htdocs/taobao
# echo "<h1>www.baidu.com</h1>" > /usr/local/httpd/htdocs/baidu/index.html      # create index.html in the baidu and taobao directories
# echo "<h1>www.taobao.com</h1>" > /usr/local/httpd/htdocs/taobao/index.html
# cat /usr/local/httpd/htdocs/baidu/index.html      # verify that the files were created
<h1>www.baidu.com</h1>
# cat /usr/local/httpd/htdocs/taobao/index.html
<h1>www.taobao.com</h1>

To add the virtual host configuration, enable domain-based virtual Web hosts in the main configuration file of the HTTPD server.

  • Use a <Directory> section to set access permissions for each virtual Web host's site directory.
  • Use the NameVirtualHost configuration item to specify the IP address that provides the name-based virtual host service.
  • Use a <VirtualHost> section to give each virtual Web host its own configuration: the document root path, the ServerName of the site, access logs and other related configuration items.

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf      # create a separate configuration file
<Directory "/var/www/html">
    # set the directory access order
    Order allow,deny
    Allow from all
</Directory>
NameVirtualHost 192.168.3.123:80
# baidu virtual site section
<VirtualHost 192.168.3.123:80>
    DocumentRoot "/usr/local/httpd/htdocs/baidu"
    ServerName www.baidu.com
    ErrorLog "logs/www.baidu.com-error_log"
    CustomLog "logs/www.baidu.com-access_log" common
</VirtualHost>
# taobao virtual site section
<VirtualHost 192.168.3.123:80>
    DocumentRoot "/usr/local/httpd/htdocs/taobao"
    ServerName www.taobao.com
    ErrorLog "logs/www.taobao.com-error_log"
    CustomLog "logs/www.taobao.com-access_log" common
</VirtualHost>

Keeping the virtual hosts in a separate file is convenient when there are many of them; add Include conf/extra/httpd-vhosts.conf to httpd.conf so that the independent virtual host configuration file is loaded.

# vim /usr/local/httpd/conf/httpd.conf
<Directory "/usr/local/awstats/wwwroot">
    Options None
    AllowOverride None
    Order deny,allow
    Deny from 192.168.3.124
    AuthName "HTTP web"
    AuthType Basic
    AuthUserFile /usr/local/httpd/conf/.awspwd
    Require valid-user
</Directory>
# add this line at the end of the file to load the separate configuration file
Include conf/extra/httpd-vhosts.conf

Restart the HTTPD service.

# service httpd restart

Give the client an IP address in the same network segment and point its DNS to the HTTPD server.

Test connectivity.

In the client browser, access the different virtual Web hosts by site name and check that the displayed pages differ. If a page cannot be displayed, check the home page files of the two sites or troubleshoot the rest of the configuration.

4. Virtual host based on IP address

Add a new virtual network interface to the HTTPD server and configure an IP address on it.

With IP-address-based virtual hosts, each virtual Web host uses a different IP address while the same HTTPD server provides all of them. The NameVirtualHost configuration item is not needed to specify the listening address; instead, each domain's IP address is given directly in the VirtualHost section of its virtual Web host.

The IP addresses of www.baidu.com and www.taobao.com are 192.168.3.123 and 192.168.3.126 respectively. To implement IP-address-based virtual Web hosts, configure the following items on the HTTPD server.

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf
......
NameVirtualHost 192.168.3.123:80
# the www.baidu.com section remains unchanged
<VirtualHost 192.168.3.123:80>
    DocumentRoot "/usr/local/httpd/htdocs/baidu"
    ServerName www.baidu.com
    ErrorLog "logs/www.baidu.com-error_log"
    CustomLog "logs/www.baidu.com-access_log" common
</VirtualHost>
# change the www.taobao.com section to <VirtualHost IP:port>, where IP is the address of the added virtual interface eth1:0
<VirtualHost 192.168.3.126:80>
    DocumentRoot "/usr/local/httpd/htdocs/taobao"
    ServerName www.taobao.com
    ErrorLog "logs/www.taobao.com-error_log"
    CustomLog "logs/www.taobao.com-access_log" common
</VirtualHost>

Load the separate configuration file from httpd.conf.

# vi /usr/local/httpd/conf/httpd.conf
# load the independent configuration file
Include conf/extra/httpd-vhosts.conf

Restart the HTTPD service.

# service httpd restart

In the address box of the browser, enter http://192.168.3.123 to display www.baidu.com, and enter http://192.168.3.126 to display www.taobao.com.

Demo renderings

5. Port-based virtual host

A port-based virtual host keeps the same site name and IP address; the only difference is the TCP port on which different web content is served. When accessing a Web server on a port other than 80, the port number must be given in the browser, for example www.taobao.com:81/. A port-based virtual Web host does not need the NameVirtualHost configuration item; instead, use multiple Listen configuration items to open the required TCP ports, and specify both the IP address and the port number in the VirtualHost section of each virtual Web host.

If www.baidu.com site is accessed through port 80, the displayed result is the content of Baidu site; if www.taobao.com site is accessed through port 81, the displayed result is the content of Taobao site.

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf
NameVirtualHost 192.168.3.123:80
# the www.baidu.com virtual site section remains unchanged
<VirtualHost 192.168.3.123:80>
    DocumentRoot "/usr/local/httpd/htdocs/baidu"
    ServerName www.baidu.com
    ErrorLog "logs/www.baidu.com-error_log"
    CustomLog "logs/www.baidu.com-access_log" common
</VirtualHost>
# set the port number of the www.taobao.com virtual site section to 81
<VirtualHost 192.168.3.123:81>
    DocumentRoot "/usr/local/httpd/htdocs/taobao"
    ServerName www.taobao.com
    ErrorLog "logs/www.taobao.com-error_log"
    CustomLog "logs/www.taobao.com-access_log" common
</VirtualHost>

The Include line and the existing Listen 80 entry remain unchanged; add a new Listen entry for the port of the www.taobao.com virtual site.

# vi /usr/local/httpd/conf/httpd.conf
......
Listen 80
# add a listening port for the taobao virtual site
Listen 81
# service httpd restart

Verification result: entering http://192.168.3.123 in the client browser displays the baidu site content, and entering http://192.168.3.123:81 displays the taobao site content, so the configuration is correct.
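The domain-, IP- and port-based configurations above each change one part of the same lookup: httpd first picks the VirtualHost sections whose ip:port matches the connection, then compares the Host header with ServerName. This added Python model (not httpd code; the vhost list is constructed from the three configurations, and the "*" wildcard address is handled as a generalization beyond the article) shows the three cases and why an unknown Host header lands on the first section listed for an address, which is worth knowing when a site is protected only by its name.

```python
# Constructed list of the <VirtualHost> sections from the three configurations,
# in configuration order; "root" is the DocumentRoot of each section.
VHOSTS = [
    {"addr": "192.168.3.123", "port": 80, "name": "www.baidu.com",
     "root": "/usr/local/httpd/htdocs/baidu"},
    {"addr": "192.168.3.123", "port": 80, "name": "www.taobao.com",
     "root": "/usr/local/httpd/htdocs/taobao"},
    {"addr": "192.168.3.126", "port": 80, "name": "www.taobao.com",
     "root": "/usr/local/httpd/htdocs/taobao"},
    {"addr": "192.168.3.123", "port": 81, "name": "www.taobao.com",
     "root": "/usr/local/httpd/htdocs/taobao"},
]


def select_vhost(vhosts, conn_ip, conn_port, host_header):
    """Return the vhost httpd serves for a connection, or None for the main server.

    Step 1 keeps the sections whose <VirtualHost ip:port> matches the connection
    (an exact address is preferred over a "*" wildcard).  Step 2 compares the
    Host header, port stripped and case-folded, with ServerName and any
    ServerAlias names.  Step 3 falls back to the first section listed for that
    address:port, so the first vhost defined for an address is its default."""
    exact = [v for v in vhosts if v["addr"] == conn_ip and v["port"] == conn_port]
    wild = [v for v in vhosts if v["addr"] == "*" and v["port"] == conn_port]
    candidates = exact or wild
    if not candidates:
        return None
    name = (host_header or "").split(":", 1)[0].lower()
    for v in candidates:
        if name and name in (v["name"].lower(), *v.get("aliases", ())):
            return v
    return candidates[0]


if __name__ == "__main__":
    for ip, port, host in (("192.168.3.123", 80, "www.taobao.com"),
                           ("192.168.3.123", 80, "unknown.example"),
                           ("192.168.3.126", 80, "www.baidu.com"),
                           ("192.168.3.123", 81, None)):
        chosen = select_vhost(VHOSTS, ip, port, host)
        print(ip, port, host, "->", chosen["root"] if chosen else "main server")
```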

Demo renderings

Next, apply client-address-based access control to the baidu site through a Directory section: modify the virtual host configuration file, add the Directory configuration items, check the syntax, and restart the service once the configuration is correct.

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf
NameVirtualHost 192.168.3.123:80
# add address-based access control to the baidu virtual host
<VirtualHost 192.168.3.123:80>
    DocumentRoot "/usr/local/httpd/htdocs/baidu"
    ServerName www.baidu.com
    ErrorLog "logs/www.baidu.com-error_log"
    CustomLog "logs/www.baidu.com-access_log" common
    <Directory "/usr/local/httpd/htdocs/baidu">
        Order allow,deny
        # IP address of the client allowed to access www.baidu.com
        Allow from 192.168.3.125
    </Directory>
</VirtualHost>
<VirtualHost 192.168.3.123:81>
    DocumentRoot "/usr/local/httpd/htdocs/taobao"
    ServerName www.taobao.com
    ErrorLog "logs/www.taobao.com-error_log"
    CustomLog "logs/www.taobao.com-access_log" common
</VirtualHost>
# httpd -t      # check the syntax
Syntax OK
# service httpd restart      # restart the httpd service

With the preceding configuration, only the host with IP address 192.168.3.125 may access www.baidu.com; a client with any other IP address receives the following denial message.

If Allow from 192.168.3.0/24 is configured instead in httpd-vhosts.conf, every host in that network segment can access the site.

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf
......
# part omitted
    <Directory "/usr/local/httpd/htdocs/baidu">
        Order allow,deny
        Allow from 192.168.3.0/24
    </Directory>
# service httpd restart      # restart the httpd service

The verification results are as follows.

User authorization restricts access

Create a user. The -c option is used only when the user file is created for the first time; omit it when adding further users. Then view the user file.

# htpasswd -c /usr/local/httpd/conf/.user jacktian      # create the user
New password:            # set the password
Re-type new password:
Adding password for user jacktian
# cat /usr/local/httpd/conf/.user      # check the user file
jacktian:Kga/Hy/OZ2Bnw

Modify the virtual host configuration file and add the AuthName and related authentication items to the www.baidu.com section.

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf      # modify the virtual host configuration file
NameVirtualHost 192.168.3.123:80
<VirtualHost 192.168.3.123:80>
    DocumentRoot "/usr/local/httpd/htdocs/baidu"
    ServerName www.baidu.com
    ErrorLog "logs/www.baidu.com-error_log"
    CustomLog "logs/www.baidu.com-access_log" common
    <Directory "/usr/local/httpd/htdocs/baidu">
        Order allow,deny
        Allow from 192.168.3.0/24
        # add the user authorization configuration items for www.baidu.com
        AuthName "baidu login"
        AuthType Basic
        AuthUserFile /usr/local/httpd/conf/.user
        Require valid-user
    </Directory>
</VirtualHost>
<VirtualHost 192.168.3.123:81>
    DocumentRoot "/usr/local/httpd/htdocs/taobao"
    ServerName www.taobao.com
    ErrorLog "logs/www.taobao.com-error_log"
    CustomLog "logs/www.taobao.com-access_log" common
</VirtualHost>
# httpd -t      # check the syntax
Syntax OK
# service httpd restart

Verification result: when you enter www.baidu.com in the client browser, the following dialog box appears; enter the user name and password to log in.

If the user name and password are correct, the following results are obtained.

Demo renderings

If the user name and password are incorrect, the access result is as follows.

Demo renderings

Recommended reading

Nginx series (1) | Setting up the Nginx service in a Linux environment

Nginx series (2) | Understanding Nginx forward and reverse proxies

Nginx series (3) | Understanding Nginx load balancing

Nginx series (4) | Understanding Nginx static and dynamic content separation

Nginx series (5) | High availability with Nginx + Keepalived

Nginx series (6) | Building the LNMP architecture and deploying a system

Deploying HTTPD in Linux

AWStats analysis system monitors Web sites, YYDS!!


Writing original articles is not easy. If you found this one useful, please like, comment on or forward it; that is what keeps me producing more high-quality articles. Thank you!

And please follow the account while you are here, so that you can find me again next time.

See you next time!