Details of Apache configuration and application in CentOS 7

Apache connection hold (KeepAlive)

Apache connection retention parameters

  • KeepAlive
    • Enables or disables persistent connections: Off closes the connection after each request, On keeps it open for further requests
  • KeepAliveTimeout
    • The maximum idle time, in seconds, between two requests on the same connection; if the next request does not arrive within this time, the server closes the connection
  • MaxKeepAliveRequests
    • The maximum number of requests served over one persistent connection (0 means unlimited)
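The following drop-in file, added here as an example and not part of the original post, shows how the three directives fit together on CentOS 7; the file name, the numeric values and the MaxRequestWorkers setting are assumptions for a small server:

```apache
# /etc/httpd/conf.d/keepalive.conf  (assumed file name; httpd.conf includes conf.d/*.conf)

# Reuse one TCP connection for several requests instead of a handshake per request.
KeepAlive On

# Seconds a connection may sit idle between requests before the server closes it.
# The compiled-in default is 5. Each idle keep-alive connection still occupies a
# worker, so a large value lets a handful of clients tie up the whole worker pool
# with nothing but open sockets; keep it short on a server exposed to strangers.
KeepAliveTimeout 5

# Requests served over one connection before it is closed (default 100; 0 = unlimited).
MaxKeepAliveRequests 100

# With the prefork MPM that CentOS 7 loads by default, one process serves one
# connection, so the number of connections that can sit idle at the same time
# is bounded by MaxRequestWorkers; read the two settings together.
<IfModule mpm_prefork_module>
    MaxRequestWorkers 256
</IfModule>
```

Check the syntax with httpd -t before reloading; a mistake in a drop-in file stops httpd from starting at all.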

Apache access control

  • Purpose

    • Control access to site resources
    • Add access authorization for a specific site directory
  • Common access control methods
    • Client address restrictions
    • User authorization restrictions

Access control based on client address

  • Use the Require directive (mod_authz_core) to implement access control. Several Require lines are combined with the <RequireAll>, <RequireAny> and <RequireNone> containers: RequireAll passes only if every line inside it passes, RequireAny if at least one does. Bare Require lines in a section are treated as if they were wrapped in <RequireAny>.

  • Available in the <Location>, <Directory>, <Files> and <Limit> configuration sections

  • Common syntax of the Require directive
Require all granted
Require all denied
Require local
Require [not] host <hostname or domain name list>
//Matching by host name relies on a reverse DNS lookup of the client address, which is controlled by whoever runs the client's network; prefer Require ip
Require [not] ip <IP address or CIDR range list>
//A "Require not" line can only deny, never grant. Place it inside a <RequireAll> container together with the line that grants access (for example Require all granted), so that the listed clients are refused and everyone else is admitted

Configuration example

Install the DNS (bind) and HTTP (httpd) services on the Linux system, then set up the DNS service.

[root@localhost ~]# yum install bind httpd -y        //Install both services
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
...//Omitted
Installed:
  bind.x86_64 32:9.11.4-9.P2.el7                    httpd.x86_64 0:2.4.6-90.el7.centos
...//Omitted
Complete!
[root@localhost conf]# vim /etc/named.conf          //Edit the main DNS configuration file
...//Omitted
options {
        listen-on port 53 { any; };            //Listen on every IPv4 address instead of only 127.0.0.1
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };             //Accept queries from any host instead of only localhost. Lab only: together with the default "recursion yes" this makes an open resolver if the server is reachable from the Internet
...//Omitted
:wq
[root@localhost conf]# vim /etc/named.rfc1912.zones    //Edit the zone declaration file
...//Omitted
zone "kgc.com" IN {                      //Zone name for the domain
        type master;
        file "kgc.com.zone";         //Zone data file, relative to /var/named
        allow-update { none; };
};
...//Omitted
:wq
[root@localhost conf]# cd /var/named              //Enter the zone data directory
[root@localhost named]# ls                        //List the directory
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[root@localhost named]# cp -p named.localhost kgc.com.zone    //Copy the template zone file; -p preserves owner and mode so that named can read the copy
[root@localhost named]# vim kgc.com.zone          //Edit the new zone file
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www IN  A       192.168.144.133                   ; A record: www.kgc.com resolves to the web server
:wq                                               //Save and exit

Start two Windows 10 clients and note each one's IP address; one of them will be blocked later.

On the Linux system, enter the HTTP site directory, create the home page, start the DNS and HTTP services, then stop firewalld and set SELinux to permissive mode. Disabling both is a shortcut for this lab only; on a real server keep them enabled and open only the required services (http, and dns for named) in firewalld.

[root@localhost named]# cd /var/www/html          //Enter the HTTP site directory (DocumentRoot)
[root@localhost html]# vim index.html             //Create the default home page
<h1>this is kgc web</h1>             //Page content
:wq
[root@localhost html]# ls                         //List the directory
index.html
[root@localhost html]# cat index.html             //Show the page content
<h1>this is kgc web</h1>
[root@localhost html]# systemctl start httpd.service    //Start the HTTP service
[root@localhost html]# systemctl start named            //Start the DNS service
[root@localhost html]# systemctl stop firewalld.service //Stop the firewall (lab only)
[root@localhost html]# setenforce 0                     //Put SELinux in permissive mode (lab only)

From each of the two Windows 10 clients, browse to the site and confirm that the page is served.

Configure the HTTP service main configuration file on the Linux system and set client access permissions

[root@localhost html]# vim /etc/httpd/conf/httpd.conf
//Edit the main configuration file. In production, do not edit httpd.conf directly; put the restriction in a drop-in file under /etc/httpd/conf.d/ instead, which httpd.conf includes.
...//Omit parts
<Directory "/var/www/html">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    <RequireAll>                           //Replace the stock "Require all granted" line with this container
        Require not ip 192.168.144.128     //Address of the client to block; to block a whole subnet use CIDR notation, e.g. 192.168.144.0/24
        Require all granted                //Everyone else is admitted
    </RequireAll>
</Directory>
...//Omit parts
:wq
[root@localhost html]# systemctl restart httpd.service 

Check that the blocked first Windows 10 client now receives 403 Forbidden while the second client can still browse the site.
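The same restriction written as the drop-in file the text recommends, added here as an example and not the original post's configuration. It also goes a step beyond the single blocked host: an assumed admin area admits the local network minus the blocked client, or an assumed administrator address 10.0.0.5 from elsewhere. The file name and the /admin directory are assumptions:

```apache
# /etc/httpd/conf.d/access.conf  (assumed file name; loaded after the main file, so with
# the default AuthMerging Off its Require block replaces the stock "Require all granted")

<Directory "/var/www/html">
    # Directory listings off; the stock CentOS 7 block leaves Indexes on.
    Options -Indexes +FollowSymLinks
    AllowOverride None

    # Every line inside RequireAll must pass. "Require not ip" can only deny,
    # so it is paired with the line that admits everyone else.
    <RequireAll>
        Require all granted
        Require not ip 192.168.144.128
    </RequireAll>
</Directory>

# Assumed admin area: RequireAny passes as soon as one child passes.
<Directory "/var/www/html/admin">
    <RequireAny>
        # Assumed administrator address outside the site's network
        Require ip 10.0.0.5
        # The local network, minus the blocked client
        <RequireAll>
            Require ip 192.168.144.0/24
            Require not ip 192.168.144.128
        </RequireAll>
    </RequireAny>
</Directory>
```

Check the syntax with httpd -t and apply with systemctl reload httpd. Address-based control trusts only what the TCP layer reports: behind a reverse proxy or a NAT gateway every client arrives from the same address (and without mod_remoteip Apache sees only the proxy), so treat Require ip as a coarse filter, not as authentication.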

User authorization restrictions

Configuration example

Create user authentication database

[root@localhost html]# htpasswd -c /etc/httpd/conf/pwd test01
//Create the user authentication file. -c creates the file (and overwrites it if it already exists); to add further users to an existing file, run the command without -c
New password:                    //Enter the password
Re-type new password:            //Enter it again
Adding password for user test01  //User created
[root@localhost html]# cd /etc/httpd/conf        //Enter the directory
[root@localhost conf]# ls                        //List it
httpd.conf  magic  pwd                           //The file was created
[root@localhost conf]# cat pwd                   //Show its contents
test01:$apr1$zDZ/54yz$rUCXaWixaltHE6ZBvjv0h/    //User name and hashed password

The $apr1$ prefix marks Apache's iterated MD5 format, the default of htpasswd; use htpasswd -B to store bcrypt hashes instead. The file lives in /etc/httpd/conf, outside the document root, so it is never served to clients; keep it there, readable by the apache user but not world-readable, rather than inside the site directory.

Add user authorization configuration

[root@localhost conf]# vim httpd.conf
...//Omit parts
<Directory "/var/www/html">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    AuthName "DocumentRoot"                      //Replace the address-based Require block with these lines; AuthName is the realm shown in the login prompt
    AuthType Basic                               //Authentication type: HTTP Basic
    AuthUserFile /etc/httpd/conf/pwd             //Path of the password file created with htpasswd
    Require valid-user                           //Admit any user listed in that file who supplies the correct password
</Directory>
...//Omit parts
:wq                                          //Save and exit
[root@localhost conf]# systemctl restart httpd.service    //Restart the service

Verify the configuration from a client: the browser should prompt for a user name and password, and only test01 with the correct password is admitted. Basic authentication sends the credentials base64-encoded, not encrypted, with every request, so on a real server serve such a directory only over HTTPS (mod_ssl on CentOS 7).
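A drop-in variant of the authorization step, added as an example and not from the original post. It reuses the password file created above and combines the two control methods of this page: clients from an assumed trusted network 192.168.144.0/24 pass without a prompt, everyone else must log in; the group file /etc/httpd/conf/groups and the admin sub-directory are assumptions:

```apache
# /etc/httpd/conf.d/auth.conf  (assumed file name)

<Directory "/var/www/html">
    AuthType Basic
    AuthName "DocumentRoot"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/conf/pwd

    # RequireAny: the LAN (assumed trusted network) gets in without a prompt,
    # every other client is challenged for credentials. Change RequireAny to
    # RequireAll to demand both the network AND a valid login.
    <RequireAny>
        Require ip 192.168.144.0/24
        Require valid-user
    </RequireAny>
</Directory>

# Assumed admin area restricted to members of a group. The assumed group file
# /etc/httpd/conf/groups holds one line per group, e.g.  admins: test01
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Administration"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/conf/pwd
    AuthGroupFile /etc/httpd/conf/groups
    Require group admins
</Directory>

# Never serve the password or group files themselves, even if a copy ever
# ends up under a web-visible path.
<Files "pwd">
    Require all denied
</Files>
<Files "groups">
    Require all denied
</Files>
```

Check with httpd -t and reload. Because Basic authentication exposes the password to anyone who can read the traffic, put this behind mod_ssl (yum install mod_ssl) and create the hashes with htpasswd -B rather than the $apr1$ default shown above.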

Tags: Linux vim Apache DNS

Posted on Tue, 05 Nov 2019 03:17:10 -0800 by hucklebezzer