Contents
Part5 access log does not record static files
Part7 Configure the expiration time of static elements
Part9 Access Control Whitelist
Part10 Access Control-Prohibit parsing PHP
Part11 Access control-user agent
Reference address Douxue.com website link
- One server can host multiple websites; each website is a virtual host.
- Concepts: domain name (host name), DNS, resolving a domain name, the hosts file.
- The default virtual host is the one served for any domain name that resolves to this machine but matches no other virtual host (in Apache it is the first one defined).
[root@bogon conf]# cd /usr/local/apache/conf
[root@bogon conf]# ls
extra httpd.conf magic mime.types original
[root@bogon conf]# vim httpd.conf
[root@bogon conf]# vim extra/httpd-vhosts.conf // virtual host configuration file
[root@bogon conf]# cd extra
[root@bogon extra]# cp httpd-vhosts.conf httpd-vhosts-bak // back up the file first
Part1 Default virtual host
<VirtualHost *:80>
ServerAdmin [email protected] // administrator's e-mail address
DocumentRoot "/usr/local/apache/docs/abc.com" // root directory of this virtual host's site
ServerName abc.com // the website's domain name
ServerAlias www.abc.com www.aaa.com // additional domain names (aliases) for the site
</VirtualHost>
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache/docs/111.com"
ServerName 111.com
ErrorLog "logs/111.com-error_log"
CustomLog "logs/111.com-access_log" common
</VirtualHost>
(1) Restart the Apache service
[root@bogon docs]# /usr/local/apache/bin/apachectl -t
[root@bogon docs]# /usr/local/apache/bin/apachectl graceful
[root@bogon docs]# ps -ef | grep http
(2) File editing
[root@bogon apache]# mkdir docs
[root@bogon apache]# ls
bin build cgi-bin conf docs error htdocs icons include logs man manual modules
[root@bogon apache]# cd docs
[root@bogon docs]# ls
[root@bogon docs]# mkdie
-bash: mkdie: 未找到命令
[root@bogon docs]# mkdir abc.com
[root@bogon docs]# mkdir 111.com
[root@bogon docs]# vim abc.com/index.html // file content: aaa.com
[root@bogon docs]# vim 111.com/index.html // file content: 111.com
(3) Configuration verification
[root@bogon docs]# curl -xlocalhost:80 www.abc.com
aaa.com
[root@bogon docs]# curl -xlocalhost:80 www.aaa.com
aaa.com
[root@bogon docs]# curl -xlocalhost:80 111.com
111.com
[root@bogon 111.com]# vim index.php
[root@bogon 111.com]# cat index.php
<?php
echo "111.com";
?>
[root@bogon 111.com]# curl -xlocalhost:80 111.com/index.php
111.com
Part2 User Authentication
User authentication is used to control access to web pages in certain directories. When users access these pages, they need to enter their username and password for authentication.
[root@bogon conf]# cd extra
[root@bogon extra]# vim httpd-vhosts.conf // virtual host configuration file
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache/docs/abc.com"
ServerName abc.com
ServerAlias www.abc.com www.aaa.com
<Directory /usr/local/apache/docs/abc.com>
AllowOverride AuthConfig
AuthName "abc.com user auth"
AuthType Basic
AuthUserFile /usr/local/apache/docs/.htpasswd
require valid-user
</Directory>
ErrorLog "logs/abc.com-error_log"
CustomLog "logs/abc.com-access_log" common
</VirtualHost>
#<VirtualHost *:80>
# ServerAdmin [email protected]
# DocumentRoot "/usr/local/apache/docs/111.com"
# ServerName 111.com
# ErrorLog "logs/111.com-error_log"
# CustomLog "logs/111.com-access_log" common
#</VirtualHost>
1. User authentication for the entire website
(1) Restart the Apache service
[root@bogon extra]# /usr/local/apache/bin/apachectl -t
Syntax OK
[root@bogon extra]# /usr/local/apache/bin/apachectl graceful
httpd not running, trying to start
[root@bogon extra]# ps -ef | grep http
(2) Create a new user and password
[root@bogon extra]# /usr/local/apache/bin/htpasswd -cm /usr/local/apache/docs/.htpasswd xuan
New password:
Re-type new password:
Adding password for user xuan
htpasswd is the tool that creates users in the password file: -c creates the file (needed only the first time; running it again with -c overwrites the existing file and every user in it), -m hashes the password with MD5 (Apache's salted APR1 variant), and /usr/local/apache/docs/.htpasswd is the password file.
(3) Test configuration
# status code 401
[root@bogon extra]# curl -xlocalhost:80 abc.com -I
HTTP/1.1 401 Unauthorized
Date: Thu, 29 Dec 2022 09:14:09 GMT
Server: Apache/2.4.39 (Unix)
WWW-Authenticate: Basic realm="abc.com user auth"
Content-Type: text/html; charset=iso-8859-1
# status code 200
[root@bogon extra]# curl -xlocalhost:80 -u xuan:xuan abc.com -I
HTTP/1.1 200 OK
Date: Thu, 29 Dec 2022 09:17:12 GMT
Server: Apache/2.4.39 (Unix)
Last-Modified: Thu, 29 Dec 2022 07:44:41 GMT
ETag: "8-5f0f2a865b97a"
Accept-Ranges: bytes
Content-Length: 8
Content-Type: text/html
(4) Host access
To test from a browser on another machine, add the CentOS server's IP address to that machine's hosts file:
<CentOS IP address> abc.com www.aaa.com www.abc.com 111.com
2. User authentication for a single file
(1) File configuration
User authentication restrictions for admin.php
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache/docs/abc.com"
ServerName abc.com
ServerAlias www.abc.com www.aaa.com
<FilesMatch admin.php>
AllowOverride AuthConfig
AuthName "abc.com user auth"
AuthType Basic
AuthUserFile /usr/local/apache/docs/.htpasswd
require valid-user
</FilesMatch>
ErrorLog "logs/abc.com-error_log"
CustomLog "logs/abc.com-access_log" common
</VirtualHost>
[root@bogon abc.com]# cd /usr/local/apache/docs/abc.com
[root@bogon abc.com]# vim admin.php
[root@bogon abc.com]# cat admin.php
<?php
echo "abc.php --admin.php"
?>
(2) Generate user password
[root@bogon extra]# /usr/local/apache/bin/htpasswd -cm /usr/local/apache/docs/.htpasswd xuan
New password: aaa
Re-type new password: aaa
Adding password for user xuan
(3) Test configuration
[root@bogon abc.com]# curl -xlocalhost:80 abc.com/admin.php -I // status code 401
[root@bogon abc.com]# curl -xlocalhost:80 -u xuan:aaa abc.com/admin.php -I // status code 200
Part3 Domain name redirect (domain name jump)
When a website changes its domain name, or several domain names are registered for one website, a domain name redirect sends visitors from the other names to the main one.
(1) Configuration file modification
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache/docs/111.com"
ServerName 111.com
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} !^111.com$
RewriteRule ^/(.*)$ http://111.com/$1 [R=301,L]
</IfModule>
ErrorLog "logs/abc.com-error_log"
CustomLog "logs/abc.com-access_log" common
</VirtualHost>
How the rule works: when the Host header is anything other than 111.com (RewriteCond ... !^111.com$), the request is redirected to the same path under http://111.com/ with status code 301 (permanent redirect); the L flag stops further rule processing.
(2) Service configuration
[root@bogon com]# /usr/local/apache/bin/apachectl -M | grep rewrite
# no output: mod_rewrite is not loaded
[root@bogon com]# vim /usr/local/apache/conf/httpd.conf
Enable mod_rewrite in httpd.conf by uncommenting the LoadModule rewrite_module line.
(3) Restart the Apache service
[root@bogon com]# /usr/local/apache/bin/apachectl -t
[root@bogon com]# /usr/local/apache/bin/apachectl graceful
(4) Configuration verification
[root@bogon com]# curl -xlocalhost:80 2111.com.cn -I // status code 301
[root@bogon com]# curl -xlocalhost:80 66.com.cn -I // status code 301
[root@bogon com]# curl -xlocalhost:80 2111.com.cn/admin.php -I // status code 301
Part4 access log
Access logs are very useful. They can not only record website visits, but also help us locate problems when abnormalities occur on the website.
[root@localhost docs]# vi /usr/local/apache2.4/conf/httpd.conf // search for LogFormat
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common // the default format is common
(1) File configuration
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache/docs/111.com"
ServerName 111.com
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} !^111.com$
RewriteRule ^/(.*)$ http://111.com/$1 [R=301,L]
</IfModule>
ErrorLog "logs/abc.com-error_log"
CustomLog "logs/abc.com-access_log" combined
</VirtualHost>
(2)Apache service restart
[root@bogon com]# /usr/local/apache/bin/apachectl -t
[root@bogon com]# /usr/local/apache/bin/apachectl graceful
(3) Verify configuration
[root@bogon logs]# pwd
/usr/local/apache/logs
[root@bogon logs]# curl -xlocalhost:80 2111.com.cn/admin.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://111.com/admin.php">here</a>.</p>
</body></html>
[root@bogon logs]# cat abc.com-access_log
# newly added entry
::1 - - [29/Dec/2022:21:12:23 +0800] "GET HTTP://2111.com.cn/admin.php HTTP/1.1" 301 232
Part5 access log does not record static files
Static files are files the server does not generate dynamically, such as JavaScript, CSS files and images; they are sent to the browser as-is when requested. Excluding them keeps the access log small, but every request for such a path then leaves no trace in it.
Before the configuration
[root@bogon extra]# vim httpd-vhosts.conf
CustomLog "logs/abc.com-access_log" combined
[root@bogon 111.com]# cd /usr/local/apache/docs/111.com
[root@bogon 111.com]# mkdir images
[root@bogon 111.com]# ls
images index.html index.php
[root@bogon images]# cd /usr/local/apache/docs/111.com/images
[root@bogon images]# ls
2.png
# restart the Apache service
[root@bogon images]# curl -xlocalhost:80 www.111.com/images/2.png -I
# status code 200, the file is accessible
HTTP/1.1 200 OK
Date: Thu, 29 Dec 2022 13:31:57 GMT
Server: Apache/2.4.39 (Unix)
Last-Modified: Thu, 29 Dec 2022 13:30:07 GMT
ETag: "4e34-5f0f77bbd7f47"
Accept-Ranges: bytes
Content-Length: 20020
Content-Type: image/png
# check the log
::1 - - [29/Dec/2022:21:31:57 +0800] "HEAD HTTP://www.111.com/images/2.png HTTP/1.1" 200 - "-" "curl/7.29.0"
After the configuration
(1) File configuration
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache/docs/111.com"
ServerName 111.com
#<IfModule mod_rewrite.c>
# RewriteEngine on
# RewriteCond %{HTTP_HOST} !^111.com$
# RewriteRule ^/(.*)$ http://111.com/$1 [R=301,L]
# </IfModule>
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "logs/111.com-access_log" combined env=!img
ErrorLog "logs/111.com-error_log"
#CustomLog "logs/abc.com-access_log" combined
</VirtualHost>
(2) Restart the Apache service
[root@bogon extra]# /usr/local/apache/bin/apachectl -t
[root@bogon extra]# /usr/local/apache/bin/apachectl graceful
(3) Verify configuration
[root@bogon extra]# curl -xlocalhost:80 www.111.com/images/linux.png -I
HTTP/1.1 404 Not Found
Date: Thu, 29 Dec 2022 13:48:45 GMT
Server: Apache/2.4.39 (Unix)
Content-Type: text/html; charset=iso-8859-1
# the request is served, but the log file has no entry for it
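To see which requests the `SetEnvIf ... img` / `CustomLog ... env=!img` pair keeps out of the log, the Python below (an added example, not from the page) parses constructed `combined`-format lines and applies the same seven extension patterns to the request path. SetEnvIf matches Request_URI, which is the path without scheme, host or query string, so `/admin.php?file=x.png` is still logged while any path ending in a listed extension, including `/index.php/fake.png`, is not.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format, modelled on the entries
# shown earlier on the page; they are not from a real server.
SAMPLE_LOG = """\
::1 - - [29/Dec/2022:21:31:57 +0800] "HEAD HTTP://www.111.com/images/2.png HTTP/1.1" 200 - "-" "curl/7.29.0"
::1 - - [29/Dec/2022:21:32:10 +0800] "GET /index.php HTTP/1.1" 200 7 "-" "curl/7.29.0"
::1 - - [29/Dec/2022:21:32:31 +0800] "GET /admin.php?file=x.png HTTP/1.1" 200 7 "-" "curl/7.29.0"
::1 - - [29/Dec/2022:21:33:02 +0800] "GET /index.php/fake.png HTTP/1.1" 200 7 "-" "Mozilla/5.0"
::1 - - [29/Dec/2022:21:33:40 +0800] "GET /static/app.js HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Field layout of LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The same extensions the page's SetEnvIf lines tag with the env variable "img".
STATIC_RE = re.compile(r'.*\.(gif|jpg|png|bmp|swf|js|css)$')

def parse_combined(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # %r is "METHOD target PROTOCOL"; the target is a path, or an absolute URL
    # when the client went through a proxy as the curl -x calls on the page do.
    parts = entry["request"].split(" ")
    entry["method"] = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    # SetEnvIf Request_URI sees only the path: no scheme, host or query string.
    entry["request_uri"] = urlsplit(target).path
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry

def is_static(entry):
    """True when the SetEnvIf rules would set env=img, so CustomLog env=!img skips the request."""
    return STATIC_RE.match(entry["request_uri"]) is not None

def split_log(text):
    """Return (logged, suppressed): the entries CustomLog ... env=!img would keep and drop."""
    logged, suppressed = [], []
    for line in text.splitlines():
        entry = parse_combined(line)
        if entry is not None:
            (suppressed if is_static(entry) else logged).append(entry)
    return logged, suppressed
```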
Part6 Access log cutting
If the log grows indefinitely it will eventually fill the disk, so it must be rotated automatically and old log files removed.
(1) File configuration
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache/docs/111.com"
ServerName 111.com
#<IfModule mod_rewrite.c>
# RewriteEngine on
# RewriteCond %{HTTP_HOST} !^111.com$
# RewriteRule ^/(.*)$ http://111.com/$1 [R=301,L]
# </IfModule>
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
ErrorLog "logs/111.com-error_log"
# changed part: the contents of the CustomLog directive
CustomLog "|/usr/local/apache/bin/rotatelogs -l logs/www.111.com-access_%Y%m%d.log 86400" combined env=!img
#CustomLog "logs/abc.com-access_log" combined
</VirtualHost>
(2) Restart the Apache service
[root@bogon extra]# /usr/local/apache/bin/apachectl -t
[root@bogon extra]# /usr/local/apache/bin/apachectl graceful
[root@bogon extra]# ps -ef | grep http
(3) Verify configuration
[root@bogon logs]# cd /usr/local/apache/logs
[root@bogon logs]# ls
www.111.com-access_20221229.log
[root@bogon extra]# curl -xlocalhost:80 www.111.com -I
# each access to www.111.com now goes to a log file whose name carries the date; rotatelogs only starts a new file every 86400 seconds, so removing old files still needs a separate job (e.g. cron)
Part7 Configure the expiration time of static elements
When a browser fetches an image from the site, it caches the static file locally so that it need not be downloaded again on the next visit; the Expires and Cache-Control headers configured below tell it how long the cached copy stays valid.
(1) Configuration file
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache/docs/111.com"
ServerName 111.com
# expiry time for static elements
<IfModule mod_expires.c>
ExpiresActive on
ExpiresByType image/gif "access plus 1 days"
ExpiresByType image/jpeg "access plus 24 hours"
ExpiresByType image/png "access plus 24 hours"
ExpiresByType text/css "now plus 2 hour"
ExpiresByType application/x-javascript "now plus 2 hours"
ExpiresByType application/javascript "now plus 2 hours"
ExpiresByType application/x-shockwave-flash "now plus 2 hours"
ExpiresDefault "now plus 0 min"
</IfModule>
ErrorLog "logs/www.111.com-error_log"
CustomLog "logs/www.111.com-access_log" combined
</VirtualHost>
(2) Enable the expires module
# check whether the expires module is loaded
[root@bogon conf]# /usr/local/apache2.4/bin/apachectl -M | grep -i expires
expires_module (shared)
# if it is missing, enable it by uncommenting the LoadModule expires_module line in httpd.conf
[root@bogon conf]# cd /usr/local/apache/conf
[root@bogon conf]# vim httpd.conf
(3) Restart the Apache service
[root@bogon extra]# /usr/local/apache/bin/apachectl -t
[root@bogon extra]# /usr/local/apache/bin/apachectl graceful
[root@bogon extra]# ps -ef | grep http
(4) Verify configuration
[root@bogon conf]# curl -xlocalhost:80 www.111.com/images/2.png -I
HTTP/1.1 200 OK
Date: Thu, 29 Dec 2022 15:28:04 GMT
Server: Apache/2.4.39 (Unix)
Last-Modified: Thu, 29 Dec 2022 13:30:07 GMT
ETag: "4e34-5f0f77bbd7f47"
Accept-Ranges: bytes
Content-Length: 20020
Cache-Control: max-age=86400
Expires: Fri, 30 Dec 2022 15:28:04 GMT
Content-Type: image/png
Log file entry:
::1 - - [29/Dec/2022:23:28:04 +0800] "HEAD HTTP://www.111.com/images/2.png HTTP/1.1" 200 - "-" "curl/7.29.0"
Part8 Anti-hotlinking
Anti-hotlinking stops other sites from embedding resources hosted on your website (typically images, videos, audio files, documents and so on) and consuming your bandwidth.
(1) Configuration file
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache/docs/www.111.com"
ServerName www.111.com
ServerAlias 111.com
ErrorLog "logs/111.com-error_log"
# anti-hotlinking configuration
<Directory /usr/local/apache/docs/www.111.com>
SetEnvIfNoCase Referer "http://www.111.com" local_ref
SetEnvIfNoCase Referer "http://111.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">
Order Allow,Deny
Allow from env=local_ref
</filesmatch>
</Directory>
</VirtualHost>
// First define the Referer values that are allowed; ^$ matches an empty Referer.
// When the image URL is typed directly into the browser, the Referer is empty.
// The Referer is supplied by the client (as the curl -e test below shows), so this blocks ordinary embedding from other sites, not a client that sets the header itself.
(2) Restart the Apache service
[root@bogon extra]# /usr/local/apache/bin/apachectl -t
[root@bogon extra]# /usr/local/apache/bin/apachectl graceful
[root@bogon extra]# ps -ef | grep http
(3) Configuration verification
curl -e "http://www.douxue.com/123.php" -xlocalhost:80 www.111.com/images/2.png -I // foreign Referer: status code 403
curl -e "http://www.111.com/123.php" -xlocalhost:80 www.111.com/images/2.png -I // own Referer: status code 200
curl -xlocalhost:80 www.111.com/images/2.png -I // no Referer sent (empty): status code 200
Part9 Access Control Whitelist
(1) File configuration
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache/docs/www.111.com"
ServerName www.111.com
ServerAlias 111.com
# access control: whitelist
<Directory /usr/local/apache/docs/www.111.com/admin/>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
ErrorLog "logs/111.com-error_log"
CustomLog "logs/111.com-access_log" common
</VirtualHost>
(2) Start the Apache service
[root@bogon extra]# /usr/local/apache/bin/apachectl -t
[root@bogon extra]# /usr/local/apache/bin/apachectl graceful
[root@bogon extra]# ps -ef | grep http
(3) Verify configuration
[root@bogon www.111.com]# curl -xlocalhost:80 www.111.com/admin/123.php -I // status code 403
[root@bogon www.111.com]# curl -x127.0.0.1:80 www.111.com/admin/123.php -I // status code 200
Extension: restrict access to every URL under www.111.com whose file name begins with admin.php
(1) File configuration
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache/docs/www.111.com"
ServerName www.111.com
ServerAlias 111.com
# access control: whitelist
<Directory /usr/local/apache/docs/www.111.com>
<FilesMatch "admin\.php(.*)">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>
</Directory>
ErrorLog "logs/111.com-error_log"
CustomLog "logs/111.com-access_log" common
</VirtualHost>
[root@bogon www.111.com]# cd /usr/local/apache/docs/www.111.com
[root@bogon www.111.com]# cat admin.php
<?php
echo "www.111.com --123.php";
?>
(2) Restart the Apache service
[root@bogon extra]# /usr/local/apache/bin/apachectl -t
[root@bogon extra]# /usr/local/apache/bin/apachectl graceful
[root@bogon extra]# ps -ef | grep http
(3) Verify configuration
[root@bogon www.111.com]# curl -x127.0.0.1:80 www.111.com/admin.php?vcaf -I
# status code 200 (request from the whitelisted 127.0.0.1)
Part10 Access Control-Prohibit parsing PHP
Websites written in PHP often have directories that accept uploaded files. If the site's code has a flaw that lets an attacker upload a PHP file, and the server executes PHP in that directory, the attacker ends up running code with the web server's privileges.
To prevent this, PHP parsing is disabled outright in any directory that accepts uploads. The php_admin_flag directive used below belongs to mod_php, so it applies when PHP runs as an Apache module.
(1) File configuration
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
ServerName www.111.com
ServerAlias 111.com
ErrorLog "logs/111.com-error_log"
# access control: disable PHP parsing
<Directory /usr/local/apache2.4/docs/www.111.com/upload>
php_admin_flag engine off
</Directory>
</VirtualHost>
(2) Restart the Apache service
[root@bogon extra]# /usr/local/apache/bin/apachectl -t
[root@bogon extra]# /usr/local/apache/bin/apachectl graceful
[root@bogon extra]# ps -ef | grep http
(3) Verify configuration
[root@bogon extra]# curl -xlocalhost:80 www.111.com/upload/123.php
<?php
echo "www.111.com --123.php";
?>
# only the source is returned; it is not parsed
Part11 Access control-user agent
Requests whose User-Agent header matches either pattern below are refused with 403 (the [F] flag). The header is chosen by the client, so this only filters clients that identify themselves by it.
(1) File configuration
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
ServerName www.111.com
ServerAlias 111.com
ErrorLog "logs/111.com-error_log"
# access control: User-Agent
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]
</IfModule>
</VirtualHost>
(2) Restart the Apache service
[root@bogon extra]# /usr/local/apache/bin/apachectl -t
[root@bogon extra]# /usr/local/apache/bin/apachectl graceful
[root@bogon extra]# ps -ef | grep http
(3) Configuration verification
curl -xlocalhost:80 www.111.com/upload/123.php // status code 403 (curl's default User-Agent matches the first pattern)