“Apache”的版本间差异
(未显示同一用户的13个中间版本) | |||
第1行: | 第1行: | ||
==常见httpd.conf的配置== |
==常见httpd.conf的配置== |
||
*允许.htaccess和.htpasswd密码保护 |
|||
⚫ | |||
===增加某个目录可以访问=== |
|||
*允许符号链接 |
|||
<Directory "/var/www/html"> |
|||
Options FollowSymLinks |
|||
Options FollowSymLinks #该目录下允许文件系统使用符号连接。 |
|||
:*但是符号链接对应的目录应该有明确的<Directory>定义,另外还有注意[[SELinux]]的设置。 |
|||
⚫ | |||
AllowOverride AuthConfig #允许存在于.htaccess文件中的指令类型 |
|||
Order allow,deny #Order:控制在访问时Allow和Deny两个访问规则哪个优先 |
|||
Allow from all #A允许访问的主机列表(可用域名或子网,例如:Allow from 192.168.0.0/16)。 |
|||
#Deny:拒绝访问的主机列表。 |
|||
</Directory> |
|||
⚫ | |||
⚫ | |||
:None: 当AllowOverride被设置为None时。不搜索该目录下的.htaccess文件(可以减小服务器开销)。 |
|||
Options Indexes |
|||
:All: 在.htaccess文件中可以使用所有的指令。 |
|||
*.htaccess是默认的AccessFileNam (文件名是可以改变的,其文件名由AccessFileName指令决定):内容如下 |
|||
⚫ | |||
authname "password required" #要求输入密码的对话框上的显示,可以任意 |
|||
authtype basic |
|||
authuserfile /var/www/html/wiki/.htpasswd #这个指向存储密码的文件(其实最好不要在同一目录下) |
|||
require valid-user |
|||
*.httpasswd 可以用htpasswd -b -c filepath username password 生成 |
|||
⚫ | |||
1. 修改配置文件/etc/httpd/conf/httpd.conf (在fc21中这个配置在 /etc/httpd/conf.d/userdir.conf 文件当中) |
|||
<IfModule mod_userdir.c> |
<IfModule mod_userdir.c> |
||
UserDir enabled ;这个很重要 |
|||
UserDir public_html |
|||
</IfModule> |
</IfModule> |
||
2. Apply the proper permissions: |
|||
# chmod 711 ~<username> |
|||
# chmod 755 -R ~<username>/public_html/ |
|||
3.Run the following commands so SELinux wouldn’t bother you: |
|||
#setsebool -P httpd_enable_homedirs true |
|||
#restorecon -R -v ~/public_html |
|||
(这一步骤的原因如下) |
|||
===Selinux的配置=== |
|||
The default file context specification for ~/public_html is: |
|||
matchpathcon /home/dgrift/public_html |
|||
/home/dgrift/public_html staff_u:object_r:httpd_user_content_t:s0 |
|||
Apache can read that. No need to use type: httpd_sys_content_t. |
|||
There is one consideration: In a Gnome environment a program called restorecond is running in the gnome session. This program monitors objects in your $HOME and restores file contexts to the contexts specified if required. |
|||
So if you create directory ~public_html and do ls -alZ ~/public_html it should have type httpd_user_content_t. (the directory is created with type user_home_t (the generic type for user home content), but restorecond -u immediately notices a directory with a context that does not match directory/context defined, and restores it to defined file context (httpd_user_content_t) |
|||
If you run in a text only environment, then there is no restorecond -u to watch, and so you or your users should run the restorecon command on ~/public_html. That will reset the context of the location to what is specified system wide. |
|||
restorecon -R -v ~/public_html |
|||
Using httpd_sys_content_t might in some cases work but it is a wrong type to use because (confined) users do not have permission to interact with that type. You will not notice this in default configurations because users are unconfined (unrestricted). |
|||
====备用命令==== |
|||
*设置某目录http可访问 (在上面设置不起作用的情况下,临时起作用,重启后失效) |
|||
chcon -R -t httpd_sys_content_t your_directory |
2021年12月14日 (二) 13:11的最新版本
常见httpd.conf的配置
增加某个目录可以访问
<Directory "/var/www/html"> Options FollowSymLinks #该目录下允许文件系统使用符号连接。 Options Indexes #允许列出目录中的所有内容 AllowOverride AuthConfig #允许存在于.htaccess文件中的指令类型 Order allow,deny #Order:控制在访问时Allow和Deny两个访问规则哪个优先 Allow from all #A允许访问的主机列表(可用域名或子网,例如:Allow from 192.168.0.0/16)。 #Deny:拒绝访问的主机列表。 </Directory>
- AllowOverride 的选项
- None: 当AllowOverride被设置为None时。不搜索该目录下的.htaccess文件(可以减小服务器开销)。
- All: 在.htaccess文件中可以使用所有的指令。
- .htaccess是默认的AccessFileNam (文件名是可以改变的,其文件名由AccessFileName指令决定):内容如下
authname "password required" #要求输入密码的对话框上的显示,可以任意 authtype basic authuserfile /var/www/html/wiki/.htpasswd #这个指向存储密码的文件(其实最好不要在同一目录下) require valid-user
- .httpasswd 可以用htpasswd -b -c filepath username password 生成
允许Userdir下的public_html模式
1. 修改配置文件/etc/httpd/conf/httpd.conf (在fc21中这个配置在 /etc/httpd/conf.d/userdir.conf 文件当中)
<IfModule mod_userdir.c> UserDir enabled ;这个很重要 UserDir public_html </IfModule>
2. Apply the proper permissions:
# chmod 711 ~<username> # chmod 755 -R ~<username>/public_html/
3.Run the following commands so SELinux wouldn’t bother you:
#setsebool -P httpd_enable_homedirs true #restorecon -R -v ~/public_html
(这一步骤的原因如下)
Selinux的配置
The default file context specification for ~/public_html is:
matchpathcon /home/dgrift/public_html /home/dgrift/public_html staff_u:object_r:httpd_user_content_t:s0
Apache can read that. No need to use type: httpd_sys_content_t.
There is one consideration: In a Gnome environment a program called restorecond is running in the gnome session. This program monitors objects in your $HOME and restores file contexts to the contexts specified if required.
So if you create directory ~public_html and do ls -alZ ~/public_html it should have type httpd_user_content_t. (the directory is created with type user_home_t (the generic type for user home content), but restorecond -u immediately notices a directory with a context that does not match directory/context defined, and restores it to defined file context (httpd_user_content_t)
If you run in a text only environment, then there is no restorecond -u to watch, and so you or your users should run the restorecon command on ~/public_html. That will reset the context of the location to what is specified system wide.
restorecon -R -v ~/public_html
Using httpd_sys_content_t might in some cases work but it is a wrong type to use because (confined) users do not have permission to interact with that type. You will not notice this in default configurations because users are unconfined (unrestricted).
备用命令
- 设置某目录http可访问 (在上面设置不起作用的情况下,临时起作用,重启后失效)
chcon -R -t httpd_sys_content_t your_directory