On the Apache access control configuration

To better control access to site resources, access authorization can be added for specific website directories.
Client address restrictions:
The Require configuration item decides whether a client is allowed access based on its host name or IP address. In the httpd server's main configuration file, Require can be used inside the <Location>, <Directory>, <Files> and <Limit> configuration sections to control client access.
The common formats are as follows:
Require all granted: allows access from all hosts
Require all denied: denies access from all hosts
Require local: allows access only from the local host
Require [not] host <host name or domain name list>: allows or denies access from the specified hosts or domains
Require [not] ip <IP address or network segment list>: allows or denies access from the specified IP addresses or network segments
Specific usage:
Path: /usr/local/httpd/conf/httpd.conf
1. Allow all hosts

    <Directory "/usr/local/httpd/htdocs">
        # …… (part of the content omitted)
        # Allow access from all hosts
        Require all granted
    </Directory>

2. Allow only a single host

    <Directory "/usr/local/httpd/htdocs">
        # …… (part of the content omitted)
        # Allow access from a single host
        Require ip 192.168.1.20
    </Directory>

3. Deny only one host or network segment (Note: when using not to deny access, the rules must be placed inside a <RequireAll> </RequireAll> container, with the corresponding policy configured in that container):

    <Directory "/usr/local/httpd/htdocs">
        # ……
        <RequireAll>
            # Allow access from all hosts
            Require all granted
            # Deny the 192.168.0.0/24 network segment and the host 192.168.1.20
            Require not ip 192.168.0.0/24 192.168.1.20
        </RequireAll>
    </Directory>

When an unauthorized client accesses the directory, the request is rejected and an HTTP 403 error is displayed.
User authorization restrictions:
User-based access control involves two processes, authentication and authorization. It is a way for Apache to allow specified users to access particular resources with a user name and password.
Apache supports two methods: digest authentication (Digest) and basic authentication (Basic). Note: to use digest authentication, "--enable-auth-digest" must be added when configuring httpd before compiling.
1. Create the user authentication data file:

 [root@www /]# cd /usr/local/httpd/
 [root@www httpd]# bin/htpasswd -c /usr/local/httpd/conf/.awspwd zhangsan
   New password:                    // the -c option creates this file // set the password as prompted
   Re-type new password:       // omitting -c means the specified user data file already exists
   Adding password for user zhangsan
 [root@www httpd]# cat /usr/local/httpd/conf/.awspwd     // confirm the user data file
   zhangsan:$apr1$ROjz961w$dafGJ0Uf2BRIIlaykDkJH/
   lisi:$apr1$Zke/LK3e$zlTZ1W9zwt3u5w.91LDWd/

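2. Add the user authorization configuration:

 [root@www /]# vim /usr/local/httpd/conf/httpd.conf
 <Directory "/usr/local/httpd/htdocs">
     # …… (part of the content omitted)
     Require all denied
     # Define the name of the protected realm
     AuthName "webserver"
     # Set the authentication type
     AuthType Basic
     # Path of the authentication file that holds the user accounts and passwords
     AuthUserFile /usr/local/httpd/conf/.awspwd
     # Only valid users in the authentication file may access (to authorize only a single user, change this to the specified user name, e.g. webadmin)
     Require valid-user
 </Directory>
 [root@www /]# systemctl restart httpd   # restart the service so the new configuration takes effect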

Note that when user authorization and host access control are both set, the host access control settings take effect first. All access therefore has to be denied so that the site is accessed with an authorized user name.
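
How host rules and user rules combine depends on the container around them. The following is an added example, not part of the original post; the `either` and `both` subdirectories and the 192.168.1.0/24 network are assumptions chosen for illustration. Bare Require lines in one section form an implicit <RequireAny>, while <RequireAll> requires every rule inside it to pass.

```apache
# Added example; the two subdirectory names and the 192.168.1.0/24
# network are assumptions, the password file path is the one used above.

# Variant A: bare Require lines are combined as an implicit <RequireAny>.
# A client inside 192.168.1.0/24 is admitted WITHOUT a password;
# any other client is admitted only after a valid login.
<Directory "/usr/local/httpd/htdocs/either">
    AuthName "webserver"
    AuthType Basic
    AuthUserFile /usr/local/httpd/conf/.awspwd
    Require ip 192.168.1.0/24
    Require valid-user
</Directory>

# Variant B: <RequireAll> demands that every rule inside succeeds.
# The client must come from 192.168.1.0/24, must not be 192.168.1.20,
# AND must log in as a user listed in the password file.
<Directory "/usr/local/httpd/htdocs/both">
    AuthName "webserver"
    AuthType Basic
    AuthUserFile /usr/local/httpd/conf/.awspwd
    <RequireAll>
        Require ip 192.168.1.0/24
        Require not ip 192.168.1.20
        Require valid-user
    </RequireAll>
</Directory>
```

Running `apachectl -t` before restarting the service checks the edited file for syntax errors.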

Origin blog.51cto.com/14227204/2424608