Requirements
In production, some server resources need access control to keep them secure. Plain per-user authentication does not fit every requirement well; restricting a resource to the members of a group is a simple way to limit it to one department.
Simulated experiment
Suppose directory a on the server is for the operations department and directory b for the development department; operations staff may also access b, and no other user in the company may access a or b.
The Apache configuration is as follows. Both Directory blocks authenticate against the same AuthUserFile and differ only in the group file and the Require group line: a admits members of group admin, b admits members of admin or dev. The admin group therefore has to appear in both group files (a single AuthGroupFile holding both groups, referenced from both blocks, would avoid keeping two copies in step):
<VirtualHost *:80>
    DocumentRoot "/data/www/test"
    ServerName test.com
    ServerAlias www.admin.com
    <Directory /data/www/test/a>
        AllowOverride AuthConfig
        AuthName "user auth"
        AuthType Basic
        AuthUserFile "/data/.passwd"
        AuthGroupFile "/data/.passwd1"
        Require group admin
    </Directory>
    <Directory /data/www/test/b>
        AllowOverride AuthConfig
        AuthName "user auth"
        AuthType Basic
        AuthUserFile "/data/.passwd"
        AuthGroupFile "/data/.passwd2"
        Require group admin dev
    </Directory>
    ErrorLog "logs/test.com-error_log"
    CustomLog "logs/test.com-access_log" common
</VirtualHost>
Restart (or gracefully reload) Apache after editing so the change takes effect. Two points are worth checking before doing this in production: AllowOverride AuthConfig lets a .htaccess file placed in a or b change these authentication directives, so if nobody needs that, AllowOverride None keeps the policy in the server configuration alone; and HTTP Basic authentication sends the user name and password base64-encoded in every request, so on port 80 they cross the network in cleartext and the directories should be served over TLS.
Create the test directories and pages
# mkdir -p /data/www/test/{a,b}
# echo -e "<?php\necho a;\n?>" > /data/www/test/a/a.php
# echo -e "<?php\necho b;\n?>" > /data/www/test/b/b.php
Create the group membership files. Each line of an AuthGroupFile has the form groupname: member member ...; .passwd2 repeats the admin group so that operations staff also pass the check on b.
# vim /data/.passwd1
admin: root admin1 admin2
# vim /data/.passwd2
admin: root admin1 admin2
dev: dev1 dev2 dev3
Create passwords for these users. htpasswd -B stores bcrypt hashes instead of the default MD5-based ones and is preferable for new files.
# -c is used only for the first account: it creates the file and, if the file already exists, truncates it and deletes the other accounts
# /usr/local/apache/bin/htpasswd -c /data/.passwd root
# /usr/local/apache/bin/htpasswd /data/.passwd admin1
# /usr/local/apache/bin/htpasswd /data/.passwd admin2
# /usr/local/apache/bin/htpasswd /data/.passwd dev1
# /usr/local/apache/bin/htpasswd /data/.passwd dev2
# /usr/local/apache/bin/htpasswd /data/.passwd dev3
Testing
Check that both directories now demand authentication (no credentials are supplied, so a 401 with a WWW-Authenticate challenge is expected):
[root@localhost ~]# curl -x 127.0.0.1:80 test.com/a -I
HTTP/1.1 401 Unauthorized
Date: Sat, 30 Dec 2017 07:29:53 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
WWW-Authenticate: Basic realm="user auth"
Content-Type: text/html; charset=iso-8859-1
[root@localhost ~]# curl -x 127.0.0.1:80 test.com/b -I
HTTP/1.1 401 Unauthorized
Date: Sat, 30 Dec 2017 07:29:59 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
WWW-Authenticate: Basic realm="user auth"
Content-Type: text/html; charset=iso-8859-1
Directory a, which only the admin group may access (dev1 is refused, admin1 is admitted):
[root@localhost ~]# curl -x 127.0.0.1:80 -udev1:1 test.com/a/a.php -I
HTTP/1.1 401 Unauthorized
Date: Sat, 30 Dec 2017 07:30:13 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
WWW-Authenticate: Basic realm="user auth"
Content-Type: text/html; charset=iso-8859-1
[root@localhost ~]# curl -x 127.0.0.1:80 -uadmin1:1 test.com/a/a.php -I
HTTP/1.1 200 OK
Date: Sat, 30 Dec 2017 07:30:27 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8
Directory b, which the admin and dev groups may access (both dev1 and admin1 are admitted):
[root@localhost ~]# curl -x 127.0.0.1:80 -udev1:1 test.com/b/b.php -I
HTTP/1.1 200 OK
Date: Sat, 30 Dec 2017 07:30:36 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8
[root@localhost ~]# curl -x 127.0.0.1:80 -uadmin1:1 test.com/b/b.php -I
HTTP/1.1 200 OK
Date: Sat, 30 Dec 2017 07:30:46 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8
Test whether a user that exists in /data/.passwd but belongs to no group can access directory b (and a). The user authenticates but fails the group check, so both requests return 401:
[root@localhost ~]# /usr/local/apache/bin/htpasswd /data/.passwd test
New password:
Re-type new password:
Adding password for user test
[root@localhost ~]# curl -x 127.0.0.1:80 -utest:1 test.com/b/b.php -I
HTTP/1.1 401 Unauthorized
Date: Sat, 30 Dec 2017 07:33:18 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
WWW-Authenticate: Basic realm="user auth"
Content-Type: text/html; charset=iso-8859-1
[root@localhost ~]# curl -x 127.0.0.1:80 -utest:1 test.com/a/a.php -I
HTTP/1.1 401 Unauthorized
Date: Sat, 30 Dec 2017 07:36:46 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
WWW-Authenticate: Basic realm="user auth"
Content-Type: text/html; charset=iso-8859-1
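The access matrix exercised above can be reproduced offline from the three files alone. The script below is an added example, not part of the original post or of Apache: it writes constructed copies of /data/.passwd, /data/.passwd1 and /data/.passwd2 (including the test user added in the last step) to a temporary directory with placeholder hashes, since only the user names matter for the group check; models mod_authz_groupfile's decision for each Require group line; and reports two things the curl tests do not show: group members with no password entry, who can never log in, and password entries such as test that belong to no group. The function names group_members, user_exists, user_allowed, missing_users and orphan_users are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): model Apache's AuthUserFile /
# AuthGroupFile decision and check the two kinds of file for inconsistencies.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed copies of the page's files. The hashes are placeholders; only
# the user names matter for the group checks below.
cat > "$workdir/.passwd" <<'EOF'
root:$apr1$placeholder
admin1:$apr1$placeholder
admin2:$apr1$placeholder
dev1:$apr1$placeholder
dev2:$apr1$placeholder
dev3:$apr1$placeholder
test:$apr1$placeholder
EOF
cat > "$workdir/.passwd1" <<'EOF'
admin: root admin1 admin2
EOF
cat > "$workdir/.passwd2" <<'EOF'
admin: root admin1 admin2
dev: dev1 dev2 dev3
EOF

# Print the members of group $2 from AuthGroupFile $1, one per line.
# Group file syntax: "groupname: user1 user2 ..." (members separated by blanks).
group_members() {
    awk -F':' -v g="$2" '$1 == g {
        n = split($2, m, /[ \t]+/)
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Succeed if user $2 has an entry ("user:hash") in AuthUserFile $1.
user_exists() {
    awk -F':' -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# Model "Require group g1 g2 ..." (mod_authz_groupfile): the request is allowed
# only if the user authenticated against AuthUserFile $1 AND is a member of at
# least one listed group in AuthGroupFile $2. Prints allow or deny.
user_allowed() {
    userfile=$1 groupfile=$2 user=$3
    shift 3
    user_exists "$userfile" "$user" || { echo deny; return 0; }
    for g in "$@"; do
        if group_members "$groupfile" "$g" | grep -qx -- "$user"; then
            echo allow
            return 0
        fi
    done
    echo deny
}

# Group members with no password entry in AuthUserFile $1: Require group can
# never match them, so the group line is misleading.
missing_users() {
    userfile=$1 groupfile=$2
    awk -F':' '{ print $1 }' "$groupfile" | while read -r g; do
        group_members "$groupfile" "$g"
    done | sort -u | while read -r u; do
        user_exists "$userfile" "$u" || echo "$u"
    done
}

# Password entries in AuthUserFile $1 that belong to no group in any of the
# given group files: credentials that grant nothing here but still exist.
orphan_users() {
    userfile=$1
    shift
    awk -F':' '{ print $1 }' "$userfile" | while read -r u; do
        found=0
        for gf in "$@"; do
            grep -Eq -- "^[^:]+:([^:]*[[:space:]])?$u([[:space:]]|\$)" "$gf" && found=1
        done
        [ "$found" -eq 1 ] || echo "$u"
    done
}

# Reproduce the page's access matrix: a requires group admin (.passwd1),
# b requires group admin or dev (.passwd2). "nobody" has no password entry.
for u in admin1 dev1 test nobody; do
    printf '%-7s a: %-5s b: %s\n' "$u" \
        "$(user_allowed "$workdir/.passwd" "$workdir/.passwd1" "$u" admin)" \
        "$(user_allowed "$workdir/.passwd" "$workdir/.passwd2" "$u" admin dev)"
done
echo "orphan password entries: $(orphan_users "$workdir/.passwd" "$workdir/.passwd1" "$workdir/.passwd2" | tr '\n' ' ')"
echo "group members without a password: $(missing_users "$workdir/.passwd" "$workdir/.passwd2" | tr '\n' ' ')"
```

Running it prints allow/deny for each user against a and b, matching the 200 and 401 responses above, and lists test as the only orphan entry. Pointing the two check functions at the real /data/.passwd and /data/.passwd1, /data/.passwd2 is a cheap thing to do whenever an account is added or a group file is edited, since the duplicated admin group in the two files is exactly where the copies drift apart.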