科技行者

行者学院 转型私董会 科技行者专题报道 网红大战科技行者

知识库

知识库 安全导航

至顶网网络频道使用mod_proxy改进LAMP安全

使用mod_proxy改进LAMP安全

  • 扫一扫
    分享文章到微信

  • 扫一扫
    关注官方公众号
    至顶头条

在本文中,Nick Maynard 描述了一种使用 Apache 的 mod_proxy 模块改进 LAMP 设置的安全性的方法。

作者:51cto 2007年10月11日

关键字:

  • 评论
  • 分享微博
  • 分享邮件

在本页阅读全文(共2页)

表 1. 示例应用程序中使用的 Apache 版本

元素 Apache 版本 原因
facade 服务器 Apache 2,运行 worker 或 event MPM Apache 2 对 mod_proxy 模块做了重要的改进。worker 和 event MPM 是线程化的,有助于减少 facade 服务器的内存开销。
后端服务器 Apache 1.3,或运行 prefork MPM 的 Apache 2 Apache 管理员必须意识到 PHP 模块不应该运行在线程化环境中。这两个解决方案为 PHP 模块提供了基于进程的环境。
后端 Apache 实例的配置

清单 2 和 清单 3 中的代码片段说明了与标准 Apache 配置的基本差异。应该根据需要将它们添加到适当的配置中,比如这里忽略的 PHP 功能配置。

清单 2. 在线创业企业的 Apache 配置
# Stuff every Apache configuration needs
ServerType standalone
LockFile /var/lock/apache/accept.startup.lock
PidFile /var/run/apache.startup.pid
ServerName necessaryevil.startup.tld
DocumentRoot "/home/startup/web"
# Essential modules
LoadModule access_module /usr/lib/apache/1.3/mod_access.so
# Which user to run this Apache configuration as
User startup
Group startup
# This must be off else the host isn't passed correctly
UseCanonicalName Off
# The IP/port combination to listen on
Listen 127.0.0.2:10000
# Using name-based virtual hosting allows you to host multiple sites per IP/port combo
NameVirtualHost 127.0.0.2:10000
    ServerName www.startup.tld    

# You can add aliases so long as the facade server is aware of them!

ServerAlias startup.tld DocumentRoot "/home/startup/web/www.startup.tld"

Options Indexes FollowSymLinks MultiViews ExecCGI Includes

AllowOverride All Order allow,deny Allow from all


清单 3. 个人客户的 Apache 配置

# Stuff every Apache configuration needs
ServerType standalone
LockFile /var/lock/apache/accept.nimrod.lock
PidFile /var/run/apache.nimrod.pid
ServerName necessaryevil.nimrod.tld
DocumentRoot "/home/nimrod/web"
# Essential modules
LoadModule access_module /usr/lib/apache/1.3/mod_access.so
# Which user to run this Apache configuration as
User nimrod
Group nimrod
# This must be off else the host isn't passed correctly
UseCanonicalName Off
# The IP/port combination to listen on
Listen 127.0.0.2:10001
# Using name-based virtual hosting allows you to host multiple sites per IP/port combo
NameVirtualHost 127.0.0.2:10001
    ServerName www.reckless.tld   

# You can add aliases so long as the facade server is aware of them!

ServerAlias reckless.tld DocumentRoot "/home/nimrod/web/www.reckless.tld"

Options Indexes FollowSymLinks MultiViews ExecCGI Includes

AllowOverride All Order allow,deny Allow from all


清单 4 说明了门面 Apache 实例的配置。

清单 4. 门面 Apache 实例的 Apache 配置
# Stuff every Apache configuration needs
LockFile /var/lock/apache/accept.www-data.lock
PidFile /var/run/apache.www-data.pid
ServerName necessaryevil.facade.server
DocumentRoot "/home/www-data"
# Essential modules
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
# Which user to run this Apache configuration as
User www-data
Group www-data
# These must be set else the host isn't passed correctly
UseCanonicalName Off
ProxyVia On
ProxyRequests Off
# This must also be set, though it's only an option in Apache2
ProxyPreserveHost On
# The IP/port combination to listen on
Listen 9.20.1.1:80
# Using name-based virtual hosting allows you to host multiple sites per IP/port combo
NameVirtualHost 9.20.1.1:80
# Configuration to forward requests for startup.tld
    ServerName www.startup.tld    ServerAlias startup.tld    

ProxyPass / http://127.0.0.2:10000/ ProxyPassReverse / http://127.0.0.2:10000/

ProxyPassReverse / http://www.startup.tld:10000/ ProxyPassReverse / http://startup.tld:10000/
# Configuration to forward requests for reckless.tld ServerName www.reckless.tld ServerAlias reckless.tld

ProxyPass / http://127.0.0.2:10001/ ProxyPassReverse / http://127.0.0.2:10001/

ProxyPassReverse / http://www.reckless.tld:10001/

ProxyPassReverse / http://reckless.tld:10001/
    • 评论
    • 分享微博
    • 分享邮件
    邮件订阅

    如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。

    重磅专题
    往期文章
    最新文章