How to stop Apache serving maliciously bound domain names and direct IP access
httpd.conf settings
1. Enable the virtual host, SSL and rewrite modules
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
2. Deny access to the filesystem root
<Directory />
    AllowOverride None
    Require all denied
</Directory>
3. Allow access to the htdocs directory
DocumentRoot "/usr/local/httpd/htdocs"
<Directory "/usr/local/httpd/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important. Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all denied
</Directory>
Settings in httpd-vhosts.conf
Give every request for an unknown domain name, and every request made directly to the IP address, its own virtual host, and set that host to deny access. Give the real domain name its own virtual host and set it to allow access. Note that the denying virtual host must be listed first: when no ServerName or ServerAlias matches the request's Host header, Apache serves the request from the first virtual host listed for that address and port, so the first host is the default that catches IP and unknown-domain requests.
<VirtualHost *:80>
    ServerAdmin unAllowedDomain
    DocumentRoot "/usr/local/httpd/htdocs"
    ErrorLog "/home/logs/apache/unAllowedDomain-error_log"
    CustomLog "/home/logs/apache/unAllowedDomain-access_log" common
    <Directory "/usr/local/httpd/htdocs">
        AllowOverride None
        Require all denied
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin xxxx.cn
    ServerName www.xxxx.cn
    ServerAlias xxxx.cn
    DocumentRoot "/usr/local/httpd/htdocs"
    ErrorLog "/home/logs/apache/xxxx-error_log"
    CustomLog "/home/logs/apache/xxxx-access_log" common
    <Directory "/usr/local/httpd/htdocs">
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>
Settings in httpd-ssl.conf
If the site is served with an SSL certificate and you also want to refuse access via https://<ip>, do the following. Again, create a virtual host for the disallowed domain names, set it to deny, and place it first. Two points need attention for SSL virtual hosts:
*** ServerName must include the port number (port 80 is the default, so it does not need one).
*** xxxx.cn cannot be served as an alias: ServerAlias xxxx.cn:443 is invalid, so it needs a virtual host of its own.
<VirtualHost *:443>
    DocumentRoot "/usr/local/httpd/htdocs"
    ServerAdmin unAllowedDomain
    ErrorLog "/usr/local/httpd/logs/error_log"
    TransferLog "/usr/local/httpd/logs/access_log"
    SSLEngine on
    SSLCertificateFile "/usr/local/httpd/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
    SSLCertificateChainFile "/usr/local/httpd/conf/server-ca.crt"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/httpd/htdocs">
        SSLOptions +StdEnvVars
        AllowOverride None
        Require all denied
    </Directory>
    <Directory "/usr/local/httpd/cgi-bin">
        SSLOptions +StdEnvVars
        AllowOverride None
        Require all denied
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/httpd/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/usr/local/httpd/htdocs"
    ServerName www.xxxx.cn:443
    ServerAdmin you@example.com
    ErrorLog "/usr/local/httpd/logs/error_log"
    TransferLog "/usr/local/httpd/logs/access_log"
    SSLEngine on
    SSLCertificateFile "/usr/local/httpd/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
    SSLCertificateChainFile "/usr/local/httpd/conf/server-ca.crt"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/httpd/htdocs">
        AllowOverride all
        Require all granted
    </Directory>
    <Directory "/usr/local/httpd/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/httpd/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/usr/local/httpd/htdocs"
    ServerName xxxx.cn:443
    ServerAdmin you@example.com
    ErrorLog "/usr/local/httpd/logs/error_log"
    TransferLog "/usr/local/httpd/logs/access_log"
    SSLEngine on
    SSLCertificateFile "/usr/local/httpd/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
    SSLCertificateChainFile "/usr/local/httpd/conf/server-ca.crt"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/httpd/htdocs">
        AllowOverride all
        Require all granted
    </Directory>
    <Directory "/usr/local/httpd/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/httpd/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
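The ordering rule behind both the httpd-vhosts.conf and the httpd-ssl.conf sections above is worth checking mechanically before a reload. The script below is an added example written for this post, not Apache code: it parses only the subset of the configuration used here (VirtualHost, ServerName, ServerAlias and Require all granted/denied inside each host), replays Apache's name-based selection rule (first host on the address:port whose ServerName or ServerAlias matches the Host header; otherwise the first host listed for that address:port) for both :80 and :443, and reports any address:port whose default host is not the deny-all catch-all. The inline configuration is a constructed sample that mirrors the hosts on this page; the IP address 203.0.113.10 and the domain evil.example are constructed test values, and the function names (parse_vhosts, select_vhost, policy_for, check_default_is_deny) are this example's own.

```python
"""Replay Apache's name-based virtual host selection for a config like the
one on this page and verify the first host on each address:port denies.

Added example, not Apache code: parses only VirtualHost, ServerName,
ServerAlias and 'Require all granted|denied'; Directory/.htaccess
merging is not modelled.
"""
import re
from fnmatch import fnmatch

# Constructed sample mirroring the page's hosts, catch-all listed first.
SAMPLE_VHOSTS = """
<VirtualHost *:80>
    ServerAdmin unAllowedDomain
    <Directory "/usr/local/httpd/htdocs">
        Require all denied
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName www.xxxx.cn
    ServerAlias xxxx.cn
    <Directory "/usr/local/httpd/htdocs">
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin unAllowedDomain
    <Directory "/usr/local/httpd/htdocs">
        Require all denied
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName www.xxxx.cn:443
    <Directory "/usr/local/httpd/htdocs">
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName xxxx.cn:443
    <Directory "/usr/local/httpd/htdocs">
        Require all granted
    </Directory>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.M | re.I)


def parse_vhosts(text):
    """Return [{addr, names, policy}] in file order; names are lower-cased
    with any ':port' suffix (as in 'www.xxxx.cn:443') removed."""
    hosts = []
    for addr, body in VHOST_RE.findall(text):
        names = [n.split(":")[0].lower()
                 for m in NAME_RE.finditer(body) for n in m.group(1).split()]
        # No 'Require all granted' in the host means the global
        # 'Require all denied' from httpd.conf still applies.
        granted = re.search(r"Require\s+all\s+granted", body, re.I) is not None
        hosts.append({"addr": addr.strip(), "names": names,
                      "policy": "granted" if granted else "denied"})
    return hosts


def select_vhost(hosts, port, host_header):
    """First host on this port whose name matches the Host header wins; if
    nothing matches (bare IP, unknown domain, no Host header at all) the
    FIRST host listed for that address:port is Apache's default."""
    candidates = [h for h in hosts if h["addr"].endswith(":%d" % port)]
    if not candidates:
        return None
    wanted = (host_header or "").split(":")[0].lower()
    if wanted:
        for h in candidates:
            # fnmatch also covers the wildcard forms ServerAlias accepts.
            if any(fnmatch(wanted, n) for n in h["names"]):
                return h
    return candidates[0]


def policy_for(hosts, port, host_header):
    """'granted', 'denied', or None when nothing listens on that port."""
    h = select_vhost(hosts, port, host_header)
    return h["policy"] if h else None


def check_default_is_deny(hosts):
    """List the address:port entries whose first (default) host carries a
    ServerName/ServerAlias or does not deny; empty means the rule holds."""
    problems, seen = [], set()
    for h in hosts:
        if h["addr"] not in seen:
            seen.add(h["addr"])
            if h["names"] or h["policy"] != "denied":
                problems.append(h["addr"])
    return problems


if __name__ == "__main__":
    hosts = parse_vhosts(SAMPLE_VHOSTS)
    for port, hdr in [(80, "www.xxxx.cn"), (80, "203.0.113.10"),
                      (80, "evil.example"), (443, "xxxx.cn"), (443, None)]:
        print("%s %s -> %s" % (port, hdr, policy_for(hosts, port, hdr)))
    print("misordered:", check_default_is_deny(hosts))
    # Move the catch-all behind the real host: IP access on :80 now succeeds.
    swapped = hosts[1:2] + hosts[0:1] + hosts[2:]
    print("swapped, IP on :80 ->", policy_for(swapped, 80, "203.0.113.10"))
    print("misordered after swap:", check_default_is_deny(swapped))
```

Run it against your own httpd-vhosts.conf and httpd-ssl.conf by reading both files into one string and passing it to parse_vhosts; a non-empty result from check_default_is_deny means a bare-IP or unknown-domain request on that socket would be served by a host that grants access.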