Apache配置文件详解

配置文件目录

conf/                          # apache配置conf配置文件目录
├── extra                        # 额外的apache配置文件目录 如:httpd-vhost.conf
│   ├── httpd-autoindex.conf                 # 配置目录列表的辅配置文件
│   ├── httpd-dav.conf               # dav支持配置
│   ├── httpd-default.conf             # 这个文件里配置的是apache的相关服务参数:超时时间、保持链接
│   ├── httpd-info.conf                      # 配置用于服务器信息和状态显示的辅配置文件
│   ├── httpd-languages.conf             # 语言支持
│   ├── httpd-manual.conf                    # 配置提供Apache文档访问的辅配置文件
│   ├── httpd-mpm.conf                       # 服务器池管理,也是优化apache的一个配置文件(apache的模式以及配置链接数,常用模式为worker模式和profork模式,默认porfork)
│   ├── httpd-multilang-errordoc.conf        # 配置多语言错误应答的辅配置文件
│   ├── httpd-ssl.conf                       # 提供apache ssl支持配置文件
│   ├── httpd-userdir.conf                   # 配置用户主目录的辅配置文件
│   ├── httpd-vhosts.conf                    # 虚拟机的配置文件
│   └── proxy-html.conf
├── httpd.conf                               # apache主配置文件
├── magic
├── mime.types
└── original
    ├── extra
    │   ├── httpd-autoindex.conf
    │   ├── httpd-dav.conf
    │   ├── httpd-default.conf
    │   ├── httpd-info.conf
    │   ├── httpd-languages.conf
    │   ├── httpd-manual.conf
    │   ├── httpd-mpm.conf
    │   ├── httpd-multilang-errordoc.conf
    │   ├── httpd-ssl.conf
    │   ├── httpd-userdir.conf
    │   ├── httpd-vhosts.conf
    │   └── proxy-html.conf
    └── httpd.conf

原版httpd.conf

# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see 
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" 
# will be interpreted as '/logs/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/usr/local/apache/"

#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:logs

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_form_module modules/mod_auth_form.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule allowmethods_module modules/mod_allowmethods.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
#LoadModule cache_socache_module modules/mod_cache_socache.so
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
#LoadModule socache_memcache_module modules/mod_socache_memcache.so
#LoadModule socache_redis_module modules/mod_socache_redis.so
#LoadModule watchdog_module modules/mod_watchdog.so
#LoadModule macro_module modules/mod_macro.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule buffer_module modules/mod_buffer.so
#LoadModule ratelimit_module modules/mod_ratelimit.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule request_module modules/mod_request.so
#LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule sed_module modules/mod_sed.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule log_debug_module modules/mod_log_debug.so
#LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
#LoadModule remoteip_module modules/mod_remoteip.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
#LoadModule session_module modules/mod_session.so
#LoadModule session_cookie_module modules/mod_session_cookie.so
#LoadModule session_dbd_module modules/mod_session_dbd.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule ssl_module modules/mod_ssl.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule info_module modules/mod_info.so
#LoadModule cgid_module modules/mod_cgid.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
#LoadModule actions_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
#LoadModule rewrite_module modules/mod_rewrite.so

<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.  
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User daemon
Group daemon

</IfModule>

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin you@example.com

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other 
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/apache//htdocs"
<Directory "/usr/local/apache//htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<Files ".ht*">
    Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog "logs/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to 
    # exist in your server's namespace, but do not anymore. The client 
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts. 
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/usr/local/apache//cgi-bin/"

</IfModule>

<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock cgisock
</IfModule>

#
# "/usr/local/apache//cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/apache//cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig conf/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile conf/magic

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited

#
# EnableMMAP and EnableSendfile: On systems that support it, 
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted 
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on

# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be 
# included to add extra features or to modify the default configuration of 
# the server, or you may simply copy their contents here and change as 
# necessary.

# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf

# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf

# Language settings
#Include conf/extra/httpd-languages.conf

# User home directories
#Include conf/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf

# Virtual hosts
#Include conf/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf

# Various default settings
#Include conf/extra/httpd-default.conf

# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

配置文件详解

# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see 
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" 
# will be interpreted as '/logs/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
# 用于指定Apache的运行目录,服务启动之后自动将目录改变为当前目录,在后面使用到的所有相对路径都是想对这个目录下
ServerRoot "/usr/local/apache/"

#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:logs

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
# 加载特定的DSO模块。Apache默认将已编译的DSO模块存放于4.1目录结构小节中所示的动态加载模块目录中。
# 语法 :LoadModule module filename 如果filename使用相对路径,则路径是相对于ServerRoot所指示的相对路径。
# Apache配置文件默认加载所有已编译的DSO模块,笔者建议只加载如下模块:authn_file、authn_default、 authz_host、authz_user、authz_default、auth_basic、dir、alias
、filter、speling、 log_config、env、vhost_alias、setenvif、mime、negotiation、rewrite、deflate、 expires、headers、cache、file-cache、disk-cache、mem-cache。
# 各模块说明详解https://httpd.apache.org/docs/2.4/mod/
# 如果需要提供基于文本文件的认证,加载此模块,否则注释掉
LoadModule authn_file_module modules/mod_authn_file.so
# 如果需要提供基于DBM文件的认证,加载此模块,否则注释掉
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
# 如果需要提供匿名用户认证,加载此模块,否则注释掉
#LoadModule authn_anon_module modules/mod_authn_anon.so
# 如果需要提供基于SQL数据库的认证,加载此模块,否则注释掉
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
# 
#LoadModule authn_socache_module modules/mod_authn_socache.so
# 
LoadModule authn_core_module modules/mod_authn_core.so
# 此模块提供基于主机名、IP地址、请求特征的访问控制,Allow、Deny指令需要,推荐加载。
LoadModule authz_host_module modules/mod_authz_host.so
# 如果需要使用纯文本文件为组提供授权支持,加载此模块,否则注释掉
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
# 如果需要提供基于每个用户的授权支持,加载此模块,否则注释掉
LoadModule authz_user_module modules/mod_authz_user.so
# 如果需要使用DBM文件为组提供授权支持,加载此模块,否则注释掉
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
# 如果需要基于文件的所有者进行授权,加载此模块,否则注释掉
#LoadModule authz_owner_module modules/mod_authz_owner.so
# 如果需要使用DBD文件为组提供授权支持,加载此模块,否则注释掉
#LoadModule authz_dbd_module modules/mod_authz_dbd.so

LoadModule authz_core_module modules/mod_authz_core.so

LoadModule access_compat_module modules/mod_access_compat.so
# 如果需要提供基本的HTTP认证,加载此模块,否则注释掉,此模块至少需要同时加载一个认证支持模块和一个授权支持模块
LoadModule auth_basic_module modules/mod_auth_basic.so

#LoadModule auth_form_module modules/mod_auth_form.so
# 如果需要提供HTTP MD5摘要认证,加载此模块,否则注释掉,此模块至少需要同时加载一个认证支持模块和一个授权支持模块
#LoadModule auth_digest_module modules/mod_auth_digest.so

#LoadModule allowmethods_module modules/mod_allowmethods.so
# 此模块提供文件描述符缓存支持,从而提高Apache性能,推荐加载,但请小心使用
#LoadModule file_cache_module modules/mod_file_cache.so
# 此模块提供基于URI键的内容动态缓存(内存或磁盘),从而提高Apache性能,必须与mod_disk_cache/mod_mem_cache同时使用,推荐加载
#LoadModule cache_module modules/mod_cache.so
# 此模块为mod_cache提供基于磁盘的缓存管理,推荐加载
#LoadModule cache_disk_module modules/mod_cache_disk.so
# 此模块为mod_cache提供基于内存的缓存管理,推荐加载
#LoadModule cache_socache_module modules/mod_cache_socache.so

#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

#LoadModule socache_dbm_module modules/mod_socache_dbm.so

#LoadModule socache_memcache_module modules/mod_socache_memcache.so

#LoadModule watchdog_module modules/mod_watchdog.so

#LoadModule macro_module modules/mod_macro.so
# 如果需要管理SQL数据库连接,为需要数据库功能的模块提供支持,加载此模块,否则注释掉(推荐)
#LoadModule dbd_module modules/mod_dbd.so
# 此模块将所有I/O操作转储到错误日志中,会导致在日志中写入及其海量的数据,只建议在发现问题并进行调试的时候使用
#LoadModule dumpio_module modules/mod_dumpio.so

