Apache's security permission control for directories and addresses

We all know that Apache is a very good web server today, and it offers many kinds of security controls, including access and identity controls. Here I mainly look at address- and directory-based controls.
Apache applies access control per directory, and each directory is placed in its own section. The configuration file is /usr/local/apache2/conf/httpd.conf. Each section is written as a block; the first one is for the / directory. It holds the default settings and appears in the configuration as:
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
Each section is delimited by angle brackets like these. Of course, you can also define sections for your own directories. The key part is the Options line, which describes a number of settings. The available options are Indexes, FollowSymLinks, Includes, ExecCGI and MultiViews; the two simplest are None and All. None disables every option, while All enables all of the options above. Usually our main concern is Indexes and FollowSymLinks.
 
Indexes
Indexes sets whether a directory listing may be displayed when there is no index.html in the directory.
 
FollowSymLinks
FollowSymLinks determines whether symbolic links may be followed out of the DocumentRoot. For example, even though /ftp is not under /home/httpd/html, we can still create /home/httpd/html/ftp as a symbolic link to it, so that http://mydomain.com/ftp gives direct access to that directory.
Here is an example. Using FollowSymLinks is very simple: first set
Options FollowSymLinks
in the appropriate <Directory> section (the section for the parent directory of the symbolic link will do), and then create an alias:
Alias /ftp/ "/home/httpd/html/ftp/"
where the second argument is the symbolic link you created to /ftp. Note that this line goes outside the <Directory> section.
 
AllowOverride
AllowOverride defines whether each directory may override the settings made here (through .htaccess files). Its arguments are Options, FileInfo, AuthConfig, Limit or a combination of them, plus of course None and All. Since / carries the default settings, there is not much to set here; instead, we should control each directory independently in sections after /.
 
Next comes what we care about most, the access permission control of a directory. The common syntax looks like this:
Order Deny,Allow
Allow from All
This means "check the Deny rules first, then allow everything that is not denied". The second line only has Allow and there is no Deny at all, so nothing is prohibited and all access is allowed. This pattern is mainly used to guarantee access, or to override the settings of the parent directory and open access to all of the content.
In the same way, various effects can be achieved.
Following the explanation above, the settings below deny access unconditionally:
Order Allow,Deny
Deny from All
If you want to deny access from some sources and leave everything else open:
Order Deny,Allow
Deny from ip1 ip2
or
Order Allow,Deny
Allow from all
Deny from ip1 ip2
Apache decides which rule wins according to the Order. In the second form above, although the second line allows access, Allow is not the last entry in the Order, so Apache still checks whether a Deny rule matches; the third line therefore takes effect and access from ip1 and ip2 is denied. The "last" entry in Order is what decides, and that is very important. Here are two examples of mistakes and how to correct them:
 
Order Deny,Allow
Allow from all
Deny from domain.org
Error: the intention is to deny access from domain.org, but Deny is not the last entry in the Order. With Deny,Allow the Allow rules are evaluated last, so Allow from all wins and the Deny in the third line takes no effect.
Solution: change the first line to Order Allow,Deny and leave the last two lines unchanged.
Order Allow,Deny
Allow from ip1
Deny from all
Error: the intention is to allow access only from ip1. Although the second line sets an Allow rule, Deny comes later in the Order, so the third line's Deny is decisive, and its scope obviously includes ip1 (all includes ip1); as a result all access is denied.
Solution 1: simply remove the third line.
Solution 2:
Order Deny,Allow
Deny from all
Allow from ip1
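To check blocks like the ones above before deploying them, here is an added example (not from the original post) that models how Apache 2.2's mod_authz_host evaluates Order, Allow from and Deny from, and runs the two mistaken blocks and their fixes against sample clients. The client addresses and host names in it are constructed values, and the matching of arguments is simplified to "all", a full IP, a partial IP ending in ".", or a domain suffix.

```python
# Added example, not from the original post: a small model of how Apache 2.2's
# mod_authz_host evaluates Order / Allow from / Deny from, used to check the
# blocks discussed above against sample clients. Matching is simplified to
# "all", a full IP, a partial IP ending in "." (e.g. "10.0."), or a host-name
# suffix such as "domain.org"; the IPs below are constructed sample values.

def _matches(pattern, client_ip, client_host):
    """True if a single Allow/Deny argument covers this client."""
    p = pattern.lower()
    if p == "all":
        return True
    if p.endswith("."):                  # partial IP prefix
        return client_ip.startswith(p)
    if p[0].isdigit():                   # full IP address
        return client_ip == p
    h = (client_host or "").lower()      # domain: the host or any subdomain
    return h == p or h.endswith("." + p)

def evaluate(section, client_ip, client_host=None):
    """Apply one Order/Allow/Deny block; return True if access is granted."""
    order, allows, denies = "deny,allow", [], []
    for line in section.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()     # "allow,deny" or "deny,allow"
        elif key in ("allow", "deny") and parts[1].lower() == "from":
            (allows if key == "allow" else denies).extend(parts[2:])
    allowed = any(_matches(p, client_ip, client_host) for p in allows)
    denied = any(_matches(p, client_ip, client_host) for p in denies)
    if order == "allow,deny":
        # Allow evaluated first, Deny last: a Deny match overrides; default is deny.
        return allowed and not denied
    # deny,allow: Deny evaluated first, Allow last: an Allow match overrides; default is allow.
    return allowed or not denied

# First mistake from the post: Allow from all is evaluated last and wins.
WRONG_1 = "Order Deny,Allow\nAllow from all\nDeny from domain.org\n"
# Its fix: with Allow,Deny the Deny on domain.org overrides.
FIXED_1 = WRONG_1.replace("Deny,Allow", "Allow,Deny")
# Second mistake: Deny from all is evaluated last and overrides Allow from ip1.
WRONG_2 = "Order Allow,Deny\nAllow from 10.0.0.5\nDeny from all\n"
FIXED_2 = "Order Deny,Allow\nDeny from all\nAllow from 10.0.0.5\n"
```

Calling evaluate(WRONG_1, "203.0.113.7", "www.domain.org") returns True, showing the hole the post describes, while the fixed block returns False for that client and True for everyone else.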

 

This article is from the "Linux修炼" blog; please keep this source notice: http://fexzi.blog.51cto.com/1131304/298552
