- 目录
- 1.配置防盗链
- 2.访问控制 -Directory
- 3.访问控制FilesMatch
- 4.限定某个目录禁止解析php
- 5.访问控制- user_agent
- 6.PHP相关配置
- 7.PHP扩展模块的安装
- 扩展
1.配置防盗链
通过限制referer来实现防盗链的功能
设置了防盗链后,一些站点将无法通过引用的方式来获取服务器的资源,只能通过直接访问本机来获取,这样就将有效的流量访问限定到了本机,不被不法站点所利用。
配置文件增加如下内容
<Directory /data/wwwroot/12.com> 定义网站目录
SetEnvIfNoCase Referer "http://www.123.com" local_ref 定义可访问连接ref'
SetEnvIfNoCase Referer "http://123.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref 是否可以空ref访问
<filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">
Order Allow,Deny 允许还是拒绝
Allow from env=local_ref
</filesmatch>
</Directory>
注视空ref访问后
添加白名单后访问
<Directory /data/wwwroot/12.com>
SetEnvIfNoCase Referer "https://my.oschina.net" local_ref
curl -e可以自定义ref
2.访问控制 -Directory
允许白名单ip来访问内容
核心配置内容,拒绝非Allow的ip访问
<Directory /data/wwwroot/12.com/admin/>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
由于没有权限访问显示Forbidden
增加本机ip权限
<Directory /data/wwwroot/12.com/admin/>
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 192.168.1.187
</Directory>
可以正常访问。
3.访问控制FilesMatch
在Directory下增加一行,指定限制访问格式。
<Directory /data/wwwroot/12.com/admin/>
<FileMatch admin.php(.*)>
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 192.168.1.187
</FileMatch>
针对访问连接控制权限
[root@chenshi apache2.4]# curl -x192.168.1.197:80 'http://123.com/admin.php?asdsadasdsd' -I
HTTP/1.1 404 Not Found
Date: Fri, 29 Jun 2018 03:30:32 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1
4.限定某个目录禁止解析php
假设有一个目录是可以上传图片,但是可能被有心之人上传php上去,因为httpd开放了php模块,所以如果被人上传了木马文件(php类型),httpd就有可能会进行执行,一旦执行,就会让对方获得我们服务器的root权限,或者是被恶意删除或修改一些参数,导致服务器瘫痪或者是被攻击。
编辑核心配置文件内容,检查配置文件是否存在语法错误,并重新配置文件。
[root@chenshi ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/12.com/upload>
php_admin_flag engine off
</Directory>
[root@chenshi ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@chenshi ~]# /usr/local/apache2.4/bin/apachectl graceful
curl测试直接返回php源码,并未解析。
[root@chenshi apache2.4]# curl -x192.168.1.197:80 123.com/upload/123.php
<?php
echo "123.php";
5.访问控制- user_agent
user_agent可以理解为浏览器表标识
核心配置文件内容,需要mod_rewrite.c模块的支持。第一行表示打开mod_rewrite模块;第二行表示拒绝curl访问。第三行表示拒绝百度访问。(起到防止攻击的功能)
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baicu.com.* [NC]
RewriteRule .* - [F]
</IfModule>
curl测试403
[root@chenshi apache2.4]# curl -x192.168.1.197:80 123.com -I
HTTP/1.1 403 Forbidden
Date: Fri, 29 Jun 2018 05:44:18 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1
6.PHP相关配置
查看php配置文件位置,但是可能找到php.ini不准确,可以用phpinfo来查看
[root@chenshi ~]# /usr/local/php/bin/php -i|grep -i "loaded configuration file"
Loaded Configuration File => /usr/local/php/etc/php.ini
PHP Warning: Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in Unknown on line 0
修改php.ini文件,增加限制危险函数
disable_functions=eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close
date.timeone定义时区
[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone =Asia/Shanghai
error_log,定义错误日志存放地址,log_error需要打开
error_log = /tmp/php_errors.log
; Log errors to syslog (Event Log on Windows).
;error_log = syslog
open_basedir安全选项;当一台服务器上跑了很多站点,当一个站点被黑保证别的网站正常运行,网站目录隔离
可以在vhost里面定义php.ini里的参数,增加一行
php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
7.PHP扩展模块的安装
查看php模块
[root@chenshi ~]# /usr/local/php/bin/php -m
[PHP Modules]
bz2
Core
ctype
date
dom
ereg
exif
fileinfo
filter
gd
hash
iconv
json
libxml
mbstring
mcrypt
mysql
mysqli
openssl
pcre
PDO
pdo_sqlite
Phar
posix
Reflection
session
SimpleXML
soap
sockets
SPL
sqlite3
standard
tokenizer
xml
xmlreader
xmlwriter
zlib
[Zend Modules]
安装一个redis的模块
[root@chenshi ~]# cd /usr/local/src/
[root@chenshi src]# wget https://codeload.github.com/phpredis/phpredis/zip/develop
[root@chenshi src]#mv develop phpredis-develop.zip
[root@chenshi src]#unzip phpredis-develop.zip
[root@chenshi src]#cd phpredis-develop
[root@chenshi phpredis-develop]# /usr/local/php/bin/phpize
Configuring for:
PHP Api Version: 20131106
Zend Module Api No: 20131226
Zend Extension Api No: 220131226
[root@chenshi phpredis-develop]./configure --with-php-config=/usr/local/php/bin/php-config
[root@chenshi phpredis-develop]# make && make install
[root@chenshi phpredis-develop]# /usr/local/php/bin/php -i |grep extension_dir
extension_dir => /usr/local/php/lib/php/extensions/no-debug-zts-20131226 => /usr/local/php/lib/php/extensions/no-debug-zts-20131226
sqlite3.extension_dir => no value => no value
[root@chenshi phpredis-develop]# ls /usr/local/php/lib/php/extensions/no-debug-zts-20131226
opcache.so redis.so
;extension=php_shmop.dll
;extension=redis.so
扩展
几种限制ip的方法 http://ask.apelearn.com/question/6519
apache 自定义header http://ask.apelearn.com/question/830
apache的keepalive和keepalivetimeout http://ask.apelearn.com/question/556
apache开启压缩 http://ask.apelearn.com/question/5528
apache2.2到2.4配置文件变更 http://ask.apelearn.com/question/7292
apache options参数 http://ask.apelearn.com/question/1051
apache禁止trace或track防止xss http://ask.apelearn.com/question/1045
apache 配置https 支持ssl http://ask.apelearn.com/question/1029
apache rewrite教程 http://coffeelet.blog.163.com/blog/static/13515745320115842755199/ http://www.cnblogs.com/top5/archive/2009/08/12/1544098.html
apache rewrite 出现死循环 http://ask.apelearn.com/question/1043
php错误日志级别参考 http://ask.apelearn.com/question/6973
php开启短标签 http://ask.apelearn.com/question/120
php.ini详解 http://legolas.blog.51cto.com/2682485/493917
269
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
