Apache常见配置错误
Common Apache Misconfigurations
This page will describe common misconfigurations as seen in #apache as well as describe why these are wrong.
# 注釋 :本頁面將會介紹那些常見的配置錯誤
Name Based Virtual Host Not matching the value of NameVirtualHost with a corresponding <VirtualHost> block.
# 注釋 :Name-based 虛擬主機定義中的 <Virtual XXX> 和 NameVirtualHost 指定的 ip 地址/端口不匹配Example:
NameVirtualHost *:80 # 注釋 :規定了在所有地址的 80 端口上監聽# This is wrong. No matching NameVirtualHost some.domain.com line.
<VirtualHost some.domain.com> # 注釋 :但這里的 some.domain.com 是一個外界的地址 # Options and stuff defined here.</VirtualHost># This would be correct.
<VirtualHost *:80> # 注釋 :象這個才是和 NameVirtualHost 匹配的 ServerName some.domain.com # Options and stuff defined here.</VirtualHost>Why is the first virtual host wrong? It's wrong on a couple of levels. The most obvious is that some.domain.com used in the first <VirtualHost> block doesn't match *:80 used in NameVirtualHost. The other being that NameVirtualHost refers to an interface, not a domain. For instance using *:80, means catch all interfaces on port 80. NameVirtualHost 1.1.1.1:80, would mean to catch the interface defined as 1.1.1.1 on port 80. While you can use a "NameVirtualHost some.domain.com/<VirtualHost some.domain.com>" combination, it doesn't really make sense and is not used... at least not used by anyone who's experienced with Apache administration.
# 注釋 :其實在上面的例子中有兩個地方是錯誤的 :
#????? -)1、很明顯,some.domain.com 不匹配 NameVirtualHost 指定的 *:80
#????? -)2、NameVirtualHost 是錯誤的,因為它并不是指向一個固定的域名,而是用 * 代替,而 NameVirtualHost 最好是給出一個明確的ip地址或者域名
#?? 注釋 :當然你可以用 NameVirtualHost <some.domain.com:80> 和 <VirtualHost some.domain.com:80></VirtualHost> ,不過很明顯,這是沒有任何意義的,
# 因為你不能控制一個不屬于你管理范圍的主機,也就是說這只是語法上正確而已,但沒有任何實際效果
Not setting a ServerName in a virtual host
# 注釋 :在 VirtualHost 的定義中沒有指定 ServerNameExample:
NameVirtualHost *:80# This would be correct.
<VirtualHost *:80> ServerName some.domain.com # Options and stuff defined here.</VirtualHost># This is wrong.
<VirtualHost *:80> # Options and stuff defined here, but no ServerName</VirtualHost>The second virtual host is wrong because when using name based virtual hosts, the ServerName is used by Apache to determine which virtual host configuration to use. Without it, Apache will never use the second virtual host configuration and will use the default virtual host. The default virtual host when using name based virtual hosts is the first defined virtual host.
# 注釋 :既然是 Name-based 虛擬主機,自然需要指定 ServerName 了,因為 Apache 就是根據 HTTP 請求中的 Host: header 來查找和它匹配
# 的虛擬主機的(ServerName 的值等于 Host: header 的值)。如果沒有指定一個虛擬主機的 ServerName ,則 Apache 永遠不會使用上面例子中的
# 第2個虛擬主機的配置,而是使用默認的虛擬主機(當使用了 Name-based 虛擬主機,第1個虛擬主機也就自動稱為默認的虛擬主機)
?
Mixing non-port and port name based virtual hosts.
# 注釋 :在 Name-based 虛擬主機的定義中,有些指定了端口,有些沒有指定端口Example:
NameVirtualHost * NameVirtualHost *:80<VirtualHost *>
ServerName some.domain.com # Options and stuff defined here.</VirtualHost><VirtualHost *:80>
ServerName some.domain2.com # Options and stuff defined here.</VirtualHost>Because NameVirtualHost * means catch all interfaces on all ports, the *:80 virtual host will never be caught. Every request to Apache will result in the some.domain.com virtual host being used.
