Apache 访问控制 #
访问控制概述 #
什么是访问控制? #
text
┌─────────────────────────────────────────────────────────────┐
│ 访问控制概念 │
├─────────────────────────────────────────────────────────────┤
│ │
│ 访问控制:决定谁可以访问什么资源 │
│ │
│ 控制方式: │
│ ├── 基于 IP 地址 │
│ │ 允许或拒绝特定 IP(判断依据是 TCP 对端地址;经反向代理/负载均衡时须先用 mod_remoteip 还原真实客户端 IP,否则匹配到的是代理地址) │
│ │ │
│ ├── 基于用户认证 │
│ │ 用户名密码验证(Basic 认证每次请求都以 base64 明文携带口令,必须配合 HTTPS 使用) │
│ │ │
│ ├── 基于主机名 │
│ │ 根据域名允许或拒绝(依赖每次请求的双向反向 DNS 查询,既慢又受 PTR 记录控制者影响,敏感资源应优先用 IP) │
│ │ │
│ └── 组合条件 │
│ 多种条件组合 │
│ │
│ 应用场景: │
│ ├── 保护管理后台 │
│ ├── 限制内部资源 │
│ ├── API 访问控制 │
│ └── 防止恶意访问 │
│ │
└─────────────────────────────────────────────────────────────┘
Apache 2.4 访问控制 #
Require 指令 #
apache
# ============================================
# Require directive syntax (Apache 2.4, mod_authz_core)
# ============================================
# Several bare Require lines in one section are combined as an implicit
# <RequireAny>: the request passes if ANY of them matches.
# Allow everyone
Require all granted
# Deny everyone
Require all denied
# Allow specific client addresses (single host or CIDR range).
# NOTE(review): Require ip tests the TCP peer address. Behind a reverse
# proxy or load balancer that is the proxy's address, not the user's;
# configure mod_remoteip (RemoteIPHeader + RemoteIPInternalProxy) first,
# otherwise the rule matches the proxy and X-Forwarded-For is spoofable.
Require ip 192.168.1.100
Require ip 192.168.1.0/24
Require ip 10.0.0.0/8
# Allow by hostname. Apache performs a double-reverse DNS lookup per
# request: slow, and only as trustworthy as the client's PTR record.
# Prefer Require ip for anything sensitive.
Require host example.com
Require host .example.com
# Allow loopback clients (127.0.0.0/8, ::1) and requests whose source
# address is the server's own address.
Require local
# Allow any successfully authenticated user. Only meaningful together
# with AuthType / AuthName / AuthUserFile in the same scope.
Require valid-user
目录级别控制 #
apache
# ============================================
# Directory-level access control
# ============================================
# <Directory> applies to a filesystem path and everything below it, so
# it also covers any other URL (Alias, second VirtualHost) that reaches
# the same files. Sections are merged from the shortest path to the
# longest: a more specific sub-directory overrides /var/www/html.
# Allow everyone
<Directory /var/www/html>
Require all granted
</Directory>
# Deny everyone over HTTP (files stay on disk; PHP include() still works)
<Directory /var/www/html/private>
Require all denied
</Directory>
# Internal subnet only. Require ip tests the TCP peer address; behind a
# reverse proxy configure mod_remoteip first, or this matches the proxy.
<Directory /var/www/html/admin>
Require ip 192.168.1.0/24
</Directory>
# Loopback / same-host clients only
<Directory /var/www/html/internal>
Require local
</Directory>
# Several Require lines form an implicit <RequireAny>: any matching range passes
<Directory /var/www/html/api>
Require ip 192.168.1.0/24
Require ip 10.0.0.0/8
Require ip 172.16.0.0/12
</Directory>
文件级别控制 #
apache
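# ============================================
# File-level access control
# ============================================
# <Files>/<FilesMatch> match on the file NAME only and apply in every
# directory, which makes them the right tool for "never serve files
# like X", wherever they happen to be.
# Apache's own control files (.htaccess, .htpasswd, .htgroups, ...).
# The stock httpd.conf ships this block; keep it if you edit that file.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
# Application configuration must not be web-reachable at all. PHP reads
# config.php through include(), which needs no HTTP access, so deny it
# outright instead of exposing it to a "trusted" subnet: a broken PHP
# handler would otherwise serve its source, credentials included.
# Better still, keep such files outside DocumentRoot.
<Files "config.php">
    Require all denied
</Files>
# Leftovers that leak data or source: logs, backups, dumps, config and
# environment files, editor backups (foo.php~).
<FilesMatch "\.(log|bak|old|orig|sql|conf|ini|env)$|~$">
    Require all denied
</FilesMatch>
# All dot-files (.env, .git-credentials, .foo.php.swp, .DS_Store, ...)
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
# FilesMatch does NOT cover dot-directories: /.git/config is a file named
# "config". Deny VCS metadata directories by filesystem path as well.
<DirectoryMatch "/\.(git|svn|hg|bzr)">
    Require all denied
</DirectoryMatch>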
URL 路径控制 #
apache
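# ============================================
# URL-path access control
# ============================================
# <Location> matches the URL, not the filesystem. Use it for handlers
# and proxied/virtual paths (server-status, mod_proxy, ...). For real
# directories prefer <Directory>: a URL rule is bypassed by any other
# URL that reaches the same files (an Alias, a second VirtualHost, a
# case-insensitive filesystem); a filesystem rule is not.
# /admin, /admin/ and /admin/anything match; /admin-foo does not.
<Location /admin>
    Require ip 192.168.1.0/24
</Location>
<Location /api/internal>
    Require ip 10.0.0.0/8
</Location>
# mod_status page: loopback only. It lists in-flight requests (URLs and
# client addresses) and must never be reachable from outside.
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
# mod_info dumps the complete effective configuration, including module
# settings and file paths. Loopback only (not a whole subnet); on
# production hosts do not load mod_info at all.
<Location /server-info>
    SetHandler server-info
    Require local
</Location>
# Regex match: every versioned admin prefix (/api/v1/admin, /api/v2/admin/x, ...)
<LocationMatch "^/api/v[0-9]+/admin">
    Require ip 192.168.1.0/24
</LocationMatch>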
组合条件 #
RequireAll(全部满足) #
apache
# ============================================
# RequireAll - every condition must be satisfied
# ============================================
# The pattern for "everyone except ...": one positive rule plus
# negations. "Require not" can never return success, so Apache only
# accepts it inside <RequireAll> (not at the top level, not in RequireAny).
<Directory /var/www/html/secure>
<RequireAll>
Require all granted
Require not ip 192.168.1.100
Require not ip 192.168.1.101
</RequireAll>
</Directory>
# Public, but the whole 10.0.0.0/8 range is blocked
<Directory /var/www/html/public>
<RequireAll>
Require all granted
Require not ip 10.0.0.0/8
</RequireAll>
</Directory>
RequireAny(任一满足) #
apache
# ============================================
# RequireAny - one satisfied condition is enough
# ============================================
# The explicit form of what several bare Require lines do implicitly.
# Put cheap checks (ip) before slow ones (host needs DNS lookups).
<Directory /var/www/html/admin>
<RequireAny>
Require ip 192.168.1.0/24
Require ip 10.0.0.0/8
# Require host costs a double-reverse DNS lookup per request and trusts
# the client's PTR record; prefer Require ip for anything sensitive.
Require host trusted.example.com
</RequireAny>
</Directory>
# Any of several ranges, or any host whose reverse DNS ends in .example.com
<Directory /var/www/html/api>
<RequireAny>
Require ip 192.168.1.0/24
Require ip 172.16.0.0/12
Require host .example.com
</RequireAny>
</Directory>
复杂组合 #
apache
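# ============================================
# Nested combinations
# ============================================
# (subnet A OR subnet B) AND NOT one specific host
<Directory /var/www/html/admin>
    <RequireAll>
        # at least one of these ranges ...
        <RequireAny>
            Require ip 192.168.1.0/24
            Require ip 10.0.0.0/8
        </RequireAny>
        # ... but never this address (negations only live inside RequireAll)
        Require not ip 192.168.1.100
    </RequireAll>
</Directory>
# Internal subnet without a password, everyone else with Basic auth.
# "Require valid-user" needs an authentication provider in the same
# scope. Without AuthType/AuthName/AuthUserFile Apache cannot challenge
# the client and fails the request with a 500 ("No authentication done
# but request not allowed without authentication") instead of a 401.
<Directory /var/www/html/protected>
    AuthType Basic
    AuthName "Protected Area"
    AuthUserFile /etc/apache2/.htpasswd
    <RequireAny>
        Require ip 192.168.1.0/24
        Require valid-user
    </RequireAny>
</Directory>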
Basic 认证 #
创建密码文件 #
bash
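# ============================================
# Creating the password file
# ============================================
# Keep the file OUTSIDE DocumentRoot (here /etc/apache2) so it can never
# be downloaded, and make it readable by the Apache user only.
# -c creates the file and OVERWRITES it if it already exists: use it for
# the very first user only.
# -B selects bcrypt. The default apr1-MD5 hash is cheap to brute-force
# offline if the file ever leaks; use -B for every new or changed entry.
sudo htpasswd -c -B /etc/apache2/.htpasswd user1
# Add further users (no -c, or the file is wiped)
sudo htpasswd -B /etc/apache2/.htpasswd user2
# Delete a user
sudo htpasswd -D /etc/apache2/.htpasswd user1
# Change a password (same as adding: the existing entry is replaced)
sudo htpasswd -B /etc/apache2/.htpasswd user1
# Lock the file down: owner root, group of the Apache worker
# (www-data on Debian/Ubuntu, apache on RHEL/Fedora), no world access.
sudo chown root:www-data /etc/apache2/.htpasswd
sudo chmod 640 /etc/apache2/.htpasswd
# List the user names without printing the hashes; never paste the raw
# file into tickets or chat. In scripts avoid -b (password on the
# command line, visible in shell history and ps); use -i to read it
# from stdin instead.
cut -d: -f1 /etc/apache2/.htpasswd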
配置 Basic 认证 #
apache
# ============================================
# Basic authentication (mod_auth_basic + mod_authn_file)
# ============================================
# The browser resends the credentials base64-encoded (NOT encrypted)
# with every request, so Basic auth is only acceptable over HTTPS.
# AuthName is the "realm" shown in the login prompt; the browser caches
# one credential set per realm. Keep AuthUserFile outside DocumentRoot.
# Whole directory
<Directory /var/www/html/admin>
AuthType Basic
AuthName "Admin Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
# Single file (matched by name, in every directory)
<Files "secret.txt">
AuthType Basic
AuthName "Restricted File"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Files>
# URL prefix (prefer <Directory> when /private is a real directory on disk)
<Location /private>
AuthType Basic
AuthName "Private Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>
特定用户访问 #
apache
# ============================================
# Restricting to specific users
# ============================================
# "Require user" still authenticates against the whole AuthUserFile; it
# only narrows WHO is authorized afterwards. Other users in the file get
# a 403 after a correct password, unknown users a 401.
# Exactly one user
<Directory /var/www/html/admin>
AuthType Basic
AuthName "Admin Area"
AuthUserFile /etc/apache2/.htpasswd
Require user admin
</Directory>
# Any of several users (space-separated list)
<Directory /var/www/html/staff>
AuthType Basic
AuthName "Staff Area"
AuthUserFile /etc/apache2/.htpasswd
Require user admin manager staff1
</Directory>
用户组认证 #
apache
# ============================================
# Group-based authorization (mod_authz_groupfile)
# ============================================
# Group file format: one "name: member member ..." line per group.
# Members must also exist in AuthUserFile; the group file grants
# nothing to a user who cannot authenticate. Protect it like .htpasswd
# (outside DocumentRoot, readable by the Apache user only).
# /etc/apache2/.htgroups
# admins: admin user1 user2
# editors: editor user3 user4
# staff: admin editor user1 user2 user3 user4
<Directory /var/www/html/admin>
AuthType Basic
AuthName "Admin Area"
AuthUserFile /etc/apache2/.htpasswd
AuthGroupFile /etc/apache2/.htgroups
Require group admins
</Directory>
# Membership in ANY listed group is sufficient
<Directory /var/www/html/editor>
AuthType Basic
AuthName "Editor Area"
AuthUserFile /etc/apache2/.htpasswd
AuthGroupFile /etc/apache2/.htgroups
Require group admins editors
</Directory>
IP 与认证组合 #
IP 或认证 #
apache
# ============================================
# IP OR authentication (either is enough)
# ============================================
# Clients from the listed ranges are never challenged; everyone else
# must log in. Because the IP branch alone grants access, this is only
# as strong as your trust in that subnet (and in mod_remoteip being set
# up correctly behind a proxy). For admin areas prefer RequireAll.
<Directory /var/www/html/admin>
AuthType Basic
AuthName "Admin Area"
AuthUserFile /etc/apache2/.htpasswd
<RequireAny>
Require ip 192.168.1.0/24
Require valid-user
</RequireAny>
</Directory>
# Internal networks pass through, external clients authenticate
<Directory /var/www/html/internal>
AuthType Basic
AuthName "Internal Area"
AuthUserFile /etc/apache2/.htpasswd
<RequireAny>
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
Require valid-user
</RequireAny>
</Directory>
IP 且认证 #
apache
# ============================================
# IP AND authentication (both required)
# ============================================
# Defence in depth: a leaked password is useless from outside the
# subnet, and a compromised internal host still needs a password.
# This is the right shape for admin back-ends.
<Directory /var/www/html/secure>
AuthType Basic
AuthName "Secure Area"
AuthUserFile /etc/apache2/.htpasswd
<RequireAll>
Require ip 192.168.1.0/24
Require valid-user
</RequireAll>
</Directory>
.htaccess 认证 #
启用 .htaccess #
apache
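# ============================================
# Enabling .htaccess support
# ============================================
# AllowOverride is only valid inside <Directory>, and the LAST
# AllowOverride in a section wins, so list exactly one.
# Grant the minimum: AuthConfig covers AuthType/AuthName/AuthUserFile/
# AuthGroupFile/Require. Add Limit only if the .htaccess files also
# use <Limit>/<LimitExcept>:
#     AllowOverride AuthConfig Limit
<Directory /var/www/html>
    AllowOverride AuthConfig
</Directory>
# "AllowOverride All" lets anyone who can write into DocumentRoot (an
# upload bug, a compromised CMS) turn on Options +ExecCGI / +Includes,
# rewrite rules, handler mappings, ... Avoid it on production sites.
# Every request also stat()s a .htaccess in each directory along the
# path; when you control the server config, prefer AllowOverride None
# and keep the rules in the main configuration.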
.htaccess 认证配置 #
apache
# ============================================
# .htaccess contents
# ============================================
# Location: /var/www/html/admin/.htaccess
# Only honoured if the enclosing <Directory> has AllowOverride AuthConfig
# (or All). AuthUserFile must stay outside DocumentRoot; the file is
# read with the Apache worker's privileges, so it needs read access.
AuthType Basic
AuthName "Admin Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
# Alternatively restrict to one user
# Require user admin
# Or to a group (needs AuthGroupFile)
# AuthGroupFile /etc/apache2/.htgroups
# Require group admins
IP 限制 .htaccess #
apache
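# ============================================
# .htaccess IP restrictions
# ============================================
# IMPORTANT: the three snippets below are ALTERNATIVES. Top-level Require
# directives in one file are combined as an implicit <RequireAny>, so
# putting all three into a single .htaccess yields "everyone allowed":
# variant 2 admits every address except .100 and variant 1 admits .100.
# --- Variant 1: internal subnet only ----------------------------------
Require ip 192.168.1.0/24
# --- Variant 2: everyone except one host ------------------------------
# "Require not" is only valid inside <RequireAll>; on its own it is a
# configuration error.
# <RequireAll>
#     Require all granted
#     Require not ip 192.168.1.100
# </RequireAll>
# --- Variant 3: internal subnet without a password, everyone else with
# --- Basic auth (needs AllowOverride AuthConfig) ----------------------
# AuthType Basic
# AuthName "Protected Area"
# AuthUserFile /etc/apache2/.htpasswd
# <RequireAny>
#     Require ip 192.168.1.0/24
#     Require valid-user
# </RequireAny>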
HTTP 方法限制 #
限制请求方法 #
apache
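# ============================================
# Restricting HTTP methods
# ============================================
# <Limit> only restricts the methods it names; every method it does NOT
# name (PUT, DELETE, PATCH, OPTIONS, PROPFIND, TRACE, custom verbs, ...)
# is left untouched. Always express an allow-list with <LimitExcept>.
# Naming GET also covers HEAD in both directives.
# Allow only GET (+HEAD) and POST; deny everything else
<Directory /var/www/html/api>
    <Limit GET POST>
        Require all granted
    </Limit>
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
</Directory>
# "Forbid DELETE and PUT" as <Limit DELETE PUT> would still allow PATCH,
# PROPFIND, MKCOL, ... State what IS allowed instead.
<Directory /var/www/html/content>
    <Limit GET POST>
        Require all granted
    </Limit>
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
</Directory>
# POST only from the internal subnet, GET/HEAD for everyone, nothing else.
# Without the <LimitExcept> block every other method would be governed
# only by whatever the parent directory allows.
<Directory /var/www/html/form>
    <Limit POST>
        Require ip 192.168.1.0/24
    </Limit>
    <Limit GET>
        Require all granted
    </Limit>
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
</Directory>
# Method limits are no substitute for authorization inside the
# application, and TRACE should be switched off globally ("TraceEnable off").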
环境变量控制 #
基于环境变量控制 #
apache
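# ============================================
# Access control via environment variables
# ============================================
# SetEnvIf runs early in the request cycle, so its variables are
# available to "Require env" / "Require not env".
# Everything below except Remote_Addr is derived from attacker-controlled
# input. A User-Agent block keeps polite crawlers out; anyone can change
# their User-Agent, so it is not a security boundary.
# Client address in the office subnet (anchored, dots escaped)
SetEnvIf Remote_Addr ^192\.168\.1\. internal
# Requests under /api/
SetEnvIf Request_URI ^/api/ api_request
# One case-insensitive rule is enough. The original case-sensitive
# SetEnvIf User-Agent "bot" is a strict subset of this one and missed
# "Bot", "BOT", "crawler", ...
SetEnvIfNoCase User-Agent "(bot|crawl|spider)" bad_bot
# Allow everyone except flagged clients.
# Do NOT declare two <Directory> sections for the same path with
# separate Require sets: with the default AuthMerging Off the later
# section replaces the earlier one's authorization config, so the first
# section's check silently disappears. Keep all conditions for a path
# in ONE section (or one <RequireAll>).
<Directory /var/www/html>
    <RequireAll>
        Require all granted
        Require not env bad_bot
    </RequireAll>
</Directory>
# Positive use of a variable: only "internal" clients may reach /internal
<Directory /var/www/html/internal>
    Require env internal
</Directory>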
完整配置示例 #
管理后台保护 #
apache
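# ============================================
# Admin back-end protection
# ============================================
# Basic authentication sends the password base64-encoded (not encrypted)
# with every request. Never offer it on plain HTTP: serve the site on
# 443 and redirect port 80 there, so no request ever carries credentials
# in clear text.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    SSLEngine on
    # replace with the real certificate and private key paths
    SSLCertificateFile /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    # Admin area: internal subnet AND a valid password (RequireAll)
    <Location /admin>
        AuthType Basic
        AuthName "Admin Area"
        AuthUserFile /etc/apache2/.htpasswd
        <RequireAll>
            Require ip 192.168.1.0/24
            Require valid-user
        </RequireAll>
    </Location>
    # Internal API: private address space only (implicit RequireAny).
    # Require ip sees the TCP peer; behind a proxy configure mod_remoteip
    # with a trusted RemoteIPInternalProxy list first.
    <Location /api/internal>
        Require ip 10.0.0.0/8
        Require ip 192.168.0.0/16
    </Location>
    # mod_status: loopback only
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
    # Logs, backups, dumps, config/env files: never served
    <FilesMatch "\.(log|bak|sql|conf|env|ini)$">
        Require all denied
    </FilesMatch>
    # Dot-files (.htaccess, .env, .git-credentials, ...)
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
    # Dot-DIRECTORIES are not matched by FilesMatch: deny VCS metadata by path
    <DirectoryMatch "/\.(git|svn|hg)">
        Require all denied
    </DirectoryMatch>
</VirtualHost>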
API 访问控制 #
apache
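# ============================================
# API access control
# ============================================
# The admin endpoints use Basic auth, so the API must be HTTPS-only:
# redirect port 80 and terminate TLS on 443.
<VirtualHost *:80>
    ServerName api.example.com
    Redirect permanent / https://api.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName api.example.com
    DocumentRoot /var/www/api
    SSLEngine on
    # replace with the real certificate and private key paths
    SSLCertificateFile /etc/ssl/certs/api.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/api.example.com.key
    # Public API
    <Location /api/v1/public>
        Require all granted
    </Location>
    # Internal API: private address space only (needs mod_remoteip if
    # the API sits behind a proxy, otherwise this matches the proxy)
    <Location /api/v1/internal>
        Require ip 10.0.0.0/8
        Require ip 192.168.0.0/16
    </Location>
    # Admin API: internal subnet AND a valid user, like the admin
    # back-end above. With RequireAny every host on 192.168.1.0/24 would
    # reach the admin API without any credentials.
    <Location /api/v1/admin>
        AuthType Basic
        AuthName "Admin API"
        AuthUserFile /etc/apache2/.htpasswd
        <RequireAll>
            Require ip 192.168.1.0/24
            Require valid-user
        </RequireAll>
    </Location>
    # Method allow-list: GET (+HEAD) and POST only
    <Location /api/v1/content>
        <LimitExcept GET POST>
            Require all denied
        </LimitExcept>
    </Location>
</VirtualHost>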
下一步 #
掌握了访问控制后,继续学习 日志管理,了解如何配置和管理 Apache 日志!
最后更新:2026-03-29