#LoadModule buffer_module modules/mod_buffer.so

#LoadModule ratelimit_module modules/mod_ratelimit.so

LoadModule reqtimeout_module modules/mod_reqtimeout.so
# 如果需要使用外部程序作为过滤器,加载此模块(不推荐),否则注释掉
#LoadModule ext_filter_module modules/mod_ext_filter.so

#LoadModule request_module modules/mod_request.so
# 如果需要实现服务端包含文档(SSI)处理,加载此模块(不推荐),否则注释掉
#LoadModule include_module modules/mod_include.so
# 如果需要根据上下文实际情况对输出过滤器进行动态配置,加载此模块,否则注释掉
LoadModule filter_module modules/mod_filter.so

#LoadModule substitute_module modules/mod_substitute.so

#LoadModule sed_module modules/mod_sed.so
# 如果需要服务器在将输出内容发送到客户端以前进行压缩以节约带宽,加载此模块(推荐),否则注释掉
#LoadModule deflate_module modules/mod_deflate.so
# 如果需要根据文件扩展名决定应答的行为(处理器/过滤器)和内容(MIME类型/语言/字符集/编码),加载此模块,否则注释掉
LoadModule mime_module modules/mod_mime.so
# 如果需要记录日志和定制日志文件格式,加载此模块(推荐),否则注释掉
LoadModule log_config_module modules/mod_log_config.so

#LoadModule log_debug_module modules/mod_log_debug.so
# 如果需要对每个请求的输入/输出字节数以及HTTP头进行日志记录,加载此模块,否则注释掉
#LoadModule logio_module modules/mod_logio.so
# 如果允许Apache修改或清除传送到CGI脚本和SSI页面的环境变量,加载此模块,否则注释掉
LoadModule env_module modules/mod_env.so
# 如果允许通过配置文件控制HTTP的"Expires:"和"Cache-Control:"头内容,加载此模块(推荐),否则注释掉
#LoadModule expires_module modules/mod_expires.so
# 如果允许通过配置文件控制任意的HTTP请求和应答头信息,加载此模块,否则注释掉
LoadModule headers_module modules/mod_headers.so

#LoadModule unique_id_module modules/mod_unique_id.so
# 如果需要根据客户端请求头字段设置环境变量,加载此模块,否则注释掉
LoadModule setenvif_module modules/mod_setenvif.so

LoadModule version_module modules/mod_version.so

#LoadModule remoteip_module modules/mod_remoteip.so

#LoadModule proxy_module modules/mod_proxy.so

#LoadModule proxy_connect_module modules/mod_proxy_connect.so

#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

#LoadModule proxy_http_module modules/mod_proxy_http.so

#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so

#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so

#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so

#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so

#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
# 此模块是mod_proxy的扩展,提供Apache JServ Protocol支持,只在必要时加载
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
# 此模块是mod_proxy的扩展,提供负载均衡支持,只在必要时加载
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