# 注釋 :在上面的例子中,第1個 NameVritualHost 表示監聽所有接口上的所有接接口,所以第2個 NameVirtualHost 永遠不會被用到。
# 所以每個請求都會導致 Apache 使用第一個虛擬主機的配置來響應
?
Using the same Listen and/or NameVirtualHost multiple times.
# 注釋 :重復使用 Listen 且(或者)NameVirtualHost 指令,通常是出現在多個配置文件的情況中Example:
# Can happen when using multiple config files. # In one config file:Listen 80 # In another config file:Listen 80# Like above, can happen when using multiple config files.
# In one config file:NameVirtualHost *:80# In another config file: NameVirtualHost *:80In the case of multiple Listen directives, Apache will bind to port 80 the first time and then try to bind to port 80 a second time. This yields a nice "Could not bind to port" error on start up. This seems to happen with newbies and Debian based distros, where Debian based distros have Listen 80 defined in ports.conf. Newbies don't realize this and create another Listen 80 line in apache2.conf.
# 注釋 :你可能認為這不會有什么問題,不過很遺憾,Apache 會嘗試重復把自己綁定到 80 端口上,這會在 Apache 啟動時產生一個 "Could not bind to port" 的錯誤
# 消息,這對于使用 Debian 發行版的新手來說可能會比較常見,因為 Debina 發行版在 ports.conf 中已經有定義 Listen 80 了,新手不注意的話會在 apache2.conf
# 中再定義一次
Multiple NameVirtualHost lines will yield a "NameVirtualHost *:80 has no VirtualHosts" warning. Apache will ignore the second directive and use the first defined NameVirtualHost line, though. This seems to happen when one is using multiple virtual host configuration files and doesn't understand that you only need to define a particular NameVirtualHost line once.
# 注釋 :多個 NameVirtualHost 同樣也不行,也會產生 ‘NameVirtualHost *:80 has no VirtualHosts" 的錯誤,Apache 會忽略第2個指令,并只使用第1個 NameVirutalHost
# 補充 :如果多個 NameVirtualHost 是在不同地址上監聽,這種情況是允許的。
Multiple SSL name based virtual hosts on the same interface.
# 注釋 :對使用同一個地址(域名)的多個 Name-based 虛擬主機啟用 SSLExample:
NameVirtualHost *:443<VirtualHost *:443>
ServerName some.domain.com # SSL options, other options, and stuff defined here.</VirtualHost><VirtualHost *:443>
ServerName some.domain2.com # SSL options, other options, and stuff defined here.</VirtualHost>?
Because of the nature of SSL, host information isn't used when first establishing a SSL connection. Apache will always use the certificate of the default virtual host, which is the first defined virtual host in name based virtual hosts. While this doesn't mean that you won't ever be able to access the second virtual host, it does mean your users will always get a certificate mismatch popup warning when trying to access some.domain2.com. Read more about this at http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2.
???? # 注釋 :這也是一個很常見的問題,因為 SSL 是”橫在“ HTTP 和 TCP 之間的一個中間層,它把兩端的通信數據進行加密,
???? # 所以在建立 SSL 連接之前,是無法看到其中的 HTTP 請求的 Host: 的,看不到 Host: header 的值,Apache 就不知道應該
???? # 用那個 Name-based 虛擬主機來響應,所以 Apache 會象上面一樣,固定使用一個 Name-based 虛擬主機來響應(包括
???? # 該虛擬主機所定義的 SSL 證書)。具體可以看下面這段話 :
Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.
It comes as rather a shock to learn that it is impossible.
The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.
You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then have a single SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.
NameVirtualHost 192.168.1.1:80
Other workaround solutions include:
Using separate IP addresses for different SSL hosts. Using different port numbers for different SSL hosts.
Also, note that the configuration above isn't something someone would normally use for SSL, which requires a static, non-shared IP address -- NameVirtualHost 127.124.3.53:80 is a more likely format. However, using NameVirtualHost *:443 is commonly seen in howtos for Debian/Ubuntu.
