The previous post covered Apache's basic configuration; this one covers the security-related settings.
1. Source IP addresses are normally blocked either with TCP wrappers or with Apache's own Allow/Deny directives (Apache 2.2 syntax; 2.4 replaces them with Require ip).
2. An .htaccess file can additionally restrict which users are allowed to read a directory, using HTTP Basic authentication. Basic auth sends the password base64-encoded, not encrypted, so it only makes sense together with HTTPS (step 3).
(1) [root@localhost ~]# vim /etc/httpd/conf/httpd.conf
<Directory "/opt/mis/">
AllowOverride All
</Directory>
AllowOverride All lets .htaccess override every directive group; AllowOverride AuthConfig is enough for the authentication directives below and is the smaller grant.
(2) [root@localhost ~]# cd /opt/mis
[root@localhost mis]# vim .htaccess
# Options Indexes enables directory listing; drop it unless the directory index really should be exposed
Options Indexes
# location of the password file
AuthUserFile /opt/mis/.htpasswd
AuthName "mis"
AuthType Basic
# only users who log in successfully may access the directory
require valid-user
Apache does not allow a comment on the same line as a directive, so the comments above are on their own lines. Apache's default configuration denies web access to any file whose name starts with .ht, but keeping the password file outside the document root (for example under /etc/httpd/) removes the dependency on that rule.
[root@localhost mis]# htpasswd -c .htpasswd max
New password:
Re-type new password:
[root@localhost mis]# htpasswd .htpasswd marcus
-c creates the file (and silently overwrites an existing one), so it is used only for the first user; later users are added without it, as on the marcus line.
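Steps 1 and 2 as one non-interactive script, added here as an example that is not part of the original post: it builds the password file without the htpasswd binary (using only the openssl CLI to produce the same $apr1$ hashes that htpasswd -m writes), writes an .htaccess that demands both a valid login and a permitted source network, and checks a password against the stored hash the way mod_auth_basic does. The scratch directory, user names, passwords and the 192.168.1.0/24 range are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: htpasswd-compatible
# password file plus .htaccess with login and source-IP restriction
# (Apache 2.2 syntax). All paths and credentials below are hypothetical.
set -eu

# Append one user to an htpasswd file using the $apr1$ (Apache MD5) scheme,
# the same format "htpasswd -m" produces. Refuses to duplicate a user.
add_user() {
  user="$1"; pass="$2"; file="$3"
  if [ -f "$file" ] && grep -q "^$user:" "$file"; then
    echo "add_user: $user already present in $file" >&2
    return 1
  fi
  salt=$(openssl rand -hex 4)            # 8 characters, the APR1 maximum
  printf '%s:%s\n' "$user" "$(openssl passwd -apr1 -salt "$salt" "$pass")" >> "$file"
  chmod 640 "$file"                      # never world-readable
}

# Return 0 when "pass" matches the stored hash for "user", 1 otherwise.
# The stored value is $apr1$<salt>$<digest>; re-hash with the same salt
# and compare, which is what mod_auth_basic does on every request.
check_password() {
  user="$1"; pass="$2"; file="$3"
  stored=$(grep "^$user:" "$file" 2>/dev/null | head -n 1 | cut -d: -f2-)
  [ -n "$stored" ] || return 1
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ "$(openssl passwd -apr1 -salt "$salt" "$pass")" = "$stored" ]
}

# Write an .htaccess that requires both a valid login and an allowed source
# address ("Satisfy All" is the default). Directory listing (Options Indexes)
# is deliberately omitted, and the password file is referenced outside the
# document root.
write_htaccess() {
  dir="$1"; passwd_file="$2"; allowed_net="$3"
  cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "mis"
AuthUserFile $passwd_file
Require valid-user
Order deny,allow
Deny from all
Allow from $allowed_net
EOF
}

# Demo in a scratch directory; on a real host the files would go under
# /etc/httpd (password file) and the protected directory (.htaccess).
demo() {
  tmp=$(mktemp -d)
  add_user max 'max-pass' "$tmp/mis.htpasswd"
  add_user marcus 'marcus-pass' "$tmp/mis.htpasswd"
  write_htaccess "$tmp" "$tmp/mis.htpasswd" 192.168.1.0/24
  cat "$tmp/.htaccess"
  if check_password max 'max-pass' "$tmp/mis.htpasswd"; then echo "max/max-pass: accepted"; fi
  if ! check_password max 'wrong' "$tmp/mis.htpasswd"; then echo "max/wrong: rejected"; fi
  rm -rf "$tmp"
}
demo
```

On Apache 2.4 the Order/Deny/Allow lines become Require ip 192.168.1.0/24, and htpasswd -B (bcrypt) should be preferred over the APR1 MD5 scheme, which is cheap to brute-force offline if the file leaks.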
3. HTTPS (SSL): a real certificate is issued by a trusted CA; here we generate a self-signed one for testing only, so browsers will warn about it.
(1) [root@localhost ~]# rpm -qa | grep ssl    # confirm the mod_ssl package is installed
[root@localhost ~]# grep mod_ssl /etc/httpd/conf/httpd.conf    # confirm Apache loads the module
On RHEL/CentOS the LoadModule ssl_module line normally lives in /etc/httpd/conf.d/ssl.conf rather than in httpd.conf, so grep there too if the line above finds nothing.
(2) [root@localhost ~]# cd /etc/pki/tls/certs
Generate the private key: max.key
[root@localhost certs]# openssl genrsa -out max.key 2048
# generates an RSA key; the original post used 1024 bits, which is too weak today, so use at least 2048. Run it under umask 077 (or chmod 600 the file afterwards) so the key is never world-readable.
Generate the CSR: max.csr. In the real workflow only the CSR is sent to the CA, which returns the signed crt; the private key stays on the server and is never handed out.
[root@localhost certs]# openssl req -new -key max.key -out max.csr
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:none
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:Max com.
Organizational Unit Name (eg, section) []:Sales
Common Name (eg, your name or your server's hostname) []:www.max.com
Email Address []:max@max.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Generate the self-signed certificate: max.crt
[root@localhost certs]# openssl x509 -req -days 365 -in max.csr -signkey max.key -out max.crt
# -days 365 sets the certificate's validity period (one year here). The Common Name entered above (www.max.com) must match the hostname clients connect to, or the browser will reject the certificate even if it trusts it.
Move max.key into the private directory and make sure only root can read it (mode 600):
[root@localhost certs]# mv max.key /etc/pki/tls/private/
Edit the SSL config:
[root@localhost certs]# vim /etc/httpd/conf.d/ssl.conf
Change the certificate and key paths to:
SSLCertificateFile /etc/pki/tls/certs/max.crt
SSLCertificateKeyFile /etc/pki/tls/private/max.key
Then restart httpd so the new certificate is loaded.
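The key, CSR and self-signed certificate procedure from step 3 as a non-interactive script, added here as an example that is not part of the original post. Besides generating the files it runs the checks a practitioner wants before pointing ssl.conf at them: that the key is owner-only, that the key actually belongs to the certificate (the usual cause of httpd refusing to start), that the certificate verifies against itself and is not expired, and that the CN is what was asked for. The DN fields, file names and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: key, CSR and self-signed
# certificate generation with sanity checks. Subject fields, names and the
# mktemp scratch directory are hypothetical.
set -eu

# Generate an RSA key, a CSR and a self-signed certificate named <name>.*
# inside <dir>. The key is written under umask 077 so it is never readable
# by anyone but the owner, even for an instant.
make_self_signed() {
  name="$1"; cn="$2"; days="$3"; dir="$4"
  key="$dir/$name.key"; csr="$dir/$name.csr"; crt="$dir/$name.crt"
  ( umask 077; openssl genrsa -out "$key" 2048 2>/dev/null )
  # With a real CA only the CSR leaves the machine; the key never does.
  openssl req -new -key "$key" -out "$csr" \
    -subj "/C=TW/L=Taipei/O=Max com./CN=$cn" 2>/dev/null
  openssl x509 -req -sha256 -days "$days" -in "$csr" -signkey "$key" -out "$crt" 2>/dev/null
  chmod 644 "$crt"
}

# Print the CN of a certificate's subject, e.g. www.max.com.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if the private key belongs to the certificate (same RSA modulus).
# A mismatch here is what makes httpd complain that the key does not match
# the certificate at startup.
key_matches_cert() {
  [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = "$(openssl x509 -noout -modulus -in "$2")" ]
}

# Return 0 if the certificate verifies against itself (self-signed) and has
# not expired.
cert_is_valid() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 && openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Permission string of a file, e.g. -rw------- for a properly protected key.
file_mode() { ls -l "$1" | cut -c1-10; }

# Emit the two ssl.conf lines from step 3 for the given certificate and key.
ssl_conf_lines() {
  printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$1" "$2"
}

demo() {
  work=$(mktemp -d)
  make_self_signed max www.max.com 365 "$work"
  echo "CN:        $(cert_cn "$work/max.crt")"
  echo "key perms: $(file_mode "$work/max.key")"
  key_matches_cert "$work/max.key" "$work/max.crt" && echo "key/cert:  match"
  cert_is_valid "$work/max.crt" && echo "cert:      valid"
  openssl x509 -noout -dates -in "$work/max.crt"
  ssl_conf_lines "$work/max.crt" "$work/max.key"
  rm -rf "$work"
}
demo
```

The same key_matches_cert check is worth running against the files already under /etc/pki/tls before restarting httpd; a key and certificate from two different openssl runs will pass every other inspection and still fail to load.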