next up previous contents
Next: AB test Up: Apache 2.2 HTTP Server Previous: 存取限制   Contents

安全機制

  1. 防火牆設定-任何網域皆可使用 http
    [root@kvm8 ~]# vim /etc/sysconfig/iptables
    
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    ######################################################
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    ######################################################
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    

  2. 防火牆設定-只有 192.168.122.0/24 網域可使用 http
    [root@kvm8 ~]# vim /etc/sysconfig/iptables
    
    ######################################################
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -s 192.168.122.0/24 -j ACCEPT
    ######################################################
    

  3. 防火牆重新啟動
    [root@kvm8 ~]# /etc/init.d/iptables restart
    

  4. 開機啟動防火牆
    [root@kvm8 ~]# chkconfig iptables on
    

  5. 測試主機 kvm8.deyu.wang 網頁
    [root@kvm8 ~]# echo 'kvm8.deyu.wang test' > /var/www/html/index.html
    
    ## selinux 管制
    ## 1. 直接產生檔案於 /var/www/html 目錄下,其 selinux type 自動為 
    ####  httpd_sys_content_t,可以不用變更 type,就可存取。
    ## 2. 若從某一目錄,例如 /root,複製檔案到 /var/www/html 下, 
    ####  selinux type 為原先設定,必須變更 type,才能存取。
    [root@kvm8 ~]# chcon -R -t httpd_sys_content_t /var/www/html/  
    
    ## 從 deyu.wang 測試網頁
    [root@dyH ~]# wget http://kvm8.deyu.wang
    
    100%[======================================>] 20          --.-K/s   in 0s      
    
    2013-08-01 18:50:59 (2.39 MB/s) - “index.html” saved [20/20]
    
    [root@dyH ~]# cat index.html 
    kvm8.deyu.wang test
    

  6. 測試主機 www.deyu.wang 網頁
    [root@kvm8 ~]# echo 'www.deyu.wang test' > /var/www/virtual/index.html
    
    ## 從 deyu.wang 測試網頁, www.deyu.wang 只有kvm8.deyu.wang 能存取
    [root@dyH ~]# wget http://www.deyu.wang
    --2013-08-01 18:53:26--  http://www.deyu.wang/
    Resolving www.deyu.wang... 192.168.122.8
    Connecting to www.deyu.wang|192.168.122.8|:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    2013-08-01 18:53:26 ERROR 403: Forbidden.
    
    ## 從 kvm8.deyu.wang 測試網頁
    [root@kvm8 ~]# wget http://www.deyu.wang
    
    100%[======================================>] 19          --.-K/s   in 0s      
    
    [root@kvm8 ~]# cat index.html 
    www.deyu.wang test
    

  7. 測試個人網頁
    [root@kvm8 ~]# mkdir /home/deyu1/public_html
    [root@kvm8 ~]# echo 'userdir test' > /home/deyu1/public_html/index.html
    [root@kvm8 ~]# chown deyu1.deyu1 -R /home/deyu1/public_html
    
    ## 目錄權限放寬
    [root@kvm8 ~]# ll -d /home/deyu1
    drwx------. 5 deyu1 deyu1 1024 Aug  1 19:49 /home/deyu1
    [root@kvm8 ~]# chmod a+r /home/deyu1
    [root@kvm8 ~]# ll -d /home/deyu1
    drwxr-xr-x. 5 deyu1 deyu1 1024 Aug  1 19:49 /home/deyu1
    
    ## selinux type
    [root@kvm8 ~]# getenforce 
    Enforcing
    [root@kvm8 ~]# ll -Z /home/deyu1/public_html/
    -rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 index.html
    
    ## selinux 管控,無法存取
    [root@kvm8 ~]# wget http://www.deyu.wang/~deyu1
    --2013-08-01 19:51:57--  http://www.deyu.wang/~deyu1
    Resolving www.deyu.wang... 192.168.122.8
    Connecting to www.deyu.wang|192.168.122.8|:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    2013-08-01 19:51:57 ERROR 403: Forbidden.
    
    ## 變更 selinux type
    [root@kvm8 ~]# chcon -R -t httpd_sys_content_t /home/deyu1/public_html
    [root@kvm8 ~]# ll -Z /home/deyu1/public_html/
    -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
    
    ## 從 kvm8.deyu.wang 測試網頁,
    [root@kvm8 ~]# wget http://www.deyu.wang/~deyu1
    
    100%[======================================>] 13          --.-K/s   in 0s      
    
    [root@kvm8 ~]# cat index.html 
    userdir test
    
  8. SELinux 有關 http 的設定
    [root@kvm8 ~]# getsebool -a | grep http
    allow_httpd_anon_write --> off
    allow_httpd_mod_auth_ntlm_winbind --> off
    allow_httpd_mod_auth_pam --> off
    allow_httpd_sys_script_anon_write --> off
    httpd_builtin_scripting --> on
    httpd_can_check_spam --> off
    httpd_can_network_connect --> off
    httpd_can_network_connect_cobbler --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_memcache --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> off
    httpd_dbus_avahi --> on
    httpd_enable_cgi --> on
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> off
    httpd_execmem --> off
    httpd_read_user_content --> off
    httpd_setrlimit --> off
    httpd_ssi_exec --> off
    httpd_tmp_exec --> off
    httpd_tty_comm --> on
    httpd_unified --> on
    httpd_use_cifs --> off
    httpd_use_gpg --> off
    httpd_use_nfs --> off
    



2016-06-02