Lesson 19 preview tasks

1. Configure hotlink protection

2. Access control: Directory

3. Access control: FilesMatch

4. Disable PHP parsing in a given directory

5. Restrict user_agent

6. PHP-related configuration

7. Installing PHP extension modules


1. Configure hotlink protection

1.1 First, two concepts. a. Hotlink protection (anti-leech) is the set of settings that stop other sites from embedding resources hosted on your site. The main benefit is avoiding wasted resources: on hosting with bandwidth or traffic caps, third parties hotlinking your images, videos and so on can eat a large share of your traffic. b. Referer: if you follow a link on page http://a.com/a.html of site A to page http://b.com/b.html on site B, the Referer of that request to B is http://a.com/a.html. In other words, a Referer is just a URL, carried in the Referer request header. Because the client decides what to send, the header can be omitted or forged (curl's -e option does exactly that, as the tests in 1.4 show), so Referer checks deter casual hotlinking but are not an access-control boundary.

1.2 Now edit the Apache configuration (the test.com <VirtualHost> in /usr/local/apache2.4/conf/extra/httpd-vhosts.conf)

<Directory /data/wwwroot/test.com>
    # Set local_ref when the Referer matches one of our own hosts (case-insensitive).
    # This is an unanchored substring match: "http://test.com" also matches
    # "http://test.com.attacker.example/"; anchor and escape the pattern
    # ("^https?://(www\.)?test\.com(/|$)") to tighten it.
    SetEnvIfNoCase Referer "http://test.com" local_ref
    # An empty or absent Referer (direct visits, privacy-conscious browsers) is
    # allowed too, otherwise people who type the URL would get 403.
    SetEnvIfNoCase Referer "^$" local_ref
    <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
        Order Allow,Deny
        Allow from env=local_ref
    </FilesMatch>
</Directory>

# The lines below are not part of hotlink protection: they tag requests for static
# resources with the environment variable img so the access log can skip them
# (CustomLog ... env=!img in the VirtualHost shown in 6.6.3).
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img

1.3 Check the syntax, reload the configuration, and test whether it took effect

[root@knightlai images]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@knightlai images]# /usr/local/apache2.4/bin/apachectl graceful

//Test hotlink protection: a 403 means the request was blocked. (This request carries no Referer at all, which the "^$" rule is meant to admit, so with that rule active a bare request like this one is expected to succeed; the unambiguous test is to send a third-party Referer with curl -e, as in 1.4.)
[root@knightlai images]# curl -x192.168.139.196:80 test.com/images/1.jpg -I
HTTP/1.1 403 Forbidden
Date: Wed, 12 Sep 2018 03:57:12 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1

1.4 Add a third-party site to the whitelist in the configuration, then use curl to fake the Referer and confirm that hotlink protection behaves as intended

//Edit the configuration file
[root@knightlai images]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
 <Directory /data/wwwroot/test.com>
        SetEnvIfNoCase Referer "http://test.com" local_ref
        SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref

//Fake the source with curl -e: any Referer on the whitelist gets through (which is also exactly how a hotlinker would bypass the check)
[root@knightlai images]# curl -e "http://ask.apelearn.com" -x192.168.139.196:80 test.com/images/1.jpg -I
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 04:33:08 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
Last-Modified: Tue, 14 Jul 2009 05:32:31 GMT
ETag: "bea1f-46ea3c3d3b9c0"
Accept-Ranges: bytes
Content-Length: 780831
Content-Type: image/jpeg
[root@knightlai images]# curl -e "http://test.com" -x192.168.139.196:80 test.com/images/1.jpg -I
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 04:37:01 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
Last-Modified: Tue, 14 Jul 2009 05:32:31 GMT
ETag: "bea1f-46ea3c3d3b9c0"
Accept-Ranges: bytes
Content-Length: 780831
Content-Type: image/jpeg
//A site that is not on the whitelist still gets 403
[root@knightlai images]# curl -e "http://www.hao123.com" -x192.168.139.196:80 test.com/images/1.jpg -I
HTTP/1.1 403 Forbidden
Date: Wed, 12 Sep 2018 04:33:22 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1
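The Referer rule above can be reasoned about offline. The following is an added example, not code from the original page: it evaluates the page's SetEnvIfNoCase patterns and an anchored alternative over constructed Referer values, the way mod_setenvif and "Allow from env=local_ref" would, and shows that an unanchored "http://test.com" admits hosts that merely start with that string while rejecting the www alias. The STRICT_PATTERNS host list and the REQUESTS values are assumptions for the example.

```python
import re

# The page's own patterns: unanchored substrings, matched case-insensitively
# (SetEnvIfNoCase). "^$" admits a missing or empty Referer.
PAGE_PATTERNS = ["http://test.com", "http://ask.apelearn.com", "^$"]

# Tightened alternatives. Assumption: the site answers as http://test.com and
# http://www.test.com; adjust the host list to yours. Dots are escaped and the
# host must be followed by "/" or the end of the string.
STRICT_PATTERNS = [
    r"^https?://(www\.)?test\.com(/|$)",
    r"^https?://ask\.apelearn\.com(/|$)",
    r"^$",
]


def local_ref(referer, patterns):
    """True if any pattern matches the Referer as mod_setenvif would.

    A request with no Referer header is matched as the empty string, which is
    what lets the "^$" rule admit direct visits.
    """
    value = "" if referer is None else referer
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)


def decide(referer, patterns):
    """Mimic 'Order Allow,Deny' + 'Allow from env=local_ref' on a protected file."""
    return 200 if local_ref(referer, patterns) else 403


# Constructed Referer values a client might send when fetching /images/1.jpg.
REQUESTS = [
    None,                                       # direct visit, no Referer
    "http://test.com/index.html",               # our own page
    "HTTP://TEST.COM/gallery/",                 # same host, different case
    "http://www.test.com/a.html",               # our www alias
    "http://www.hao123.com/",                   # third-party hotlink
    "http://test.com.attacker.example/x.html",  # host that merely starts with ours
    "http://evil.example/?u=http://test.com",   # our URL hidden in a query string
]


def compare(requests=REQUESTS):
    """Return {referer: (status under PAGE_PATTERNS, status under STRICT_PATTERNS)}."""
    return {r: (decide(r, PAGE_PATTERNS), decide(r, STRICT_PATTERNS)) for r in requests}


if __name__ == "__main__":
    for ref, (page, strict) in compare().items():
        print(f"{str(ref):42} page={page} strict={strict}")
```

Whatever the pattern, the check only ever sees the Referer the client chose to send, so treat it as a bandwidth-saving filter rather than a control that protects the files.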

2. Access control: Directory

2.1 For important content, besides user authentication you can restrict access in other ways, for example by IP or by user_agent. Restricting by IP limits which source addresses may reach the site; restricting by user_agent is usually used to block malicious or abnormal clients. Note that the source IP Apache evaluates is the TCP peer: behind a reverse proxy or load balancer that is the proxy's address, and you need mod_remoteip (trusting only that proxy) before IP rules mean anything.

2.2 Edit the configuration file as before

[root@knightlai images]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
<Directory /data/wwwroot/test.com/images/>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
</Directory>

//<Directory> names the directory to restrict. Order sets how the Deny and Allow directives are evaluated: with deny,allow, all Deny directives are applied first, then all Allow directives; a client matching both is allowed (the last-named set wins) and a client matching neither is allowed by default. So Deny from all denies every source IP, and Allow from 127.0.0.1 then re-permits that single address; the net effect is that only requests from 127.0.0.1 get in. This Order/Deny/Allow syntax comes from Apache 2.2 (mod_access_compat); it still works on 2.4 because the compatibility module is enabled in the default httpd.conf, but the 2.4-native form is Require ip 127.0.0.1 (mod_authz_core), and the two styles should not be mixed in one section.

2.3 Check the syntax, reload the configuration, and test

[root@knightlai images]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@knightlai images]# /usr/local/apache2.4/bin/apachectl graceful

//Only whitelisted sources can access it
[root@knightlai images]# curl -x127.0.0.1:80 test.com/images/ -I
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 04:47:31 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
Content-Type: text/html;charset=ISO-8859-1


//Any other source IP gets 403
[root@knightlai images]# curl -x192.168.139.196:80 test.com/images/ -I
HTTP/1.1 403 Forbidden
Date: Wed, 12 Sep 2018 04:48:16 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1

3. Access control: FilesMatch

3.1 FilesMatch applies an access rule to files whose names match a regular expression, so it restricts particular files rather than a whole directory.

3.2 Edit the configuration file as before

[root@knightlai images]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
<Directory /data/wwwroot/test.com>
    # The argument is a regex: the unescaped "." matches any character and "(.*)"
    # is redundant, so this also matches names such as "1xphp" or "21.php.bak".
    # To pin down exactly one file use "^1\.php$".
    <FilesMatch  "1.php(.*)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
 </Directory>


3.3 Check the syntax, reload the configuration, and test

[root@knightlai images]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@knightlai images]# /usr/local/apache2.4/bin/apachectl graceful

//1.php now returns 403
[root@knightlai images]# curl -x192.168.139.196:80 test.com/1.php -I
HTTP/1.1 403 Forbidden
Date: Wed, 12 Sep 2018 04:59:20 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1
//Other files, here /images/1.jpg (inside the same <Directory> but not matching the pattern), are unaffected
[root@knightlai images]# curl -x192.168.139.196:80 test.com/images/1.jpg -I
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 05:00:04 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
Last-Modified: Tue, 14 Jul 2009 05:32:31 GMT
ETag: "bea1f-46ea3c3d3b9c0"
Accept-Ranges: bytes
Content-Length: 780831
Content-Type: image/jpeg

4. Disable PHP parsing in a given directory

4.1 In a directory that accepts uploads, disable PHP parsing: if an attacker manages to upload a PHP webshell there, the server would otherwise execute it. As a rule, writable directories and static-file directories should not hold PHP at all, and the rest of the document root should not be writable by the user httpd runs as.

4.2 Edit the configuration file as before (Apache does not accept a comment after a directive on the same line, so the explanations sit on lines of their own)

[root@knightlai images]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
<Directory /data/wwwroot/111.com/upload>
        # Turn the PHP engine off for this directory: .php files are no longer executed.
        # php_admin_flag only exists when PHP runs as an Apache module, as it does here;
        # with php-fpm you would keep this directory out of the handler/proxy rules instead.
        php_admin_flag engine off
        # Also refuse to serve the files at all. With the engine off alone, Apache hands
        # out the PHP source as a plain file. The pattern also catches names such as
        # x.php.jpg, which mod_mime's multiple-extension handling can still route to PHP;
        # extend it with any other extension your AddType/AddHandler lines map to PHP.
        <FilesMatch (.*)\.php(.*)>
        Order allow,deny
        Deny from all
        </FilesMatch>
</Directory>

4.3 Check the syntax, reload the configuration, and test (to mimic production we create an upload directory)

[root@knightlai upload]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/test.com/upload>
        # this line alone stops PHP parsing
        php_admin_flag engine off
      #  <FilesMatch (.*)\.php(.*)> 
      #  Order allow,deny
      #  Deny from all
      #  </FilesMatch>
    </Directory>
//Create an upload directory for the test
[root@knightlai images]# cd ..
[root@knightlai test.com]# mkdir upload
[root@knightlai test.com]# cp /data/wwwroot/test.com/1.php  /data/wwwroot/test.com/upload/
[root@knightlai test.com]# cd ..
[root@knightlai wwwroot]# cd test.com/
[root@knightlai test.com]# cd upload/
[root@knightlai upload]# ls
1.php

Testing in a browser confirms the file is no longer parsed: the browser offers 1.php as a download instead.

4.4 So there are two approaches: simply not parsing the PHP files, or denying access to them outright

   <Directory /data/wwwroot/test.com/upload>
        php_admin_flag engine off
        # this block denies the PHP files outright
        <FilesMatch (.*)\.php(.*)>
        Order allow,deny
        Deny from all
        </FilesMatch>
   </Directory>
//With the files denied outright the result is 403
[root@knightlai upload]# curl -x127.0.0.1:80 test.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Date: Wed, 12 Sep 2018 05:33:24 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1
//With the engine merely off (FilesMatch commented out), the response is the file's source verbatim; fetch the body, i.e. without -I, to see it
[root@knightlai upload]# curl -x127.0.0.1:80 test.com/upload/1.php
<?php
echo "test.com";
?>
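A way to verify sections 3 and 4 from the outside, as an added example that is not code from the original page: it requests the upload-directory test file under several names and classifies each response as executed, source-disclosed, forbidden or missing. It assumes that 1.php (containing <?php echo "test.com"; ?>, as on the page) has been copied to each of the names in VARIANTS; names you did not create simply report missing. The variant list, the "hardening-check" User-Agent, the base URL and the Host header are assumptions for the example. The classification is pure and runs offline; only probe() talks to a server.

```python
import sys
import urllib.error
import urllib.request

EXECUTED, SOURCE_LEAK, FORBIDDEN, MISSING, OTHER = (
    "executed", "source-disclosed", "forbidden", "missing", "other")

# Name variants worth probing. Which of them a server parses depends on its
# AddType/AddHandler lines (assumption: the common ".php" plus lookalikes);
# "1.php.jpg" exercises mod_mime's multiple-extension handling.
VARIANTS = ["1.php", "1.php.jpg", "1.phtml", "1.php5", "1.PHP"]


def classify(status, body):
    """Map (HTTP status, response body) to what the server did with the script."""
    if status == 403:
        return FORBIDDEN
    if status == 404:
        return MISSING
    if status != 200:
        return OTHER
    if "<?php" in body:
        return SOURCE_LEAK   # engine off but file still served as-is (4.4, second test)
    return EXECUTED          # PHP ran: only the script's output came back


def fetch(url, host=None):
    """Return (status, body). A Host header lets you hit an IP the way curl -x did."""
    headers = {"User-Agent": "hardening-check"}  # not "curl": section 5 blocks that
    if host:
        headers["Host"] = host
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 403/404/500 still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:                  # refused/unreachable
        return 0, ""


def probe(base, directory="upload", host=None, variants=VARIANTS):
    """Return {path: classification} for every variant under the directory."""
    results = {}
    for name in variants:
        path = f"{directory}/{name}"
        status, body = fetch(f"{base.rstrip('/')}/{path}", host)
        results[path] = classify(status, body)
    return results


def violations(results):
    """Executed or disclosed PHP under an upload directory is a finding."""
    return {p: c for p, c in results.items() if c in (EXECUTED, SOURCE_LEAK)}


if __name__ == "__main__":
    # usage: python3 check_upload.py http://192.168.139.196 test.com
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"
    host = sys.argv[2] if len(sys.argv) > 2 else "test.com"
    res = probe(base, host=host)
    for path, verdict in res.items():
        print(f"{path:14} {verdict}")
    sys.exit(1 if violations(res) else 0)
```

The exit status makes the script usable as a post-deploy gate: a 403 for every variant is the state section 4.4 ends with, a source-disclosed verdict means the engine is off but the FilesMatch block is missing, and executed means the directory still runs PHP.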

5. Restrict user_agent

5.1 user_agent is the client's (browser's) identification string. Restricting it is one response to CC attacks, in which many compromised machines hit a site at once to overwhelm it. A CC attack usually has a recognisable signature: all the requests share the same user_agent, arrive at a high rate, and target the same URL. Bear in mind that the user_agent is sent by the client, so a blocklist only stops attackers who do not bother to change it (5.3 shows the bypass); it is a cheap first filter, not a substitute for rate limiting.

5.2 First, look at the configuration (this block goes inside the test.com <VirtualHost>; comments sit on their own lines)

[root@knightlai upload]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<IfModule mod_rewrite.c>
        RewriteEngine on
        # OR: the user_agent may match either curl or baidu.com; NC: ignore case.
        # Both patterns are unanchored and the "." is unescaped, so any user_agent
        # containing the substring "curl", or "baidu" + any character + "com", matches.
        RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
        # F: answer 403 Forbidden
        RewriteRule  .*  -  [F]
    </IfModule>

5.3 Check the syntax, reload the configuration, and test

   When the user_agent matches curl or baidu.com the rule fires and the response is Forbidden

[root@knightlai upload]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@knightlai upload]# /usr/local/apache2.4/bin/apachectl graceful

//Without overriding it, curl sends its default user_agent (curl/x.y.z) and is blocked
[root@knightlai upload]# curl -x127.0.0.1:80 'http://test.com/upload/1.php'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/1.php
on this server.<br />
</p>
</body></html>

//With a different user_agent the same request succeeds, which also shows how trivially the check is bypassed
[root@knightlai upload]# curl -A "aaa aaa" -x127.0.0.1:80 'http://test.com/upload/1.php' -I
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 06:01:07 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Content-Type: text/html; charset=UTF-8
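The CC-attack signature described in 5.1 (same user_agent, same URL, high rate) can be spotted in the access log before any RewriteCond is written. The following is an added example, not code from the page: it parses Apache "combined" log lines, flags (ip, user_agent, path) tuples that reach THRESHOLD hits within a WINDOW-second span, and emits anchored, regex-escaped RewriteCond lines for the offending user_agents. The log lines, the threshold, the window and the MSIE user_agent are constructed for the example.

```python
import re
from datetime import datetime

# Apache "combined" format, as written by the CustomLog lines in 6.6.3.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = 60      # seconds (assumption: tune to your traffic)
THRESHOLD = 20   # hits per (ip, user_agent, path) inside one window

FLOOD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Constructed sample log: one source hammering /upload/1.php once a second with a
# fixed user_agent, two ordinary requests, and one malformed line.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.9 - - [12/Sep/2018:06:01:{i:02d} +0000] "GET /upload/1.php HTTP/1.1" 200 12 "-" "{FLOOD_UA}"'
     for i in range(25)]
    + ['192.168.139.10 - - [12/Sep/2018:06:01:03 +0000] "GET /images/1.jpg HTTP/1.1" 200 780831 "http://test.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0"',
       '192.168.139.11 - - [12/Sep/2018:06:01:30 +0000] "GET /1.php HTTP/1.1" 200 8 "-" "curl/7.29.0"',
       'garbage line that does not parse'])


def parse(log_text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["time"], TIME_FMT)
            yield rec


def find_floods(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {(ip, user_agent, path): peak hits in any window} for tuples reaching threshold."""
    by_key = {}
    for rec in parse(log_text):
        by_key.setdefault((rec["ip"], rec["ua"], rec["path"]), []).append(rec["ts"])
    floods = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):                 # sliding window over timestamps
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                floods[key] = max(floods.get(key, 0), count)
    return floods


def rewrite_conds(floods):
    """Emit mod_rewrite lines blocking the flagged user_agents, anchored and regex-escaped.

    Returns "" when nothing was flagged, so no rule (and no accidental block-all) is emitted.
    """
    uas = sorted({ua for (_, ua, _) in floods})
    if not uas:
        return ""
    lines = ["RewriteEngine on"]
    for i, ua in enumerate(uas):
        flag = "[NC,OR]" if i < len(uas) - 1 else "[NC]"
        lines.append(f'RewriteCond %{{HTTP_USER_AGENT}} "^{re.escape(ua)}$" {flag}')
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_floods(SAMPLE_LOG)
    for (ip, ua, path), n in found.items():
        print(f"{ip} {path} {n} hits  UA={ua}")
    print(rewrite_conds(found))
```

Because a user_agent is whatever the client claims, treat the generated rules as a quick first filter and pair them with rate limiting; the ip and path that find_floods reports are also what you would feed a firewall or a connection-rate limit.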

6. PHP-related configuration

6.1 Where the configuration file lives

[root@knightlai upload]# /usr/local/php/bin/php -i |grep -i "loaded configuration file"
PHP Warning:  Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in Unknown on line 0
Loaded Configuration File => /usr/local/php/etc/php.ini

6.2 The warning says no timezone is set; define date.timezone in php.ini

//Edit php.ini and set the timezone (mind the spelling: a misspelled identifier triggers the same warning)
[root@knightlai etc]# vim php.ini
[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = Asia/Shanghai
6.3 PHP's disable_functions: PHP has many built-in functions, and some of them (exec, for instance) run Linux system commands directly. Leaving them enabled is dangerous, so for safety disable the ones that carry risk. Two caveats: eval is a language construct, not a function, so listing it has no effect; and disable_functions is a speed bump, not a sandbox (PHP silently ignores names it does not know, copy-pasted lists often contain duplicates or non-existent names such as popepassthru, and bypasses through other process-spawning entry points exist), so combine it with open_basedir (6.6) and a least-privilege httpd user.

//Define the functions to disable here
[root@knightlai etc]# vim php.ini
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions=assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,stream_socket_server,proc_open,proc_close,phpinfo

6.4 display_errors in php.ini (PHP's error log is important: it is a primary troubleshooting tool. Set display_errors to Off. When it is On, errors are printed into the page itself, which is bad for visitors and leaks file paths and other internals to anyone who can trigger an error.)

[root@knightlai etc]# vim php.ini
; This directive controls whether or not and where PHP will output errors,
; notices and warnings too. Error output is very useful during development, but
; it could be very dangerous in production environments. Depending on the code
; which is triggering the error, sensitive information could potentially leak
; out of your application such as database usernames and passwords or worse.
; For production environments, we recommend logging errors rather than
; sending them to STDOUT.
; Possible Values:
;   Off = Do not display any errors
;   stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
;   On or stdout = Display errors to STDOUT
; Default Value: On
; Development Value: On
; Production Value: Off
; http://php.net/display-errors
//This is where error display is controlled; the value found here is On, and 6.5 changes it to Off
display_errors = ON

6.5 Adjust the logging settings

[root@knightlai etc]# vim php.ini
//search for log_errors and set log_errors = On
//search for error_log and set it to /tmp/php/php_errors.log (the excerpt below uses /usr/local/php/php_errors.log; whichever path you choose, its directory must exist)
//search for error_reporting and set error_reporting = E_ALL & ~E_NOTICE
//search for display_errors and set display_errors = Off

; Log errors to specified file. PHP's default behavior is to leave this value
; empty.
; http://php.net/error-log
; Example:
error_log = /usr/local/php/php_errors.log

error_reporting = E_ALL & ~E_NOTICE
;   Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
;   Development Value: E_ALL
;   Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT

//PHP runs inside httpd, so the log is written by httpd's user (daemon here) from the moment the service starts; the directory holding the log must exist and be writable by that user.
[root@knightlai php]# touch php_errors.log
[root@knightlai php]# chmod 777 php_errors.log
-rwxrwxrwx  1 root root    0 Sep 12 02:48 php_errors.log

#If you have defined an error log but it never appears, check whether httpd can actually write to the directory it lives in.
The safest approach is to create the log file in advance and make it writable by httpd's user: chown daemon:daemon php_errors.log together with chmod 640 is preferable to chmod 777, since a world-writable log can be truncated or filled by any local user, and the same objection applies to keeping it under /tmp, which is world-writable and periodically cleaned.
With the file pre-created and owned correctly, there is no need to worry whether httpd has write permission.#
6.6 Configure open_basedir: when several sites share one server, a compromise of one can spill over into the others. open_basedir confines PHP's file operations to the listed directories, so a hacked site cannot read or write outside its own tree. Two details matter: the value is compared as a path prefix, so give each directory a trailing slash (/data/wwwroot/test.com/ rather than /data/wwwroot/test.com, which would also admit /data/wwwroot/test.com_evil/), and separate several directories with ":" (include the session/temp directory if the site needs it).

6.6.1 Edit php.ini

//Configure open_basedir. The value below points at a file under test1.com, so the script /data/wwwroot/test.com/1.php lies outside the allowed prefix; PHP refuses to run it with a fatal error, which with display_errors Off surfaces as a 500
[root@knightlai etc]# vim php.ini
; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.
; http://php.net/open-basedir
open_basedir =/data/wwwroot/test1.com/1.php
//Result: a 500 error
[root@knightlai etc]# curl -A "aaa aaa" -x127.0.0.1:80 'http://test.com/1.php' -I
HTTP/1.0 500 Internal Server Error
Date: Wed, 12 Sep 2018 07:14:55 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Connection: close
Content-Type: text/html; charset=UTF-8

6.6.2 After correcting open_basedir, the page is reachable again

[root@knightlai etc]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@knightlai etc]# /usr/local/apache2.4/bin/apachectl graceful
[root@knightlai etc]# curl -A "aaa aaa" -x127.0.0.1:80 'http://test.com/1.php' -I
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 07:16:02 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Content-Type: text/html; charset=UTF-8
6.6.3 Restrict open_basedir per virtual host

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/test.com"
    ServerName test.com
    ServerAlias www.test.com www.123.com
    # php_admin_value cannot be overridden from .htaccess or ini_set(). The value
    # below only admits the single file 1.php; in practice give the site directory
    # with a trailing slash, e.g. "/data/wwwroot/test.com/:/tmp/"
    php_admin_value open_basedir "/data/wwwroot/test.com/1.php"
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
        RewriteRule  .*  -  [F]
    </IfModule>
    # SetEnvIf Request_URI ".*\.gif$" img
    # SetEnvIf Request_URI ".*\.jpg$" img
    # SetEnvIf Request_URI ".*\.png$" img
    # SetEnvIf Request_URI ".*\.bmp$" img
    # SetEnvIf Request_URI ".*\.swf$" img
    # SetEnvIf Request_URI ".*\.js$" img
    # SetEnvIf Request_URI ".*\.css$" img
    ErrorLog "logs/test.com-error_log"
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/test-access_log_%Y%m%d_log 86400" combined env=!img
    # CustomLog  "logs/test.com-access_log" combined
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/123.com"
    ServerName 123.com
    ServerAlias www.hahaha.com
    php_admin_value open_basedir "/data/wwwroot/123.com/test.php"
    ErrorLog "logs/123.com-error_log"
    CustomLog "logs/123.com-access_log" common
</VirtualHost>

6.6.4 Test open_basedir

[root@knightlai 123.com]# curl -A "aaa aaa" -x127.0.0.1:80 'http://test.com/1.php' -I
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 07:26:15 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Content-Type: text/html; charset=UTF-8
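An audit of the settings discussed in 6.3 to 6.6, as an added example that is not code from the page: it reads a php.ini text, checks display_errors, log_errors and error_log, finds duplicates and gaps in disable_functions, and shows why an open_basedir entry without a trailing slash is too loose. SAMPLE_INI is constructed to mirror the values the page works with; MUST_DISABLE is an assumed baseline, not an official list, and the ini reader is deliberately minimal.

```python
# Functions that hand a shell or a process to PHP code. Assumption: a common
# baseline, not an official list. eval is deliberately absent: it is a language
# construct and disable_functions cannot switch it off.
MUST_DISABLE = {"exec", "passthru", "shell_exec", "system", "proc_open",
                "popen", "pcntl_exec", "dl"}

# Constructed php.ini excerpt mirroring the values the page works with.
SAMPLE_INI = """
[Date]
date.timezone = Asia/Shanghai
display_errors = On
log_errors = Off
error_log = /tmp/php/php_errors.log
; duplicates and a non-existent name are typical of copy-pasted lists
disable_functions=eval,assert,popen,passthru,exec,system,escapeshellcmd,escapeshellarg,popepassthru,phpinfo,popen
open_basedir = /data/wwwroot/test.com
"""


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines; ';' comments and [sections] ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_disable_functions(value):
    """Return {'duplicates': [...], 'missing': [...], 'ineffective': [...]}."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    seen, dups = set(), []
    for n in names:
        if n in seen and n not in dups:
            dups.append(n)
        seen.add(n)
    return {"duplicates": dups,
            "missing": sorted(MUST_DISABLE - seen),
            "ineffective": [n for n in ("eval",) if n in seen]}


def open_basedir_allows(open_basedir, path):
    """open_basedir is a prefix test: '/a/b' also admits '/a/bad/...'.

    (PHP resolves symlinks before comparing; that step is omitted here.)
    """
    return any(path.startswith(p) for p in open_basedir.split(":") if p)


def audit(text):
    """Return a list of human-readable findings for a php.ini text."""
    s = parse_ini(text)
    findings = []
    if s.get("display_errors", "").lower() in ("on", "1", "stdout"):
        findings.append("display_errors is on: errors (and file paths) are shown to visitors")
    if s.get("log_errors", "").lower() not in ("on", "1"):
        findings.append("log_errors is off: nothing will be written to error_log")
    if s.get("error_log", "").startswith("/tmp/"):
        findings.append("error_log is under world-writable /tmp; use a directory owned by the httpd user")
    df = audit_disable_functions(s.get("disable_functions", ""))
    if df["duplicates"]:
        findings.append("disable_functions repeats: " + ", ".join(df["duplicates"]))
    if df["missing"]:
        findings.append("disable_functions lacks: " + ", ".join(df["missing"]))
    if df["ineffective"]:
        findings.append("disable_functions lists constructs it cannot disable: " + ", ".join(df["ineffective"]))
    for entry in filter(None, s.get("open_basedir", "").split(":")):
        if not entry.endswith("/"):
            findings.append(f"open_basedir entry {entry} has no trailing slash; it also admits {entry}_evil/")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("-", finding)
```

Run it against the php.ini that php -i reports as loaded (6.1); a php.ini that follows 6.3 to 6.6, with display_errors Off, log_errors On, a log outside /tmp, a deduplicated disable_functions and slash-terminated open_basedir entries, produces no findings.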

7. Installing PHP extension modules

7.1 Just as httpd has static and dynamic modules, so does PHP. Everything in the PHP build so far is static; a dynamic module is a stand-alone .so file (in httpd, PHP itself is loaded as a dynamic module). Once PHP is compiled, adding a feature means either recompiling PHP or building that feature as an extension (producing a .so) and enabling it in php.ini, after which it can be loaded and used.

7.2 See which modules this installation already has

[root@knightlai 123.com]# /usr/local/php/bin/php -m
[PHP Modules]
bz2
Core
ctype
date
dom
ereg
exif
..........
fileinfo
xmlwriter
zlib

7.3 Download an extension and build it into a .so

We will build the mongo extension as the example. Two caveats: master.zip is a snapshot of whatever the branch holds at download time, not a release, so outside a lab download a tagged release and verify its published checksum before building; and this repository is the legacy mongo driver for PHP 5, while the current driver is the separate mongodb extension.
[root@knightlai src]# wget https://github.com/mongodb/mongo-php-driver-legacy/archive/master.zip
--2018-09-12 04:06:55--  https://github.com/mongodb/mongo-php-driver-legacy/archive/master.zip
Resolving github.com (github.com)... 192.30.253.112, 192.30.253.113
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/mongodb/mongo-php-driver-legacy/zip/master [following]
--2018-09-12 04:06:57--  https://codeload.github.com/mongodb/mongo-php-driver-legacy/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.253.121, 192.30.253.120
Connecting to codeload.github.com (codeload.github.com)|192.30.253.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘master.zip’

    [                           <=>                                                                            ] 1,543,994    232KB/s   in 6.9s   

2018-09-12 04:07:05 (219 KB/s) - ‘master.zip’ saved [1543994]

[root@knightlai mongo-php-driver-legacy-master]# /usr/local/php/bin/phpize
Configuring for:
PHP Api Version:         20131106
Zend Module Api No:      20131226
Zend Extension Api No:   220131226
//phpize has generated the configure script. Note the Zend Module Api No: the .so will only load in a PHP built with the same number
[root@knightlai mongo-php-driver-legacy-master]# ls
acinclude.m4    build             config.h.in   CONTRIBUTING.md  exceptions    log_stream.h      mkinstalldirs  php_mongo.h
aclocal.m4      cleantests.sh     config.m4     cursor.c         gridfs        ltmain.sh         mongo.c        README.md
api             collection.c      config.sub    cursor.h         install-sh    Makefile.frag     mongoclient.c  rebuild.sh
autom4te.cache  collection.h      configure 
//Before make, run ./configure --with-php-config=/usr/local/php/bin/php-config to generate the Makefile (phpize alone does not produce one); then build and install
[root@knightlai mongo-php-driver-legacy-master]# make &&make install
............................................
Build complete.
Don't forget to run 'make test'.

Installing shared extensions:     /usr/local/php/lib/php/extensions/no-debug-zts-20131226/


7.4 Look at the build result: mongo.so is present, and the extension directory PHP loads from is the same directory make install wrote to (both end in the API number 20131226)

[root@knightlai mongo-php-driver-legacy-master]# ls /usr/local/php/lib/php/extensions/no-debug-zts-20131226/
mongo.so  opcache.so

[root@knightlai mongo-php-driver-legacy-master]# /usr/local/php/bin/php -i|grep extension_dir
extension_dir => /usr/local/php/lib/php/extensions/no-debug-zts-20131226 => /usr/local/php/lib/php/extensions/no-debug-zts-20131226
sqlite3.extension_dir => no value => no value

7.5 Add one line to php.ini to enable the extension (edit the php.ini that php -i reported in 6.1; mod_php reads it when httpd starts, so run apachectl graceful afterwards for the web side)

[root@knightlai etc]# vim php.ini
extension=mongo.so

7.6 Check that the module loaded (php -m checks the CLI; the web SAPI only picks up the change after the reload)

[root@knightlai etc]# /usr/local/php/bin/php -m
[PHP Modules]
bz2
Core
ctype
date
dom
ereg
exif
fileinfo
filter
gd
hash
iconv
json
libxml
mongo
mysql
mysqli
openssl
pcre
.......
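Two checks worth scripting around the build in 7.3 and 7.4, as an added example that is not code from the page: pin the source archive's SHA-256 before building, and confirm that the Zend Module API number phpize reported matches the extension_dir PHP actually loads from. EXPECTED_SHA256 is a placeholder assumption (a branch snapshot such as master.zip has no stable digest; pin the published digest of a tagged release instead); the phpize output format is the one shown above.

```python
import hashlib
import re

# Assumption: placeholder; replace with the digest published for the tagged
# release you download. A master.zip has no stable digest to pin.
EXPECTED_SHA256 = "0" * 64

API_RE = re.compile(r"Zend Module Api No:\s*(\d+)")


def sha256_hex(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Hex SHA-256 of a file, streamed so a large archive is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def digest_matches(actual_hex, expected_hex):
    """Compare two hex digests case-insensitively; build only when this is True."""
    return actual_hex.strip().lower() == expected_hex.strip().lower()


def module_api(phpize_output):
    """Pull the Zend Module API number out of phpize's 'Configuring for:' output."""
    m = API_RE.search(phpize_output)
    return m.group(1) if m else None


def extension_dir_matches(phpize_output, extension_dir):
    """The .so only loads if PHP's extension_dir was built for the same API number
    (the directory name ends in it). Otherwise PHP logs 'Module compiled with
    module API=... PHP compiled with module API=...' and skips the module."""
    api = module_api(phpize_output)
    return api is not None and extension_dir.rstrip("/").endswith(api)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        print("usage: check_ext.py ARCHIVE PHPIZE_OUTPUT_FILE EXTENSION_DIR")
        sys.exit(2)
    archive, phpize_log, ext_dir = sys.argv[1:4]
    with open(phpize_log) as f:
        phpize_text = f.read()
    pinned = digest_matches(sha256_of_file(archive), EXPECTED_SHA256)
    api_ok = extension_dir_matches(phpize_text, ext_dir)
    print(f"archive pinned: {pinned}, extension_dir matches API: {api_ok}")
    sys.exit(0 if pinned and api_ok else 1)
```

Capture phpize's output to a file when you run it (phpize | tee phpize.txt) and pass the extension_dir value from php -i; a non-zero exit means either the archive is not the one you pinned or the .so is about to be installed where this PHP will refuse to load it.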