httpd web application basics (2)

  In the previous post we covered some basic httpd settings: the configuration file format, persistent (keep-alive) connections, MPMs, access control, and the mapping between file-system paths and URLs; for a review see https://www.cnblogs.com/qiuhom-1874/p/12551518.html. Today we continue with the remaining common configuration items.

  1. Defining a path alias: the Alias directive. Syntax: Alias /URL/ "/PATH/TO/SOMEDIR/". What does this mean? Normally, when a user requests /images/, the corresponding file-system directory is the images directory under the path given by the DocumentRoot directive. With an alias, the URI /images no longer has to be the images directory under DocumentRoot: a path on the file system is mapped onto a URL path. The directive can be used in the server config, virtual host and directory contexts.

  Example:

   Note: the example above maps the file-system path "/usr/local/apache/icons/" to the URL path "/icons/" and explicitly grants everyone access to the "/usr/local/apache/icons/" directory; a user requesting /icons/ therefore gets the contents of the file-system directory "/usr/local/apache/icons/".

   Tip: one thing to note is that if the URL path we map ends with "/", the corresponding file-system path must also end with "/". With the example above, a request for the URL /icons (no trailing slash) tells us we have no permission to access it, as shown below

   Tip: this is easy to understand. For the URL in the figure, httpd looks for a file named icons under the file-system path given by DocumentRoot; if it finds one, it returns its content to the user. If icons under the DocumentRoot path is a directory, a request for /icons is redirected to /icons/, which is then matched by the alias path. Because a request for a directory is served by the index file configured for that directory, the URL ends up with a trailing "/", and that URL is matched to the corresponding alias path.

  2. Setting the default character set: AddDefaultCharset charset. This directive adds a default character set to responses; it can be used in the server config, virtual host, directory and .htaccess contexts. The default is Off.

  3. Log settings. A web service has two kinds of logs: the access log, which records users' access to the site, and the error log, which records errors of the server program and similar events.

  ErrorLog: this directive specifies the path and name of the error log. It can be used in the server config section, where it records the main host's error log, and it can also be placed in each virtual host to give each one its own error log. The syntax is: ErrorLog file-path | syslog[:[facility][:tag]]. From the syntax we can see that, besides being written to a specified local file, the error log can also be sent to syslog.

  Example:

   Note: the configuration above stores the error log in the file logs/error_log; a relative path here is relative to the path given by ServerRoot.

  LogLevel: this directive specifies the error log level. Log messages have levels; the directive tells the server which level (and above) of messages to write into the error log.

  Example:

   Note: the above records messages of level warn and above.

  Access log. LogFormat: this directive defines an access log format and gives it a name; later, that name can be passed to the CustomLog directive so the access log is recorded in the format we want. A log format is built from macros; httpd has many built-in macros, each with its own meaning, and we define our access log format by combining them. The common macros and their meanings are as follows

  %h: client IP address;

  %l: remote logname (from identd), usually a minus sign ("-"); this is the user as identified by identd authentication;

  %u: remote user (from auth; may be bogus if return status (%s) is 401); a minus sign for non-authenticated access, otherwise the user name from user authentication;

  %t: the time the server received the request;

  %r: first line of request, i.e. the first line of the request message: the request method, URL and protocol version;

  %>s: the response status code; with ">" the final status code is recorded; without ">" the first status code is recorded, which is not very accurate when the request is redirected internally;

  %b: size of the response in bytes, not including the HTTP response headers;

  %{Referer}i: value of the request's "Referer" header, i.e. the page from which a hyperlink led to the current page;

  %{User-Agent}i: value of the request's "User-Agent" header, i.e. the requesting application;

For more macros, please refer to the official documentation http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#logformat

  Example:

   Note: the configuration above defines two log formats, named combined and common

  CustomLog: this directive specifies the path and name of the access log and the name of the log format to use

  Example:

   Note: the configuration above sets the access log to logs/access_log and records it in the combined format; as before, the log path is relative to the path given by ServerRoot. What does the access log format we defined actually look like? As follows:
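As an added example (not code from the original post), here is a small Python parser for lines in the combined format defined above, with one named group per macro, plus a check that counts 401 responses per client IP; the log lines are constructed for this example and not taken from a real server:

```python
import re
from collections import Counter
from datetime import datetime

# One named group per macro of the "combined" format defined above:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] "(?P<r>[^"]*)" '
    r'(?P<s>\d{3}) (?P<b>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_combined(line):
    """Return a dict of the macro values, or None if the line is not in combined format."""
    m = COMBINED.match(line)
    if not m:
        return None
    d = m.groupdict()
    method, _, rest = d["r"].partition(" ")          # %r is "METHOD URI PROTOCOL"
    uri, _, proto = rest.rpartition(" ")
    d.update(method=method, uri=uri, proto=proto,
             status=int(d["s"]),                       # %>s: the final status code
             bytes=0 if d["b"] == "-" else int(d["b"]),  # %b logs "-" for an empty body
             time=datetime.strptime(d["t"], "%d/%b/%Y:%H:%M:%S %z"))
    return d

def auth_failures(lines):
    """Count 401 responses per client IP; many challenges from one host is worth a look."""
    counts = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec and rec["status"] == 401:
            counts[rec["h"]] += 1
    return counts

# Constructed sample access_log lines in combined format (not from a real server).
SAMPLE_LOG = """\
192.168.0.22 - - [23/Mar/2020:10:01:02 +0800] "GET / HTTP/1.1" 401 381 "-" "curl/7.29.0"
192.168.0.22 - - [23/Mar/2020:10:01:05 +0800] "GET / HTTP/1.1" 401 381 "-" "curl/7.29.0"
192.168.0.22 - tom [23/Mar/2020:10:01:09 +0800] "GET / HTTP/1.1" 200 12 "-" "curl/7.29.0"
192.168.0.31 - - [23/Mar/2020:10:02:00 +0800] "GET /icons/ HTTP/1.1" 200 1024 "http://test/" "Mozilla/5.0"
192.168.0.31 - jerry [23/Mar/2020:10:02:30 +0800] "GET /secret HTTP/1.1" 401 - "-" "Mozilla/5.0"
""".splitlines()
```

The last sample line shows the %u caveat from the macro list: a user name is logged together with a 401, so it should not be trusted as proof of a successful login.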

   4. User-based access control

   First, let's understand a few concepts;

  Authentication challenge: if the server is configured to require authentication before a client can access a resource, then when the client requests that resource the server responds with status code 401 and a response header called WWW-Authenticate. This explicitly refuses the client's access and tells the client that a user name and password are required for this resource. The process is called the authentication challenge: the server tells the client that the resource it is accessing requires a user name and password; as follows

   Authentication: after the client receives the authentication challenge response, the browser shows a dialog box prompting the user to enter a user name and password. The user types them into the dialog box and clicks OK; the client then sends the user name and password to the server in the Authorization request header. The server takes the client's user name and password and checks whether they are correct; if they are, it responds to the client with the content of the requested resource. This process is called authentication. Simply put, the client provides a user name and password, the server checks whether they are correct, and it responds with the resource if they are and refuses if they are not; as shown below

  Security realm: the so-called security realm is the set of resource paths the user is accessing; its name should tell the user clearly why authentication is required;

  With the three concepts above understood, it is easy to see that authentication first needs user names and passwords, and those have to be stored somewhere. When we log in to a Linux system we are prompted for a user name and password, and after logging in successfully we can run commands; Linux stores its user name and password information in the files /etc/passwd and /etc/shadow. So how does httpd store its authentication accounts and passwords? There are actually many ways to store account passwords: they can be kept in a database, or, borrowing the approach Linux takes for system accounts, in a file. If they are stored in a database, we also have to consider how httpd will look up the matching user name and password in that database. When we log in to a shopping site we also need an account and password, but that user name and password are not checked in this way: the authentication challenge we are talking about is the access control mechanism built into the HTTP protocol, and the login of a web site is a different thing. Normally, if the number of accounts and passwords is large, the information is stored in a database; if it is very small, using a database to store them becomes inefficient;

  The httpd program provides a tool for creating the file that stores user names and passwords; it is called htpasswd. Let's look at how it is used;

[root@test_node1-centos7 conf]# htpasswd --help
Usage:
        htpasswd [-cimBdpsDv] [-C cost] passwordfile username
        htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password

        htpasswd -n[imBdps] [-C cost] username
        htpasswd -nb[mBdps] [-C cost] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -b  Use the password from the command line rather than prompting for it.
 -i  Read password from stdin without verification (for script usage).
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 31).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
 -D  Delete the specified user.
 -v  Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
[root@test_node1-centos7 conf]# 

  Tip: -c creates the file that stores user names and passwords (used the first time); -m stores the password encrypted with MD5 (the default method); -s uses SHA; -B forces bcrypt; -p stores the password unencrypted, in clear text; -D deletes a user and password; -b is batch mode, giving the user name and password directly on the command line instead of being prompted for the password; -i reads the password from standard input, which is often used in scripts;

  Now that we know the htpasswd options, let's talk about authentication. httpd has two kinds of user-based authentication: basic (plain-text) authentication and digest (message-digest) authentication. Basic authentication is usually considered unsafe, because the user name and password are easily leaked; digest authentication is relatively safer, but it requires client support. With the authentication process understood, let's look at how httpd is configured for authentication;

  AuthType: this directive specifies the authentication type;

  AuthName "string": this directive tells the user why authentication is needed; it is normally used to prompt the user to enter a user name and password;

  AuthUserFile: specifies the path of the file that stores the user names and passwords;

  require user: allows the specified authenticated users; a user not listed cannot authenticate, even if the user name and password are stored in the AuthUserFile file;

The directives above can only be used in Directory or .htaccess contexts and are generally used to define the security realm;

  Example:

  Create virtual users for httpd basic authentication

[root@test_node1-centos7 conf]# htpasswd -c /etc/httpd/conf.d/.htpasswd tom
New password: 
Re-type new password: 
Adding password for user tom
[root@test_node1-centos7 conf]# htpasswd  /etc/httpd/conf.d/.htpasswd jerry
New password: 
Re-type new password: 
Adding password for user jerry
[root@test_node1-centos7 conf]# cat /etc/httpd/conf.d/.htpasswd 
tom:$apr1$xLIN6FgB$tQbKDzRRMyx/ahUGHhtN10
jerry:$apr1$5gjGaRfC$hK0MOgR6/dYpU5HBDH1nC/
[root@test_node1-centos7 conf]# 

  Tip: we created the file /etc/httpd/conf.d/.htpasswd to store user names and passwords, and created two fictitious users, tom and jerry

   Note: the configuration above means that accessing the root path requires user authentication; the only user allowed to authenticate is tom, and the authentication type is basic

   Tip: you can see that the user tom can log in normally; can the user jerry log in? As follows

   Tip: you can see that a user not listed in require user cannot log in, even though the user name and password exist in AuthUserFile;

   require valid-user: this directive allows every user in AuthUserFile to log in and access

   Note: the configuration above allows all users in the file /etc/httpd/conf.d/.htpasswd to log in and access

   Tip: you can see that every user in AuthUserFile can log in and access

The above are configuration examples of authentication based on user accounts; now let's talk about group-based authentication

  AuthGroupFile: this directive specifies the group file; its format is groupname: user1 user2 ......

  require group: this directive allows the specified groups to authenticate

  Example:

  First create an AuthGroupFile

[root@test_node1-centos7 conf.d]# htpasswd /etc/httpd/conf.d/.htpasswd xiaoming
New password: 
Re-type new password: 
Adding password for user xiaoming
[root@test_node1-centos7 conf.d]# htpasswd /etc/httpd/conf.d/.htpasswd xiaohong
New password: 
Re-type new password: 
Adding password for user xiaohong
[root@test_node1-centos7 conf.d]# cat /etc/httpd/conf.d/.htpasswd 
tom:$apr1$xLIN6FgB$tQbKDzRRMyx/ahUGHhtN10
jerry:$apr1$5gjGaRfC$hK0MOgR6/dYpU5HBDH1nC/
xiaoming:$apr1$xA1lDL.b$frhycSz3Ainlm4kktPn5A1
xiaohong:$apr1$HhAZCYJE$C/75gZ0k9x/5cw47Udooz1
[root@test_node1-centos7 conf.d]# cat > /etc/httpd/conf.d/.htgroup <<EOF
> group1:xiaohong xiaoming
> group2:tom jerry
> EOF
[root@test_node1-centos7 conf.d]# cat /etc/httpd/conf.d/.htgroup 
group1:xiaohong xiaoming
group2:tom jerry
[root@test_node1-centos7 conf.d]# 

  Note: the above adds two new users, xiaoming and xiaohong, then creates an AuthGroupFile called .htgroup under /etc/httpd/conf.d/. The group file explicitly defines two groups: group1 with two members, xiaoming and xiaohong, and group2 with two members, tom and jerry. Next we configure access so that only users in group1 are allowed;

   Note: the configuration above allows members of group1 to authenticate and access

   Tip: you can see that xiaoming and xiaohong in group1 can authenticate and access normally; can the members of group2 access?

   Tip: you can see that members of a group that is not allowed cannot authenticate and access
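Added example (not code from the post or from httpd itself): a Python emulation of what the server does with the Authorization header after the challenge described in section 4, covering the .htpasswd file format, the $apr1$ MD5 hash that htpasswd -m writes, and the require user / valid-user / group decisions. The .htpasswd and .htgroup contents are constructed here from the post's user and group names with a made-up password; the code assumes every stored hash is $apr1$ and does not handle bcrypt, SHA or plain-text entries.

```python
import base64
import hashlib
import hmac
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_crypt(password, salt):
    """Apache's $apr1$ MD5-crypt variant, the default hash written by htpasswd -m."""
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):          # one alt digest per 16 password bytes
        ctx.update(alt[:min(16, n)])
    for bit in reversed(bin(len(pw))[2:]):    # per length bit: NUL or first pw byte
        ctx.update(b"\0" if bit == "1" else pw[:1])
    final = ctx.digest()
    for i in range(1000):                     # 1000 stretching rounds, APR's schedule
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3: c.update(sl)
        if i % 7: c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c in [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]:
        v = (final[a] << 16) | (final[b] << 8) | final[c]   # 24-bit group, low bits first
        out += "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(4))
    out += "".join(ITOA64[(final[11] >> (6 * k)) & 0x3F] for k in range(2))
    return f"$apr1${salt}${out}"

def check_basic(auth_header, htpasswd, htgroup, require):
    """Verify the Authorization header sent after the 401 challenge against .htpasswd
    contents, then apply one Require line. Returns (user or None, allowed)."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None, False
    user, _, pw = base64.b64decode(token).decode().partition(":")
    stored = dict(l.split(":", 1) for l in htpasswd.splitlines() if ":" in l).get(user, "")
    if not stored.startswith("$apr1$") or not hmac.compare_digest(
            apr1_crypt(pw, stored.split("$")[2]), stored):
        return None, False                    # unknown user or wrong password: challenge again
    groups = {g: u.split() for g, u in (l.split(":", 1) for l in htgroup.splitlines() if ":" in l)}
    kind, _, names = require.partition(" ")
    allowed = (kind == "valid-user" or (kind == "user" and user in names.split())
               or (kind == "group" and any(user in groups.get(g, []) for g in names.split())))
    return user, allowed

# Constructed sample files: the post's users and groups, all with password "secret" and, for
# brevity, one shared salt taken from the post's output (htpasswd picks a fresh random salt per entry).
SAMPLE_HTPASSWD = "\n".join(f"{u}:{apr1_crypt('secret', 'xLIN6FgB')}" for u in ("tom", "jerry", "xiaoming", "xiaohong"))
SAMPLE_HTGROUP = "group1:xiaohong xiaoming\ngroup2:tom jerry\n"

def basic_header(user, password):             # what the browser sends after the dialog box
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

A user who verifies but is not covered by the Require line (tom against "group group1") comes back as authenticated but not allowed, which is exactly the case the tips above demonstrate for jerry and for group2.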


Origin www.cnblogs.com/qiuhom-1874/p/12561236.html