安全機制

1. 防火牆設定–任何網域皆可使用 http

   [root@kvm8 ~]# vim /etc/sysconfig/iptables
   
   *filter
   :INPUT ACCEPT [0:0]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [0:0]
   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   -A INPUT -p icmp -j ACCEPT
   -A INPUT -i lo -j ACCEPT
   ######################################################
   -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
   ######################################################
   -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
   -A INPUT -j REJECT --reject-with icmp-host-prohibited
   -A FORWARD -j REJECT --reject-with icmp-host-prohibited
   COMMIT
   

2. 防火牆設定–只有 192.168.122.0/24 網域可使用 http

   [root@kvm8 ~]# vim /etc/sysconfig/iptables
   
   ######################################################
   -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -s 192.168.122.0/24 -j ACCEPT
   ######################################################
   

3. 防火牆重新啟動

   [root@kvm8 ~]# /etc/init.d/iptables restart
   

4. 開機啟動防火牆

   [root@kvm8 ~]# chkconfig iptables on
   

5. 測試主機 kvm8.deyu.wang 網頁

   [root@kvm8 ~]# echo 'kvm8.deyu.wang test' > /var/www/html/index.html
   
   ## selinux 管制
   ## 1. 直接產生檔案於 /var/www/html 目錄下，其 selinux type 自動為 
   ####  httpd_sys_content_t，可以不用變更 type，就可存取。
   ## 2. 若從某一目錄，例如 /root，複製檔案到 /var/www/html 下， 
   ####  selinux type 為原先設定，必須變更 type，才能存取。
   [root@kvm8 ~]# chcon -R -t httpd_sys_content_t /var/www/html/  
   
   ## 從 deyu.wang 測試網頁
   [root@dyH ~]# wget http://kvm8.deyu.wang
   
   100%[======================================>] 20          --.-K/s   in 0s      
   
   2013-08-01 18:50:59 (2.39 MB/s) - “index.html” saved [20/20]
   
   [root@dyH ~]# cat index.html 
   kvm8.deyu.wang test
   

6. 測試主機 www.deyu.wang 網頁

   [root@kvm8 ~]# echo 'www.deyu.wang test' > /var/www/virtual/index.html
   
   ## 從 deyu.wang 測試網頁， www.deyu.wang 只有kvm8.deyu.wang 能存取
   [root@dyH ~]# wget http://www.deyu.wang
   --2013-08-01 18:53:26--  http://www.deyu.wang/
   Resolving www.deyu.wang... 192.168.122.8
   Connecting to www.deyu.wang|192.168.122.8|:80... connected.
   HTTP request sent, awaiting response... 403 Forbidden
   2013-08-01 18:53:26 ERROR 403: Forbidden.
   
   ## 從 kvm8.deyu.wang 測試網頁
   [root@kvm8 ~]# wget http://www.deyu.wang
   
   100%[======================================>] 19          --.-K/s   in 0s      
   
   [root@kvm8 ~]# cat index.html 
   www.deyu.wang test
   

7. 測試個人網頁

   [root@kvm8 ~]# mkdir /home/deyu1/public_html
   [root@kvm8 ~]# echo 'userdir test' > /home/deyu1/public_html/index.html
   [root@kvm8 ~]# chown deyu1.deyu1 -R /home/deyu1/public_html
   
   ## 目錄權限放寬
   [root@kvm8 ~]# ll -d /home/deyu1
   drwx------. 5 deyu1 deyu1 1024 Aug  1 19:49 /home/deyu1
   [root@kvm8 ~]# chmod a+r /home/deyu1
   [root@kvm8 ~]# ll -d /home/deyu1
   drwxr-xr-x. 5 deyu1 deyu1 1024 Aug  1 19:49 /home/deyu1
   
   ## selinux type
   [root@kvm8 ~]# getenforce 
   Enforcing
   [root@kvm8 ~]# ll -Z /home/deyu1/public_html/
   -rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 index.html
   
   ## selinux 管控，無法存取
   [root@kvm8 ~]# wget http://www.deyu.wang/~deyu1
   --2013-08-01 19:51:57--  http://www.deyu.wang/~deyu1
   Resolving www.deyu.wang... 192.168.122.8
   Connecting to www.deyu.wang|192.168.122.8|:80... connected.
   HTTP request sent, awaiting response... 403 Forbidden
   2013-08-01 19:51:57 ERROR 403: Forbidden.
   
   ## 變更 selinux type
   [root@kvm8 ~]# chcon -R -t httpd_sys_content_t /home/deyu1/public_html
   [root@kvm8 ~]# ll -Z /home/deyu1/public_html/
   -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
   
   ## 從 kvm8.deyu.wang 測試網頁，
   [root@kvm8 ~]# wget http://www.deyu.wang/~deyu1
   
   100%[======================================>] 13          --.-K/s   in 0s      
   
   [root@kvm8 ~]# cat index.html 
   userdir test
   

8. SELinux 有關 http 的設定

   [root@kvm8 ~]# getsebool -a | grep http
   allow_httpd_anon_write --> off
   allow_httpd_mod_auth_ntlm_winbind --> off
   allow_httpd_mod_auth_pam --> off
   allow_httpd_sys_script_anon_write --> off
   httpd_builtin_scripting --> on
   httpd_can_check_spam --> off
   httpd_can_network_connect --> off
   httpd_can_network_connect_cobbler --> off
   httpd_can_network_connect_db --> off
   httpd_can_network_memcache --> off
   httpd_can_network_relay --> off
   httpd_can_sendmail --> off
   httpd_dbus_avahi --> on
   httpd_enable_cgi --> on
   httpd_enable_ftp_server --> off
   httpd_enable_homedirs --> off
   httpd_execmem --> off
   httpd_read_user_content --> off
   httpd_setrlimit --> off
   httpd_ssi_exec --> off
   httpd_tmp_exec --> off
   httpd_tty_comm --> on
   httpd_unified --> on
   httpd_use_cifs --> off
   httpd_use_gpg --> off
   httpd_use_nfs --> off