This shows the differences between the selected revision and the current version of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
lighttpd [2013/11/07 14:16] wombat [mod_access] |
lighttpd [2016/02/18 22:26] (current) wombat SSL & virtual hosts |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Lighttpd ====== | ||
+ | |||
+ | ===== SSL ===== | ||
+ | |||
+ | http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL FIXME | ||
+ | |||
+ | ===== Виртуальные серверы ===== | ||
+ | |||
+ | FIXME | ||
+ | |||
+ | ====== Запрет доступа к определённым файлам ====== | ||
+ | |||
+ | |||
+ | [[http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToAllowAccessToOnlyCertainFileTypes|How To Allow Access to only Certain File Types]] | ||
+ | |||
+ | It is easy in lighttpd to deny access to a few types of files using mod_access: | ||
+ | |||
+ | url.access-deny = ( "~", ".inc") | ||
+ | |||
+ | But what if you want to allow access to only a few types of files, and deny access to all others? In the example below, we allow access to common static file types, and deny access to all other files: | ||
+ | |||
+ | |||
+ | $HTTP["url"] !~ "\.(jpg|gif|png|ico|js|css)$" { | ||
+ | url.access-deny = ( "" ) | ||
+ | } | ||
+ | |||
+ | This will cause all URLs that don't match the pattern to be denied. Note that all non-matching URLs will return 403 Forbidden, non-existent files will not return 404 Not Found. | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== mod_access ===== | ||
+ | |||
+ | |||
+ | [[http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModAccess|Module mod_access]] | ||
+ | |||
+ | == Description == | ||
+ | |||
+ | The access module is used to deny access to files. | ||
+ | |||
+ | == Options == | ||
+ | |||
+ | **url.access-deny** | ||
+ | |||
+ | Denies access to all files with any of given trailing path names. | ||
+ | |||
+ | Default value:empty | ||
+ | |||
+ | **access.deny-all** | ||
+ | |||
+ | Denies access to all files. | ||
+ | |||
+ | Note: access.deny-all should be used with a conditional to limit it (only from lighty 1.5x) | ||
+ | |||
+ | == Usage examples == | ||
+ | |||
+ | You might want to deny access to all files ending with a tilde (~) or .inc because of: | ||
+ | |||
+ | Text editors often use a trailing tilde for backup files. | ||
+ | And the .inc extension is often used for include files with code. | ||
+ | url.access-deny | ||
+ | |||
+ | |||
+ | url.access-deny = ( "~", ".inc") | ||
+ | |||
+ | access.deny-all usage | ||
+ | |||
+ | |||
+ | $PHYSICAL["path"] =~ "(~|\.inc)$" { | ||
+ | access.deny-all = "enable" | ||
+ | } | ||
+ | |||
+ | Directory deny access | ||
+ | |||
+ | |||
+ | $PHYSICAL["path"] !~ "^/srv/example.org/" { | ||
+ | access.deny-all = "enable" | ||
+ | } | ||
+ | |||
+ | Directory deny access (1.4x versions) | ||
+ | |||
+ | |||
+ | $HTTP["url"] =~ "^/libraries" { | ||
+ | url.access-deny = ("") | ||
+ | } | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Серверные сценарии ====== | ||
+ | |||
+ | === Module: mod_cgi === | ||
+ | |||
+ | [[http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModCGI|The CGI-Module]] | ||
+ | |||
+ | The CGI-Module | ||
+ | Description | ||
+ | Options | ||
+ | Examples | ||
+ | |||
+ | == Description == | ||
+ | |||
+ | CGI programs allow you to enhance the functionality of the server in a very straight-forward and simple way. | ||
+ | |||
+ | Note that to see stderr output from CGI processes, you need to set | ||
+ | |||
+ | server.breakagelog = "/var/log/lighttpd/breakage.log" | ||
+ | or similar. | ||
+ | |||
+ | == Options == | ||
+ | |||
+ | **cgi.execute-x-only** | ||
+ | |||
+ | requires +x for cgi scripts if enabled. | ||
+ | |||
+ | **cgi.assign** | ||
+ | |||
+ | file-extensions that are handled by a CGI program | ||
+ | |||
+ | cgi.assign = ( ".pl" => "/usr/bin/perl", | ||
+ | ".cgi" => "/usr/bin/perl" ) | ||
+ | For PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini. | ||
+ | |||
+ | To get the old cgi-bin behavior of apache: | ||
+ | |||
+ | #Note: make sure that mod_alias is loaded if you use this: | ||
+ | alias.url += ( "/cgi-bin" => server_root + "/cgi-bin" ) | ||
+ | $HTTP["url"] =~ "^/cgi-bin" { | ||
+ | cgi.assign = ( "" => "" ) | ||
+ | } | ||
+ | | ||
+ | **cgi.execute-all** | ||
+ | |||
+ | In 1.5.0 and later you can use: | ||
+ | |||
+ | $PHYSICAL["existing-path"] =~ "^/var/www/myvhost/cgi-bin/" { | ||
+ | cgi.execute-all = "enable" | ||
+ | } | ||
+ | which does the same thing as cgi.assign = ("" => "") but is more obvious to use. | ||
+ | Examples | ||
+ | To setup an executable which can run on its own (e.g. binaries, scripts with a shebang line) you just don't specify a handler for the extension: | ||
+ | |||
+ | cgi.assign = ( ".sh" => "" ) | ||
+ | If the file has no extension keep in mind that lighttpd matches not the extension itself but the right part of the URL: | ||
+ | |||
+ | cgi.assign = ( "/testfile" => "" ) | ||
+ | |||
+ | redmine.lighttpd.net | ||
+ | |||
+ | ====== Доступ по паролю ====== | ||
+ | |||
+ | Согласно [[http://redmine.lighttpd.net/projects/1/wiki/Docs_ModAuth#Limitations | документации lighttpd]], модуль **mod_auth** должен быть загружен раньше модуля **mod_fastcgi**. | ||
+ | Поэтому поскольку в нашей конфигурации модуль **mod_fastcgi** загружается в файле | ||
+ | ''/etc/lighttpd/conf-enabled/10-fastcgi.conf'', загрузку модуля **mod_auth** мы поместим в файл | ||
+ | ''/etc/lighttpd/conf-enabled/05-auth.conf'', который имеет меньший порядковй номер, а поэтому будет загружен раньше. | ||
+ | |||
+ | <file conf "/etc/lighttpd/conf-enabled/05-auth.conf"> | ||
+ | # Из файла: | ||
+ | # /usr/share/doc/lighttpd/authentication.txt.gz | ||
+ | |||
+ | server.modules += ( "mod_auth" ) | ||
+ | |||
+ | auth.backend = "htdigest" | ||
+ | auth.backend.htdigest.userfile = "/etc/lighttpd/lighttpd.user.htdigest" | ||
+ | </file> | ||
+ | |||
+ | В файле ''/etc/lighttpd/lighttpd.user.htdigest'' будут храниться данные аутентификации. | ||
+ | Чтобы добавить нового пользователя, выполняем следующую команду: | ||
+ | |||
+ | htdigest /etc/lighttpd/lighttpd.user.htdigest 'Enter password for mailing list admin access' admin | ||
+ | |||
+ | Эта команда создаст пользователя //admin// для запроса //"Enter password for mailing list admin access"//. | ||
+ | Т.е. когда веб-сервер будет выдавать указанную строку запроса пароля, авторизоваться можно будет, введя имя пользователя "admin" и пароль, указанный при его создании. | ||
+ | |||
+ | Следует иметь в виду, что пары "логин-пароль" создаются не для отдельных сайтов, расположенных на сервере, или виртуальных серверов, я для определённых "//областей//" ("realm" в терминологии веб-серверов). При этом уже в конфигурации самого сайта можно указать, к какой //области// он относится. Это позволяет использовать одни и те же пары "логин-пароль" для разных сайтов на сервере или разные пары "логин-пароль" для одного и того же сайта. Кому как удобно. | ||
+ | |||
+ | Ниже показан пример такой настройки для адреса ''/mlmmj/admin/'' на виртуальном сервере ''wombat.org.ua''. | ||
+ | |||
+ | <file conf "/etc/lighttpd/virtual-servers/wombat.org.ua.conf"> | ||
+ | $HTTP["host"] =~ "(^|www.)wombat\.org\.ua$" { | ||
+ | |||
+ | server.document-root = "/srv/www" | ||
+ | accesslog.filename = "/var/log/lighttpd/access.log" | ||
+ | server.error-handler-404 = "/e404.php" | ||
+ | |||
+ | $HTTP["url"] =~ "^/mlmmj/admin/(.*)" { | ||
+ | auth.require = ( "" => | ||
+ | ( | ||
+ | "method" => "digest", | ||
+ | "realm" => "Enter password for mailing list admin access", | ||
+ | "require" => "user=admin" | ||
+ | ) | ||
+ | ) | ||
+ | } | ||
+ | } | ||
+ | </file> | ||
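Review bot: the host condition in wombat.org.ua.conf, `$HTTP["host"] =~ "(^|www.)wombat\.org\.ua$"`, is anchored at the start only in its first alternative, and the dot after `www` is unescaped, so the second alternative accepts any Host value that ends in `www`, one arbitrary character, then `wombat.org.ua` (for instance `xwwwxwombat.org.ua`). Suggest `"^(www\.)?wombat\.org\.ua$"` so that the vhost block, and the `auth.require` rule nested in it, apply only to the two intended names. Two smaller points in the same hunk: the SSL section is still `FIXME` while `/mlmmj/admin/` is protected with `"method" => "digest"`, so the page should say that this area is meant to be served over TLS once that section is written; and the realm passed to `htdigest` has to stay character-for-character identical to the `"realm"` value in `auth.require`, which deserves a sentence next to the command because the realm here is a long free-text phrase that is easy to edit in one place only.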