1、主配置文件讲解
grep -Ev "#|^$" httpd.conf >httpd.conf.ori 排除注释和空行(注意:该正则会去掉所有含#的行,行内带#的配置行也会被一并过滤掉)
vi httpd.conf.ori
ServerRoot "/soft/apache" 安装目录
Listen 80 监听
LoadModule vhost_alias_module modules/mod_vhost_alias.so
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
User daemon 编译安装默认用户是daemon
Group daemon
</IfModule>
</IfModule>
ServerAdmin you@example.com 管理员邮箱
ServerName localhost:80
DocumentRoot "/soft/apache/htdocs" 默认站点目录
<Directory /> 根目录权限控制(根目录禁止访问)
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory "/soft/apache/htdocs"> 新创建一个网站需要新增加这段(把目录改为使用的目录)
Options Indexes FollowSymLinks 此行的Indexes是安全隐患:目录下没有首页文件时会对外列出目录结构,一般要去掉(下面演示)
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule dir_module> 首页
DirectoryIndex wolf.html index.html
</IfModule>
<FilesMatch "^\.ht"> 文件匹配
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
ErrorLog "logs/error_log" 错误log配置
LogLevel warn
<IfModule log_config_module> 访问log的类型
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" common
</IfModule>
#<IfModule alias_module> 支持cgi的配置,已过时,可以删掉
# ScriptAlias /cgi-bin/ "/soft/apache/cgi-bin/"
#</IfModule>
#<IfModule cgid_module>
#</IfModule>
#<Directory "/soft/apache/cgi-bin">
# AllowOverride None
# Options None
# Order allow,deny
# Allow from all
#</Directory> 一直到这里可以删掉
DefaultType text/plain 缺省的类型
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z 压缩
AddType application/x-gzip .gz .tgz
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
2、安全优化(此项为防止别人看到目录结构)
[root@python htdocs]# ls
wolf.html
[root@python htdocs]# mv wolf.html laolang.html
[root@python conf]# vi httpd.conf
下面这段把Indexes去掉,或者改写成-Indexes(用-Indexes时同一行其余选项也要带+/-前缀,例如 Options -Indexes +FollowSymLinks)
<Directory "/soft/apache/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
首页文件改名后,目录里没有DirectoryIndex指定的文件,开着Indexes时网页打开能看到目录结构;所以把Indexes去掉,去掉后访问/返回403,访问日志如下
192.168.3.41 - - [03/Nov/2016:23:32:13 +0800] "GET / HTTP/1.1" 403 202
192.168.3.41 - - [03/Nov/2016:23:32:13 +0800] "GET / HTTP/1.1" 403 202
3、扩展配置文件讲解
[root@python extra]# ll
total 56
-rw-r--r-- 1 root root 2833 Nov 3 22:19 httpd-autoindex.conf
-rw-r--r-- 1 root root 1688 Nov 3 22:19 httpd-dav.conf
-rw-r--r-- 1 root root 2344 Nov 3 22:19 httpd-default.conf 了解
-rw-r--r-- 1 root root 1103 Nov 3 22:19 httpd-info.conf
-rw-r--r-- 1 root root 5078 Nov 3 22:19 httpd-languages.conf
-rw-r--r-- 1 root root 923 Nov 3 22:19 httpd-manual.conf
-rw-r--r-- 1 root root 3789 Nov 3 22:19 httpd-mpm.conf 重点
-rw-r--r-- 1 root root 2168 Nov 3 22:19 httpd-multilang-errordoc.conf
-rw-r--r-- 1 root root 12171 Nov 3 22:19 httpd-ssl.conf
-rw-r--r-- 1 root root 817 Nov 3 22:19 httpd-userdir.conf
-rw-r--r-- 1 root root 1481 Nov 3 22:19 httpd-vhosts.conf 重点
先过滤出来
[root@python extra]# grep -Ev "#|^$" httpd-vhosts.conf >httpd-vhosts.conf.ori
[root@python extra]# vi httpd-vhosts.conf.ori
NameVirtualHost *:80 基于域名的虚拟主机
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/soft/apache/docs/dummy-host.example.com"
ServerName dummy-host.example.com
ServerAlias www.dummy-host.example.com
ErrorLog "logs/dummy-host.example.com-error_log"
CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host2.example.com
DocumentRoot "/soft/apache/docs/dummy-host2.example.com"
ServerName dummy-host2.example.com
ErrorLog "logs/dummy-host2.example.com-error_log"
CustomLog "logs/dummy-host2.example.com-access_log" common
</VirtualHost>
[root@python extra]# grep -Ev "#|^$" httpd-mpm.conf >httpd-mpm.conf.ori
[root@python extra]# cat httpd-mpm.conf.ori
<IfModule !mpm_netware_module>
PidFile "logs/httpd.pid"
</IfModule>
<IfModule !mpm_winnt_module>
<IfModule !mpm_netware_module>
LockFile "logs/accept.lock"
</IfModule>
</IfModule>
<IfModule mpm_prefork_module> prefork模式(默认)
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_worker_module> worker模式(编译时指定的)
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_beos_module>
StartThreads 10
MaxClients 50
MaxRequestsPerThread 10000
</IfModule>
<IfModule mpm_netware_module>
ThreadStackSize 65536
StartThreads 250
MinSpareThreads 25
MaxSpareThreads 250
MaxThreads 1000
MaxRequestsPerChild 0
MaxMemFree 100
</IfModule>
<IfModule mpm_mpmt_os2_module>
StartServers 2
MinSpareThreads 5
MaxSpareThreads 10
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_winnt_module>
ThreadsPerChild 150
MaxRequestsPerChild 0
[root@python extra]# grep -Ev "#|^$" httpd-default.conf >httpd-default.conf.conf.ori
[root@python extra]# cat httpd-default.conf.conf.ori
Timeout 300 连接超时
KeepAlive On 保持连接状态
MaxKeepAliveRequests 100 一个长连接上最多允许处理多少个请求
KeepAliveTimeout 5 同一个连接上等待下一个请求的超时时间(秒)
UseCanonicalName Off
AccessFileName .htaccess 开发用的(主配置文件AllowOverride None改为All,程序员方可使用;All会让.htaccess覆盖主配置里的访问控制等设置,只对确实需要的目录开启)
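ServerTokens Full 控制Server响应头暴露的信息量;Full会输出版本号、操作系统等信息,要隐藏版本应改为 ServerTokens Prod
ServerSignature On 控制错误页等服务器生成页面底部的版本签名;On会显示签名,要隐藏版本应改为 ServerSignature Off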
HostnameLookups Off
[root@python extra]# curl -I 192.168.3.40
HTTP/1.1 403 Forbidden
Date: Thu, 03 Nov 2016 15:54:27 GMT
Server: Apache/2.2.31 (Unix)
Content-Type: text/html; charset=iso-8859-1
grep -Ev "#|^$" httpd.conf >httpd.conf.ori 排除注释和空行(注意:该正则会去掉所有含#的行,行内带#的配置行也会被一并过滤掉)
vi httpd.conf.ori
ServerRoot "/soft/apache" 安装目录
Listen 80 监听
LoadModule vhost_alias_module modules/mod_vhost_alias.so
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
User daemon 编译安装默认用户是daemon
Group daemon
</IfModule>
</IfModule>
ServerAdmin you@example.com 管理员邮箱
ServerName localhost:80
DocumentRoot "/soft/apache/htdocs" 默认站点目录
<Directory /> 根目录权限控制(根目录禁止访问)
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory "/soft/apache/htdocs"> 新创建一个网站需要新增加这段(把目录改为使用的目录)
Options Indexes FollowSymLinks 此行的Indexes是安全隐患:目录下没有首页文件时会对外列出目录结构,一般要去掉(下面演示)
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule dir_module> 首页
DirectoryIndex wolf.html index.html
</IfModule>
<FilesMatch "^\.ht"> 文件匹配
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
ErrorLog "logs/error_log" 错误log配置
LogLevel warn
<IfModule log_config_module> 访问log的类型
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" common
</IfModule>
#<IfModule alias_module> 支持cgi的配置,已过时,可以删掉
# ScriptAlias /cgi-bin/ "/soft/apache/cgi-bin/"
#</IfModule>
#<IfModule cgid_module>
#</IfModule>
#<Directory "/soft/apache/cgi-bin">
# AllowOverride None
# Options None
# Order allow,deny
# Allow from all
#</Directory> 一直到这里可以删掉
DefaultType text/plain 缺省的类型
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z 压缩
AddType application/x-gzip .gz .tgz
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
2、安全优化(此项为防止别人看到目录结构)
[root@python htdocs]# ls
wolf.html
[root@python htdocs]# mv wolf.html laolang.html
[root@python conf]# vi httpd.conf
下面这段把Indexes去掉,或者改写成-Indexes(用-Indexes时同一行其余选项也要带+/-前缀,例如 Options -Indexes +FollowSymLinks)
<Directory "/soft/apache/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
首页文件改名后,目录里没有DirectoryIndex指定的文件,开着Indexes时网页打开能看到目录结构;所以把Indexes去掉,去掉后访问/返回403,访问日志如下
192.168.3.41 - - [03/Nov/2016:23:32:13 +0800] "GET / HTTP/1.1" 403 202
192.168.3.41 - - [03/Nov/2016:23:32:13 +0800] "GET / HTTP/1.1" 403 202
3、扩展配置文件讲解
[root@python extra]# ll
total 56
-rw-r--r-- 1 root root 2833 Nov 3 22:19 httpd-autoindex.conf
-rw-r--r-- 1 root root 1688 Nov 3 22:19 httpd-dav.conf
-rw-r--r-- 1 root root 2344 Nov 3 22:19 httpd-default.conf 了解
-rw-r--r-- 1 root root 1103 Nov 3 22:19 httpd-info.conf
-rw-r--r-- 1 root root 5078 Nov 3 22:19 httpd-languages.conf
-rw-r--r-- 1 root root 923 Nov 3 22:19 httpd-manual.conf
-rw-r--r-- 1 root root 3789 Nov 3 22:19 httpd-mpm.conf 重点
-rw-r--r-- 1 root root 2168 Nov 3 22:19 httpd-multilang-errordoc.conf
-rw-r--r-- 1 root root 12171 Nov 3 22:19 httpd-ssl.conf
-rw-r--r-- 1 root root 817 Nov 3 22:19 httpd-userdir.conf
-rw-r--r-- 1 root root 1481 Nov 3 22:19 httpd-vhosts.conf 重点
先过滤出来
[root@python extra]# grep -Ev "#|^$" httpd-vhosts.conf >httpd-vhosts.conf.ori
[root@python extra]# vi httpd-vhosts.conf.ori
NameVirtualHost *:80 基于域名的虚拟主机
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/soft/apache/docs/dummy-host.example.com"
ServerName dummy-host.example.com
ServerAlias www.dummy-host.example.com
ErrorLog "logs/dummy-host.example.com-error_log"
CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host2.example.com
DocumentRoot "/soft/apache/docs/dummy-host2.example.com"
ServerName dummy-host2.example.com
ErrorLog "logs/dummy-host2.example.com-error_log"
CustomLog "logs/dummy-host2.example.com-access_log" common
</VirtualHost>
[root@python extra]# grep -Ev "#|^$" httpd-mpm.conf >httpd-mpm.conf.ori
[root@python extra]# cat httpd-mpm.conf.ori
<IfModule !mpm_netware_module>
PidFile "logs/httpd.pid"
</IfModule>
<IfModule !mpm_winnt_module>
<IfModule !mpm_netware_module>
LockFile "logs/accept.lock"
</IfModule>
</IfModule>
<IfModule mpm_prefork_module> prefork模式(默认)
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_worker_module> worker模式(编译时指定的)
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_beos_module>
StartThreads 10
MaxClients 50
MaxRequestsPerThread 10000
</IfModule>
<IfModule mpm_netware_module>
ThreadStackSize 65536
StartThreads 250
MinSpareThreads 25
MaxSpareThreads 250
MaxThreads 1000
MaxRequestsPerChild 0
MaxMemFree 100
</IfModule>
<IfModule mpm_mpmt_os2_module>
StartServers 2
MinSpareThreads 5
MaxSpareThreads 10
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_winnt_module>
ThreadsPerChild 150
MaxRequestsPerChild 0
[root@python extra]# grep -Ev "#|^$" httpd-default.conf >httpd-default.conf.conf.ori
[root@python extra]# cat httpd-default.conf.conf.ori
Timeout 300 连接超时
KeepAlive On 保持连接状态
MaxKeepAliveRequests 100 一个长连接上最多允许处理多少个请求
KeepAliveTimeout 5 同一个连接上等待下一个请求的超时时间(秒)
UseCanonicalName Off
AccessFileName .htaccess 开发用的(主配置文件AllowOverride None改为All,程序员方可使用;All会让.htaccess覆盖主配置里的访问控制等设置,只对确实需要的目录开启)
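ServerTokens Full 控制Server响应头暴露的信息量;Full会输出版本号、操作系统等信息,要隐藏版本应改为 ServerTokens Prod
ServerSignature On 控制错误页等服务器生成页面底部的版本签名;On会显示签名,要隐藏版本应改为 ServerSignature Off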
HostnameLookups Off
[root@python extra]# curl -I 192.168.3.40
HTTP/1.1 403 Forbidden
Date: Thu, 03 Nov 2016 15:54:27 GMT
Server: Apache/2.2.31 (Unix)
Content-Type: text/html; charset=iso-8859-1