至顶网›网络频道 ›使用mod_proxy改进LAMP安全

使用mod_proxy改进LAMP安全

扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条

在本文中，Nick Maynard 描述了一种使用 Apache 的 mod_proxy 模块改进 LAMP 设置的安全性的方法。

作者：51cto 2007年10月11日

关键字：

表 1. 示例应用程序中使用的 Apache 版本

元素	Apache 版本	原因
facade 服务器	Apache 2，运行 worker 或 event MPM	Apache 2 对 mod_proxy 模块做了重要的改进。worker 和 event MPM 是线程化的，有助于减少 facade 服务器的内存开销。
后端服务器	Apache 1.3，或运行 prefork MPM 的 Apache 2	Apache 管理员必须意识到 PHP 模块不应该运行在线程化环境中。这两个解决方案为 PHP 模块提供了基于进程的环境。

后端 Apache 实例的配置

清单 2 和清单 3 中的代码片段说明了与标准 Apache 配置的基本差异。应该根据需要将它们添加到适当的配置中，比如这里忽略的 PHP 功能配置。

清单 2. 在线创业企业的 Apache 配置

# Stuff every Apache configuration needs
ServerType standalone
LockFile /var/lock/apache/accept.startup.lock
PidFile /var/run/apache.startup.pid
ServerName necessaryevil.startup.tld
DocumentRoot "/home/startup/web"
# Essential modules
LoadModule access_module /usr/lib/apache/1.3/mod_access.so
# Which user to run this Apache configuration as
User startup
Group startup
# This must be off else the host isn't passed correctly
UseCanonicalName Off
# The IP/port combination to listen on
Listen 127.0.0.2:10000
# Using name-based virtual hosting allows you to host multiple sites per IP/port combo
NameVirtualHost 127.0.0.2:10000
    ServerName www.startup.tld    

# You can add aliases so long as the facade server is aware of them!    

ServerAlias startup.tld    DocumentRoot "/home/startup/web/www.startup.tld"            

Options Indexes FollowSymLinks MultiViews ExecCGI Includes       

AllowOverride All        Order allow,deny        Allow from all

清单 3. 个人客户的 Apache 配置

# Stuff every Apache configuration needs
ServerType standalone
LockFile /var/lock/apache/accept.nimrod.lock
PidFile /var/run/apache.nimrod.pid
ServerName necessaryevil.nimrod.tld
DocumentRoot "/home/nimrod/web"
# Essential modules
LoadModule access_module /usr/lib/apache/1.3/mod_access.so
# Which user to run this Apache configuration as
User nimrod
Group nimrod
# This must be off else the host isn't passed correctly
UseCanonicalName Off
# The IP/port combination to listen on
Listen 127.0.0.2:10001
# Using name-based virtual hosting allows you to host multiple sites per IP/port combo
NameVirtualHost 127.0.0.2:10001
    ServerName www.reckless.tld   

# You can add aliases so long as the facade server is aware of them!   

ServerAlias reckless.tld    DocumentRoot "/home/nimrod/web/www.reckless.tld"         

Options Indexes FollowSymLinks MultiViews ExecCGI Includes       

AllowOverride All        Order allow,deny        Allow from all

清单 4 说明了门面 Apache 实例的配置。

清单 4. 门面 Apache 实例的 Apache 配置

# Stuff every Apache configuration needs
LockFile /var/lock/apache/accept.www-data.lock
PidFile /var/run/apache.www-data.pid
ServerName necessaryevil.facade.server
DocumentRoot "/home/www-data"
# Essential modules
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
# Which user to run this Apache configuration as
User www-data
Group www-data
# These must be set else the host isn't passed correctly
UseCanonicalName Off
ProxyVia On
ProxyRequests Off
# This must also be set, though it's only an option in Apache2
ProxyPreserveHost On
# The IP/port combination to listen on
Listen 9.20.1.1:80
# Using name-based virtual hosting allows you to host multiple sites per IP/port combo
NameVirtualHost 9.20.1.1:80
# Configuration to forward requests for startup.tld
    ServerName www.startup.tld    ServerAlias startup.tld    

ProxyPass / http://127.0.0.2:10000/    ProxyPassReverse / http://127.0.0.2:10000/   

ProxyPassReverse / http://www.startup.tld:10000/    ProxyPassReverse / http://startup.tld:10000/

# Configuration to forward requests for reckless.tld
    ServerName www.reckless.tld    ServerAlias reckless.tld    

ProxyPass / http://127.0.0.2:10001/    ProxyPassReverse / http://127.0.0.2:10001/  

ProxyPassReverse / http://www.reckless.tld:10001/    

ProxyPassReverse / http://reckless.tld:10001/

VIP专区

VIP用户

普通用户

邮件订阅

如果您非常迫切的想了解IT领域最新产品与技术信息，那么订阅至顶网技术邮件将是您的最佳途径之一。

重磅专题

往期文章

使用mod_proxy改进LAMP安全

业界热点: