1.8.8 配置防盗链
通过限制referer来实现防盗链的功能
配置文件增加如下内容
<Directory /data/wwwroot/111.com>
SetEnvIfNoCase Referer "http://www.111.com" local_ref
SetEnvIfNoCase Referer "http://111.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<filesmatch ".(txt|doc|mp3|zip|rar|jpg|gif)"> //定义规则:
Order Allow,Deny //order定义访问控制
Allow from env=local_ref
</filesmatch>
</Directory>
curl -e "http://www.aminglinux.com/123.html" 自定义referer
这个是我在开源中国定义的referer跳转!
↑抱歉,我发现 回帖加链接不知道为啥浏览器防盗链没有效果了!禁止空白referer访问还是有效果的(待研究)
查看了日志之后,我发现 日志里面并没有记录到referer,用其他回帖网站 也没有看到referer,下次在研究这个咯!
编辑配置:
[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName www.111.com
ServerAlias 111.com
SetEnvIfNoCase Referer "http://www.111.com" local_ref
# SetEnvIfNoCase Referer "www.oschina.net" local_ref
# SetEnvIfNoCase Referer "^$" local_ref
<filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">
Order Allow,Deny
Allow from env=local_ref
</filesmatch>
ErrorLog "logs/111.com-error_log"
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful
测试效果:
[root@Dasoncheng ~]# curl -e "http://www.oschina.net" www.111.com/luds.jpg -I
HTTP/1.1 403 Forbidden ##403遇到的第三个web反馈!
……
[root@Dasoncheng ~]# curl www.111.com/luds.jpg -I
HTTP/1.1 403 Forbidden
……
##以上使用referer和空referer都不能访问,必须是www.111.com为referer才能访问这个.jpg
##为什么使用浏览器 回帖指定offerer都可以
再次编辑并测试!
[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName www.111.com
ServerAlias 111.com
SetEnvIfNoCase Referer "http://www.111.com" local_ref
SetEnvIfNoCase Referer "www.oschina.net" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">
Order Allow,Deny
Allow from env=local_ref
</filesmatch>
ErrorLog "logs/111.com-error_log"
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@Dasoncheng ~]# curl -e "http://www.oschina.net" www.111.com/luds.jpg -I
HTTP/1.1 200 OK
[root@Dasoncheng ~]# curl www.111.com/luds.jpg -I
HTTP/1.1 200 OK
##防盗链访问成功!
1.8.9 访问控制Directory
核心配置文件内容
<Directory /data/wwwroot/111.com/admin/>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
curl测试状态码为403则被限制访问了。
编辑配置:
##首先,上面修改的日志记录 修改后记得还原!(.jpg不记录日志)
[root@Dasoncheng ~]# mkdir -p /data/wwwroot/111.com/admin
[root@Dasoncheng ~]# vim /data/wwwroot/111.com/admin/index.php
[root@Dasoncheng ~]# cat /data/wwwroot/111.com/admin/index.php
<?php
echo "This page is forbidden;\n"
?>
[root@Dasoncheng ~]# curl -x192.168.60.11:80 www.111.com/admin/index.php
This page is forbidden; ##成功访问!
[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName www.111.com
ServerAlias 111.com
<Directory /data/wwwroot/111.com/admin/>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
ErrorLog "logs/111.com-error_log"
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful
测试访问:
[root@Dasoncheng ~]# curl -x192.168.60.11:80 www.111.com/admin/index.php -I
HTTP/1.1 403 Forbidden ##使用192.168.60.11访问失败,127.0.0.1却可以访问;
[root@Dasoncheng ~]# curl -x127.0.0.1:80 www.111.com/admin/index.php -I
HTTP/1.1 200 OK
再次修改测试:
[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName www.111.com
ServerAlias 111.com
<Directory /data/wwwroot/111.com/admin/>
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 192.168.60.0/24
</Directory>
ErrorLog "logs/111.com-error_log"
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@Dasoncheng ~]# curl -x192.168.60.11:80 www.111.com/admin/index.php -I
HTTP/1.1 200 OK ##这里已经可以访问了哦!!
小提示: 关于/etc/hosts和curl命令。
如果访问一个本地域名,如果hosts文件里面没有解析的话 那么我们如何用curl访问呢?
1、直接访问ip:http://192.168.60.12
2、使用curl -x192.168.60.12:80 www.111.com 命令访问(这样就相当于指定了域名的ip,但是ip后面需要接端口号,不然默认访问的是1080端口)
还有:
访问本地站点:
curl -x127.0.0.1:80 那么他就用127.0.0.1这个ip来访问该地址!
curl -x192.168.60.11:80 则默认用192.168.60.11来访问!(前提是访问本地站点)
1.8.10 访问控制FilesMatch
核心配置文件内容
<Directory /data/wwwroot/111.com>
<FilesMatch "admin.php(.*)"> //等一下用正则写看看能不能用!
Order deny,allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>
</Directory>
编辑配置并测试:
[root@Dasoncheng ~]# curl www.111.com/admin.php -I
HTTP/1.1 200 OK
[root@Dasoncheng ~]# curl www.111.com/admin/admin.html -I
HTTP/1.1 200 OK
[root@Dasoncheng ~]# curl www.111.com/index.php -I
HTTP/1.1 200 OK
[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName www.111.com
ServerAlias 111.com
<Directory /data/wwwroot/111.com>
<FilesMatch "admin.*">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>
</Directory>
ErrorLog "logs/111.com-error_log"
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful
##测试↓:
[root@Dasoncheng ~]# curl www.111.com/admin.php -I
HTTP/1.1 403 Forbidden
[root@Dasoncheng ~]# curl www.111.com/admin/admin.html -I
HTTP/1.1 403 Forbidden
[root@Dasoncheng ~]# curl www.111.com/index.php -I
HTTP/1.1 200 OK
##访问文件,并用正则限制成功了哦!
apache日志记录代理IP以及真实客户端IP http://www.lishiming.net/thread-960-1-1.html
apache只记录指定URI的日志 http://www.lishiming.net/thread-981-1-1.html
apache日志记录客户端请求的域名 http://www.lishiming.net/thread-1037-1-1.html
apache 日志切割问题 http://www.lishiming.net/thread-566-1-1.html
几种限制ip的方法 http://www.lishiming.net/thread-6519-1-1.html
apache 自定义header http://www.aminglinux.com/bbs/thread-830-1-1.html
apache的keepalive和keepalivetimeout http://www.aminglinux.com/bbs/thread-556-1-1.html