
apache 限制IP访问

apache虚拟主机配置文件

less zcctest.conf

<VirtualHost *:80>

    SuexecUserGroup zcctest zcctest

    DocumentRoot /var/www/virtual/zcctest/home/wwwroot

    ServerName zcctest.w186.abc.com

    ServerAlias zcctest.w186.abc.com

    DirectoryIndex index.php index.html index.htm

    ScriptAlias /php5-cgi /var/www/virtual/zcctest/bin/php-cgi

    <Directory /var/www/virtual/zcctest/home/wwwroot>

        AddHandler php5-cgi .php

        Action php5-cgi /php5-cgi

        AllowOverride All

        Options -Indexes -ExecCGI Includes IncludesNOEXEC FollowSymLinks

        Allow from all

        # NOTE(review): control.sh addresses the rule above by absolute position
        # (line 13 of the file, which is where it falls when the blank lines of
        # this listing are ignored). Any line inserted above it, comments
        # included, makes the script rewrite a different directive.
        # NOTE(review): "AllowOverride All" above includes the Limit override, so
        # a .htaccess file in the docroot can set its own Allow/Deny. If the
        # site user can write there (presumably, given SuexecUserGroup), the IP
        # restriction written by control.sh is not binding on that user; narrow
        # AllowOverride if the restriction is meant to be enforced.
        # NOTE(review): Allow/Deny are the Apache 2.2 access directives and no
        # "Order" line is shown, so the default evaluation order applies.

    </Directory>

    ScriptAlias /cgi-bin/ /var/www/virtual/zcctest/home/cgi-bin/

    <Directory /var/www/virtual/zcctest/home/cgi-bin/>

        Options -Indexes ExecCGI

        AllowOverride AuthConfig FileInfo

        # NOTE(review): no closing </Directory> is shown for this section; it was
        # presumably lost when the page was extracted. Apache rejects the file
        # as listed.

    Alias /error /var/www/virtual/zcctest/home/error

    <Directory /var/www/virtual/zcctest/home/error>

        AllowOverride None

        Options None

        # NOTE(review): closing </Directory> missing here as well (see above).

    ErrorDocument 404 /error/404.html

    ErrorDocument 403 /error/403.html

    ErrorDocument 500 /error/500.html

    # NOTE(review): both logs are piped to rotatelogs and written under the
    # site's own home directory. Confirm that directory is not writable by the
    # site user, since the piped logger is normally started by the parent
    # httpd process rather than by the site's uid.
    CustomLog "|/usr/sbin/rotatelogs -l /var/www/virtual/zcctest/home/logs/zcctest-access_log.%Y.%m.%d 86400" common

    ErrorLog "|/usr/sbin/rotatelogs -l /var/www/virtual/zcctest/home/logs/zcctest-error_log.%Y.%m.%d 86400"

    CBandScoreboard /var/www/virtual/zcctest/home/logs/bandscore

    # NOTE(review): no URL argument is shown for the next directive; the value
    # appears to have been stripped from the page.
    CBandExceededURL 

    CBandLimit 10240Mi

    CBandPeriod 30D

    CBandSpeed 0 0 1000

    # NOTE(review): no Allow/Deny or authentication is shown on this Location,
    # so the bandwidth status handler appears reachable by any client that can
    # reach the vhost. Confirm whether that is intended.
    <Location /cband-stat>

        SetHandler cband-status-me

    </Location>

</VirtualHost>

脚本

control.sh -a 主机名            (允许所有)

control.sh -d 主机名            (拒绝所有)    

control.sh -s 主机名 ip         (允许一些ip访问)

control.sh -x 主机名 ip         (拒绝一些ip访问)

control.sh -i 主机名 目录 ip    (允许ip访问目录)

control.sh -l 主机名 目录       (删除对目录访问的ip限制)

less control.sh

#!/bin/sh

#control.sh -a 主机名            (允许所有)

#control.sh -d 主机名            (拒绝所有)

#control.sh -s 主机名 ip         (允许一些ip访问)

#control.sh -x 主机名 ip         (拒绝一些ip访问)

#control.sh -i 主机名 目录 ip    (允许ip访问目录)

#control.sh -l 主机名 目录       (删除对目录访问的ip限制)

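# Switch the docroot access rule of a vhost back to "Allow from all".
# Globals:   FILE, a, ip, tmp (written; the script keeps these global)
# Arguments: $1 - vhost name; the file edited is /etc/httpd/vhost.d/$1.conf
# Returns:   1 if the name is unusable, the vhost file does not exist or no
#            temp file could be created; otherwise the status of the last edit.
allowall ()
 {
 # The name becomes part of a path that is rewritten in place, so refuse
 # anything that could resolve outside /etc/httpd/vhost.d.
 case "$1" in
  ''|*/*)
   echo "allowall: invalid host name" >&2
   return 1;;
 esac
 FILE="/etc/httpd/vhost.d/$1.conf"
 if [ ! -f "$FILE" ];then
  echo "allowall: $FILE not found" >&2
  return 1
 fi
 # Line 13 is where this vhost layout keeps the docroot access rule.
 a=$(head -n 13 "$FILE" | tail -n 1 | sed 's=\( *\)==' | awk '{print $1,$2}')
 if [ "$a" = "Deny from" ];then
  sed -i 's=Deny from .*=Allow from all=' "$FILE"
 elif
  # Line directly above "Deny from all", with leading blanks stripped.
  ip=$(grep -B 1 "Deny from all" "$FILE" | head -n 1 | sed 's=\( *\)==')
  [ "$ip" = "Options -Indexes -ExecCGI Includes IncludesNOEXEC FollowSymLinks" ];then
  sed -i '13s/Deny/Allow/' "$FILE"
 else
  # Without a "Deny from all" line $ip is empty, and an empty pattern
  # matches every line: grep -v would then write back an empty vhost file.
  [ -n "$ip" ] || return 0
  # mktemp instead of /tmp/$$.tmp: a predictable name in a world-writable
  # directory can be pre-created by another local user.
  tmp=$(mktemp) || return 1
  # -F: the line is compared literally, so the dots of an address do not
  # act as wildcards and remove unrelated lines.
  grep -vF -e "$ip" -- "$FILE" > "$tmp"
  # cat (not mv) keeps the owner and mode of the vhost file; an empty
  # result is never written back.
  if [ -s "$tmp" ];then
   cat "$tmp" > "$FILE"
  fi
  rm -f -- "$tmp"
 fi
 }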

# Turn the docroot access rule of the vhost into "Deny from all".
# NOTE(review): as listed, this function has no { } around its body, no
# FILE= / a= assignments and no closing "fi" lines, so it is not valid sh;
# those lines were presumably lost when the page was extracted (allowall
# has them). Restore them from the original script before use.
# NOTE(review): $FILE and $1 are expanded unquoted throughout.
denyall () 

 if [ "$a" = "Allow from" ];then

  # Drop line 13 and append "Deny from all" after line 12, i.e. put the
  # new rule back at line 13.
  sed -i '13d' $FILE

  sed -i 12a"Deny from all" $FILE

 elif grep -q "Deny from .*" $FILE;then

  # Any existing "Deny from <list>" line is widened to "Deny from all".
  sed -i 's=Deny from .*=Deny from all=' $FILE

  # Rewrites Allow to Deny on line 13. Which branch this belongs to cannot
  # be told from the listing (an "else" may be missing before it).
  sed -i '13s/Allow/Deny/' /etc/httpd/vhost.d/$1.conf

 # Count the lines containing "Deny from all"; when the count is not
 # exactly 1, line 13 is deleted.
 number=$(grep "Deny from all" $FILE | wc -l | awk '{print $1}')

 if [ "${number}" -ne 1 ];then

  sed -i "13d" $FILE

# Restrict the vhost to an address list by maintaining an "Allow from" line
# directly above the existing "Deny from all" line.
# Arguments: $1 - vhost name, $2 - comma-separated address list
# NOTE(review): braces, the FILE= assignment, the closing "fi" lines and the
# write-back after the last sed are not shown; presumably lost in extraction.
# NOTE(review): $2 is not validated. It is spliced into a sed replacement
# that uses "=" as delimiter and from there into the Apache config, so a
# value containing "=", "&", "\" or a newline changes what gets written.
# Check each entry against an address pattern before using it.
# NOTE(review): /tmp/$1.tmp and /tmp/$$.tmp are predictable names in a
# world-writable directory; a script that edits /etc/httpd presumably runs
# as root, so these should come from mktemp.
allowsome()

 # Round trip through a temp file only to turn the commas into blanks.
 echo $2 >/tmp/$1.tmp

 ip=`sed "s/,/ /g" /tmp/$1.tmp`

 rm /tmp/$1.tmp

        # Line number of "Deny from all", and of the line above it.
        line=$(sed -n '/Deny from all/=' $FILE)

 linea=$(($line - 1))

 # The substitution prints nothing (grep -q); the "if" sees its exit status.
 # True when the line above "Deny from all" already holds a dotted address.
 if $(grep -B 1 "Deny from all" $FILE | grep -q '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}');then

  # Replace the existing address list on that line with the new one.
  sed -e "${linea}s=Allow from .*=Allow from $ip=" $FILE > /tmp/$$.tmp

         cat /tmp/$$.tmp > $FILE

  rm -f /tmp/$$.tmp

 # exit ends the whole script, not just this function, so the httpd reload
 # that the caller runs after allowsome is skipped on this path.
 exit 0

 if $(grep -q "Deny from all" $FILE) ;then

  # Insert an empty "Allow from" line before "Deny from all", then fill it.
  sed -i ${line}i"Allow from" $FILE

  sed "${line}s=Allow from=Allow from $ip=" $FILE > /tmp/$$.tmp

# Deny an address list for the vhost by rewriting the rule on line 13.
# NOTE(review): neither $ip nor FILE is assigned in the lines shown, and the
# braces, "fi" lines and the copy-back from /tmp/$$.tmp are missing;
# presumably lost in extraction.
# NOTE(review): $ip reaches the sed replacement and the Apache config
# unvalidated, and /tmp/$$.tmp is a predictable temp name.
denysome()

 # Nothing to do when the vhost already denies everyone. exit ends the
 # whole script, so the caller's reload does not run either.
 if grep -q "Deny from all" $FILE;then

  exit 0

 # a: line 13 without its eight leading blanks; b: its first two words.
 a=$(head -n 13 $FILE | tail -n 1 | sed 's=\(^        \)==')

 b=$(head -n 13 $FILE | tail -n 1 | sed 's=\(^        \)=='| awk '{print $1,$2}')

 # The X prefix keeps test from misreading a value that starts with "-".
 if [ X"$a" = X"Allow from all" ];then 

  sed "13s=Allow from all=Deny from $ip=" $FILE > /tmp/$$.tmp

 elif [ X"$b" = X"Deny from" ];then

  # An existing deny list is replaced, not extended.
  sed "13s=Deny from .*=Deny from $ip=" $FILE > /tmp/$$.tmp

# Limit a sub-directory of the docroot to an address list.
# Arguments: $1 - vhost name, $2 - directory below wwwroot, $3 - addresses
# NOTE(review): braces, FILE=, the ip= assignment, the "else" between the two
# halves and the closing "fi" are not shown; presumably lost in extraction.
# NOTE(review): $2 is placed unvalidated inside the <Directory ...> path and
# inside a grep pattern. Reject values containing "..", ">" or whitespace so
# the generated section cannot name a path outside wwwroot.
# NOTE(review): /tmp/$1_Directory.tmp and /tmp/$1.tmp are predictable names.
ipdirectory()

 echo $2 >/tmp/$1_Directory.tmp

 Directory=$(head -n 1 /tmp/$1_Directory.tmp)

 rm /tmp/$1_Directory.tmp

 echo $3 >/tmp/$1.tmp

 # Second-to-last line of the file; new sections are appended after it.
 line=$(($(wc -l $FILE | awk '{print $1}') - 1))

 if grep -q -o "<Directory /var/www/virtual/$1/home/wwwroot/$Directory>" $FILE ;then

  # Section already exists: its "allow from" line is taken to be 5 lines
  # below the opening tag, and the new addresses are appended to it.
  Directoryline=$(($(grep -n -o "<Directory /var/www/virtual/$1/home/wwwroot/$Directory>" $FILE | awk -F : '{print $1}') +5))

  sed -i "${Directoryline}s=\(allow from .*\)=\1 $ip=" $FILE

  # Presumably the "else" branch: append a fixed 8-line <Directory> section,
  # one line per sed call. delipdirectory relies on this exact length.
  sed -i ${line}a"<Directory /var/www/virtual/$1/home/wwwroot/$Directory>" $FILE

  sed -i `expr $line + 1`a"AddHandler php5-cgi .php" $FILE

  sed -i `expr $line + 2`a"Action php5-cgi /php5-cgi" $FILE

  sed -i `expr $line + 3`a"AllowOverride All" $FILE

  sed -i `expr $line + 4`a"Options -Indexes -ExecCGI Includes IncludesNOEXEC FollowSymLinks" $FILE

         sed -i `expr $line + 5`a"allow from $ip" $FILE

         sed -i `expr $line + 6`a"deny from all" $FILE

  sed -i `expr $line + 7`a"</Directory>" $FILE

# Remove the per-directory section that ipdirectory added to the vhost file.
# Arguments: $1 - vhost name, $2 - directory below wwwroot (per the usage text)
# NOTE(review): braces are missing, and /tmp/$1_Directory.tmp is read without
# being written in the lines shown; presumably lost in extraction.
# NOTE(review): $ip is computed here but not used in the lines shown.
delipdirectory()

        Directory=$(head -n 1 /tmp/$1_Directory.tmp)

        echo $3 >/tmp/$1.tmp

        ip=`sed "s/,/ /g" /tmp/$1.tmp`

        FILE=/etc/httpd/vhost.d/$1.conf

        # Line number of the opening tag; assumes exactly one match.
        Directoryline=$(grep -n -o "<Directory /var/www/virtual/$1/home/wwwroot/$Directory>" $FILE | awk -F : '{print $1}')

 # Deletes 8 lines starting at the opening tag. The range is a fixed offset,
 # not a search for </Directory>, so a section that was edited by hand to a
 # different length loses the wrong lines.
 Da=$(($Directoryline + 7))

 sed -i "${Directoryline},${Da}d" $FILE

# Dispatch on the option in $1; $2 is the vhost name, $3/$4 depend on the
# option (see the usage lines at the top of the script).
# NOTE(review): several arms are incomplete as listed (no body under -d, an
# empty "then" under -s, no ";;" or reload after -i and -l), so this is not
# valid sh; the lines were presumably lost in extraction.
# NOTE(review): arguments are passed on unquoted and there is no "*)" arm, so
# an unknown option does nothing and reports nothing.
case $1 in

 -a)

  # denyall first brings the file to a known state, then allowall opens it.
  denyall $2

  allowall $2

  /sbin/service httpd reload >/dev/null;;

 -d)

 -s)

  # With only a vhost name and no address list, the "then" branch applies;
  # its body is not shown.
  if [ $# -eq 2 ];then

  else

  allowsome $2 $3

  /sbin/service httpd reload >/dev/null

  fi;;

 -x)

  denysome $2 $3

         /sbin/service httpd reload >/dev/null;;

 -i)

  ipdirectory $2 $3 $4

 -l)

  delipdirectory $2 $3

esac

本文转自 freeterman 51CTO博客,原文链接:http://blog.51cto.com/myunix/1094757,如需转载请自行联系原作者