Access control based on client IP address
Access to any resource can be controlled in two ways:
client source address
user account
Access control based on the client IP address:
A directory without explicit authorization is denied by default
Allow all hosts: Require all granted
Deny all hosts: Require all denied
Control access from specific IP addresses:
Require ip IPADDR: authorize access from the given source IP
Require not ip IPADDR: deny access from the given IP
Control access from specific hosts:
Require host HOSTNAME: authorize the given host
Require not host HOSTNAME: deny the given host
HOSTNAME:
FQDN: one specific host
domain.tld: every host under the given domain
Blacklist: no directive may fail, and at least one must succeed, for access to be granted; failure takes priority
<RequireAll>
Require all granted
# deny one specific IP
Require not ip 172.31.1.100
</RequireAll>
Whitelist: if any one of the directives succeeds, access is granted; success takes priority
<RequireAny>
Require all denied
# allow one specific IP
require ip 172.31.1.188
</RequireAny>
Example:
<directory /var/www/html/dir>
<requireany>
require all denied
Require ip 172.31.0.0/16
</requireany>
</directory>
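To make the failure-first and success-first rules concrete, here is an added Python model of how httpd evaluates Require all / Require ip / Require not ip lines inside RequireAll and RequireAny (example code written for these notes, not part of httpd; the function names and the three outcomes granted, denied and neutral are this example's own, following the mod_authz_core documentation). It also shows why the blacklist must sit in RequireAll: inside RequireAny the Require all granted line wins and the Require not line blocks nobody.

```python
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

def _network(spec):
    """Accept httpd's address forms: host, CIDR (172.31.0.0/16) or partial (172.31)."""
    if "/" not in spec and ":" not in spec and spec.count(".") < 3:
        octets = spec.split(".")
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(spec, strict=False)

def evaluate(directive, client_ip):
    """Outcome of one 'Require [not] all|ip ...' line for a client address."""
    words = directive.split()
    if words[0].lower() != "require":
        raise ValueError(f"not a Require directive: {directive}")
    negated = words[1].lower() == "not"
    provider, *values = words[2:] if negated else words[1:]
    if provider.lower() == "all":
        result = GRANTED if values[0].lower() == "granted" else DENIED
    elif provider.lower() == "ip":
        addr = ipaddress.ip_address(client_ip)
        result = GRANTED if any(addr in _network(v) for v in values) else DENIED
    else:
        raise ValueError(f"provider not modelled in this example: {provider}")
    if negated:   # a negated line can only deny (when it matches) or stay neutral
        return DENIED if result == GRANTED else NEUTRAL
    return result

def require_all(directives, client_ip):
    """Failure first: one denial denies; otherwise one grant is enough."""
    results = [evaluate(d, client_ip) for d in directives]
    if DENIED in results:
        return DENIED
    return GRANTED if GRANTED in results else NEUTRAL

def require_any(directives, client_ip):
    """Success first: one grant grants, so a 'not' line in here blocks nobody."""
    results = [evaluate(d, client_ip) for d in directives]
    if GRANTED in results:
        return GRANTED
    return DENIED if DENIED in results else NEUTRAL

# The containers from the notes above (constructed test data)
BLACKLIST = ["Require all granted", "Require not ip 172.31.1.100"]
WHITELIST = ["Require all denied", "Require ip 172.31.1.188"]
SUBNET = ["Require all denied", "Require ip 172.31.0.0/16"]

if __name__ == "__main__":
    print(require_all(BLACKLIST, "172.31.1.100"))   # denied
    print(require_any(BLACKLIST, "172.31.1.100"))   # granted: blacklist misplaced in RequireAny
    print(require_any(SUBNET, "172.31.200.9"))      # granted
```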
Log settings
httpd has two log types:
access log
error log
Error log:
# LogLevel options: debug, info, notice, warn, error, crit, alert, emerg
LogLevel warn
ErrorLog logs/error_log
Access log:
Define a log format:
LogFormat format nickname
Use a log format:
CustomLog file nickname
Example:
LogFormat "%h %l %u [%{%F %T}t] \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" testlog
Reference: http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
%h # client IP address
%l # remote logname; only meaningful when mod_ident is enabled, usually a dash "-"
%u # authenticated (basic, digest) remote user; a dash "-" for unauthenticated requests
%t # time the server received the request
%r # first line of the request, i.e. the request line: method, URL and protocol version
%>s # final response status code
%b # size of the response body in bytes, excluding the HTTP headers
%{Referer}i # value of the request header "Referer", i.e. the page whose hyperlink led to the current page
%{User-Agent}i # value of the request header "User-Agent", i.e. the application that made the request
%{VARNAME}i # the contents of the VARNAME: header line(s) in the request sent to the server
Example: use a custom access log format to get a custom time format
[root@centos8 ~]# vim /etc/httpd/conf/httpd.conf
logFormat "%h \"%{%F %T}t\" %>s \"%{User-Agent}i\"" testlog
CustomLog "logs/access_log" testlog
[root@centos8 ~]# tail -f /var/log/httpd/access_log
172.31.0.7 "2021-05-29 10:26:51" 200 "curl/7.29.0"
Access control based on users
Authentication challenge: WWW-Authenticate; the server answers with status 401, rejects the request and tells the client it must supply an account and password
Authentication: Authorization; the client resends the request with the account and password filled in; if authentication succeeds, the server returns the requested resource
Two authentication methods:
basic: plaintext
digest: message-digest authentication, poor compatibility
Realm (security domain): a path that may be accessed only after the user authenticates; it should be given a name so the user can be told what they are authenticating for
User accounts and passwords:
Virtual account: an authentication identity used only for accessing a particular service
Storage: text file, SQL database, LDAP directory, NIS, etc.
Authentication by user account
(1) Define the realm
<Directory "/path">
Options None
AllowOverride None
AuthType Basic
# depending on the browser, this string may not be displayed
AuthName "String"
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
# allow every user in the account file to log in
Require valid-user
# or name specific users:
#Require user username1 username2 ...
</Directory>
(2) Provide the account and password store (a text file); a dedicated command creates such files and manages their users
htpasswd [options] /PATH/HTTPD_PASSWD_FILE username password
# example
[root@centos7 ~]# htpasswd -cb /apps/httpd24/conf.d/.httpuser xiaoming 123456
Adding password for user xiaoming
# make sure the apache user has read permission on this file
setfacl -m u:apache:r /PATH/HTTPD_PASSWD_FILE
Options:
-c create the file; only use this when the file does not exist yet
-b non-interactive (batch) mode; the password is given on the command line
-p store the password in plaintext
-d CRYPT encryption, the default
-m MD5 encryption
-s SHA encryption
-D delete the given user
Example:
[root@centos8 html]# mkdir admin
[root@centos8 html]# echo /var/www/html/admin/index.html > admin/index.html
[root@centos8 ~]# cat /etc/httpd/conf.d/test.conf
<directory /var/www/html/admin>
AuthType Basic
AuthName "FBI warning"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
#Require user xiaoming xiaohong
require valid-user
</directory>
[root@centos8 ~]# htpasswd -c /etc/httpd/conf.d/.httpuser xiaoming
New password:
Re-type new password:
Adding password for user xiaoming
[root@centos8 ~]# htpasswd /etc/httpd/conf.d/.httpuser xiaohong
New password:
Re-type new password:
Adding password for user xiaohong
[root@centos8 ~]# cat /etc/httpd/conf.d/.httpuser
xiaoming:$apr1$UWsEVknf$pR2fwEGRq/k8Xt0p3zolZ0
xiaohong:$apr1$PLPPnYtJ$tZ9yYwYh6h44nyRxBDMOJ.
[root@centos8 ~]# systemctl reload httpd
[root@centos8 ~]# curl http://xiaoming:centos@10.0.0.7/secret/
/data/html/secret/index.html
[root@centos8 ~]# curl -u xiaohong:centos http://10.0.0.7/secret/
/data/html/secret/index.html
Visit http://httpd-server/admin in a browser to see the result
With a packet capture tool such as Wireshark, the password can be seen in plaintext
The access log file /var/log/httpd/access_log shows the following
172.31.0.7 - xiaohong [26/Oct/2020:18:03:45 +0800] "GET /admins/ HTTP/1.1" 401 381 "-" "curl/7.29.0"
172.31.0.7 - xiaohong [26/Oct/2020:18:03:51 +0800] "GET /admins/ HTTP/1.1" 401 381 "-" "curl/7.29.0"
172.31.0.7 - xiaoming [26/Oct/2020:18:04:01 +0800] "GET /admins/ HTTP/1.1" 200 32 "-" "curl/7.29.0"
172.31.0.7 - xiaoming [26/Oct/2020:18:06:45 +0800] "GET /admins/ HTTP/1.1" 200 32 "-" "curl/7.29.0"
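As an added example (not from these notes or from httpd), the following Python turns a LogFormat string such as the ones in the log section above into a regular expression, then uses it to flag clients with repeated 401 responses, which is what the failed Basic-auth attempts by xiaohong look like in the access log. The function names are this example's own; the sample lines are re-typed from the access_log excerpts above and labelled as constructed data.

```python
import re

# Capture-group names for the LogFormat tokens explained on this page
_NAMES = {"h": "client", "l": "ident", "u": "user", "t": "time",
          "r": "request", "s": "status", "b": "bytes"}
_TOKEN = re.compile(r"%[<>]?(?:\{(?P<arg>[^}]*)\})?(?P<letter>[A-Za-z])")

def logformat_to_regex(fmt):
    """Compile a LogFormat string, as written in httpd.conf, into an anchored regex."""
    fmt = fmt.replace('\\"', '"')           # httpd unescapes \" inside the quoted format
    tokens = list(_TOKEN.finditer(fmt))
    parts, pos = ["^"], 0
    for i, m in enumerate(tokens):
        parts.append(re.escape(fmt[pos:m.start()]))
        letter, arg = m.group("letter"), m.group("arg")
        name = re.sub(r"\W", "_", arg).lower() if letter == "i" else _NAMES.get(letter, letter)
        if letter == "t" and arg is None:   # plain %t is written by httpd inside [...]
            parts.append(rf"\[(?P<{name}>[^\]]+)\]")
        else:                               # otherwise stop at the delimiter that follows
            nxt = tokens[i + 1].start() if i + 1 < len(tokens) else len(fmt)
            follow = fmt[m.end():nxt]
            if follow.startswith('"'):
                body = r'[^"]*'
            elif follow.startswith("]"):
                body = r"[^\]]*"
            else:
                body = r"\S+"
            parts.append(rf"(?P<{name}>{body})")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]) + "$")
    return re.compile("".join(parts))

def auth_failures(lines, fmt, threshold=2):
    """(client, user) pairs with at least `threshold` 401s: repeated Basic-auth failures."""
    rx, counts = logformat_to_regex(fmt), {}
    for line in lines:
        m = rx.match(line.strip())
        if m and m.group("status") == "401":
            key = (m.group("client"), m.group("user"))
            counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= threshold}

# Formats from this page and access_log lines re-typed from it (constructed sample data)
COMBINED = r'%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"'
CUSTOM = r'%h \"%{%F %T}t\" %>s \"%{User-Agent}i\"'
SAMPLE_LINES = [
    '172.31.0.7 - xiaohong [26/Oct/2020:18:03:45 +0800] "GET /admins/ HTTP/1.1" 401 381 "-" "curl/7.29.0"',
    '172.31.0.7 - xiaohong [26/Oct/2020:18:03:51 +0800] "GET /admins/ HTTP/1.1" 401 381 "-" "curl/7.29.0"',
    '172.31.0.7 - xiaoming [26/Oct/2020:18:04:01 +0800] "GET /admins/ HTTP/1.1" 200 32 "-" "curl/7.29.0"',
]
CUSTOM_LINE = '172.31.0.7 "2021-05-29 10:26:51" 200 "curl/7.29.0"'
```

Running auth_failures(SAMPLE_LINES, COMBINED) reports the two 401s for xiaohong from 172.31.0.7; the same compiler handles the shorter testlog format from the logging section.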
Example: method 2, using .htaccess
[root@centos8 ~]# mkdir /var/www/html/secret
[root@centos8 ~]# echo /var/www/html/secret/index.html > /var/www/html/secret/index.html
[root@centos8 ~]# cd /var/www/html/secret/
[root@centos8 secret]#ls
index.html
[root@centos8 secret]# vim .htaccess
[root@centos8 ~]# cat /var/www/html/secret/.htaccess
AuthType Basic
AuthName "BB warning"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
Require user xiaoming
[root@centos8 ~]# vim /etc/httpd/conf.d/test.conf
[root@centos8 ~]# cat /etc/httpd/conf.d/test.conf
<directory /var/www/html/admin>
AuthType Basic
AuthName "BB warning"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
#Require user xiaoming xiaohong
require valid-user
</directory>
<directory /var/www/html/secret>
allowoverride authconfig
</directory>
[root@centos8 ~]# systemctl reload httpd
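To show what the server actually checks, and why a capture reveals the password, here is an added Python example (not from these notes and not httpd's code) that decodes the Authorization: Basic header that curl -u sends and verifies it against $apr1$ entries like those in .httpuser. The apr1_crypt routine re-implements Apache's $apr1$ MD5 scheme from its public definition; the sample store reuses the page's user names and salts with the constructed password "centos", so the hashes differ from the ones shown in the notes.

```python
import base64, hashlib, hmac

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_crypt(password, salt):
    """Apache's $apr1$ scheme (MD5, 1000 rounds): the format 'htpasswd -m' writes."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                        # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):           # key stretching rounds
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3: h.update(sl)
        if i % 7: h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = ""                        # apr's own base64 alphabet over reordered bytes
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out, v = out + _ITOA64[v & 0x3F], v >> 6
    v = final[11]
    for _ in range(2):
        out, v = out + _ITOA64[v & 0x3F], v >> 6
    return f"$apr1${sl.decode()}${out}"

def basic_header(user, password):
    """The Authorization header that 'curl -u user:password' sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic_auth(auth_header, htpasswd_text):
    """Return the user name when the header's credentials match an $apr1$ entry, else None."""
    scheme, _, b64 = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    # base64 is an encoding, not encryption: this is the plaintext a packet capture shows
    user, _, password = base64.b64decode(b64).decode().partition(":")
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("$apr1$"):
            salt = stored.split("$")[2]
            if hmac.compare_digest(apr1_crypt(password, salt), stored):
                return user
    return None

# Constructed store: the page's user names and salts, with the made-up password "centos"
HTPASSWD = "xiaoming:" + apr1_crypt("centos", "UWsEVknf") + "\nxiaohong:" + apr1_crypt("centos", "PLPPnYtJ")
```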
Authentication by group account
(1) Define the realm
<Directory "/path">
AuthType Basic
AuthName "String"
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
AuthGroupFile "/PATH/HTTPD_GROUP_FILE"
Require group grpname1 grpname2 ...
</Directory>
(2) Create the user account file and the group account file
Group file: one group per line
GRP_NAME: username1 username2 ...
Example:
[root@centos8 ~]# cat /etc/httpd/conf.d/test.conf
<directory /var/www/html/secret>
allowoverride authconfig
</directory>
[root@centos8 ~]# cat /var/www/html/secret/.htaccess
AuthType Basic
AuthName "BB warning"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
AuthGroupFile "/etc/httpd/conf.d/.httpgroup"
Require group webadmins
[root@centos8 ~]# cat /etc/httpd/conf.d/.httpuser
xiaoming:$apr1$UWsEVknf$pR2fwEGRq/k8Xt0p3zolZ0
xiaohong:$apr1$PLPPnYtJ$tZ9yYwYh6h44nyRxBDMOJ.
[root@centos8 ~]# cat /etc/httpd/conf.d/.httpgroup
webadmins: xiaoming xiaohong
Status page
httpd provides a status page for observing how the server is running. It requires the mod_status.so module to be loaded
LoadModule status_module modules/mod_status.so
<Location "/status">
SetHandler server-status
</Location>
# show extended information; the default is On since httpd 2.3.6
ExtendedStatus On
Example: enable the status page
# confirm that the mod_status.so module is loaded
[root@centos8 conf.d]# httpd -M |grep status
status_module (shared)
[root@centos8 ~]# vim /etc/httpd/conf.d/status.conf
<Location "/status">
SetHandler server-status
<RequireAny>
Require all denied
# allow one specific IP
require ip 172.16.1.1
</RequireAny>
# the older Order/Deny/Allow directives below can also control access:
#Order Deny,Allow
#Deny from all
#Allow from 192.168.100
</Location>
# whether to show detailed information; the default is On
ExtendedStatus Off
[root@centos8 ~]# systemctl restart httpd
# open http://<httpd server IP>/status in a browser to see the page
Example: require login for the status page
[root@centos7 ~]# vim /apps/httpd24/conf.d/test.conf
<Location "/status">
AuthType Basic
AuthName "Please login"
AuthUserFile "/apps/httpd24/conf.d/.httpuser"
Require user xiaohong
SetHandler server-status
</Location>
Multiple virtual hosts
httpd can serve several websites on one physical host, i.e. multiple virtual hosts
What uniquely identifies a website:
same IP, different ports
different IPs, all on the default port
different FQDNs, same IP and port
There are three ways to implement virtual hosts:
IP-based: reserve at least one IP address for each virtual host
port-based: use at least one dedicated port for each virtual host
FQDN-based: use at least one FQDN for each virtual host; the request is matched on its Host: header, e.g. Host: www.magedu.com
Note: in httpd 2.4, FQDN-based virtual hosts no longer need the NameVirtualHost directive
Example: multiple virtual hosts
[root@centos8 ~]# host www.longxan.vip
www.longxan.vip has address 130.19.119.106
[root@centos8 ~]# host www.178ba.com
www.178ba.com has address 130.19.119.106
[root@centos8 ~]# host www.rneshengkou.com
www.rneshengkou.com has address 130.19.119.106
Basic virtual host configuration:
<VirtualHost IP:PORT>
ServerName FQDN
DocumentRoot "/path"
</VirtualHost>
Recommendation: keep the configuration above in a separate configuration file
Other commonly used directives:
ServerAlias: alias of the virtual host; may be used more than once
ErrorLog: error log
CustomLog: access log
<Directory "/path"> </Directory>
Example: port-based virtual hosts
[root@centos8 ~]# echo /data/website1/index.html > /data/website1/index.html
[root@centos8 ~]# echo /data/website2/index.html > /data/website2/index.html
[root@centos8 ~]# echo /data/website3/index.html > /data/website3/index.html
[root@centos8 ~]# cat /etc/httpd/conf.d/test.conf
listen 8001
listen 8002
listen 8003
<virtualhost *:8001>
documentroot /data/website1/
CustomLog logs/website1_access.log combined
<directory /data/website1>
require all granted
</directory>
</virtualhost>
<virtualhost *:8002>
documentroot /data/website2/
CustomLog logs/website2_access.log combined
<directory /data/website2>
require all granted
</directory>
</virtualhost>
<virtualhost *:8003>
documentroot /data/website3/
CustomLog logs/website3_access.log combined
<directory /data/website3>
require all granted
</directory>
</virtualhost>
[root@centos8 ~]# ll /var/log/httpd/
total 44
-rw-r--r-- 1 root root 10679 Dec 10 12:00 access_log
-rw-r--r-- 1 root root 18883 Dec 10 11:59 error_log
-rw-r--r-- 1 root root 1969 Dec 10 12:00 website1_access.log
-rw-r--r-- 1 root root 482 Dec 10 12:00 website2_access.log
-rw-r--r-- 1 root root 482 Dec 10 12:00 website3_access.log
# visiting the different ports in a browser returns different pages
http://172.31.0.8:8001/
http://172.31.0.8:8002/
http://172.31.0.8:8003/
Example: IP-based virtual hosts
[root@centos8 ~]# ip a a 172.31.0.8/16 dev eth0 label eth0:1
[root@centos8 ~]# ip a a 172.31.0.18/16 dev eth0 label eth0:2
[root@centos8 ~]# ip a a 172.31.0.28/16 dev eth0 label eth0:3
[root@centos8 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
[root@centos8 ~]# vim /etc/httpd/conf.d/test.conf
[root@centos8 ~]# cat /etc/httpd/conf.d/test.conf
<virtualhost 172.31.0.8:80>
documentroot /data/website1/
CustomLog logs/website1_access.log combined
<directory /data/website1>
require all granted
</directory>
</virtualhost>
<virtualhost 172.31.0.18:80>
documentroot /data/website2/
CustomLog logs/website2_access.log combined
<directory /data/website2>
require all granted
</directory>
</virtualhost>
<virtualhost 172.31.0.28:80>
documentroot /data/website3/
CustomLog logs/website3_access.log combined
<directory /data/website3>
require all granted
</directory>
</virtualhost>
[root@centos8 ~]# httpd -t
Syntax OK
[root@centos8 ~]# systemctl reload httpd
[root@centos8 ~]# curl 172.31.0.8
/data/website1/index.html
[root@centos8 ~]# curl 172.31.0.18
/data/website2/index.html
[root@centos8 ~]# curl 172.31.0.28
/data/website3/index.html
Example: FQDN-based virtual hosts
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
<Directory "/www/a.com/htdocs">
ErrorLog "logs/a_error_log"
CustomLog "logs/a_access_log" combined
Options None
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
<Directory "/www/b.net/htdocs">
ErrorLog "logs/b_error_log"
CustomLog "logs/b_access_log" combined
Options None
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
<Directory "/www/c.org/htdocs">
errorLog "logs/c_error_log"
CustomLog "logs/c_access_log" combined
Options None
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Notes:
Pages in any directory can only be accessed if explicitly authorized
The three kinds of virtual host can be mixed
The first name-based virtual host defined becomes the default site
Compression
Use the mod_deflate module to compress pages and speed up transfers
LoadModule deflate_module modules/mod_deflate.so
Suitable scenarios:
(1) Saves bandwidth at the cost of extra CPU; some older browsers do not support it
(2) Compress only resources that compress well, such as text files
Compression directives
# optional
SetOutputFilter DEFLATE
# specify which MIME types to compress; this must be set
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
# compression level (highest 9, lowest 1)
DeflateCompressionLevel 9
# exclude specific old browser versions that do not support compression
# Netscape 4.x: compress only text/html
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08: no compression
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# Internet Explorer identifies itself as "Mozilla/4" but can in fact handle compressed responses.
# If the User-Agent header matches the string "MSIE" (\b is a word boundary), the restrictions defined above are lifted
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
Implementing HTTPS
HTTPS: HTTP over SSL; provides authentication and encryption
Simplified flow of an HTTPS session
- The client sends the cipher suites it supports and requests the server's certificate
- The server sends its certificate and the chosen cipher suite to the client
- The client obtains the certificate and validates it, provided it trusts the CA that issued it:
(a) verify the certificate's origin: decrypt the digital signature on the certificate with the CA's public key
(b) verify the certificate's contents: integrity check
(c) check the certificate's validity period
(d) check whether the certificate has been revoked
(e) the owner name in the certificate must match the host being accessed
- The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange
- The server encrypts the requested resource with this key and returns it to the client
Note: SSL is bound to the IP address; an httpd host with a single IP can serve only one HTTPS virtual host
How Apache implements HTTPS
- Obtain a digital certificate for the server
This can be done by issuing a certificate from a private CA:
(a) create the private CA
(b) create a certificate signing request on the server
(c) have the CA sign it
- Configure httpd to use SSL and the certificate
# install the mod_ssl package
yum -y install mod_ssl
# edit the corresponding configuration file: /etc/httpd/conf.d/ssl.conf
DocumentRoot
ServerName
SSLCertificateFile /path/file
SSLCertificateKeyFile /path/file
SSLCACertificateFile /path/file
- Test HTTPS access to the host
openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
Example:
[root@centos8 ssl]# openssl s_client -connect www.longxuan.com:443 -CAfile 3396856_longxuan.com_chain.crt
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
verify error:num=2:unable to get issuer certificate
issuer= C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=0 CN = longxuan.com
issuer= C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
verify return:1
...
Implementing HTTPS: hands-on example
[root@centos8 ~]# yum -y install mod_ssl
[root@centos7 ~]# cd /etc/pki/tls/certs
[root@centos7 certs]# pwd
/etc/pki/tls/certs
[root@centos7 certs]# ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert
[root@centos7 certs]# vim Makefile
#/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
/usr/bin/openssl genrsa $(KEYLEN) > $@
[root@centos7 certs]# make longxuan.org.crt
umask 77 ; #/usr/bin/openssl genrsa -aes128 2048 > longxuan.org.key
/usr/bin/openssl genrsa 2048 > longxuan.org.key
Generating RSA private key, 2048 bit long modulus
......................+++
...+++
e is 65537 (0x10001)
umask 77 ; /usr/bin/openssl req -utf8 -new -key longxuan.org.key -x509 -days 365 -out magedu.org.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:longxuan
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.longxuan.org
Email Address []:
[root@centos7 certs]# ls
ca-bundle.crt ca-bundle.trust.crt longxuan.org.crt longxuan.org.key make-dummy-cert Makefile renew-dummy-cert
Example 2: certificate for an Internet website
Certificate-based encryption on a compiled httpd installation
# the compile-and-install steps are omitted
# enable the SSL module
[root@centos7 ~]# vim /apps/httpd/conf/httpd.conf
# the SSL module is not loaded by default; uncomment this line
LoadModule ssl_module modules/mod_ssl.so
# enable the session cache support module
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
[root@centos7 ~]# httpd -M |grep ssl
ssl_module (shared)
# enable the SSL sub-configuration file
[root@centos7 ~]# vim /apps/httpd/conf/httpd.conf
# the SSL configuration file is not included by default; uncomment this line
Include conf/extra/httpd-ssl.conf
# prepare the certificate files and their permissions
[root@centos7 ~]# mkdir /apps/httpd/conf.d/ssl
[root@centos7 ~]# chown -R apache.apache /apps/httpd/conf.d/ssl/
[root@centos7 ~]# chmod 600 /apps/httpd/conf.d/ssl/longxuan.com.key
[root@centos7 ~]# ll /apps/httpd/conf.d/ssl
-rw-r--r-- 1 apache apache 1679 Mar 3 16:50 longxuan.com_chain.crt
-rw------- 1 apache apache 1679 Mar 3 16:50 longxuan.com.key
-rw-r--r-- 1 apache apache 1988 Mar 3 16:50 longxuan.com_public.crt
# point the sub-configuration file at the certificate files
[root@centos7 ~]# vim /apps/httpd/conf/extra/httpd-ssl.conf
SSLCertificateFile "/apps/httpd/conf.d/ssl/longxuan.com_public.crt"
SSLCertificateKeyFile "/apps/httpd/conf.d/ssl/longxuan.com.key"
SSLCertificateChainFile "/apps/httpd/conf.d/ssl/longxuan.com_chain.crt"
[root@centos7 ~]# systemctl restart httpd
[root@ubuntu1804 ~]# curl https://www.longxuan.com
<h1> www.longxuan.com </h1>
Example 3: certificate for an Internet website
Certificate-based encryption on a yum-installed httpd
[root@centos8 ~]# dnf -y install mod_ssl
[root@centos8 ~]# ll /etc/httpd/conf.d/ssl/
total 24
-rw-r--r-- 1 root root 1679 Dec 10 2019 www.longxuan.com_chain.crt
-rw-r--r-- 1 root root 1675 Dec 10 2019 www.longxuan.com.key
-rw-r--r-- 1 root root 2021 Dec 10 2019 www.longxuan.com_public.crt
[root@centos8 ~]# cd /etc/httpd/conf.d/ssl/
[root@centos8 ssl]# openssl x509 -in www.longxuan.com_public.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
...
[root@centos8 ~]# grep -Ev "^ *#|^$" /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/httpd/conf.d/ssl/www.longxuan.com_public.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/www.longxuan.com.key
SSLCertificateChainFile /etc/httpd/conf.d/ssl/www.longxuan.com_chain.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
URL redirection
URL redirection forwards the URL requested from httpd to another URL
Redirect directive
Redirect [status] URL-path URL
status values:
permanent: returns the permanent redirect status code 301; clients cache this redirect
temp: returns the temporary redirect status code 302; this is the default
Example:
[root@centos8 ~]# vim /etc/httpd/conf.d/test.conf
Redirect permanent / https://www.longxuan.com/
Example: status code 301
[root@centos8 ~]# vim /etc/httpd/conf.d/test.conf
Redirect permanent / http://www.b.com/
Example: status code 302
[root@centos8 ~]# vim /etc/httpd/conf.d/test.conf
Redirect temp / http://www.b.com/
Example: redirecting HTTP to HTTPS this way produces an endless redirect loop, because a Redirect in the main server configuration is inherited by the HTTPS virtual host as well, which then redirects to itself
[root@centos7 conf.d]# vim test.conf
Redirect temp / https://www.longxuan.com
[root@ubuntu1804 ~]# curl -IkL www.longxuan.com
.......
HTTP/1.1 302 Found
...
Redirecting HTTP to HTTPS
# Note: the RewriteEngine directive requires the mod_rewrite.so module to be loaded
# Unlike Redirect, mod_rewrite rules in the main server configuration are not inherited by virtual hosts, so the HTTPS virtual host does not redirect again
[root@centos8 ~]# vim /etc/httpd/conf.d/test.conf
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]