#LoadModule proxy_express_module modules/mod_proxy_express.so

#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so

#LoadModule session_module modules/mod_session.so

#LoadModule session_cookie_module modules/mod_session_cookie.so

#LoadModule session_dbd_module modules/mod_session_dbd.so

#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so

#LoadModule ssl_module modules/mod_ssl.so

#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so

#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so

#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so

#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so

LoadModule unixd_module modules/mod_unixd.so
# 如果允许Apache提供DAV协议支持,加载此模块,否则注释掉
#LoadModule dav_module modules/mod_dav.so
# 此模块生成描述服务器状态的Web页面,只建议在追踪服务器性能和问题时加载
LoadModule status_module modules/mod_status.so
# 如果需要自动对目录中的内容生成列表(类似于"ls"或"dir"命令),加载此模块(会带来安全问题,不推荐),否则注释掉
LoadModule autoindex_module modules/mod_autoindex.so
# 如果需要生成Apache配置情况的Web页面,加载此模块(会带来安全问题,不推荐),否则注释掉
#LoadModule info_module modules/mod_info.so
# 此模块在线程型MPM(worker)上用一个外部CGI守护进程执行CGI脚本,如果正在多线程模式下使用CGI程序,推荐替换mod_cgi加载,否则注释掉  
#LoadModule cgid_module modules/mod_cgid.so
# 此模块为mod_dav访问服务器上的文件系统提供支持,如果加载mod_dav,则也应加载此模块,否则注释掉
#LoadModule dav_fs_module modules/mod_dav_fs.so
# 如果需要提供大批量虚拟主机的动态配置支持,加载此模块,否则注释掉
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
# 如果需要提供内容协商支持(从几个有效文档中选择一个最匹配客户端要求的文档),加载此模块(推荐),否则注释掉
#LoadModule negotiation_module modules/mod_negotiation.so
# 如果需要指定目录索引文件以及为目录提供"尾斜杠"重定向,加载此模块(推荐),否则注释掉
LoadModule dir_module modules/mod_dir.so
# 如果需要针对特定的媒体类型或请求方法执行CGI脚本,加载此模块,否则注释掉
#LoadModule actions_module modules/mod_actions.so
# 如果希望服务器自动纠正URL中的拼写错误,加载此模块(推荐),否则注释掉
#LoadModule speling_module modules/mod_speling.so
# 如果允许在URL中通过"/~username"形式从用户自己的主目录中提供页面,加载此模块,否则注释掉
#LoadModule userdir_module modules/mod_userdir.so
# 此模块提供从文件系统的不同部分到文档树的映射和URL重定向,推荐加载
LoadModule alias_module modules/mod_alias.so
# 如果需要基于一定规则实时重写URL请求,加载此模块(推荐),否则注释掉
#LoadModule rewrite_module modules/mod_rewrite.so

<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.  
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User daemon
Group daemon

</IfModule>

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin you@example.com

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
# 设置服务器用于辨识自己的主机名和端口号。
# 当没有指定ServerName时,服务器会尝试对IP地址进行反向查询来推断主机名。如果在ServerName中没有指定端口号,服务器会使用接受请求的那个端口。
#ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other 
# <Directory> blocks below.
#
# <Directory>和</Directory>用于封装一组指令,使之仅对某个目录及其子目录生效。
# 语法:<Directory Directory-path> ... </Directory>
# Directory-path可以是一个目录的完整路径,或是包含了Unix shell匹配语法的通配符字符串。
# <Directory>指令不可被嵌套使用,也不能出现在<Limit>或<LimitExcept>配置段中。
# 详解参数,见下文
<Directory />
    AllowOverride none
    Require all denied
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/apache//htdocs"
<Directory "/usr/local/apache//htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    #  
    # for more information.
    # 参数下述详解
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    # 参数下述详解
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
# 封装根据指定的模块是否启用而决定是否生效的指令。
# 在<IfModule>配置段中的指令仅当测试结果为真的时候才进行处理,否则所有其间的指令都将被忽略。
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
# 提供基于文件名的访问控制,类似于<Directory>和<Location>指令。
# 语法:<Files filename> ... </Files>
# filename参数应当是一个文件名或是一个包含通配符的字符串,其中"?"匹配任何单个字符,"*"匹配任何字符串序列。在"~"字符之后可以使用正则表达式。
# 在此配置段中定义的指令将作用于其基本名称(不是完整的路径)与指定的文件名相符的对象。<Files>段将根据它们在配置文件中出现的顺序被处理:在<Directory>段和.htaccess
<Files ".ht*">
    Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
# 当指定了某个级别时,所有级别高于它的信息也会被同时记录。比如,指定 LogLevel info ,则所有notice和warn级别的信息也会被记录。
LogLevel warn
        可以选择下列level,依照重要性降序排列:
           emerg  紧急(系统无法使用)
           alert    必须立即采取措施
           crit      致命情况
           error    错误情况
           warn    警告情况
           notice  一般重要情况
           info     普通信息
           debug   调试信息
        
# 见下文有详解
<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog "logs/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    # 映射URL到文件系统的特定区域。
    # 语法:Alias URL-path file-path|directory-path
    # Alias指令使文档可以被存储在DocumentRoot以外的本地文件系统中。以(%已解码的)url-path路径开头的URL可以被映射到以directory-path开头的本地文件。
    # 如果对在DocumentRoot之外的某个目录建立了一个Alias ,则可能需要通过<Directory>段明确的对目标目录设定访问权限。
    
    # Redirect: Allows you to tell clients about documents that used to 
    # exist in your server's namespace, but do not anymore. The client 
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    # ScriptAlias 映射一个URL到文件系统并视之为CGI脚本目录
    # 语法:ScriptAlias URL-path file-path|directory-path
    # ScriptAlias指令的行为与Alias指令相同,但同时它又标明此目录中含有应该由cgi-script处理器处理的CGI脚本。以URL-path开头的(%已解码的)的URL会被映射到由第二个参数指定的具有完整路径名的本地文件系统中的脚本。
    # ScriptSock:在以线程式MPM(worker)运行的Apache中设置用来与CGI守护进程通信的套接字文件名前缀(其后附加父进程 PID组成完整的文件名)。这个套接字将会用启动Apache服
        # 务器的父进程用户权限(通常是root)打开。为了维护与CGI脚本通讯的安全性,不允许其他用户拥有写入套接字所在目录的权限是很重要的。
    # ScriptAlias: This controls which directories contain server scripts. 
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    # 设定默认CGI脚本目录及别名
    ScriptAlias /cgi-bin/ "/usr/local/apache//cgi-bin/"

</IfModule>

<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    # 在以线程式MPM(worker)运行的Apache中设置用来与CGI守护进程通信的套接字文件名前缀
    #Scriptsock cgisock
</IfModule>

#
# "/usr/local/apache//cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/apache//cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig conf/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile conf/magic

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
# 批示当遇到错误的时候服务器将给客户端什么样的应答
# 语法:ErrorDocument error-code document
    # error-code 服务器返回的错误代码 
    # document  可以由一个斜杠(/)开头来指示一个本地URL(相对于DocumentRoot),或是提供一个能被客户端解释的完整的URL
    # 此外还能提供一个可以被浏览器显示的消息。
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited

# 指示httpd在递送中如果需要读取一个文件的内容,它是否可以使用内存映射
# 语法:EnableMMAP On|Off
""" 当处理一个需要访问文件中的数据的请求时,比如说当递送一个使用mod_include进行服务器端分析的文件时,如果操作系统支持,Apache将默认使用内存映射。
    这种内存映射有时会带来性能的提高,但在某些情况下,您可能会需要禁用内存映射以避免一些操作系统的问题:
    在一些多处理器的系统上,内存映射会减低一些httpd的性能;
    在挂载了NFS的DocumentRoot上,若已经将一个文件进行了内存映射,则删除或截断这个文件会造成httpd因为分段故障而崩溃。
    在可能遇到这些问题的服务器配置过程中,应当使用下面的命令来禁用内存映射
对于挂载了NFS的文件夹,可以单独在<directory>段中指定禁用内存映射:
     <Directory "/path-to-nfs-files"> 
         EnableMMAP Off
     </Directory>      
"""
# EnableMMAP and EnableSendfile: On systems that support it, 
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted 
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
"""
EnableSendfile
控制httpd是否可以使用操作系统内核的sendfile支持来将文件发送到客户端。
默认情况下,当处理一个请求并不需要访问文件内部的数据时(比如发送一个静态的文件内容),如果操作系统支持,Apache将使用sendfile将文件内容直接发送到客户端而并不读取文件。
这个sendfile机制避免了分开的读和写操作以及缓冲区分配,但是在一些平台或者一些文件系统上,最好禁止这个特性来避免一些问题:
    1、一些平台可能会有编译系统检测不到的有缺陷的sendfile支持,特别是将在其他平台上使用交叉编译得到的二进制文件运行于当前对sendfile支持有缺陷的平台时;
    2、在Linux上启用IPv6时,使用sendfile将会触发某些网卡上的TCP校验和卸载bug;
    3、当Linux运行在Itanium处理器上的时候,sendfile可能无法处理大于2GB的文件;
    4、对于一个通过网络挂载了NFS文件系统的DocumentRoot (比如:NFS或SMB),内核可能无法可靠的通过自己的缓冲区服务于网络文件。
如果出现以上情况,你应当禁用sendfile
针对NFS或SMB,可以单独在<directory>段中指定禁用:
    <Directory "/path-to-nfs-files">
        EnableSendfile Off
    </Directory>
"""
#EnableSendfile on

# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be 
# included to add extra features or to modify the default configuration of 
# the server, or you may simply copy their contents here and change as 
# necessary.

# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf

# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf

# Language settings
#Include conf/extra/httpd-languages.conf

# User home directories
#Include conf/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf

# Virtual hosts
#Include conf/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf

# Various default settings
#Include conf/extra/httpd-default.conf

# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

 配置文件访问控制

注意:使用require指令时,需要在指令外添加<RequireAll></RequireAll>标签对,否则重启Apache2.4加载规则时将出现错误:" negative Require directive has no effect in <RequireAny> directive "==========基于Httpd Version2.4的访问控制==========
Require 指令
Require all granted 无条件允许访问
Require all denied 无条件拒绝访问
Require env env-var [env-var] ... 仅当设置了给定的环境变量之一时才允许访问。
Require method http-method [http-method] ... 仅允许对给定的 HTTP 方法进行访问。
Require expr expression 如果表达式的计算结果为真,则允许访问。
Require user userid [userid] ... 只有指定用户才能访问资源。
Require group group-name [group-name] ... 只有命名组中的用户才能访问资源。
Require valid-user 所有有效用户都可以访问该资源。
Require ip 10 172.20 192.168.2 指定 IP 地址范围内的客户端可以访问该资源。
Require forward-dns dynamic.example.org 从名称 dynamic.example.org 解析出 IP 的客户端将被授予访问权限。

例:
# 表示,拒绝所有访问,只允许192.168.1.0/24网段访问
<RequireAll>
    Require all denied
    Require ip 192.168.1.0/24 
</RequireAll>

# 表示,允许所有访问,只拒绝192.168.1.0/24网段访问
<RequireAll>
    Require all granted
    Require not ip 192.168.1.0/24 
</RequireAll>

Options指令

Options指令
Options指令控制了在特定目录中将使用哪些服务器特性
    - All              除MultiViews之外的所有特性。这是默认设置
    - ExecCGI          允许在该目录下执行CGI脚本
    - FollowSymLinks   服务器会在此目录中使用符号连接(在当前目录下文件 test.html 链接至其它目录文件test.html)。如果此配置位于<Location>配置段中,则此设置会被忽略
    - Includes         许服务器端包含功能
    - IncludesNoExec   允许服务器端包含功能,但禁用执行CGI脚本
    - Indexes          如果一个映射到目录的URL被请求,如果没有index.html,那么服务器会返回一个格式化后的目录 列表
    - MultiViews       允许内容协商的多重视图 (MultiViews其实是Apache的一个智能特性。当客户访问目录 中一个不存在的对象时,如访问“http://192.168.16.177/icons/a”,则Apache会查找这个目录下所有a.*文件。由于 icons目录下存在a.gif文件,因此Apache会将a.gif文件返回给客户,而不是返回出错信息)
    - SymLinksIfOwnerMatch 服务器仅在符号连接与其目的目录或文件拥有者具有同样的用户id时才使用它
如果所有施用于  Options  指令的可选项前都加有+或-符号,此可选项将被合并。如下:
<Directory /web/docs>
  Options Indexes FollowSymLinks
</Directory>
<Directory /web/docs/spec>
  Options Includes  
</Directory>  
则只有Includes  设置到/web/docs/spec目录上。
<Directory /web/docs>
  Options Indexes FollowSymLinks
  </Directory>  
<Directory /web/docs/spec>
  Options +Includes -Indexes
</Directory>  
那么就会有 FollowSymLinks和Includes设置到/web/docs/spec目录上
############注意事项############
1、主目录设置了Indexes权限,且主目录中并不存在默认文档,但访问时并不会出现目录列表,而只出现Apache的测试页面。
2、一旦定义允许目录浏览,就会将Web站点的文件夹和文件名结构暴露给黑客。目录浏览还会允许黑客浏览文件并掌握服务器配置信息,所以指定该权限往往带来安全性上的隐患。除非有充足的理由要使用目录浏览,否则应该禁用它。
############----############

AllowOverride 指令

AllowOverride选项用于定义位于每个目录下.htaccess(访问控制)文件中的指令类型。基于安全和效率的原因,虽然可以通 过.htaccess来设置目录的访问权限,但应尽可能地避免使用.htaccess文件
所以一般将AllowOverride设置为”None”,即 禁止使用.htaccess文件,而将目录权限的设置放在主配置文件httpd.conf的<Directory> 和</Directory>语句之间。
    - None 网站 .htaccess 文件将被完全忽略
    - All 所有具有 .htaccess 作用域的指令都允许出现在 .htaccess 文件中
    - AuthConfig 允许使用与认证授权相关的指令(AuthDBMGroupFile, AuthDBMUserFile, AuthGroupFile, AuthName, AuthType, AuthUserFile, Require, 等)
    - FileInfo 允许使用控制文档类型的指令(DefaultType, ErrorDocument, ForceType, LanguagePriority, SetHandler, SetInputFilter, SetOutputFilter,
                                 mod_mime中的 Add* 和 Remove* 指令等等)、控制文档元数据的指令(Header, RequestHeader, SetEnvIf, SetEnvIfNoCase, BrowserMatch, 
                                 CookieExpires, CookieDomain, CookieStyle, CookieTracking, CookieName)、mod_rewrite中的指令(RewriteEngine,
                                  RewriteOptions, RewriteBase, RewriteCond, RewriteRule)和mod_actions中的Action指令
    - Indexes 允许使用控制目录索引的指令(AddDescription, AddIcon, AddIconByEncoding, AddIconByType, DefaultIcon, DirectoryIndex, FancyIndexing, HeaderName,
                                 IndexIgnore, IndexOptions, ReadmeName, 等)
    - Limit 允许使用控制主机访问的指令(Allow, Deny, Order)。 一般 Apache 新安装 AllowOverride 默认为「None」

容器指令

容器相关指令:<Directory> <DirectoryMatch> <Files> <FilesMatch> <IfDefine> <IfModule> <Location> <LocationMatch> <Proxy> <ProxyMatch> <VirtualHost>

<Directory>文件系统容器
<Directory>和<Files>是针对文件系统的指令。<Directory>段中的指令作用于指定的文件系统目录及其所有子目录,.htaccess 文件可以达到同样的效果
例1: /var/web/dir1及其所有子目录被允许目录列表
<Directory /var/web/dir1>
    Options +Indexes 允许目录列表(加号允许、减号禁止)
</Directory>
例2: /var/web/dir1 目录下支持链接符号访问
<Directory /var/web/dir1>
    Options FollowSysLinks 允许符号链接(在当前目录下文件 test.html 链接至其它目录文件test.html)
</Directory>

<Files>段中的指令作用于特定的文件名,而无论这个文件实际存在于哪个目录 <Files>段将根据它们在配置文件中出现的顺序被处理,在<Directory>段和.htaccess文件被处理之后,但在<Location>段之前 请注意:<Files>能嵌入到<Directory>段中以限制它们作用的文件系统范围 例1: 下例中的配置指令如果出现在配置文件的主服务器段,则会拒绝对位于任何目录下的private.html的访问。 <Files private.html> Require all denied </Files> 例2: 下例中的配置指令 会拒绝对任何目录下 以 .ht 类型结尾的文件 <Files ".ht*">     Require all denied </Files> 例3: < Files>和<Directory>段的组合可以作用于文件系统中的特定文件 /var/web/dir1/private.html, /var/web/dir1/subdir2/private.html, /var/web/dir1/subdir3/private.html 拒绝任何/var/web/dir1/目录下的private.html的访问 <Directory /var/web/dir1> <Files private.html> Require all denied </Files> </Directory>
<Location>网络空间容器(将封装的指令作用于匹配的URL) 语法: <Location URL-path|URL> ... </Location> 例1: 配置会拒绝任何对以/private开头的URL的访问 http://yoursite.example.com/private,  http://yoursite.example.com/private123,  http://yoursite.example.com/private/dir/file.html <Location /private> Require all denied </Location>
<Directory>,<Files>, 和<Location>指令可以支持正则表达式 例1: 正则表达式一次性拒绝对多种图形文件的访问 <FilesMatch .(?i:gif|jpe?g|png)$> Require all denied </FilesMatch> 如何选择容器? 可以参考:当指令应该作用于文件系统时,总是用<Directory>或者<Files>;而当指令作用于不存在于文件系统的对象时,就用<Location>

 

posted @ 2022-03-17 10:15  总要做些什么  阅读(2709)  评论(0编辑  收藏  举报