Apache restrictions — различия между версиями

Материал из pNp Wiki
Перейти к: навигация, поиск
(Ограничение на основе хоста)
(Ограничение на основе аккаунта пользователя)
Строка 124: Строка 124:
 
</Directory>
 
</Directory>
 
<Directory "/content/private">
 
<Directory "/content/private">
    
+
     AuthType basic
     Require ip 192.168.1.2
+
AuthName "Private area! Restricted access"
 +
AuthUserFile "/etc/httpd/passwd"
 +
     Require valid-user
 
</Directory>
 
</Directory>
 
 
</VirtualHost>
 
</VirtualHost>
 
</syntaxhighlight>
 
</syntaxhighlight>

Версия 12:08, 24 января 2018

Конфигурирование Apache. Ограничение доступа к директориям

Предварительные требования

  • Виртуальная машина с двумя сетевыми интерфейсами
  • Установленные пакеты: bash-completion, policycoreutils, policycoreutils-python, policycoreutils-devel, setroubleshoot-server, httpd, elinks, curl

Конфигурирование ограничений

Ограничение на основе хоста

Создадим директорию /content/private и в ней файл index.html:

[root@vm-01 ~]# mkdir /content/private
[root@vm-01 ~]# printf "This is private directory.\n$(date)\n" > /content/private/index.html
[root@vm-01 ~]# restorecon -vR /content/
[root@vm-01 ~]# ls -lahiZ /content/private/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
[root@vm-01 ~]#

Для директории /content/private в конфигурационном файле /etc/httpd/conf.d/vm-01.conf укажем адрес с которого разрешено обращаться к содержимому данной директории:

# Virtual Hosts
#
# Required modules: mod_log_config

# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at 
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
    ServerAdmin webmaster@vm-01.example.com
    DocumentRoot "/content"
    ServerName vm-01.example.com
    ServerAlias www.vm-01.example.com
    ErrorLog "/var/log/httpd/vm-01.example.com-error_log"
    CustomLog "/var/log/httpd/vm-01.example.com-access_log" common
	<Directory "/content">
    		AllowOverride None
    		# Allow open access:
    		Require all granted
	</Directory>
	<Directory "/content/private">
    		AllowOverride None
    		# Allow open access:
    		Require ip 192.168.1.2
	</Directory>
	
</VirtualHost>

Проверка

С виртуальной машины vm-02 обратимся к странице при помощи утилиты curl:

[root@vm-02 ~]# curl "http://192.168.1.1/private/"
This is private directory.
Tue Jan 23 16:28:33 MSK 2018
[root@vm-02 ~]#

Как только изменяем значение директивы Require виртуального хоста vm-01, получаем следующее:

[root@vm-02 ~]# curl "http://192.168.1.1/private/"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /private/
on this server.</p>
</body></html>
[root@vm-02 ~]#

Ограничение на основе аккаунта пользователя

Для директории /content/private в конфигурационном файле /etc/httpd/conf.d/vm-01.conf укажем способ аутентикации и путь к файлу с аккаунтами пользователей и их паролями, для доступа к содержимому данной директории:

# Virtual Hosts
#
# Required modules: mod_log_config

# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at 
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
    ServerAdmin webmaster@vm-01.example.com
    DocumentRoot "/content"
    ServerName vm-01.example.com
    ServerAlias www.vm-01.example.com
    ErrorLog "/var/log/httpd/vm-01.example.com-error_log"
    CustomLog "/var/log/httpd/vm-01.example.com-access_log" common
	<Directory "/content">
    		AllowOverride None
    		# Allow open access:
    		Require all granted
	</Directory>
	<Directory "/content/private">
    		AuthType basic
		AuthName "Private area! Restricted access"
		AuthUserFile "/etc/httpd/passwd"
    		Require valid-user
	</Directory>
</VirtualHost>

Создадим учетную запись andy и пароль для нее:

[root@vm-01 ~]# htpasswd -c /etc/httpd/
conf/           conf.d/         conf.modules.d/ logs/           modules/        run/            
[root@vm-01 ~]# htpasswd -c /etc/httpd/passwd andy 
New password: 
Re-type new password: 
Adding password for user andy
[root@vm-01 ~]#