Sensible delegation of privileges is an effective way to improve administrative efficiency. Applying what this lecture covered to configure Apache properly and to grant targeted permissions improves both the manageability and the security of Apache.
11.25 Configuring hotlink protection (Referer whitelist)
Edit the virtual host configuration file:
[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/111.com>
    # Define the Referer whitelist. Each SetEnvIfNoCase pattern is a
    # case-insensitive regex *searched* in the Referer header (it is not
    # anchored, so "http://111.com" also matches a Referer such as
    # http://111.com.example.net/); a match sets the local_ref variable.
    SetEnvIfNoCase Referer "http://111.com" local_ref
    SetEnvIfNoCase Referer "http://aaa.com" local_ref
    # Uncomment to also accept an empty or missing Referer (direct browser
    # access, many proxies and privacy extensions); without it such requests
    # are refused.
    #SetEnvIfNoCase Referer "^$" local_ref
    <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
        # Rule: with "Order Allow,Deny" the default is Deny, so only requests
        # whose Referer set local_ref are allowed; every other request to a
        # matching file gets 403 Forbidden.
        Order Allow,Deny
        Allow from env=local_ref
    </FilesMatch>
</Directory>
:wq to save
Check for syntax errors and reload:
[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 ~]# ls /data/wwwroot/111.com/
123.php index.php photo1.jpg
Now test it by opening photo1.jpg.
As the screenshot above shows, opening photo1.jpg directly in the browser does not work: a direct request carries no Referer, so local_ref is never set and the file is Forbidden.
Next, put the link into a forum post.
Opened from the post it is still Forbidden, because the forum's site is not in the whitelist. To stop it being Forbidden, copy the forum's URL and add it to the whitelist with another SetEnvIfNoCase Referer line.
Note: if "^$" (empty Referer) is not added to the Referer whitelist, direct access to the protected content is refused.
Testing with curl: the -e (--referer) option sets the Referer header, so the whitelist can be exercised without a browser. For example, a whitelisted Referer and a non-whitelisted one (bbb.com is just an arbitrary host not in the list):
[root@cham002 ~]# curl -e "http://111.com/" -x127.0.0.1:80 111.com/photo1.jpg -I
[root@cham002 ~]# curl -e "http://bbb.com/" -x127.0.0.1:80 111.com/photo1.jpg -I
With the configuration above the first request is expected to return 200 OK and the second 403 Forbidden.
11.26 Access control with Directory
Edit the virtual host configuration file:
[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/www.123.com/admin/>
    # Order deny,allow: Deny lines are evaluated first, Allow lines last, and
    # the last match wins, so "Allow from 127.0.0.1" overrides "Deny from all".
    # Any client that matches neither list would be allowed by default.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
# Intended effect: only the IP 127.0.0.1 may access "/data/wwwroot/111.com/admin/".
# (Note that the path written in the block above is www.123.com/admin/, not
# 111.com/admin/; the test below shows the consequence.)
:wq
[root@cham002 ~]# ls /data/wwwroot/
111.com abc.com
[root@cham002 ~]# cd /data/wwwroot/
[root@cham002 wwwroot]# cd 111.com/
[root@cham002 111.com]# ls
123.php index.php photo1.jpg
[root@cham002 111.com]# mkdir admin
[root@cham002 111.com]# ls
123.php admin index.php photo1.jpg
[root@cham002 111.com]# touch admin/index.php
[root@cham002 111.com]# ls admin
index.php
[root@cham002 111.com]# echo "1212121" > admin/index.php
[root@cham002 111.com]# cat !$
cat admin/index.php
1212121
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php
[root@cham002 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php
1212121
[root@cham002 111.com]# curl -x192.168.230.150:80 111.com/admin/index.php
1212121
# The test fails: the remote client 192.168.230.150 still receives the content.
# Checking httpd-vhosts.conf shows why: the <Directory> path was never changed.
# It still points at /data/wwwroot/www.123.com/admin/ instead of the 111.com
# vhost's admin directory, so the rule did not apply to this request.
[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/111.com/admin/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php -I
HTTP/1.1 200 OK
Date: Mon, 25 Dec 2017 12:50:49 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
[root@cham002 111.com]# curl -x192.168.230.136:80 111.com/admin/index.php -I
^C
[root@cham002 111.com]# curl -x192.168.230.150:80 111.com/admin/index.php -I
HTTP/1.1 403 Forbidden
Date: Mon, 25 Dec 2017 12:51:09 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
**Note:** this section sets which IP address may access a given directory.
11.27 Access control with FilesMatch
[root@cham002 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
Use a FilesMatch section instead of a Directory path:
<Directory /data/wwwroot/111.com>
    # FilesMatch is a regex tested against the file name only (the query
    # string is never part of it). As written it is unanchored and the dot is
    # unescaped, so it also matches names such as admin.php.bak or adminXphp;
    # use "^admin\.php$" if only that exact file is meant.
    <FilesMatch admin.php(.*)>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 111.com]# curl -x192.168.230.150:80 http://111.com/admin/adfsfds -I
HTTP/1.1 404 Not Found
Date: Mon, 25 Dec 2017 14:03:52 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@cham002 111.com]# curl -x192.168.230.150:80 'http://111.com/admin.php?adfsfds' -I
HTTP/1.1 403 Forbidden
Date: Mon, 25 Dec 2017 14:04:40 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/admin.php?adfsfds' -I
HTTP/1.1 404 Not Found
Date: Mon, 25 Dec 2017 14:05:04 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
# 404 because the requested file does not exist. From 192.168.230.150 the same URL got 403:
# the access check runs before the file lookup, so a denied client is refused whether or not
# admin.php exists, while the allowed client 127.0.0.1 sees the real 404. The 404 for
# /admin/adfsfds from the remote IP also indicates that the <Directory .../admin/> block
# from 11.26 was replaced by this FilesMatch block rather than kept alongside it.
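The three access-control patterns in 11.25, 11.26 and 11.27 all rest on the same mod_access_compat evaluation: a SetEnvIf regex sets an environment variable, FilesMatch is tested against the file name, and Order/Allow/Deny decide with the last matching directive winning. The Python model below is an added example, not code from this page or from Apache; it re-implements that decision logic (standard library only) so the page's curl results can be reproduced offline and two caveats become visible: the page's unanchored Referer pattern accepts a Referer such as http://111.com.attacker.test/, and the same Deny/Allow pair under Order allow,deny denies everyone including 127.0.0.1. The STRICT_REFERER_PATTERNS list and the attacker.test host name are this example's assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Referer patterns exactly as the page's SetEnvIfNoCase lines use them.
PAGE_REFERER_PATTERNS = [r"http://111.com", r"http://aaa.com"]
# Tightened patterns (this example's suggestion, not from the page): anchored,
# dot escaped, and "^$" so an empty/missing Referer is still accepted.
STRICT_REFERER_PATTERNS = [
    r"^https?://(www\.)?111\.com(/|$)",
    r"^https?://(www\.)?aaa\.com(/|$)",
    r"^$",
]
# The page's <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)"> expression.
HOTLINK_FILES = re.compile(r"\.(txt|doc|mp3|zip|rar|jpg|gif|png)")
# The page's <FilesMatch admin.php(.*)> expression, as written (unanchored,
# unescaped dot: it also matches admin.php.bak or adminXphp).
ADMIN_FILES = re.compile(r"admin.php(.*)")


def referer_sets_local_ref(referer, patterns):
    """SetEnvIfNoCase: a case-insensitive regex *search* in the header value.
    A missing header is matched as the empty string, which is why "^$" works."""
    value = referer or ""
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)


def order_decision(order, allow_hit, deny_hit):
    """mod_access_compat 'Order' semantics.
    deny,allow: Deny lines first, Allow lines last, default Allow.
    allow,deny: Allow lines first, Deny lines last, default Deny.
    The last matching directive wins."""
    if order == "deny,allow":
        return True if allow_hit else (False if deny_hit else True)
    if order == "allow,deny":
        return False if deny_hit else (True if allow_hit else False)
    raise ValueError("unknown Order: %r" % order)


def ip_matches(client_ip, rule):
    """'from all', 'from <ip>' or 'from <cidr>'."""
    if rule == "all":
        return True
    if "/" in rule:
        return ip_address(client_ip) in ip_network(rule, strict=False)
    return ip_address(client_ip) == ip_address(rule)


def hotlink_status(path, referer, patterns=PAGE_REFERER_PATTERNS):
    """Section 11.25: Order Allow,Deny + Allow from env=local_ref inside
    FilesMatch. Files outside the FilesMatch are not subject to the rule."""
    name = path.rsplit("/", 1)[-1]
    if not HOTLINK_FILES.search(name):
        return 200
    allowed = order_decision("allow,deny",
                             referer_sets_local_ref(referer, patterns), False)
    return 200 if allowed else 403


def admin_dir_status(client_ip, order="deny,allow",
                     allows=("127.0.0.1",), denies=("all",)):
    """Section 11.26: <Directory .../admin/> Order deny,allow / Deny from all /
    Allow from 127.0.0.1. The same two lines under Order allow,deny lock
    everyone out, including 127.0.0.1."""
    allow_hit = any(ip_matches(client_ip, r) for r in allows)
    deny_hit = any(ip_matches(client_ip, r) for r in denies)
    return 200 if order_decision(order, allow_hit, deny_hit) else 403


def admin_file_status(path, client_ip, exists):
    """Section 11.27: <FilesMatch admin.php(.*)> with the same Deny/Allow pair.
    FilesMatch sees only the file name (never the query string), and access
    control runs before the file lookup: a denied client gets 403 whether or
    not the file exists, an allowed client gets 404 for a missing file."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if ADMIN_FILES.search(name) and admin_dir_status(client_ip) != 200:
        return 403
    return 200 if exists else 404


if __name__ == "__main__":
    # Constructed requests mirroring the page's curl tests.
    print(hotlink_status("/photo1.jpg", None))                                # 403
    print(hotlink_status("/photo1.jpg", "http://111.com/post/1"))             # 200
    print(hotlink_status("/photo1.jpg", "http://111.com.attacker.test/"))     # 200 (unanchored regex bypassed)
    print(hotlink_status("/photo1.jpg", "http://111.com.attacker.test/",
                         STRICT_REFERER_PATTERNS))                            # 403
    print(admin_dir_status("127.0.0.1"), admin_dir_status("192.168.230.150"))  # 200 403
    print(admin_dir_status("127.0.0.1", order="allow,deny"))                  # 403
    print(admin_file_status("/admin.php?adfsfds", "192.168.230.150", False))  # 403
    print(admin_file_status("/admin.php?adfsfds", "127.0.0.1", False))        # 404
```

The model deliberately keeps the page's own regular expressions as data so the difference between the loose and the anchored Referer patterns is the only thing that changes between the two hotlink results; on a live server the same two cases can be reproduced with curl -e against photo1.jpg.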