This post was last edited by m.chang on 2016-3-15 14:44
VM IP: eth0 192.168.3.100 Bcast:192.168.3.255 Mask:255.255.255.0
eth0:1 192.168.3.67 Bcast:192.168.3.255 Mask:255.255.255.0
lo 127.0.0.1 Mask:255.0.0.0
Host machine IP: wlp3s0 192.168.3.17 Bcast:192.168.3.255 Mask:255.255.255.0
Question: why does accessing the site through a site alias bypass the access-control restriction, while accessing the site's own domain name directly (not the alias) makes the access control take effect?
Apache virtual host configuration file
############## BEGIN ... ##################################
NameVirtualHost *:80
DocumentRoot "/tmp/unrachable"
ServerName unrachable.com
ServerAdmin m.ch@gmail.com
DocumentRoot "/data/www/"
ServerName www.cf.cc
ServerAlias www.aaa.cc
ServerAlias www.bbb.cc
#### access control
AllowOverride None
Options None
Order allow,deny
Allow from all
Deny from 192.168.3.67
Deny from 192.168.3.100
#### access control by URI
Order deny,allow
Deny from all
Allow from 192.168.3.67
Allow from 192.168.3.17
Allow from 127.0.0.1
# the variable name must match the env=!... condition on the CustomLog line below,
# otherwise static requests are never excluded from the access log
SetEnvIf Request_URI ".*\.gif$" image-request
SetEnvIf Request_URI ".*\.css$" image-request
SetEnvIf Request_URI ".*\.png$" image-request
SetEnvIf Request_URI ".*\.bmp$" image-request
ErrorLog "|/usr/local/apache2/bin/rotatelogs -l /usr/local/apache2/logs/www.cf.cc-error_%Y%m%d_log 86400"
CustomLog "|/usr/local/apache2/bin/rotatelogs -l /usr/local/apache2/logs/www.cf.cc-access_%Y%m%d_log 5M" combined env=!image-request
# cache static content
ExpiresActive on
ExpiresByType image/gif "access plus 1 days"
ExpiresByType image/jpeg "access plus 24 hours"
ExpiresByType image/png "access plus 48 hours"
ExpiresByType text/css "now plus 2 hours"
ExpiresByType application/x-javascript "now plus 2 hours"
ExpiresByType application/x-shockwave-flash "now plus 2 hours"
ExpiresDefault "now plus 0 min"
# hotlink protection
# the SetEnvIfNoCase Referer lines form the whitelist, i.e. these sites are allowed
SetEnvIfNoCase Referer "^http://.*\.cf\.cc" local_ref
SetEnvIfNoCase Referer ".*\.aaa\.cc" local_ref
SetEnvIfNoCase Referer ".*\.bbb\.cc" local_ref
SetEnvIfNoCase Referer "^$" local_ref
Order Deny,Allow
Deny from all   # same whether written above or below the Allow line; with Order Deny,Allow the placement does not matter
Allow from env=local_ref
#### 301 redirect
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.aaa.cc$ [OR]
RewriteCond %{HTTP_HOST} ^www.bbb.cc$
RewriteRule ^/(.*)$ http://www.cf.cc/$1 [R=301,L]
AllowOverride AuthConfig
AuthName "Please input the correct username and password. Thank you!"
AuthType Basic
AuthUserFile /data/.htpasswd
require valid-user
################## END ... #############################
TEST RESULT:
1. [root@100 ~]# curl -x192.168.3.100:80 www.cf.cc/admin.php -I
HTTP/1.1 403 Forbidden
[root@100 ~]# curl -x192.168.3.67:80 www.cf.cc -I
HTTP/1.1 403 Forbidden
2. [root@100 ~]# curl -x192.168.3.100:80 www.aaa.cc -I
HTTP/1.1 301 Moved Permanently
[root@100 ~]# curl -x192.168.3.100:80 www.bbb.cc -I
HTTP/1.1 301 Moved Permanently
[root@100 ~]# curl -x192.168.3.67:80 www.aaa.cc -I
HTTP/1.1 301 Moved Permanently
[root@100 ~]# curl -x192.168.3.67:80 www.bbb.cc -I
HTTP/1.1 301 Moved Permanently
3. [root@100 ~]# curl -x192.168.3.100:80 www.cf.cc/admin.php -I
HTTP/1.1 403 Forbidden
[root@100 ~]# curl -x192.168.3.100:80 www.aaa.cc/admin.php -I
HTTP/1.1 301 Moved Permanently
[root@100 ~]# curl -x192.168.3.100:80 www.bbb.cc/admin.php -I
HTTP/1.1 301 Moved Permanently
RESOLVED AND GUESS:
a) Combining test results 1 and 2: if there is a 301 redirect, the access control is ineffective.
b) Test result 3 shows that if the site alias is not used, i.e. the request does not go through the 301 redirect, the URI-based access restriction takes effect; if it goes through the 301 redirect, the URI access restriction does not take effect.
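An added example (not the poster's configuration, nor anything from the Apache project): a RewriteRule in VirtualHost context runs in the URI-translation phase, before the access-check phase in which Order/Allow/Deny are evaluated, so an alias-host request is answered with its 301 before any Deny is consulted, and the client then follows the redirect to www.cf.cc where the same rules produce the 403 seen in test 1. Moving the aliases into a redirect-only VirtualHost keeps all access decisions on the canonical host; Apache 2.2 directive syntax is assumed as on the page, and the `<Location /admin.php>` path is an assumption because the container tags did not survive on the page.

```apache
# Added example, not the poster's config. Assumes Apache 2.2 syntax (Order/Allow/Deny).
NameVirtualHost *:80

# Catch-all default vhost: any Host: header that matches no ServerName below lands here.
<VirtualHost *:80>
    ServerName unrachable.com
    DocumentRoot "/tmp/unrachable"
</VirtualHost>

# Redirect-only vhost for the aliases. Nothing is served from here, so the rewrite
# (URI-translation phase) cannot precede any access rule that matters.
<VirtualHost *:80>
    ServerName www.aaa.cc
    ServerAlias www.bbb.cc
    RewriteEngine on
    RewriteRule ^/(.*)$ http://www.cf.cc/$1 [R=301,L]
</VirtualHost>

# Canonical host: every request reaching it goes through the access-check phase,
# because there is no vhost-level RewriteRule left to short-circuit it.
<VirtualHost *:80>
    ServerName www.cf.cc
    DocumentRoot "/data/www/"

    <Directory "/data/www/">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
        Deny from 192.168.3.67
        Deny from 192.168.3.100
    </Directory>

    # Per-URI restriction; the path is an assumption based on the admin.php tests.
    <Location /admin.php>
        Order deny,allow
        Deny from all
        Allow from 192.168.3.67
        Allow from 192.168.3.17
        Allow from 127.0.0.1
    </Location>
</VirtualHost>
```

With this layout a check such as `curl -x192.168.3.100:80 www.aaa.cc/admin.php -I -L` follows the 301 to www.cf.cc and ends with whatever the canonical host's rules decide (403 for 192.168.3.100 in test 1), which is the response to compare against the redirect itself.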