Restricting a directory so that PHP is not parsed in it
Before the restriction is applied, everything works normally:
[root@HANLIN upload]# curl -x192.168.0.106:80 111.com/upload/index.php -i
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 15:50:35 GMT
Server: Apache/2.4.35 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Content-Length: 7
Content-Type: text/html; charset=UTF-8
[root@HANLIN upload]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/111.com/upload>
php_admin_flag engine off
#<FilesMatch (.*)\.php(.*)> (this commented-out block is the alternative: it denies access to the .php files outright)
# Order allow,deny
# Deny from all
# </FilesMatch>
</Directory>
Test
[root@HANLIN upload]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@HANLIN upload]# /usr/local/apache2.4/bin/apachectl graceful
[root@HANLIN upload]# !curl
curl -x192.168.0.106:80 111.com/upload/index.php -i
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 15:57:05 GMT
Server: Apache/2.4.35 (Unix) PHP/5.6.32
Last-Modified: Mon, 19 Nov 2018 15:48:21 GMT
ETag: "19-57b067249cc7e"
Accept-Ranges: bytes
Content-Length: 25
Content-Type: application/x-httpd-php
<?php
echo "111.com"; (once PHP parsing is disabled the file is no longer parsed, so its source code is returned)
?>
When testing in a browser, 111.com/index.php works normally,
while 111.com/upload/index.php cannot be opened; the browser prompts to save the file instead.
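The two curl responses above are the check that matters after this change: with php_admin_flag engine off the server still answers 200 but returns the script as application/x-httpd-php, i.e. the source is disclosed rather than executed, whereas the commented-out FilesMatch block would answer 403. For an upload directory, not executing is the requirement; returning the source is acceptable for untrusted uploads but not for a directory that holds real application code. The following classifier is an added example, not part of the original notes; the three responses are constructed copies of the output shown above (the 403 one is what the FilesMatch variant would produce), shortened to the headers that matter.

```python
"""Classify how Apache answered a request for a .php file.

Added example; the sample responses are constructed copies of the curl
output in the notes, trimmed to the relevant headers.
"""

# Constructed sample: before "php_admin_flag engine off" (PHP was executed).
EXECUTED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.35 (Unix) PHP/5.6.32\r\n"
    "X-Powered-By: PHP/5.6.32\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "111.com"
)

# Constructed sample: after engine off (the source file is served verbatim).
SOURCE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.35 (Unix) PHP/5.6.32\r\n"
    "Content-Type: application/x-httpd-php\r\n"
    "\r\n"
    "<?php\necho \"111.com\";\n?>\n"
)

# Constructed sample: what the commented-out FilesMatch/Deny block returns.
DENIED = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache/2.4.35 (Unix) PHP/5.6.32\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>403 Forbidden</title></head></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_php_response(raw):
    """Return 'blocked', 'source_disclosed' or 'executed'.

    Source disclosure is recognised either by the Content-Type Apache uses
    for an unparsed .php file or by a body that begins with the PHP open tag.
    """
    status, headers, body = parse_response(raw)
    if status in (403, 404):
        return "blocked"
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-httpd-php") or body.lstrip().startswith("<?php"):
        return "source_disclosed"
    return "executed"


def upload_dir_is_safe(raw):
    """An upload directory must never execute PHP; 403 or raw source both pass."""
    return classify_php_response(raw) != "executed"
```

Run the real check by feeding the output of `curl -i` for a .php file under the upload directory into classify_php_response; an "executed" result after apachectl graceful means the Directory block did not take effect (wrong path, or the vhost file not included).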
Access control by user_agent
[root@HANLIN ~]#vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.example.com xy.com
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR] (match the request's user_agent; if it is curl or Baidu, respond with 403 directly)
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F] (when a condition matches, respond with 403)
</IfModule>
</VirtualHost>
Test
[root@HANLIN wwwroot]#!curl (before the new config is loaded, access works normally)
curl -x192.168.0.106:80 111.com
111.com[root@HANLIN wwwroot]# ^C
[root@HANLIN wwwroot]# !vim
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
[root@HANLIN wwwroot]#/usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@HANLIN wwwroot]# /usr/local/apache2.4/bin/apachectl -t^C
[root@HANLIN wwwroot]#/usr/local/apache2.4/bin/apachectl graceful
[root@HANLIN wwwroot]#!curl
curl -x192.168.0.106:80 111.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title> (after the user_agent config is loaded, anything identifying itself as curl is forbidden)
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
</body></html>
[root@HANLIN wwwroot]# curl -A "aming" -x192.168.0.106:80 111.com (-A sets the user agent; once it is set the user agent is no longer the default curl string, so the request is allowed; -e sets the referer)
111.com[root@HANLIN wwwroot]#
192.168.0.106 - - [21/Nov/2018:01:27:31 +0800] "GET HTTP://111.com/ HTTP/1.1" 403 209 "-" "curl/7.29.0"
192.168.0.106 - - [21/Nov/2018:01:30:55 +0800] "GET HTTP://111.com/ HTTP/1.1" 403 209 "-" "curl/7.29.0"
192.168.0.106 - - [21/Nov/2018:01:31:08 +0800] "GET HTTP://111.com/ HTTP/1.1" 200 7 "-" "aming" (the last quoted field is the user agent recorded in the access log)
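The access log is the place to confirm the rewrite rule behaves as intended: every request whose user agent matches one of the RewriteCond patterns should be logged as 403, and nothing else should. The script below is an added example, not part of the original notes. It re-implements the two conditions exactly as written (the unescaped dot in baidu.com matches any character, and [NC] becomes a case-insensitive match), parses combined-format log lines, and reports where the rule and the recorded status disagree. The sample lines are constructed: the three from the excerpt above plus one Baiduspider line to exercise the second condition.

```python
"""Replay the user_agent rewrite rule over Apache access-log lines.

Added example. The patterns mirror the RewriteCond lines in the vhost
config; the log lines are constructed samples.
"""
import re

# Same regexes as the RewriteCond lines; [NC] -> re.IGNORECASE. The two
# conditions are joined with [OR], so a single match is enough to block.
BLOCKED_UA_PATTERNS = [
    re.compile(r".*curl.*", re.IGNORECASE),
    re.compile(r".*baidu.com.*", re.IGNORECASE),
]

# Apache combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (three from the notes, one added Baiduspider hit).
SAMPLE_LOG = """\
192.168.0.106 - - [21/Nov/2018:01:27:31 +0800] "GET HTTP://111.com/ HTTP/1.1" 403 209 "-" "curl/7.29.0"
192.168.0.106 - - [21/Nov/2018:01:30:55 +0800] "GET HTTP://111.com/ HTTP/1.1" 403 209 "-" "curl/7.29.0"
192.168.0.106 - - [21/Nov/2018:01:31:08 +0800] "GET HTTP://111.com/ HTTP/1.1" 200 7 "-" "aming"
192.168.0.106 - - [21/Nov/2018:01:32:40 +0800] "GET HTTP://111.com/ HTTP/1.1" 403 209 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
"""


def rule_blocks(user_agent):
    """True if the vhost's RewriteCond/RewriteRule pair would return 403."""
    return any(p.search(user_agent) for p in BLOCKED_UA_PATTERNS)


def parse_log(text):
    """Return a list of {'ua': ..., 'status': ...} dicts for parsable lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({"ua": m["ua"], "status": int(m["status"])})
    return entries


def audit(text):
    """Compare what the rule should do with what the log recorded.

    Returns (blocked, allowed, mismatches): counts of requests the rule
    blocks/allows, and the user agents whose logged status contradicts it.
    """
    blocked = allowed = 0
    mismatches = []
    for entry in parse_log(text):
        expected_block = rule_blocks(entry["ua"])
        logged_block = entry["status"] == 403
        if expected_block:
            blocked += 1
        else:
            allowed += 1
        if expected_block != logged_block:
            mismatches.append(entry["ua"])
    return blocked, allowed, mismatches
```

Because the user agent is chosen by the client (the -A example above shows how easily it changes), this rule only keeps out tools that announce themselves; treat the audit as a check that the configuration works, not as evidence that unwanted traffic is gone.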
PHP-related configuration
[root@HANLIN 111.com]#vim index.php
<?php
phpinfo();
?>
[root@HANLIN 111.com]#cp /usr/local/src/php-5.6.32/php.ini-development /usr/local/php/etc/php.ini (copy the config file from the source package into the PHP install directory, i.e. the Loaded Configuration File path reported by phpinfo; this is where PHP reads its config file from)
phpinfo output:
PHP Version | 5.6.32
System | Linux HANLIN.16 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64
Build Date | Oct 23 2018 03:02:10
Configure Command | './configure' '--prefix=/usr/local/php' '--with-apxs2=/usr/local/apache2.4/bin/apxs' '--with-config-file-path=/usr/local/php/etc' '--with-mysql=/usr/local/mysql' '--with-pdo-mysql=/usr/local/mysql' '--with-mysqli=/usr/local/mysql/bin/mysql_config' '--with-libxml-dir' '--with-gd' '--with-jpeg-dir' '--with-png-dir' '--with-freetype-dir' '--with-iconv-dir' '--with-zlib-dir' '--with-bz2' '--with-openssl' '--with-mcrypt' '--enable-soap' '--enable-gd-native-ttf' '--enable-mbstring' '--enable-sockets' '--enable-exif'
Server API | Apache 2.0 Handler
Virtual Directory Support | enabled
Configuration File (php.ini) Path | /usr/local/php/etc
Loaded Configuration File | /usr/local/php/etc/php.ini
Scan this dir for additional .ini files | (none)
Additional .ini files parsed | (none)
PHP API | 20131106
PHP Extension | 20131226
Zend Extension | 220131226
Zend Extension Build | API220131226,TS
PHP Extension Build | API20131226,TS
Debug Build | no
Thread Safety | enabled
Zend Signal Handling | disabled
Zend Memory Manager | enabled
Zend Multibyte Support | provided by mbstring
IPv6 Support | enabled
DTrace Support | disabled
Registered PHP Streams | https, ftps, compress.zlib, compress.bzip2, php, file, glob, data, http, ftp, phar
Registered Stream Socket Transports | tcp, udp, unix, udg, ssl, sslv3, tls, tlsv1.0, tlsv1.1, tlsv1.2
Registered Stream Filters | zlib.*, bzip2.*, convert.iconv.*, mcrypt.*, mdecrypt.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk
[root@HANLIN 111.com]# vim /usr/local/php/etc/php.ini (edit the PHP config file)
disable_functions=eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,stream_socket_server,proc_open,proc_close,phpinfo (disable some of the dangerous PHP functions)
[root@HANLIN 111.com]#/usr/local/apache2.4/bin/apachectl graceful
Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2 (phpinfo is now disabled)
[root@HANLIN 111.com]# vim /usr/local/php/etc/php.ini
[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = Asia/Shanghai (a leading semicolon makes the line a comment, so it must be removed; leaving the timezone unset may produce error messages)
[root@HANLIN 111.com]# vim /usr/local/php/etc/php.ini
display_errors = on (on means error messages are shown directly in the browser)
Test
[root@HANLIN 111.com]# curl -A "a" -x127.0.0.1:80 http://111.com/index.php -I (-A is needed because of the user_agent rule added earlier; display_errors is still on at this point)
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 18:24:00 GMT
Server: Apache/2.4.35 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Content-Type: text/html; charset=UTF-8
With display_errors turned off:
[root@HANLIN 111.com]#curl -A "a" -x127.0.0.1:80 http://111.com/index.php (nothing is displayed at all, so now the error log needs to be enabled and configured)
[root@HANLIN 111.com]#
Enable and configure the error log
[root@HANLIN 111.com]# vim /usr/local/php/etc/php.ini
log_errors = On
error_log = /tmp/php_errors.log
The error_reporting level also needs to be defined:
; Common Values:
; E_ALL (Show all errors, warnings and notices including coding standards.)
; E_ALL & ~E_NOTICE (Show all errors, except for notices)
; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.)
; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
; Development Value: E_ALL
; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; http://php.net/error-reporting
error_reporting = E_ALL & ~E_NOTICE (this level is typically used in production: everything except notices is written to the log)
[root@HANLIN 111.com]#curl -A "a" -x127.0.0.1:80 http://111.com/index.php
[root@HANLIN 111.com]# cat /tmp/php_errors.log (errors are no longer displayed; they are written to the path we configured)
[21-Nov-2018 02:40:16 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[root@HANLIN 111.com]# ls -l !$
ls -l /tmp/php_errors.log
-rw-r--r--. 1 daemon daemon 145 11月 21 02:40 /tmp/php_errors.log (the owner is the user Apache runs as)
[root@HANLIN 111.com]#
open_basedir = /data/wwwroot/111.com:/tmp
[root@HANLIN 111.com]#vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/" (set in the virtual host config, this restricts the accessible directories per virtual host; the main purpose is to keep one compromised site from dragging the others down with it)
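The php.ini changes above (disable_functions, display_errors, log_errors, error_log, date.timezone) and the per-vhost open_basedir are the settings worth re-checking after every deployment, since a fresh php.ini-development copy resets them. The script below is an added example, not part of the original notes: a small php.ini reader plus an audit that reports the findings a reviewer would raise, and a scan of httpd-vhosts.conf for VirtualHost blocks that set no open_basedir. The php.ini and vhost fragments are constructed samples modelled on the notes; display_errors is deliberately left On in the sample, and a second vhost (abc.com) is made up so the scan has something to flag. One caveat the notes do not mention: disable_functions only affects internal functions, and eval is a language construct rather than a function, so listing it there has no effect.

```python
"""Audit php.ini hardening settings and per-vhost open_basedir.

Added example; both configuration fragments are constructed samples.
"""
import re

# Constructed php.ini fragment: the settings from the notes, with
# display_errors left On so the audit has something to report.
PHP_INI = """\
[PHP]
; lines starting with a semicolon are comments
disable_functions=eval,assert,popen,passthru,exec,system,shell_exec,proc_open,phpinfo
display_errors = On
log_errors = On
error_log = /tmp/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
[Date]
;date.timezone =
date.timezone = Asia/Shanghai
"""

# Constructed vhost fragment: 111.com as in the notes, abc.com made up and
# missing its open_basedir restriction.
VHOSTS = """\
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/abc.com"
    ServerName abc.com
</VirtualHost>
"""

# Functions that must appear in disable_functions (eval is omitted on
# purpose: it is a language construct and cannot be disabled this way).
REQUIRED_DISABLED = {"exec", "system", "shell_exec", "passthru", "popen", "proc_open", "phpinfo"}


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines; ';' comments and [sections] skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def is_on(value):
    return value.strip().lower() in ("on", "1", "true")


def audit_php_ini(text):
    """Return a list of findings; an empty list means all checks passed."""
    s = parse_ini(text)
    findings = []
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if is_on(s.get("display_errors", "")):
        findings.append("display_errors is On: error text is sent to the client")
    if not is_on(s.get("log_errors", "")):
        findings.append("log_errors is not On")
    elif not s.get("error_log"):
        findings.append("log_errors is On but error_log is unset")
    if not s.get("date.timezone"):
        findings.append("date.timezone is unset")
    return findings


def vhosts_without_open_basedir(text):
    """Return the ServerName of every <VirtualHost> block that sets no open_basedir."""
    names = []
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M)
        if "open_basedir" not in block and name:
            names.append(name.group(1))
    return names
```

Point the two functions at the real /usr/local/php/etc/php.ini and httpd-vhosts.conf to use them as a pre-reload check; a vhost reported by vhosts_without_open_basedir can still read every other site's files under /data/wwwroot, which is exactly what the per-vhost php_admin_value is meant to prevent.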