Requirements:
172.24.0.0/16 may access;
172.25.0.0/16 may not access;
only the users jack and tom may access.
Configuration:
For the detailed configuration see: http://blog.chinaunix.net/u/25142/showart.php?id=240142
Notes:
1> The User and Group set in /etc/httpd/conf/httpd.conf must have read permission on .htaccess;
for example:
if the configuration file says User apache Group apache,
then .htaccess must grant read permission to others:
chmod o+r .htaccess
Otherwise the error message is:
================================================================
Forbidden
You don't have permission to access /doc/ on this server.
Apache/2.0.52 (Red Hat) Server at 192.168.1.2 Port xxxx
2> The .htpasswd file must also grant read permission to others;
chmod o+r .htpasswd
Otherwise the error message is:
================================================================
it keeps prompting for a user name and password
3> Defining an alias: what the "/" means
For example: alias /doc/ "/opt/smb-server"
If you enter the URL in IE,
it reports that the page cannot be found.
Correct: /
4> Defining authorized users
The authorized users in the .htaccess file are virtual users (that is, they need not be local users); by contrast, users
authorized for samba must be local users.
5> Access control mechanisms
5.1) iptables
# rules are matched in order; the DROP rule only matters when the chain's default policy is ACCEPT
iptables -A INPUT -s 172.24.0.0/16 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 172.25.0.0/16 -p tcp --dport 80 -j DROP
5.2) httpd.conf configuration file (with order allow,deny, anything not explicitly allowed is denied)
order allow,deny
allow from 172.24.0.0/16
deny from 172.25.0.0/16
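Notes 1 and 2 above fix the "Forbidden" and "keeps prompting" symptoms with chmod o+r, which also makes the password hashes readable by every local account. The script below is an added example (not code from the original post): it writes the .htaccess that implements the requirements at the top of the page and the allow/deny rules of 5.2, adds the two users, and then gives both files to the web-server group with mode 640, so httpd can still read them while other users cannot. The directory, password-file path and web-server gid are arguments (the demo uses the caller's own gid in place of the apache group), and the hashes are produced with openssl passwd -apr1 because the htpasswd tool may not be installed; prefer htpasswd -B where it is.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the .htaccess and
# .htpasswd for: 172.24.0.0/16 allowed, 172.25.0.0/16 denied, only jack and
# tom may log in; then hardens file permissions to owner+group read (640).
# Assumptions: directory, password-file path and web-server gid are arguments;
# hashes are made with "openssl passwd -apr1" (htpasswd -B is preferable).

# Write .htaccess into directory $1, referring to the password file $2.
write_htaccess() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $2
Require user jack tom
# Order allow,deny: whatever is not explicitly allowed is denied, so
# 172.25.0.0/16 and every other range are rejected (Satisfy all is the
# default, so the host check and the user check both apply).
Order allow,deny
Allow from 172.24.0.0/16
Deny from 172.25.0.0/16
EOF
}

# Append "user:hash" for user $2 to password file $1. The cleartext password
# is read from stdin so it never appears on a command line.
add_htpasswd_user() {
    h=$(openssl passwd -apr1 -stdin) || return 1
    printf '%s:%s\n' "$2" "$h" >> "$1"
}

# chgrp the given files to gid $1 and allow owner+group read only (mode 640).
harden_auth_files() {
    gid=$1; shift
    for f in "$@"; do
        chgrp "$gid" "$f" && chmod 640 "$f" || return 1
    done
}

# 0 when file $1 belongs to gid $2 and is mode 640 or 440 (readable by the
# web-server group, unreadable by others); 1 otherwise.
is_group_readable_only() {
    mode=$(stat -c '%a' "$1") || return 1
    fgid=$(stat -c '%g' "$1") || return 1
    [ "$fgid" = "$2" ] || return 1
    [ "$mode" = "640" ] || [ "$mode" = "440" ]
}

# Demo against a scratch directory; in production the password file lives
# outside DocumentRoot and the gid is that of the Group in httpd.conf.
dir=$(mktemp -d)
gid=$(id -g)
write_htaccess "$dir" "$dir/.htpasswd"
printf '%s\n' 'jack-password' | add_htpasswd_user "$dir/.htpasswd" jack
printf '%s\n' 'tom-password'  | add_htpasswd_user "$dir/.htpasswd" tom
harden_auth_files "$gid" "$dir/.htaccess" "$dir/.htpasswd"
is_group_readable_only "$dir/.htpasswd" "$gid" && echo "ok: $dir/.htpasswd readable by group $gid only"
```

With the apache group owning the files and mode 640, httpd (running as User apache Group apache) reads them exactly as with chmod o+r, but a shell account on the same box can no longer copy the hashes for offline guessing.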
6> How to check whether a service supports tcp_wrappers
6.1> Check whether a service's binary is built with tcp_wrappers support:
ldd `which daemon` | grep wrap
6.2> If the service is already running, there is a second method:
lsof | grep wrap | grep xxx
Note: xxx is the name of the service to check.
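The two checks in 6.1 and 6.2 only tell you whether a daemon is linked against libwrap; a daemon that is not linked against it ignores /etc/hosts.allow and /etc/hosts.deny completely, so rules written there give no protection. The script below is an added example (not code from the original post): it wraps both checks in functions and adds a lookup of the lines in a hosts_access(5)-style file that would apply to a given daemon, so the two can be compared. The binary path or command name is passed by the caller, and the rule file used by the demo is constructed on the spot rather than read from a real system.

```shell
#!/bin/sh
# Added example, not code from the original post: section 6's two checks as
# functions, plus a lookup of the hosts.allow/hosts.deny lines that name a
# given daemon. Assumptions: the caller passes the daemon's binary path or
# command name; "libwrap" is the shared library tcp_wrappers links as; the
# rule file may be any file in hosts_access(5) format (the demo writes one).

# 6.1: 0 if the binary at $1 is dynamically linked against libwrap.
binary_uses_libwrap() {
    [ -x "$1" ] || return 1
    ldd "$1" 2>/dev/null | grep -q 'libwrap'
}

# 6.2: 0 if a running process with command name $1 has libwrap mapped
# (the post's "lsof | grep wrap | grep name", narrowed with lsof -c).
process_uses_libwrap() {
    lsof -c "$1" 2>/dev/null | grep -q 'libwrap'
}

# Print every non-comment line of rule file $2 whose daemon list (the field
# before the first colon) contains daemon $1 or the wildcard ALL; exit 0 if
# at least one line matched, 1 if none did or the file is unreadable.
wrapper_rules_for() {
    grep -v '^[[:space:]]*#' "$2" 2>/dev/null | awk -F: -v s="$1" '
        { n = split($1, d, /[ \t,]+/)
          for (i = 1; i <= n; i++)
              if (d[i] == s || d[i] == "ALL") { print; found = 1; break } }
        END { exit found ? 0 : 1 }'
}

# Demo with a constructed rule file (not a real system's hosts.allow).
rules=$(mktemp)
cat > "$rules" <<'EOF'
# constructed sample in hosts.allow format
sshd: 172.24.0.0/255.255.0.0
vsftpd: ALL
ALL: 172.25.0.0/255.255.0.0: deny
EOF
echo "rules that apply to sshd:"
wrapper_rules_for sshd "$rules"
if binary_uses_libwrap /usr/sbin/sshd; then
    echo "/usr/sbin/sshd links libwrap: the rules above are enforced"
else
    echo "/usr/sbin/sshd not found or not linked against libwrap: the rules above are ignored for it"
fi
```

Run wrapper_rules_for for the daemon in question and binary_uses_libwrap (or process_uses_libwrap) on the same daemon; a non-empty rule list together with a failed libwrap check means the rules exist but are never consulted, and the restriction has to be done in the daemon's own configuration or in iptables instead.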
Apache + mod_ssl configuration example
Configuring an SSL-encrypted virtual host
1. Install the mod_ssl module;
rpm -ivh --force --aid mod_ssl-2.0.52-25.ent
2. Generate the certificate;
cd /usr/share/ssl/certs
[root@test certs]# make server.crt
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.....................++++++
................................................++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -new -key server.key -x509 -days 365 -out server.crt
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:shanghai
Organization Name (eg, company) [My Company Ltd]:company
Organizational Unit Name (eg, section) []:section
Common Name (eg, your name or your server's hostname) []:example
Email Address []:richardliu@example.com
[root@test certs]# openssl x509 -subject -noout -in server.crt
subject=
3. Copy the certificate to the target directory
cp /usr/share/ssl/certs/server.crt /etc/httpd/conf/ssl.crt/.
# the stock RHEL ssl.conf points SSLCertificateKeyFile at ssl.key/server.key; put the key there or change the directive to match
cp /usr/share/ssl/certs/server.key /etc/httpd/conf/ssl.crt/.
4. Edit ssl.conf (/etc/httpd/conf.d/ssl.conf) to define the virtual host
# the <VirtualHost> and <Directory> container lines are reconstructed (not in the original); /opt/tools is the target of the Alias
<VirtualHost _default_:443>
# the ServerAdmin address was not preserved on the original page
ServerAdmin
DocumentRoot /opt
Alias /doc "/opt/tools"
ServerName test.example.com
<Directory "/opt/tools">
# authentication method: lets the .htaccess in this directory supply the auth directives
AllowOverride AuthConfig
Options Indexes MultiViews
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
5. Restart the httpd service;
service httpd restart
6. Test.
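Steps 2 and 3 above are done interactively through the make target, and the des3-encrypted key makes httpd ask for the passphrase at every start unless SSLPassPhraseDialog is configured. The script below is an added example (not code from the original post or from Red Hat): it generates the same kind of self-signed certificate non-interactively, keeps the key unencrypted but mode 600, verifies that the key belongs to the certificate and that the certificate is still valid, and copies both into the ssl.crt/ssl.key layout that RHEL's stock ssl.conf references. The output directory, hostname and destination conf directory are arguments (the demo uses a scratch directory instead of /etc/httpd/conf); the subject fields reuse the values typed in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 2 and 3 done
# non-interactively, plus the checks worth running before "service httpd
# restart". Assumptions: output directory, hostname and destination conf
# directory are arguments; subject fields reuse the values typed in the post;
# the key is written without a passphrase and protected by mode 600 instead.

# Generate server.key (2048-bit RSA, mode 600) and a one-year self-signed
# server.crt in directory $1 with CN $2.
make_selfsigned_cert() {
    dir=$1; cn=$2
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -keyout "$dir/server.key" -out "$dir/server.crt" \
          -subj "/C=cn/ST=shanghai/L=shanghai/O=company/OU=section/CN=$cn/emailAddress=richardliu@example.com" \
          >/dev/null 2>&1 ) || return 1
    # the certificate is public; only the key needs to stay mode 600
    chmod 644 "$dir/server.crt"
}

# 0 if certificate $1 and private key $2 share the same RSA modulus, i.e. the
# key really belongs to the cert (catches copying the wrong file into ssl.key/).
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print subject and expiry (what the post's final openssl x509 command shows)
# and return 0 only while the certificate has not expired.
cert_summary() {
    openssl x509 -noout -subject -enddate -in "$1" &&
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Install into the layout the stock RHEL ssl.conf points at
# (SSLCertificateFile ssl.crt/server.crt, SSLCertificateKeyFile ssl.key/server.key);
# $2 stands in for /etc/httpd/conf so the demo can use a scratch directory.
install_cert() {
    src=$1; conf=$2
    mkdir -p "$conf/ssl.crt" "$conf/ssl.key" &&
    cp "$src/server.crt" "$conf/ssl.crt/server.crt" &&
    cp "$src/server.key" "$conf/ssl.key/server.key" &&
    chmod 600 "$conf/ssl.key/server.key"
}

# Demo in a scratch directory.
work=$(mktemp -d)
make_selfsigned_cert "$work" test.example.com
cert_summary "$work/server.crt"
cert_matches_key "$work/server.crt" "$work/server.key" && echo "key matches certificate"
install_cert "$work" "$work/conf" && ls -l "$work/conf/ssl.key/server.key"
```

cert_matches_key is the check to run after step 3: if the modulus of the key under ssl.key/ differs from the certificate's, httpd will refuse to start the SSL virtual host (or, with a mismatched pair from an earlier attempt, serve a certificate that does not belong to the key), and the error only shows up in the SSL error log after the restart in step 5.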