Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

时间:2023-12-14 09:46:20

      Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

                                                作者:尹正杰

版权声明:原创作品,谢绝转载!否则将追究法律责任。

一.Options 

1>.OPTIONS指令概述

Options:后跟1个或多个以空白字符分隔的选项列表
  在选项前的+,- 表示增加或删除指定选项
  常见选项:
    Indexes:
      指明的URL路径下不存在与定义的主页面资源相符的资源文件时,返回索引列表给用户
    FollowSymLinks:
      允许访问符号链接文件所指向的源文件
    None:
      全部禁用
    All:
      全部允许

Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

2>.官方文档案例

Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

3>.实战案例

[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
DocumentRoot "/data/www/html"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep DirectoryIndex
DirectoryIndex info.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep ServerRoot
ServerRoot "/etc/httpd"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep IncludeOptional
IncludeOptional conf.d/*.conf
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cp -ar /tmp/ /data/www/html/
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ln -s /etc/ /data/www/html/etcDir
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
total 4
lrwxrwxrwx 1 root root 5 Dec 8 06:50 etcDir -> /etc/
-rw-r--r-- 1 root root 15 Dec 7 20:07 index.html
drwxrwxrwt. 9 root root 218 Dec 8 06:49 tmp
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/options.conf
<Directory "/data/www/html">
Options Indexes FollowSymLinks
Require all granted
</Directory>
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
[root@node101.yinzhengjie.org.cn ~]#

Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

二.AllowOverride

1>.AllowOverride指令概述

  与访问控制相关的哪些指令可以放在指定目录下的.htaccess(由AccessFileName指定)文件中,覆盖之前的配置指令
  只对<directory>语句有效
    AllowOverride All:
      .htaccess中所有指令都有效
    AllowOverride None:
      .htaccess 文件无效
    AllowOverride AuthConfig Indexes
      除了AuthConfig和Indexes的其它指令都无法覆盖

Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

2>.官方文档案例

Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

3>.实战案例

[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
DocumentRoot "/data/www/html"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep DirectoryIndex
DirectoryIndex info.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep ServerRoot
ServerRoot "/etc/httpd"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep IncludeOptional
IncludeOptional conf.d/*.conf
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/allowOverride.conf
<Directory "/data/www/html">
AllowOverride all
Require all granted
</Directory>
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/.htaccess
Options Indexes
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
total 4
lrwxrwxrwx 1 root root 5 Dec 8 06:50 etcDir -> /etc/
-rw-r--r-- 1 root root 15 Dec 7 20:07 index.html
drwxrwxrwt. 9 root root 218 Dec 8 06:49 tmp
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
[root@node101.yinzhengjie.org.cn ~]#

Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

三.基于IP的访问控制

1>.Require指令概述

  无明确授权的目录,默认拒绝
  允许所有主机访问:Require all granted
  拒绝所有主机访问:Require all denied
  控制特定的IP访问:
    Require ip IPADDR:授权指定来源的IP访问
    Require not ip IPADDR:拒绝特定的IP访问
  控制特定的主机访问:
    Require host HOSTNAME:授权特定主机访问
    Require not host HOSTNAME:拒绝
  HOSTNAME:
    FQDN:特定主机
    domin.tld:指定域名下的所有主机   不能有失败,至少有一个成功匹配才成功,即失败优先
    <RequireAll>
      Require all granted
      Require not ip 172.16.1.1   #拒绝特定IP
    </RequireAll>

  多个语句有一个成功,则成功,即成功优先
    <RequireAny>
      Require all denied
      require ip 172.16.1.1     #允许特定IP
    </RequireAny>

Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

2>.实战案例-"RequireAll"标签

[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
DocumentRoot "/data/www/html"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep DirectoryIndex
DirectoryIndex info.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep ServerRoot
ServerRoot "/etc/httpd"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep IncludeOptional
IncludeOptional conf.d/*.conf
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/require.conf
<Directory "/data/www/html">
<RequireAll>
Require all granted            #此处我们允许所有人都可以访问服务器
Require not ip 172.30.1.254       #但是唯独拒绝IP为"172.30.1.254"的IP地址来访问咱们的服务器
</RequireAll>
</Directory>
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
total 8
-rw-r--r-- 1 root root 15 Dec 7 20:07 index.html
-rw-r--r-- 1 root root 31 Dec 8 07:36 info.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/index.html
/data/www/html
[root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/info.html
<h1>尹正杰到此一游</h1>
[root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
[root@node101.yinzhengjie.org.cn ~]#

Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

3>.实战案例-"RequireAny"标签

[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
DocumentRoot "/data/www/html"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep DirectoryIndex
DirectoryIndex info.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep ServerRoot
ServerRoot "/etc/httpd"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep IncludeOptional
IncludeOptional conf.d/*.conf
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/require.conf
<Directory "/data/www/html">
<RequireAny>
Require all denied              #此处我们拒绝所有人访问服务器
Require ip 172.30.1.254           #但我们唯独允许IP为"172.30.1.254"的IP地址可以访问服务器
</RequireAny>
</Directory>
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# httpd -t
Syntax OK
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd
[root@node101.yinzhengjie.org.cn ~]#

Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制

4>.实战案例-实现子目录的权限控制

[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf  | grep DocumentRoot
DocumentRoot "/data/www/html"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep DirectoryIndex
DirectoryIndex info.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep ServerRoot
ServerRoot "/etc/httpd"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/httpd/conf/httpd.conf | grep IncludeOptional
IncludeOptional conf.d/*.conf
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/httpd/conf.d/require.conf
<Directory "/data/www/html">
<RequireAny>
Require all denied
Require ip 172.30.1.254                         #只允许IP地址为"172.30.1.254"的客户端访问"/data/www/html"根目录
</RequireAny>
</Directory> <Directory "/data/www/html/news">                        #虽然上面允许访问"/data/www/html"目录,但是咱们并不允许它访问news子目录,我们这里将所有的子目录都拒绝啦~
Require all denied
</Directory>
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# mkdir /data/www/html/news
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo "<h1>https://www.cnblogs.com/yinzhengjie/<h1>" > /data/www/html/news/blog.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# httpd -t                 #检查配置文件的语法格式是否正确
Syntax OK
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl reload httpd        #要先检查语法再重新加载配置文件哟~别上来就直接加载配置文件,否则可能导致服务无法正常启动~
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/
total 8
-rw-r--r-- 1 root root 15 Dec 7 20:07 index.html
-rw-r--r-- 1 root root 31 Dec 8 07:36 info.html
drwxr-xr-x 2 root root 23 Dec 8 08:03 news
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /data/www/html/news/
total 4
-rw-r--r-- 1 root root 45 Dec 8 08:03 blog.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/info.html
<h1>尹正杰到此一游</h1>
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/index.html
/data/www/html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /data/www/html/news/blog.html
<h1>https://www.cnblogs.com/yinzhengjie/<h1>
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

Httpd服务入门知识-Httpd服务常见配置案例之基于客户端来源地址实现访问控制