# 注釋 :還有一點,既然要使用 SSL ,一般不會使用這種共享 ip 的方式,都是每臺 SSL 服務器對應一個 ip 的。
# 具體的含義可以看上面粗體的部分
? #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Scope Adding/Restricting access and options in <Directory />
# 注釋 :在 <Directory /> 中增加訪問控制語句Example:
<Directory /> # This was changed from the default of AllowOverride None. AllowOverride FileInfo Indexes # Default directives defined below.</Directory><Directory /> is not a URL path. It is a filesystem path. Making changes in this <Directory> block will have no effect on your website DocumentRoot. In the example above, what m
what might have been attempted was being able to use htaccess in the DocumentRoot. The problem being that the htaccess file will still be ignored because the AllowOverride?? is set in the wrong <Directory> block.
# 注釋 :因為 <Directory /> 不是 DocumentRoot 所指的那個目錄,而是真正的文件系統 / 目錄。所以你在這里設置并不會對 DocumentRoot 指定的目錄有什么影響。
# 如果要限制 DocumentRoot 的訪問,應該在 <Directory /var/www/html> 中進行,或者在 /var/www/html/.htaccess 中進行
?
# 補充 :下面是 httpd.conf 中關于這兩個目錄的默認配置
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
??? Options FollowSymLinks
??? AllowOverride None
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#?? Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
??? Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#?? Options FileInfo AuthConfig Limit
#
??? AllowOverride None
#
# Controls who can get stuff from this server.
#
??? Order allow,deny
??? Allow from all
</Directory>
?
Changing the DocumentRoot value without updating the old DocumentRoot's <Directory> block
# 注釋 :修改了 DocumentRoot 的值,但卻沒有更新舊的 DocumentRoot 的 <Directory></Directory> 配置段Example:
# Your old DocumentRoot value was /usr/local/apache2/htdocs DocumentRoot /var/www/html## This should be changed to whatever you set DocumentRoot to.#<Directory /usr/local/apache2/htdocs> # Options and access set here.</Directory>Access and options in Apache must be expressly given. Since there is no <Directory> block for the new document root that grants any access or options, you will get a permission error when you try to access your site.
# 注釋 :上面的 DocumentRoot 指向 /var/www/html ,但卻沒有針對改目錄的 <Direcotry></Directory> 配置段,
# 所以可能會得到一個 403 (Forbiden)的錯誤
?
Trying to set directory and index options in a script aliased directory.
# 注釋 :嘗試在一個 ScriptAlias 指定的目錄中啟動 Index 功能,或者定義 DirectoryIndexExample:
ScriptAlias /cgi-bin/ /var/www/cgi-bin/ <Directory /var/www/cgi-bin> AllowOverride None Options Indexes ExecCGI DirectoryIndex index.cgi # Other options defined.</Directory>Script aliased directories do not allow for directory listings specified with Options Indexes. This is a security feature. Also, script aliased directories automatically try and execute everything in them. So, Options ExecCGI is unnecessary. The DirectoryIndex directive also does not work in a script aliased directory. The workaround for this if you really need directory listings or other directory indexing options is to use Alias instead of ScriptAlias.
# 注釋 :要注意,ScriptAlias 所指定的目錄不允許啟用 index 功能或者設定默認的 index 頁面。這很明顯是出于安全方面的考慮, 否則所有人都可以下載 CGI 腳本了。
# 同時 ScriptAlias 所指定的目錄下的所有文件都會被當成 CGI 程序來嘗試執行,所以不需要手工指定 ExecCGI 選項了,如果你真的需要這么作,用 Alias 代替
# ScriptAlias 命令,不過還是建議不要這么作
# 補充 :下面是關于 cgi-bin/ 目錄的默認配置
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
??? AllowOverride None
??? Options None
??? Order allow,deny
??? Allow from all
</Directory>
Example:
Alias /cgi-bin/ /var/www/cgi-bin/ <Directory /var/www/cgi-bin> AllowOverride None Options Indexes ExecCGI AddHandler cgi-script .cgi DirectoryIndex index.cgi # Other options defined.</Directory>The options above will now work.
?
?
轉自: http://www.ubooo.com/Article/view-1259.html
與50位技術專家面對面20年技術見證,附贈技術全景圖總結
以上是生活随笔為你收集整理的Apache常见配置错误的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 更改hostname后vnc无法进入图形
- 下一篇: vsftp实现只能上传不能下载、删除权限