"Apache": Difference between revisions

From Shiyin's note
 
(5 intermediate revisions by the same user not shown)
第23行: 第23行:


===允许Userdir下的public_html模式===
===允许Userdir下的public_html模式===
1. 修改配置文件/etc/httpd/conf/httpd.conf (在fc21中这个配置在 /etc/httpd/conf.d/userdir.conf 文件当中
<IfModule mod_userdir.c>
<IfModule mod_userdir.c>
UserDir enabled ;这个很重要
UserDir enabled ;这个很重要
UserDir public_html
UserDir public_html
</IfModule>
</IfModule>
在fc21中这个配置在 /etc/httpd/conf.d/userdir.conf 文件当中


2. Apply the proper permissions:
==[[SElinux]]的配置==
# chmod 711 ~<username>
# chmod 755 -R ~<username>/public_html/


3.Run the following commands so SELinux wouldn’t bother you:
*设置某目录http可访问
#setsebool -P httpd_enable_homedirs true
chcon -R -t httpd_sys_content_t your_directory
#restorecon -R -v ~/public_html
(这一步骤的原因如下)


===Selinux的配置===
*在SElinux enable的时候不能读~/public_html 目录下的内容
setsebool -P httpd_read_user_content 1 (不知道对不对)
setsebool -P httpd_enable_homedirs true (这个是对的)
chcon -R -t httpd_sys_content_t /home/*/public_html (对已经存在的目录需要这么做)


===tips===
* Often you only need to toggle the httpd_enable_homedirs boolean.
The default file context specification for ~/public_html is:
The default file context specification for ~/public_html is:
# matchpathcon /home/dgrift/public_html
matchpathcon /home/dgrift/public_html
/home/dgrift/public_html staff_u:object_r:httpd_user_content_t:s0
/home/dgrift/public_html staff_u:object_r:httpd_user_content_t:s0
Apache can read that. No need to use type: httpd_sys_content_t.
Apache can read that. No need to use type: httpd_sys_content_t.
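Review bot: the `UserDir enabled ;这个很重要` line in this hunk is not a comment: httpd.conf has no `;` inline comments (and none on the same line as a directive), so `;这个很重要` is parsed as a user name argument to `UserDir enabled`; move the remark to its own `#` line above the directive. The step-1 line is also missing its closing parenthesis after `userdir.conf 文件当中`, and the stand-alone line `在fc21中这个配置在 /etc/httpd/conf.d/userdir.conf 文件当中` repeats the same information and can be folded into that parenthesis. Dropping the old `setsebool -P httpd_read_user_content 1 (不知道对不对)` and `chcon -R -t httpd_sys_content_t /home/*/public_html` lines is consistent with the text that follows in the same hunk: the `matchpathcon` output shows `~/public_html` defaults to `httpd_user_content_t`, which httpd can read once `httpd_enable_homedirs` is on, so `restorecon -R -v ~/public_html` restores the right label and no manual `chcon` to `httpd_sys_content_t` is needed.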
第56行: 第53行:


Using httpd_sys_content_t might in some cases work but it is a wrong type to use because (confined) users do not have permission to interact with that type. You will not notice this in default configurations because users are unconfined (unrestricted).
Using httpd_sys_content_t might in some cases work but it is a wrong type to use because (confined) users do not have permission to interact with that type. You will not notice this in default configurations because users are unconfined (unrestricted).

====备用命令====
*设置某目录http可访问 (在上面设置不起作用的情况下,临时起作用,重启后失效)
chcon -R -t httpd_sys_content_t your_directory
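
Review bot: the `备用命令` fallback in this hunk recommends `chcon -R -t httpd_sys_content_t your_directory`, which the paragraph directly above it describes as the wrong type for (confined) users; either state that the fallback is meant for directories outside `$HOME` (such as a `/var/www` subtree, where `httpd_sys_content_t` is the expected type) or drop it for the `~/public_html` case. The note `重启后失效` is also inaccurate: `chcon` writes the label into the file's extended attribute and survives a reboot; what undoes it is a relabel (`restorecon`, the `restorecond` session daemon mentioned above, or a full filesystem relabel), so "temporary" should be explained in those terms.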

Latest revision as of 13:11, 14 December 2021 (Tuesday)

Common httpd.conf settings

Making a directory accessible

<Directory "/var/www/html">
    # FollowSymLinks: symbolic links under this directory may be followed.
    # Indexes: list the directory contents when no index file is present.
    # Both keywords belong on a single Options line: httpd does not allow a
    # comment on the same line as a directive, and a second Options line in
    # the same context replaces the first instead of adding to it.
    Options Indexes FollowSymLinks
    # Which directive types an .htaccess file in this directory may contain
    AllowOverride AuthConfig
    # Order: which of the Allow and Deny rules takes precedence
    Order allow,deny
    # Allow: hosts permitted to access (domain or subnet, e.g. Allow from 192.168.0.0/16)
    # Deny: hosts refused access
    # (Order/Allow/Deny is the 2.2 syntax; on 2.4 without mod_access_compat
    # the equivalent is "Require all granted".)
    Allow from all
</Directory>
  • AllowOverride values
None: when AllowOverride is None, the .htaccess file in this directory is not searched (which reduces server overhead).
All: every directive may be used in the .htaccess file.
  • .htaccess is the default AccessFileName (the file name can be changed; it is set by the AccessFileName directive). Its contents look like this:
# Text shown in the browser's password prompt; any string will do
AuthName "password required"
AuthType Basic
# Points to the file holding the passwords (better not to keep it in the served directory)
AuthUserFile /var/www/html/wiki/.htpasswd
Require valid-user
  • The .htpasswd file can be generated with htpasswd -b -c filepath username password
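As an added example, not part of the original note, the following POSIX shell script checks two of the settings above against constructed sample files: whether the AuthUserFile named in an .htaccess lies under the DocumentRoot (where the password file is itself a servable URL unless something else blocks it), and whether an Options line turns on Indexes (directory listing). The function names, the temporary files and the paths in them are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original note: checks for the Directory and
# .htaccess settings discussed above. Function names and sample files are
# assumptions constructed for this example.

# conf_value FILE DIRECTIVE: print the first argument of a directive,
# matching the directive name case-insensitively as httpd does and
# skipping comment lines.
conf_value() {
    awk -v d="$2" '$1 !~ /^#/ && tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# path_under PATH DIR: succeed if PATH lies inside DIR.
path_under() {
    case "${1%/}/" in
        "${2%/}"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_authuserfile DOCROOT HTACCESS: the password file named by
# AuthUserFile must not live under the document root.
check_authuserfile() {
    pw=$(conf_value "$2" AuthUserFile)
    [ -n "$pw" ] || { echo "no AuthUserFile in $2"; return 1; }
    if path_under "$pw" "$1"; then
        echo "WEAK: $pw is inside DocumentRoot $1"
        return 1
    fi
    echo "OK: $pw is outside DocumentRoot $1"
}

# check_options CONF: fail if any Options line enables Indexes
# ("Indexes" or "+Indexes"; "-Indexes" turns it off and is fine).
check_options() {
    if awk '$1 !~ /^#/ && tolower($1) == "options" {
                for (i = 2; i <= NF; i++) {
                    f = tolower($i)
                    if (f == "indexes" || f == "+indexes") found = 1
                }
            }
            END { exit found ? 0 : 1 }' "$1"; then
        echo "WEAK: directory listing (Options Indexes) enabled in $1"
        return 1
    fi
    echo "OK: no directory listing in $1"
}

# Constructed sample inputs (not configuration taken from any real system).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/weak.htaccess" <<'EOF'
AuthName "password required"
AuthType Basic
AuthUserFile /var/www/html/wiki/.htpasswd
Require valid-user
EOF

cat > "$TMP/fixed.htaccess" <<'EOF'
AuthName "password required"
AuthType Basic
AuthUserFile /etc/httpd/wiki.htpasswd
Require valid-user
EOF

cat > "$TMP/weak.conf" <<'EOF'
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
</Directory>
EOF

cat > "$TMP/fixed.conf" <<'EOF'
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride AuthConfig
</Directory>
EOF

check_authuserfile /var/www/html "$TMP/weak.htaccess" || :   # reports WEAK
check_authuserfile /var/www/html "$TMP/fixed.htaccess"       # reports OK
check_options "$TMP/weak.conf" || :                          # reports WEAK
check_options "$TMP/fixed.conf"                              # reports OK
```

One more point on the htpasswd command above: with -b the password is passed on the command line, so it appears in the shell history and in process listings while the command runs; running htpasswd -c filepath username without -b prompts for the password instead.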

Enabling public_html under UserDir

1. Edit the configuration file /etc/httpd/conf/httpd.conf (in fc21 this setting lives in /etc/httpd/conf.d/userdir.conf)

<IfModule mod_userdir.c>
    # This line is essential (httpd.conf has no inline comments, so it goes on its own line)
    UserDir enabled
    UserDir public_html
</IfModule>

2. Apply the proper permissions:

# chmod 711 ~<username>
# chmod 755 -R ~<username>/public_html/

3. Run the following commands so SELinux won't get in the way:

# setsebool -P httpd_enable_homedirs true
# restorecon -R -v ~/public_html

(The reason for this step is explained below.)
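Step 2 above works because httpd runs as its own account: it must be able to traverse (o+x) the home directory and every directory below it, and read (o+r) the files it serves. The following POSIX shell script, added here as an example and not part of the original note, walks that chain on a constructed sample tree and reports the first missing bit. The function names and the temporary directory are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original note: verify that a user's
# public_html is reachable by an unrelated account such as apache.
# Function names and the sample tree are assumptions made here.

# mode_of PATH: the ten-character mode string as printed by ls -ld,
# e.g. drwx--x--x for a directory with mode 711.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# other_has PATH BIT: test the "others" triplet of the mode string.
# BIT is r or x; for x the sticky-bit form t also counts as traversable.
other_has() {
    m=$(mode_of "$1")
    case "$2" in
        r) [ "$(printf '%s' "$m" | cut -c8)" = r ] ;;
        x) case "$(printf '%s' "$m" | cut -c10)" in x|t) return 0 ;; *) return 1 ;; esac ;;
        *) return 1 ;;
    esac
}

# world_reachable HOME FILE: walk from HOME down to FILE. Every directory
# on the way needs o+x and FILE itself needs o+r. Reports the first failure.
world_reachable() {
    home=$1; target=$2
    case "$target" in
        "$home"/*) ;;
        *) echo "$target is not below $home"; return 1 ;;
    esac
    cur=$home
    other_has "$cur" x || { echo "BLOCKED: $cur lacks o+x"; return 1; }
    rest=${target#"$home"/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case "$rest" in */*) rest=${rest#*/} ;; *) rest= ;; esac
        cur=$cur/$part
        if [ -d "$cur" ]; then
            other_has "$cur" x || { echo "BLOCKED: $cur lacks o+x"; return 1; }
        fi
    done
    other_has "$target" r || { echo "BLOCKED: $target lacks o+r"; return 1; }
    echo "OK: $target is reachable by other users"
}

# Constructed sample tree standing in for /home/<username>/public_html.
SAMPLE_HOME=$(mktemp -d)
trap 'rm -rf "$SAMPLE_HOME"' EXIT
mkdir -p "$SAMPLE_HOME/public_html"
echo '<p>hello</p>' > "$SAMPLE_HOME/public_html/index.html"

# mktemp creates the directory with mode 700, a common default for a home
# directory, so the first check reports BLOCKED on the home directory:
world_reachable "$SAMPLE_HOME" "$SAMPLE_HOME/public_html/index.html" || :

# Step 2 from the note: 711 on the home directory (others may traverse but
# not list it) and 755 on everything under public_html. Now it reports OK:
chmod 711 "$SAMPLE_HOME"
chmod -R 755 "$SAMPLE_HOME/public_html"
world_reachable "$SAMPLE_HOME" "$SAMPLE_HOME/public_html/index.html"
```

The check only looks at mode bits, so it is meaningful even when run as root; it says nothing about SELinux labels, which the next section covers.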

SELinux configuration

The default file context specification for ~/public_html is:

# matchpathcon /home/dgrift/public_html
/home/dgrift/public_html staff_u:object_r:httpd_user_content_t:s0

Apache can read that; there is no need to use the type httpd_sys_content_t.

There is one consideration: in a GNOME environment a program called restorecond runs inside the GNOME session. It monitors objects in your $HOME and restores their file contexts to the specified ones when required.

So if you create the directory ~/public_html and run ls -alZ ~/public_html, it should have type httpd_user_content_t. (The directory is created with type user_home_t, the generic type for user home content, but restorecond -u immediately notices a directory whose context does not match the defined directory/context specification and restores it to the defined file context, httpd_user_content_t.)

If you run in a text-only environment there is no restorecond -u watching, so you or your users should run the restorecon command on ~/public_html. That resets the context of the location to what is specified system-wide.

restorecon -R -v ~/public_html

Using httpd_sys_content_t might work in some cases, but it is the wrong type to use because (confined) users do not have permission to interact with that type. You will not notice this in default configurations because users are unconfined (unrestricted).

Fallback command

  • Make a directory accessible to httpd (when the settings above do not work; takes effect temporarily and is lost after a reboot)
chcon -R -t httpd_sys_content_t your_directory