Common Apache Misconfigurations

This page describes common misconfigurations as seen in #apache and explains why each of them is wrong.

# Note: this page introduces the common configuration mistakes.

  1. Common Apache Misconfigurations

    1. Name Based Virtual Host

      1. Not matching the value of NameVirtualHost with a corresponding <VirtualHost> block.
      2. Not setting a ServerName in a virtual host.
      3. Mixing non-port and port name based virtual hosts.
      4. Using the same Listen and/or NameVirtualHost multiple times.
      5. Multiple SSL name based virtual hosts on the same interface.

    2. Scope

      1. Adding/Restricting access and options in <Directory />
      2. Changing the DocumentRoot value without updating the old DocumentRoot's <Directory> block
      3. Trying to set directory and index options in a script aliased directory.

Name Based Virtual Host

Not matching the value of NameVirtualHost with a corresponding <VirtualHost> block.

# Note: the <VirtualHost XXX> in the name-based virtual host definition does not match the IP address/port given to NameVirtualHost.

Example:

NameVirtualHost *:80  # Note: specifies port 80 on all addresses

# This is wrong. No matching NameVirtualHost some.domain.com line.
<VirtualHost some.domain.com>     # Note: but some.domain.com here is an external address
  # Options and stuff defined here.
</VirtualHost>

# This would be correct.
<VirtualHost *:80>   # Note: this one matches NameVirtualHost
  ServerName some.domain.com
  # Options and stuff defined here.
</VirtualHost>

Why is the first virtual host wrong? It's wrong on a couple of levels. The most obvious is that the some.domain.com used in the first <VirtualHost> block doesn't match the *:80 used in NameVirtualHost. The other is that NameVirtualHost refers to an interface, not a domain. For instance, *:80 means catch all interfaces on port 80, and NameVirtualHost 1.1.1.1:80 means catch the interface defined as 1.1.1.1 on port 80. While you can use a "NameVirtualHost some.domain.com/<VirtualHost some.domain.com>" combination, it doesn't really make sense and is not used... at least not by anyone who's experienced with Apache administration.

# Note: there are actually two mistakes in the example above:

#   1. Obviously, some.domain.com does not match the *:80 given to NameVirtualHost.

#   2. NameVirtualHost is wrong because it does not point to a fixed domain name but uses * instead; NameVirtualHost is best given an explicit IP address or domain name.

#   Note: of course you can use NameVirtualHost <some.domain.com:80> together with <VirtualHost some.domain.com:80></VirtualHost>, but obviously this is meaningless,

# because you cannot control a host that is outside your administration; in other words it is only syntactically correct and has no practical effect.

Not setting a ServerName in a virtual host

# Note: no ServerName is given in the VirtualHost definition.

Example:

NameVirtualHost *:80

# This would be correct.
<VirtualHost *:80>
  ServerName some.domain.com
  # Options and stuff defined here.
</VirtualHost>

# This is wrong.
<VirtualHost *:80>
  # Options and stuff defined here, but no ServerName
</VirtualHost>

The second virtual host is wrong because when using name based virtual hosts, the ServerName is used by Apache to determine which virtual host configuration to use. Without it, Apache will never use the second virtual host configuration and will use the default virtual host. The default virtual host when using name based virtual hosts is the first defined virtual host.

# Note: since these are name-based virtual hosts, a ServerName naturally has to be given, because Apache looks up the matching virtual host

# by the Host: header of the HTTP request (the value of ServerName equals the value of the Host: header). If a virtual host has no ServerName,

# Apache will never use the second virtual host configuration from the example above and will use the default virtual host instead (when name-based virtual hosts are used, the first virtual host automatically becomes the default).

Mixing non-port and port name based virtual hosts.

# Note: in the name-based virtual host definitions, some specify a port and some do not.

Example:

NameVirtualHost *
NameVirtualHost *:80

<VirtualHost *>
  ServerName some.domain.com
  # Options and stuff defined here.
</VirtualHost>

<VirtualHost *:80>
  ServerName some.domain2.com
  # Options and stuff defined here.
</VirtualHost>

Because NameVirtualHost * means catch all interfaces on all ports, the *:80 virtual host will never be caught. Every request to Apache will result in the some.domain.com virtual host being used.

# Note: in the example above, the first NameVirtualHost catches all ports on all interfaces, so the second NameVirtualHost will never be used.

# So every request causes Apache to respond with the first virtual host's configuration.

Using the same Listen and/or NameVirtualHost multiple times.

# Note: repeated Listen and/or NameVirtualHost directives, which usually happens when there are multiple configuration files.

Example:

# Can happen when using multiple config files.
# In one config file:
Listen 80
# In another config file:
Listen 80

# Like above, can happen when using multiple config files.
# In one config file:
NameVirtualHost *:80
# In another config file:
NameVirtualHost *:80

In the case of multiple Listen directives, Apache will bind to port 80 the first time and then try to bind to port 80 a second time. This yields a nice "Could not bind to port" error on start up. This seems to happen with newbies and Debian based distros, where Debian based distros have Listen 80 defined in ports.conf. Newbies don't realize this and create another Listen 80 line in apache2.conf.

# Note: you might think this causes no problems, but unfortunately Apache will try to bind itself to port 80 twice, which produces a "Could not bind to port" error

# message when Apache starts. This is fairly common for newcomers on Debian-based distributions, because Debian already defines Listen 80 in ports.conf, and a newcomer who does not notice

# defines it again in apache2.conf.

Multiple NameVirtualHost lines will yield a "NameVirtualHost *:80 has no VirtualHosts" warning. Apache will ignore the second directive and use the first defined NameVirtualHost line, though. This seems to happen when one is using multiple virtual host configuration files and doesn't understand that you only need to define a particular NameVirtualHost line once.

# Note: multiple NameVirtualHost lines are likewise not allowed; they produce a "NameVirtualHost *:80 has no VirtualHosts" error, and Apache ignores the second directive and only uses the first NameVirtualHost.

# Addendum: multiple NameVirtualHost lines are permitted when they refer to different addresses.

Multiple SSL name based virtual hosts on the same interface.

# Note: enabling SSL on multiple name-based virtual hosts that share one address (domain).

Example:

NameVirtualHost *:443

<VirtualHost *:443>
  ServerName some.domain.com
  # SSL options, other options, and stuff defined here.
</VirtualHost>

<VirtualHost *:443>
  ServerName some.domain2.com
  # SSL options, other options, and stuff defined here.
</VirtualHost>

Because of the nature of SSL, host information isn't used when first establishing an SSL connection. Apache will always use the certificate of the default virtual host, which is the first defined virtual host in name based virtual hosts. While this doesn't mean that you won't ever be able to access the second virtual host, it does mean your users will always get a certificate mismatch popup warning when trying to access some.domain2.com. Read more about this at http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2.

# Note: this is also a very common problem, because SSL is a layer that sits between HTTP and TCP and encrypts the data exchanged between the two ends,

# so before the SSL connection is established the Host: of the HTTP request inside it cannot be seen. Without the Host: header value, Apache cannot know

# which name-based virtual host should respond, so as above Apache always uses a fixed name-based virtual host (including

# the SSL certificate that virtual host defines). See the following passage for details:

Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?

Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.

It comes as rather a shock to learn that it is impossible.

The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.

You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then have a single SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

NameVirtualHost 192.168.1.1:80

Other workaround solutions include:

  1. Using separate IP addresses for different SSL hosts.
  2. Using different port numbers for different SSL hosts.

Also, note that the configuration above isn't something someone would normally use for SSL, which requires a static, non-shared IP address -- NameVirtualHost 127.124.3.53:80 is a more likely format. However, using NameVirtualHost *:443 is commonly seen in howtos for Debian/Ubuntu.

# Note: one more point: since SSL is to be used, this shared-IP approach is normally not used; each SSL server has its own IP.

# See the part quoted (in bold) above for the specifics.

Scope

Adding/Restricting access and options in <Directory />

# Note: adding access-control statements in <Directory />.

Example:

<Directory />
  # This was changed from the default of AllowOverride None.
  AllowOverride FileInfo Indexes
  # Default directives defined below.
</Directory>

<Directory /> is not a URL path. It is a filesystem path. Making changes in this <Directory> block will have no effect on your website DocumentRoot. In the example above, what might have been attempted was being able to use htaccess in the DocumentRoot. The problem is that the htaccess file will still be ignored, because the AllowOverride is set in the wrong <Directory> block.

# Note: because <Directory /> is not the directory DocumentRoot points to but the real filesystem / directory, settings made here have no effect on the directory given by DocumentRoot.

# To restrict access to the DocumentRoot, do it in <Directory /var/www/html> or in /var/www/html/.htaccess.

# Addendum: below is the default configuration for these two directories in httpd.conf.

# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/html">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
    Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
    AllowOverride None

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all

</Directory>

Changing the DocumentRoot value without updating the old DocumentRoot's <Directory> block

# Note: the DocumentRoot value was changed, but the old DocumentRoot's <Directory></Directory> section was not updated.

Example:

# Your old DocumentRoot value was /usr/local/apache2/htdocs
DocumentRoot /var/www/html

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory /usr/local/apache2/htdocs>
  # Options and access set here.
</Directory>

Access and options in Apache must be expressly given. Since there is no <Directory> block for the new document root that grants any access or options, you will get a permission error when you try to access your site.

# Note: the DocumentRoot above points to /var/www/html, but there is no <Directory></Directory> section for that directory,

# so you will probably get a 403 (Forbidden) error.

Trying to set directory and index options in a script aliased directory.

# Note: trying to enable the Index feature, or to define a DirectoryIndex, in a directory given by ScriptAlias.

Example:

ScriptAlias /cgi-bin/ /var/www/cgi-bin/

<Directory /var/www/cgi-bin>
  AllowOverride None
  Options Indexes ExecCGI
  DirectoryIndex index.cgi
  # Other options defined.
</Directory>

Script aliased directories do not allow directory listings specified with Options Indexes. This is a security feature. Also, script aliased directories automatically try to execute everything in them, so Options ExecCGI is unnecessary. The DirectoryIndex directive also does not work in a script aliased directory. The workaround, if you really need directory listings or other directory indexing options, is to use Alias instead of ScriptAlias.

# Note: be aware that a directory given by ScriptAlias does not allow the index feature or a default index page. This is clearly for security reasons; otherwise everyone could download the CGI scripts.

# Also, every file under a ScriptAlias directory is treated as a CGI program and executed, so there is no need to specify the ExecCGI option by hand. If you really need to do this, use Alias instead of the

# ScriptAlias directive, though it is still not recommended.

# Addendum: below is the default configuration for the cgi-bin/ directory.

# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

Example:

Alias /cgi-bin/ /var/www/cgi-bin/

<Directory /var/www/cgi-bin>
  AllowOverride None
  Options Indexes ExecCGI
  AddHandler cgi-script .cgi
  DirectoryIndex index.cgi
  # Other options defined.
</Directory>

The options above will now work.
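A small config lint for the pitfalls in both the Name Based Virtual Host section and the Scope section above, added here as an example (it is not code from the original page or from the Apache project). It reads a flat httpd.conf fragment and reports duplicate Listen/NameVirtualHost lines, a NameVirtualHost * that shadows port-specific lines, <VirtualHost> blocks with no matching NameVirtualHost or no ServerName, several SSL vhosts on one interface, a DocumentRoot with no <Directory> block, and Indexes/DirectoryIndex inside a ScriptAlias directory; `parse`, `lint` and the constructed `SAMPLE` are this example's own names.

```python
import re

def parse(text):
    """Split a config fragment into top-level (name, args) pairs and (kind, arg, inner) blocks (nesting not tracked)."""
    top, blocks, cur = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and surrounding whitespace
        m = re.match(r'<(\w+)\s+"?([^>"]+)"?>', line)
        if m:                                      # opening <VirtualHost ...> or <Directory ...>
            cur = (m.group(1), m.group(2), [])
            blocks.append(cur)
        elif line.startswith("</"):                # closing tag: back to top level
            cur = None
        elif line:
            name, _, args = line.partition(" ")
            (cur[2] if cur else top).append((name, args.strip()))
    return top, blocks

def lint(text):
    """Return findings for the name-based vhost and scope mistakes this page describes."""
    top, blocks = parse(text)
    found, nvh = [], [a for n, a in top if n == "NameVirtualHost"]
    for name in ("Listen", "NameVirtualHost"):    # same line twice: bind error / ignored directive
        vals = [a for n, a in top if n == name]
        found += [f"duplicate {name} {v}" for v in sorted(set(vals)) if vals.count(v) > 1]
    if "*" in nvh and len(nvh) > 1:               # NameVirtualHost * catches every port first
        found.append("NameVirtualHost * shadows the port-specific NameVirtualHost lines")
    ssl = []
    for kind, arg, inner in blocks:
        if kind == "VirtualHost":
            if arg not in nvh:                    # <VirtualHost x> needs a NameVirtualHost x
                found.append(f"<VirtualHost {arg}> matches no NameVirtualHost line")
            if not any(n == "ServerName" for n, _ in inner):
                found.append(f"<VirtualHost {arg}> has no ServerName")
            if arg.endswith(":443"):
                ssl.append(arg)
    found += [f"{ssl.count(a)} SSL vhosts on {a}: only the first certificate is ever sent"
              for a in sorted(set(ssl)) if ssl.count(a) > 1]
    dirs = {arg.rstrip("/") for k, arg, _ in blocks if k == "Directory"}
    found += [f"DocumentRoot {d} has no <Directory> block granting access"
              for n, d in top if n == "DocumentRoot" and d.rstrip("/") not in dirs]
    cgi = {a.split()[-1].rstrip("/") for n, a in top if n == "ScriptAlias"}
    found += [f"{n} {a} does not work in ScriptAlias directory {arg}" for k, arg, inner in blocks
              if k == "Directory" and arg.rstrip("/") in cgi for n, a in inner
              if n == "DirectoryIndex" or (n == "Options" and "Indexes" in a.split())]
    return found

# Constructed fragment (not from any real server) reproducing the page's first pitfall.
SAMPLE = "NameVirtualHost *:80\n<VirtualHost some.domain.com>\n    ServerName some.domain.com\n</VirtualHost>\n"
print(lint(SAMPLE))
```

The lint sees one file at a time, so concatenate any included files (Debian's ports.conf and sites-enabled/*) before passing them in; Apache's own view of the resulting vhost set is shown by `apachectl -S`.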

Reposted from: http://www.ubooo.com/Article/view-1259.html
