LAMP environment setup and configuration (2)
Configuring hotlink protection
Hotlink protection, put simply, means stopping other sites from using the resources on your website; these resources are usually images, videos, music, documents and the like.
It also guards against someone abusing the site's file-upload feature to place static media files on our site and then linking to those files from their own site: whenever their visitors open the files, the requests land on our server and our bandwidth usage grows abnormally. To prevent this, we implement hotlink protection with Apache's access control.
Edit the virtual host configuration file:
# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    ServerAdmin lzx@123.com
    DocumentRoot "/data/wwwroot/123.com"
    ServerName 123.com
    ServerAlias www.123.com
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/123.com-access_%Y%m%d.log 86400" combined
    <Directory /data/wwwroot/123.com>
        # referer whitelist
        SetEnvIfNoCase Referer "http://www.123.com" local_ref
        SetEnvIfNoCase Referer "http://123.com" local_ref
        # an empty referer is also allowed
        SetEnvIfNoCase Referer "^$" local_ref
        # file types to protect
        <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">
            # evaluation order: Allow first, then Deny
            Order Allow,Deny
            # only requests whose referer is on the whitelist may read these files in the 123.com directory
            Allow from env=local_ref
        </FilesMatch>
    </Directory>
</VirtualHost>
// First we define the referers that are allowed to access the links; ^$ is the empty referer:
// when the image URL is typed directly into the browser, its referer is empty.
# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
# /usr/local/apache2.4/bin/apachectl graceful
Verifying the configuration
# curl -e "http://www.douxue.com/123.php" -x localhost:80 www.111.com/image/linux.jpg -I
The status code is 403; the -e option sets the referer, i.e. where the request claims to come from.
# curl -e "http://www.111.com/123.php" -x localhost:80 www.111.com/image/linux.jpg -I
Access from a whitelisted page: the status code is 200.
# curl -x localhost:80 www.111.com/image/linux.jpg -I
An empty referer is also treated as whitelisted: the status code is 200.
Verification successful.
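To see exactly which Referer values the three SetEnvIfNoCase lines accept, here is a small Python emulation of the whitelist decision. It is an example added to this page, not code from the tutorial. It uses the same regular expressions as the vhost above and, as SetEnvIf does, matches them case-insensitively anywhere in the header value. The ANCHORED_PATTERNS set and the host name 123.com.example are my own additions, included to show why the unanchored patterns also accept any referer that merely contains the whitelisted host.

```python
import re

# Patterns copied from the SetEnvIfNoCase lines of the vhost above. SetEnvIf applies
# the regex anywhere in the header value, so these are effectively substring matches.
WHITELIST_PATTERNS = [
    r"http://www.123.com",
    r"http://123.com",
    r"^$",  # empty Referer: the image URL was typed into the browser directly
]

# Hardened variant (my own suggestion, not from the tutorial): anchor the scheme and
# host so that only 123.com and www.123.com qualify, not a host that contains them.
ANCHORED_PATTERNS = [
    r"^https?://(www\.)?123\.com(/|$)",
    r"^$",
]

# The FilesMatch pattern from the vhost. FilesMatch is case-sensitive and is applied
# to the file name only, not to the whole URL path.
PROTECTED = re.compile(r"\.(txt|doc|mp3|zip|rar|jpg|gif)")


def is_local_ref(referer, patterns=WHITELIST_PATTERNS):
    """Emulates the local_ref environment variable: set if any pattern matches."""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)


def decide(path, referer, patterns=WHITELIST_PATTERNS):
    """HTTP status the <FilesMatch> block yields for a request.

    'Order Allow,Deny' with only 'Allow from env=local_ref' means a request is
    served only when local_ref is set; every other request is refused with 403.
    """
    filename = path.rsplit("/", 1)[-1]
    if not PROTECTED.search(filename):
        return 200  # not a protected type; the FilesMatch block does not apply
    return 200 if is_local_ref(referer, patterns) else 403


if __name__ == "__main__":
    for ref in ["http://www.douxue.com/123.php", "http://www.123.com/page", "",
                "http://www.123.com.example/page"]:
        print(f"{ref!r:40} tutorial: {decide('/image/linux.jpg', ref)}  "
              f"anchored: {decide('/image/linux.jpg', ref, ANCHORED_PATTERNS)}")
```

The last referer in the demo, http://www.123.com.example/page, is accepted by the tutorial's patterns and refused by the anchored ones; that is the difference anchoring makes.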
Access control - Directory / FilesMatch
(1) Introduction
Access control restricts access to a whitelist of IP addresses, and can be applied to directories or to individual files.
(2) Directory configuration
First, let's look at how to restrict access by IP. Edit the configuration file:
# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <Directory /usr/local/apache2.4/docs/www.111.com/admin>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Directory>
    ErrorLog "logs/111.com-error_log"
    CustomLog "logs/111.com-access_log" combined
</VirtualHost>
// Directory names the directory whose access is restricted; Order defines the order in which Deny and Allow are evaluated.
Verification:
# mkdir /usr/local/apache2.4/docs/www.111.com/admin/
// create the admin directory to simulate a site back end
# vi /usr/local/apache2.4/docs/www.111.com/admin/123.php
<?php
echo "Hello World!";
?>
Verify the configuration:
# /usr/local/apache2.4/bin/apachectl -t
# /usr/local/apache2.4/bin/apachectl graceful
# curl -x 127.0.0.1:80 www.111.com/admin/123.php -I
Status code 200: access works normally.
# curl -x 192.168.63.130:80 www.111.com/admin/123.php -I
Status code 403: access denied.
File-level configuration
Edit the configuration file:
# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <Directory /usr/local/apache2.4/docs/www.111.com/>
        <FilesMatch "admin.php(.*)">
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </FilesMatch>
    </Directory>
    ErrorLog "logs/111.com-error_log"
    CustomLog "logs/111.com-access_log" combined
</VirtualHost>
The verification process is as follows:
# cd /usr/local/apache2.4/docs/www.111.com/
# vim admin.php
<?php
echo "This is admin.php";
?>
# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
# /usr/local/apache2.4/bin/apachectl graceful
Verifying the configuration
# curl -x 192.168.63.130:80 www.111.com/admin.php -I
Status code 403: denied.
# curl -x 127.0.0.1:80 www.111.com/admin.php -I
Status code 200: access works normally.
Verification successful.
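The Order/Deny/Allow directives used in both blocks above are the Apache 2.2 syntax, which Apache 2.4 still accepts when mod_access_compat is loaded (the native 2.4 form would be Require ip 127.0.0.1 plus Require all denied). Because the meaning of Order deny,allow versus Order allow,deny is a frequent source of mistakes, here is a Python emulation of how the two orders combine Allow and Deny rules. It is an example added here, not code from the tutorial; it only models the 'all', single-address and address/prefix forms of the directives, not host names or partial dotted addresses.

```python
import ipaddress


def _host_matches(spec, client_ip):
    """One argument of 'Allow from' / 'Deny from'. This emulation understands 'all',
    a single IP address and an address/prefix block (my simplification; Apache also
    accepts host names and partial dotted addresses)."""
    if spec == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)


def access_decision(order, allow, deny, client_ip):
    """Emulate mod_access_compat's Order/Allow/Deny evaluation.

    order == "deny,allow": Deny rules are checked first, then Allow rules; a matching
        Allow overrides a matching Deny, and a request matching neither is permitted.
    order == "allow,deny": at least one Allow must match, and then no Deny may match;
        a request matching neither is refused.
    """
    allowed = any(_host_matches(s, client_ip) for s in allow)
    denied = any(_host_matches(s, client_ip) for s in deny)
    if order.lower() == "deny,allow":
        return 403 if (denied and not allowed) else 200
    if order.lower() == "allow,deny":
        return 200 if (allowed and not denied) else 403
    raise ValueError("Order must be 'deny,allow' or 'allow,deny'")


# The <Directory .../admin> block from the vhost above.
ADMIN_BLOCK = dict(order="deny,allow", allow=["127.0.0.1"], deny=["all"])


def admin_status(client_ip):
    """Status the admin directory returns for a given client address."""
    return access_decision(client_ip=client_ip, **ADMIN_BLOCK)


if __name__ == "__main__":
    for ip in ["127.0.0.1", "192.168.63.130"]:
        print(ip, "->", admin_status(ip))
    # The mistake to avoid: with allow,deny a 'Deny from all' overrides every Allow.
    print("allow,deny + Deny from all, client 127.0.0.1 ->",
          access_decision("allow,deny", ["127.0.0.1"], ["all"], "127.0.0.1"))
```

The second demo line is the point of the exercise: under Order allow,deny a Deny from all wins even for 127.0.0.1, so a whitelist must use Order deny,allow as the tutorial does; Order allow,deny with Deny from all is the right choice only when, as in the upload directory later on this page, nobody at all should get through.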
Access control - disabling PHP parsing
Introduction
On a website written in PHP, some directories need to accept file uploads. If the site's code has a vulnerability that lets an attacker upload a web shell written in PHP, the site will execute that PHP program and the attacker ends up with control of the server.
To prevent this, we disable PHP parsing outright in every directory that accepts uploads.
Configuration
The configuration is as follows:
# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <Directory /usr/local/apache2.4/docs/www.111.com/upload>
        php_admin_flag engine off
    </Directory>
    ErrorLog "logs/111.com-error_log"
    CustomLog "logs/111.com-access_log" combined
</VirtualHost>
# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
# /usr/local/apache2.4/bin/apachectl graceful
# cd /usr/local/apache2.4/docs/www.111.com/
# mkdir upload
# vim upload/123.php
<?php
echo "www.111.com/123.php";
?>
Verifying the configuration
# curl -x 127.0.0.1:80 www.111.com/upload/123.php
<?php
echo "www.111.com/123.php";
?>
Access is still allowed: PHP is no longer executed, so the file's source code is returned as plain text. To refuse access to these files altogether, add a FilesMatch block to the Directory section:
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <Directory /usr/local/apache2.4/docs/www.111.com/upload>
        php_admin_flag engine off
        <FilesMatch "(.*)\.php(.*)">
            Order allow,deny
            Deny from all
        </FilesMatch>
    </Directory>
    ErrorLog "logs/111.com-error_log"
    CustomLog "logs/111.com-access_log" combined
</VirtualHost>
Verification successful.
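Whether the two-step hardening above is actually in effect shows up in the access log: a request for a PHP-looking file under /upload/ that returns 200 means only engine off is active (the source is being served as text) or neither control is, while 403 is the expected outcome. The following Python script, an example added here rather than code from the tutorial, parses lines in the combined log format written by the CustomLog directives on this page and sorts such requests by outcome. The log lines are constructed for the example and do not come from a real server; the path prefix /upload/ is assumed to be the upload directory as on this page.

```python
import re

# Apache "combined" log format, which the CustomLog lines in this tutorial use.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines for this example, not taken from a real server.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2017:10:00:01 +0800] "GET /upload/123.php HTTP/1.1" 200 43 "-" "curl/7.29.0"
127.0.0.1 - - [10/Oct/2017:10:05:12 +0800] "GET /upload/123.php HTTP/1.1" 403 199 "-" "curl/7.29.0"
192.168.63.130 - - [10/Oct/2017:10:06:30 +0800] "HEAD /admin/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.63.130 - - [10/Oct/2017:10:07:02 +0800] "GET /upload/avatar.php.txt?x=1 HTTP/1.1" 200 512 "http://www.111.com/" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2017:10:08:00 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Same idea as the FilesMatch pattern "(.*)\.php(.*)": anything with ".php" in the
# name, so double extensions such as avatar.php.txt are caught too.
PHP_NAME = re.compile(r"\.php")


def parse_log(text):
    """Parse combined-format lines; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def audit_upload_php(entries, upload_prefix="/upload/"):
    """Split requests for PHP-looking files under the upload directory by outcome.

    'served' holds 200 responses (the file was delivered, whether executed or as
    text), which means the FilesMatch deny is missing or not in effect;
    'blocked' holds the expected 403s.
    """
    served, blocked = [], []
    for e in entries:
        path = e["path"].split("?", 1)[0]  # ignore the query string
        if not (path.startswith(upload_prefix) and PHP_NAME.search(path)):
            continue
        record = (e["ip"], path, e["status"])
        (served if e["status"] == "200" else blocked).append(record)
    return {"served": served, "blocked": blocked}


if __name__ == "__main__":
    result = audit_upload_php(parse_log(SAMPLE_LOG))
    for kind, hits in result.items():
        print(kind)
        for ip, path, status in hits:
            print(f"  {ip:16} {status} {path}")
```

Run against a live log with parse_log(open("/usr/local/apache2.4/logs/111.com-access_log").read()); on a correctly hardened server the served list should stay empty.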
Access control - user_agent
Introduction
user_agent refers to the information the user's browser sends about itself, for example whether you are using IE or Firefox. Some sites use it to decide which version of the site to serve: a phone gets the WAP version and anything else gets the regular PC page.
Configuration
# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
        RewriteRule .* - [F]
    </IfModule>
    ErrorLog "logs/111.com-error_log"
    CustomLog "logs/www.111.com-access_log" combined
</VirtualHost>
// %{HTTP_USER_AGENT} is the built-in variable holding the user agent; NC means "no case" (case-insensitive), OR means "or", and [F] means Forbidden.
Verification:
# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
# /usr/local/apache2.4/bin/apachectl graceful
Verifying the configuration
# curl -x 127.0.0.1:80 www.111.com/upload/123.php
Verification successful.
Open a browser and visit www.111.com/upload/123.php.
Reverse test
Modify the configuration file:
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
Change curl to Mozilla (the browser client):
RewriteCond %{HTTP_USER_AGENT} .*Mozilla.* [NC,OR]
# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
# /usr/local/apache2.4/bin/apachectl graceful
# curl -x 127.0.0.1:80 www.111.com/upload/123.php
Specifying the client
Modify the configuration file, changing it back to curl:
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
# /usr/local/apache2.4/bin/apachectl graceful
# curl -A Mozilla -x 127.0.0.1:80 www.111.com/upload/123.php
The -A option sets the client's user-agent header, i.e. User-Agent.
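The two RewriteCond lines are combined by mod_rewrite's flag semantics: consecutive conditions are ANDed, and [OR] joins a condition to the one after it, so the block above reads "agent contains curl OR agent contains baidu.com", case-insensitively because of [NC]. The Python below, an example added here and not code from the tutorial, emulates that combining logic for any list of conditions and applies it to the page's rule. As the tutorial's own curl -A test shows, the User-Agent is chosen by the client, so this kind of rule keeps out unmodified tools and crawlers but is not an access control in the sense of the IP whitelist above.

```python
import re


def rewrite_conds_match(conds, env):
    """Evaluate a list of RewriteCond lines the way mod_rewrite combines them.

    conds: [(variable, pattern, flags), ...] in configuration order.
    Consecutive conditions are ANDed; a condition carrying [OR] is ORed with the
    next one, so runs of [OR] form groups whose results are then ANDed together.
    [NC] makes that single condition case-insensitive. Patterns are searched,
    not anchored, exactly as RewriteCond does.
    """
    groups, chain = [], []
    for variable, pattern, flags in conds:
        flagset = {f.strip().upper() for f in flags}
        re_flags = re.IGNORECASE if "NC" in flagset else 0
        chain.append(re.search(pattern, env.get(variable, ""), re_flags) is not None)
        if "OR" not in flagset:      # end of an OR chain (or a lone condition)
            groups.append(any(chain))
            chain = []
    if chain:                         # a trailing [OR] on the last line still closes the chain
        groups.append(any(chain))
    return all(groups)


# The two RewriteCond lines from the vhost above; "RewriteRule .* - [F]" turns a
# match into a 403.
UA_BLOCK = [
    ("HTTP_USER_AGENT", r".*curl.*", ["NC", "OR"]),
    ("HTTP_USER_AGENT", r".*baidu.com.*", ["NC"]),
]


def status_for_agent(user_agent, conds=UA_BLOCK):
    """403 when the conditions match (the [F] rule fires), otherwise 200."""
    return 403 if rewrite_conds_match(conds, {"HTTP_USER_AGENT": user_agent}) else 200


if __name__ == "__main__":
    for ua in ["curl/7.29.0", "CURL", "Mozilla/5.0 (X11; Linux x86_64)",
               "Baiduspider (+http://www.baidu.com/)", ""]:
        print(f"{ua!r:45} -> {status_for_agent(ua)}")
```

The grouping matters once a third condition is added: "A [OR]", "B", "C" means (A or B) and C, whereas "A", "B [OR]", "C" means A and (B or C); the function handles both.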
PHP configuration
Basic PHP configuration
Check the location of the PHP configuration file:
# /usr/local/php/bin/php -i | grep -i "loaded configuration file"
# cp /usr/local/src/php-5.6.30/php.ini-production /usr/local/php/etc/php.ini
# /usr/local/php/bin/php -i | grep -i "loaded configuration file"
# cd /usr/local/apache2.4/docs/www.111.com
# vim 123.php
<?php
phpinfo();
?>
# vim /usr/local/php/etc/php.ini
Search for disable_functions and edit it as follows:
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close
disable_functions disables the listed functions.
Define date.timezone to reduce warnings:
# vim /usr/local/php/etc/php.ini
Find date.timezone and set it as follows:
date.timezone = Asia/Shanghai
Logging-related configuration
For example, add phpinfo to disable_functions to disable the phpinfo function:
# vim /usr/local/php/etc/php.ini
disable_functions = phpinfo,eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close
Visiting www.111.com/123.php in a browser now shows a blank page.
Configure error_log:
# vim /usr/local/php/etc/php.ini
// record error logs: search for log_errors and change it to
log_errors = On
// location of the error log: search for error_log and change it to
error_log = /tmp/php_errors.log
# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
# /usr/local/apache2.4/bin/apachectl graceful
After editing php.ini, watch the log:
# tail -f /tmp/php_errors.log
Configuring open_basedir
open_basedir confines the site's PHP to the specified directories, isolating one site's directories from another's.
First set open_basedir in php.ini:
# vim /usr/local/php/etc/php.ini
// search for open_basedir and change it to
open_basedir = /usr/local/apache2.4/docs/www.111.com/admin:/tmp
PHP is now restricted to the two directories /tmp and /usr/local/apache2.4/docs/www.111.com/admin; demonstrate as follows:
# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
# /usr/local/apache2.4/bin/apachectl graceful
Open a browser and visit http://www.111.com/admin/123.php and then http://www.111.com/upload/123.php.
Configuring open_basedir per virtual host
Comment out open_basedir in /usr/local/php/etc/php.ini and set open_basedir in the virtual host configuration instead:
# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
    ServerName www.111.com
    ServerAlias 111.com
    php_admin_value open_basedir "/usr/local/apache2.4/docs/www.111.com/admin/:/tmp/"
    ErrorLog "logs/111.com-error_log"
    CustomLog "logs/www.111.com-access_log" combined
</VirtualHost>
// php_admin_value is the directive that takes effect here
Reload the configuration:
# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
# /usr/local/apache2.4/bin/apachectl graceful
# curl -x 127.0.0.1:80 www.111.com/admin/123.php
Hello World!
# curl -x 127.0.0.1:80 www.111.com/upload/123.php -I
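The php.ini settings from this section (disable_functions, log_errors, error_log, date.timezone and open_basedir) are easy to get subtly wrong, for instance an open_basedir entry written as tmp/ instead of /tmp/. The script below, an example added here and not code from the tutorial, parses php.ini text with a minimal reader and reports which of these settings are missing or weak. The required set of disabled functions is my own minimum, chosen because each of those functions starts a process or loads code; the two ini texts are constructed for the example.

```python
# Functions that hand PHP a shell, a child process or a loadable module; a php.ini for a
# site that accepts uploads should list at least these in disable_functions. This is my
# own minimum set, not the tutorial's full list. Note that eval is a language construct,
# not a function, so listing it in disable_functions has no effect.
REQUIRED_DISABLED = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open", "dl"}


def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] ignored,
    later assignments override earlier ones. Values containing ';' are not supported."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of findings for the settings this page configures."""
    s = parse_php_ini(text)
    findings = []

    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))

    if s.get("log_errors", "").lower() not in ("on", "1", "true"):
        findings.append("log_errors is not On")
    if not s.get("error_log"):
        findings.append("error_log is not set")
    if not s.get("date.timezone"):
        findings.append("date.timezone is not set")

    basedir = s.get("open_basedir", "")
    if not basedir:
        findings.append("open_basedir is not set")
    else:
        for entry in basedir.split(":"):   # ':' separates entries on Linux
            if not entry.startswith("/"):
                findings.append(f"open_basedir entry is not an absolute path: {entry!r}")
    return findings


# Constructed sample: the settings from this section, done right.
HARDENED_INI = """\
[PHP]
disable_functions = phpinfo,passthru,exec,system,chroot,shell_exec,popen,proc_open,proc_close,dl
log_errors = On
error_log = /tmp/php_errors.log
date.timezone = Asia/Shanghai
open_basedir = /usr/local/apache2.4/docs/www.111.com/admin:/tmp
"""

# Constructed sample with the typical mistakes: nothing disabled, logging off,
# error_log commented out, timezone missing and a relative open_basedir entry.
WEAK_INI = """\
[PHP]
disable_functions =
log_errors = Off
;error_log = /tmp/php_errors.log
open_basedir = /usr/local/apache2.4/docs/www.111.com/admin/:tmp/
"""

if __name__ == "__main__":
    for name, text in [("hardened", HARDENED_INI), ("weak", WEAK_INI)]:
        print(name, "->", audit_php_ini(text) or "no findings")
```

To audit the real file, call audit_php_ini(open("/usr/local/php/etc/php.ini").read()); note that a per-vhost php_admin_value overrides the php.ini value at run time, so the vhost file needs its own check.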
Installing PHP extension modules
# /usr/local/php/bin/php -m
// how to see which modules PHP has loaded
# cd /usr/local/src
# wget http://pecl.php.net/get/redis-2.2.5.tgz
// install a new redis extension
# tar -zxvf redis-2.2.5.tgz
# mv redis-2.2.5 phpredis-develop
# cd phpredis-develop
# yum install -y autoconf
// autoconf has to be installed, otherwise phpize fails with an error
# /usr/local/php/bin/phpize
// this generates the configure script
Configuring for:
PHP Api Version: 20131106
Zend Module Api No: 20131226
Zend Extension Api No: 220131226
# ./configure --with-php-config=/usr/local/php/bin/php-config
# make
# make install
Installing shared extensions: /usr/local/php/lib/php/extensions/no-debug-zts-20131226/
// after make install, the compiled module is placed in this directory
# ls /usr/local/php/lib/php/extensions/no-debug-zts-20~~
// redis.so is there
# vim /usr/local/php/etc/php.ini
// add one line (it can go at the end of the file)
extension = redis.so
# /usr/local/php/bin/php -m | grep redis
// check whether the redis module is loaded
redis