当前位置:首页 > 技术经验 > 正文内容

apache设置禁止恶意域名绑定和直接ip访问方法

qushubin44年前 (2018-08-11)技术经验1067

httpd.conf配置设置

1.启用虚拟主机、ssl、重写模块

LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so

2.禁用根目录访问

<Directory />
    AllowOverride None
    Require all denied
</Directory>

3.允许htdocs目录访问

DocumentRoot "/usr/local/httpd/htdocs"
<Directory "/usr/local/httpd/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks
 
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
 
    # cache 
       
 
    AllowOverride None
 
    #
    # Controls who can get stuff from this server.
    #
    Require all denied
</Directory>

httpd-vhosts.conf中配置

将所有未知的域名访问和直接的ip访问独立一个虚拟主机,并将该主机设置为拒绝访问。对于正式域名访问独立一个虚拟主机访问,并设置为允许访问。注意必须将拒绝的虚拟主机放在第一个。

<VirtualHost *:80>
    ServerAdmin unAllowedDomain
    DocumentRoot "/usr/local/httpd/htdocs"
    ErrorLog "/home/logs/apache/unAllowedDomain-error_log"
    CustomLog "/home/logs/apache/unAllowedDomain-access_log" common
    <Directory "/usr/local/httpd/htdocs">
        AllowOverride None
        Require all denied
    </Directory>
</VirtualHost>
 
<VirtualHost *:80>
    ServerAdmin xxxx.cn
    ServerName www.xxxx.cn
    ServerAlias xxxx.cn
    DocumentRoot "/usr/local/httpd/htdocs"
    ErrorLog "/home/logs/apache/xxxx-error_log"
    CustomLog "/home/logs/apache/xxxx-access_log" common
 
    <Directory "/usr/local/httpd/htdocs">
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>

httpd-ssl.conf中配置

如果使用了ssl证书访问,这个时候像拒绝https://ip访问需要做如下操作。仍然需要创建一个不允许域名访问虚拟主机站点,并设置为拒绝状态,并且放在第一个。ssl虚拟主机需要注意以下两点:

***  serverName必须带上端口号,80端口是默认的因此不需要带端口号

***  xxxx.cn无法作为别名进行访问,ServerAlias xxxx.cn:443是无效的,因此需要单独一个虚拟主机站点访问

<VirtualHost *:443>
DocumentRoot "/usr/local/httpd/htdocs"
ServerAdmin unAllowedDomain
ErrorLog "/usr/local/httpd/logs/error_log"
TransferLog "/usr/local/httpd/logs/access_log"
 
SSLEngine on
 
SSLCertificateFile "/usr/local/httpd/conf/server.crt"
SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
SSLCertificateChainFile "/usr/local/httpd/conf/server-ca.crt"
 
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
 
<Directory "/usr/local/httpd/htdocs">
    SSLOptions +StdEnvVars
    AllowOverride None
    Require all denied
</Directory>
 
<Directory "/usr/local/httpd/cgi-bin">
    SSLOptions +StdEnvVars
    AllowOverride None
            Require all denied
</Directory>
 
BrowserMatch "MSIE [2-5]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 
CustomLog "/usr/local/httpd/logs/ssl_request_log" \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>                                                                       
  
<VirtualHost *:443>
DocumentRoot "/usr/local/httpd/htdocs"
ServerName www.xxxx.cn:443
ServerAdmin you@example.com
ErrorLog "/usr/local/httpd/logs/error_log"
TransferLog "/usr/local/httpd/logs/access_log"
 
SSLEngine on
SSLCertificateFile "/usr/local/httpd/conf/server.crt"
SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
SSLCertificateChainFile "/usr/local/httpd/conf/server-ca.crt"
 
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
 
        <Directory "/usr/local/httpd/htdocs">
            AllowOverride all
            Require all granted
        </Directory>
        <Directory "/usr/local/httpd/cgi-bin"> 
            SSLOptions +StdEnvVars
        </Directory>
 
        BrowserMatch "MSIE [2-5]" \ 
        nokeepalive ssl-unclean-shutdown \ 
        downgrade-1.0 force-response-1.0CustomLog "/usr/local/httpd/logs/ssl_request_log" \ 
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/usr/local/httpd/htdocs"
    ServerName xxxx.cn:443
    ServerAdmin you@example.com
    ErrorLog "/usr/local/httpd/logs/error_log"
    TransferLog "/usr/local/httpd/logs/access_log"
    SSLEngine onSSLCertificateFile "/usr/local/httpd/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
    SSLCertificateChainFile "/usr/local/httpd/conf/server-ca.crt"
    <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars</FilesMatch>
    <Directory "/usr/local/httpd/htdocs">
<pre name="code" class="html">         AllowOverride all
         Require all granted
    </Directory>

<Directory "/usr/local/httpd/cgi-bin"> SSLOptions +StdEnvVars</Directory>

BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ 

downgrade-1.0 force-response-1.0

CustomLog "/usr/local/httpd/logs/ssl_request_log" \ 

"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \

"%r\" %b"

</VirtualHost>

扫描二维码推送至手机访问。

版权声明:本文由笨笨神发布,如需转载请注明出处。

本文链接:https://www.benbenshen.com/post/7.html

标签: apache
分享给朋友: