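Apache IPv6 Configuration: Dual-Stacked IPv4 and IPv6 Virtual Hosts
How do I configure Apache IPv6 networking under UNIX/Linux/BSD operating systems?
How do I configure httpd for IPv6 and IPv4 under RHEL/CentOS/Fedora/Debian/Ubuntu Linux?
You need to update the httpd.conf file using the Listen directive.
It tells Apache to listen only on specific IPv4 and IPv6 addresses or ports.
By default, it responds to requests on all IP interfaces (both IPv4 and IPv6 addresses).
Our sample setup is as follows:
- theitroad.local has the address 10.16.48.99
- theitroad.local has the IPv6 address 2607:f0d0:1002:11::4
The Apache httpd.conf configuration file is the same under UNIX/BSD and Linux operating systems.
Linux Apache IPv6 configuration
Open the httpd.conf file by running: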
# vi httpd.conf
To make the server accept connections on 10.16.48.99 and port 80, use:
Listen 10.16.48.99:80
An IPv6 address must be enclosed in square brackets, followed by the port (80 here). Use:
Listen [2607:f0d0:1002:11::4]:80
Save and close the file.
Restart or reload the Apache server:
# service httpd restart
Or
# systemctl restart httpd.service
Verify that Apache is working in dual-stack mode
Use the netstat command as follows:
# netstat -tulpn | grep :80
Sample output:
tcp 0 0 10.16.48.99:80 0.0.0.0:* LISTEN 4473/httpd
tcp 0 0 2607:f0d0:1002:11::4:80 :::* LISTEN 4473/httpd
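Configure iptables to allow access to the web server over IPv6
The default ip6tables configuration does not allow inbound access to the HTTP (80) and HTTPS (443) ports used by the web server.
This modification allows that access while leaving the other ports on the server in their default protected state.
Edit the /etc/sysconfig/ip6tables file (the IPv6 firewall configuration file under CentOS/RHEL/Fedora Linux):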
# vi /etc/sysconfig/ip6tables
Add the following line, and make sure it appears before the final LOG and DROP lines of the RH-Firewall-1-INPUT chain (on RHEL/CentOS 6.x or earlier):
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
If you have an HTTPS port configured, add the following:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
A note about CentOS/RHEL v7.x or later
The rules are as follows:
-A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
Save and close the file.
Restart the firewall by running:
# service ip6tables restart
Or
# systemctl restart ip6tables
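The ordering requirement above (the ACCEPT rules must come before the chain's final LOG and DROP lines) can be checked mechanically before restarting the firewall. The script below is an added example, not part of the original article; the function names write_sample and rule_status and the sample rules file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether an ACCEPT rule for a TCP port sits before
# the first catch-all DROP/REJECT rule of a chain in an ip6tables rules file.

# write_sample FILE: write a constructed rules file (port 443 is misplaced).
write_sample() {
cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# rule_status FILE CHAIN PORT: prints ok, shadowed or missing.
#   ok       - ACCEPT rule for PORT precedes any catch-all DROP/REJECT
#   shadowed - ACCEPT rule exists but comes after the catch-all, so it never matches
#   missing  - no ACCEPT rule for PORT in CHAIN
rule_status() {
    awk -v chain="$2" -v port="$3" '
        $1 == "-A" && $2 == chain {
            n++
            # Catch-all: DROP/REJECT with no protocol match on the rule.
            if ($0 ~ /-j (DROP|REJECT)/ && $0 !~ / -p / && !term) term = n
            if ($0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/ && !acc) acc = n
        }
        END {
            if (!acc) print "missing"
            else if (term && acc > term) print "shadowed"
            else print "ok"
        }' "$1"
}

# Demo on the constructed file; point rule_status at /etc/sysconfig/ip6tables
# on a real host (use chain INPUT on CentOS/RHEL 7.x or later).
sample=$(mktemp)
write_sample "$sample"
for port in 80 443; do
    echo "port $port: $(rule_status "$sample" RH-Firewall-1-INPUT "$port")"
done
rm -f "$sample"
```

A "shadowed" result means the rule was appended after the final DROP line and the port is still blocked over IPv6 even though the rule is present in the file.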
Dual-stacked IPv4 and IPv6 virtual host configuration
For dual-stacked httpd virtual hosts, you need to update httpd.conf as follows:
#IPv4 configuration
<VirtualHost 10.16.48.99>
    ServerAdmin [email protected]
    DocumentRoot /home/httpd/theitroad.local/http
    ServerName theitroad.local
    ServerAlias www.theitroad.local
    ErrorLog logs/theitroad.local-error_log
    TransferLog logs/theitroad.local-access_log
    ErrorLog "/home/httpd/theitroad.local/logs/error.log"
    CustomLog "/home/httpd/theitroad.local/logs/access.log" common
    ScriptAlias /cgi-bin/ "/home/httpd/theitroad.local/cgi-bin/"
    # For php5 fastcgi add +ExecCGI
    <Directory "/home/httpd/theitroad.local/http">
        Options -Indexes FollowSymLinks +ExecCGI
        AllowOverride AuthConfig FileInfo
        AddHandler php5-fastcgi .php
        Action php5-fastcgi /cgi-bin/php.fcgi
        Order allow,deny
        Allow from all
    </Directory>
    # Default cgi-bin perms
    <Directory "/home/httpd/theitroad.local/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
# Ipv6 config, note down log files
<VirtualHost [2607:f0d0:1002:11::4]>
    ServerAdmin [email protected]
    DocumentRoot /home/httpd/theitroad.local/http
    ServerName theitroad.local
    ServerAlias www.theitroad.local
    ErrorLog logs/theitroad.local-error_log
    TransferLog logs/theitroad.local-access_log
    ErrorLog "/home/httpd/theitroad.local/logs/ipv6.error.log"
    CustomLog "/home/httpd/theitroad.local/logs/ipv6.access.log" common
    ScriptAlias /cgi-bin/ "/home/httpd/theitroad.local/cgi-bin/"
    # For php5 fastcgi add +ExecCGI
    <Directory "/home/httpd/theitroad.local/http">
        Options -Indexes FollowSymLinks +ExecCGI
        AllowOverride AuthConfig FileInfo
        AddHandler php5-fastcgi .php
        Action php5-fastcgi /cgi-bin/php.fcgi
        Order allow,deny
        Allow from all
    </Directory>
    # Default cgi-bin perms
    <Directory "/home/httpd/theitroad.local/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
Save and close the file.
Restart the Apache web server:
# service httpd restart
Or
# systemctl restart httpd
A note about the BSD PF firewall
You need to update /etc/pf.conf under OpenBSD/FreeBSD operating systems as follows:
# define Ipv6 ips
apache_ipv6 = "{ 2607:f0d0:1002:11::4 }"
# Open port 80
pass in on $ext_if inet6 proto tcp from any to $apache_ipv6 port http keep state
# Open port 443
pass in on $ext_if inet6 proto tcp from any to $apache_ipv6 port https keep state
Save and close the file.
Reload the firewall:
# /etc/rc.d/pf reload
Or
# /sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf