• LAMP架构二


    安装PHP7

    1.查看php配置文件信息(phpinfo),php有两个配置文件开发环境和生产环境

    [root@localhost php-5.6.30]# /usr/local/php/bin/php -i |less
    

    2.我们将配置文件放到/usr/local/php/etc/php.ini下

    [root@localhost php-5.6.30]# cp php.ini-production /usr/local/php/etc/php.ini
    [root@localhost php-5.6.30]# 
    

    3.安装php7(bz2的压缩包用 tar -jxvf解压)。下面的 wget 走的是明文 http 镜像,解压编译前应先把压缩包的 sha256 与 php.net 官方公布的值核对一遍。

    [root@localhost php-7.1.6]# cd /usr/local/src/^C                             
    [root@localhost php-7.1.6]# wget http://mirrors.sohu.com/php/php-7.1.6.tar.gz^C
    [root@localhost php-7.1.6]# tar -zxvf php-7.1.6.tar.gz ^C
    [root@localhost php-7.1.6]# cd php-7.1.6/^C
    [root@localhost php-7.1.6]# 

    4.php7配置文件

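    # One logical command: every line except the last ends with a backslash so the
    # shell joins the options onto ./configure instead of running each as a command.
    [root@localhost php-7.1.6]# ./configure --prefix=/usr/local/php7 \
    --with-apxs2=/usr/local/apache2.4/bin/apxs \
    --with-config-file-path=/usr/local/php7/etc \
    --with-pdo-mysql=/usr/local/mysql \
    --with-mysqli=/usr/local/mysql/bin/mysql_config \
    --with-libxml-dir \
    --with-gd \
    --with-jpeg-dir \
    --with-png-dir \
    --with-freetype-dir \
    --with-iconv-dir \
    --with-zlib-dir \
    --with-bz2 \
    --with-openssl \
    --with-mcrypt \
    --enable-soap \
    --enable-gd-native-ttf \
    --enable-mbstring \
    --enable-sockets \
    --enable-exif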

    5.make && make install

    6.查看文件php7模块文件

    [root@localhost php-7.1.6]# ls /usr/local/apache2.4/modules/libphp7.so 
    /usr/local/apache2.4/modules/libphp7.so
    [root@localhost php-7.1.6]# du -sh /usr/local/apache2.4/modules/libphp7.so  
    37M     /usr/local/apache2.4/modules/libphp7.so
    [root@localhost php-7.1.6]# 
    

    7.发现apache加载了

    php5_module (shared)

    php7_module (shared)

    [root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl -M
    AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
    Loaded Modules:
     core_module (static)
     so_module (static)
     http_module (static)
     mpm_event_module (static)
     authn_file_module (shared)
     authn_core_module (shared)
     authz_host_module (shared)
     authz_groupfile_module (shared)
     authz_user_module (shared)
     authz_core_module (shared)
     access_compat_module (shared)
     auth_basic_module (shared)
     reqtimeout_module (shared)
     filter_module (shared)
     mime_module (shared)
     log_config_module (shared)
     env_module (shared)
     headers_module (shared)
     setenvif_module (shared)
     version_module (shared)
     unixd_module (shared)
     status_module (shared)
     autoindex_module (shared)
     dir_module (shared)
     alias_module (shared)
     php5_module (shared)
     php7_module (shared)
    [root@localhost php-7.1.6]# 
    

    8.想要只支持一个php怎么做呢,修改httpd.conf,将php5模块所在的行注释掉

    [root@localhost php-7.1.6]# !vim
    vim /usr/local/apache2.4/conf/httpd.conf
    [root@localhost php-7.1.6]# 
    

    Apache和PHP结合

    1.解决启动apache提示警告信息文件,编辑apache配置文件将ServerName注释状态打开

    2.启动apache,查看httpd服务是否启动成功

    [root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl restart
    [root@localhost php-7.1.6]# ps aux|grep httpd
    daemon    60694  0.0  0.3 435528  3740 ?        Sl   09:42   0:00 /usr/local/apache2.4/bin/httpd -k start
    daemon    60695  0.0  0.3 435528  3736 ?        Sl   09:42   0:00 /usr/local/apache2.4/bin/httpd -k start
    daemon    60696  0.0  0.3 435528  3740 ?        Sl   09:42   0:00 /usr/local/apache2.4/bin/httpd -k start
    root      60779  2.0  0.0 112680   976 pts/5    S+   09:42   0:00 grep --color=auto httpd
    root      99405  0.0  0.6 146616  6988 ?        Ss   2月01   0:07 /usr/local/apache2.4/bin/httpd -k start
    [root@localhost php-7.1.6]# 
    

    3.查看服务器是否开启80端口,发现并没有开启

    [root@localhost php-7.1.6]# iptables -nvL
    

    4.临时将80端口规则加到防火墙中(-I 添加规则、-D 删除规则),发现浏览器可以访问服务器了,telnet也可以连接服务器了

    [root@localhost php-7.1.6]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
    

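    5.编辑apache配置文件,把 Require all denied 改为 Require all granted。只改网站目录(DocumentRoot)对应的 <Directory> 段即可;如果改的是根目录 <Directory /> 那一段,等于放开了整个文件系统的默认拒绝策略。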

    6.查看配置文件是否有语法错误

    [root@localhost local]# /usr/local/apache2.4/bin/apachectl -t
    Syntax OK
    [root@localhost local]# 

    7.重新加载配置文件

    [root@localhost local]# /usr/local/apache2.4/bin/apachectl graceful
    [root@localhost local]# 
    

    8.添加配置文件,检查配置文件是否正常。

    [root@localhost local]# /usr/local/apache2.4/bin/apachectl -t
    Syntax OK
    [root@localhost local]# /usr/local/apache2.4/bin/apachectl graceful
    [root@localhost local]# 
    

    9.可以正常访问服务器

    10.支持php

     Apache默认虚拟主机

    1.编辑httpd.conf文件去掉虚拟主机配置文件#号

    2.编辑虚拟主机配置文件并建立相对应的目录

    <VirtualHost *:80>
        ServerAdmin webmaster@dummy-host.example.com
        DocumentRoot "/data/wwwroot/abc.com"
        ServerName abc.com
        ServerAlias www.abc.com www.123.com
        ErrorLog "logs/abc.com-error_log"
        CustomLog "logs/abc.com-access_log" common
    </VirtualHost>
    
    <VirtualHost *:80>
        ServerAdmin webmaster@dummy-host2.example.com
        DocumentRoot "/data/wwwroot/111.com"
        ServerName 111.com
        ServerAlias www.example.com
        ErrorLog "logs/111.com-error_log"
        CustomLog "logs/111.com-access_log" common
    </VirtualHost>
    
    [root@localhost ~]# mkdir /data/wwwroot/
    [root@localhost ~]# mkdir /data/wwwroot/abc.com
    [root@localhost ~]# mkdir /data/wwwroot/111.com
    [root@localhost ~]# vim /data/wwwroot/abc.com/index.php
    [root@localhost ~]# 
    

    3.创建index.php文件并写点代码

    [root@localhost ~]# vim /data/wwwroot/111.com/index.php
    [root@localhost ~]# 
    

      

    4.检查配置文件

    [root@localhost ~]# /usr/local/apache2.4/bin/apachectl -t
    Syntax OK
    [root@localhost ~]# /usr/local/apache2.4/bin/apachectl graceful   
    [root@localhost ~]# 
    

    5.curl命令来检测是否可以访问-x 选项可以为CURL添加代理功能,用浏览器看需要本地做host

    [root@localhost ~]# curl -x10.21.95.122:80 abc.com
    abc.com[root@localhost ~]# curl -x10.21.95.122:80 abce.com
    abc.com[root@localhost ~]# curl -x10.21.95.122:80 abcee.com
    abc.com[root@localhost ~]# curl -x10.21.95.122:80 www.example.com
    111.com[root@localhost ~]# 
    

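    6.打开虚拟主机配置文件后,主配置文件里的 ServerName、DocumentRoot 将失效;Host 不匹配任何 ServerName/ServerAlias 的请求都由第一个虚拟主机(默认虚拟主机)处理,上面 abce.com、abcee.com 返回 abc.com 就是这个原因。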

     Apache用户认证  

     1.修改虚拟主机配置文件

    # Virtual host for 111.com that puts the whole document root behind HTTP Basic authentication.
    # NOTE(review): this vhost listens on plain HTTP (*:80); Basic credentials are only
    # base64-encoded on the wire, so serve it over TLS before using real passwords.
    <VirtualHost *:80>
        ServerAdmin webmaster@dummy-host2.example.com
        DocumentRoot "/data/wwwroot/111.com"
        ServerName 111.com
        ServerAlias www.example.com
            <Directory /data/wwwroot/111.com>
                    # Lets .htaccess files under this directory use authentication directives.
                    AllowOverride AuthConfig
                    # Realm string sent in the WWW-Authenticate header and shown in the login prompt.
                    AuthName "Restricted Files"
                    AuthType Basic
                    # The password file sits outside this DocumentRoot, so this vhost does not serve it.
                    AuthUserFile /data/.htpasswd
                    # Any user listed in the password file may log in.
                    Require valid-user
            </Directory>
        ErrorLog "logs/111.com-error_log"
        CustomLog "logs/111.com-access_log" common
    </VirtualHost>
    

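    2.生成用户密码文件。-c 会新建(并覆盖已有的)密码文件,所以只在添加第一个用户时使用;-m 生成的是 MD5(apr1)哈希,Apache 2.4 自带的 htpasswd 也可以用 -B 生成 bcrypt 哈希,离线破解的难度更高。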

    [root@localhost ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
    [root@localhost ~]# /usr/local/apache2.4/bin/htpasswd -c -m /data/.htpasswd apache
    New password: 
    Re-type new password: 
    Adding password for user apache
    [root@localhost ~]# 
    
    [root@localhost ~]# /usr/local/apache2.4/bin/htpasswd -m /data/.htpasswd apache1
    New password: 
    Re-type new password: 
    Adding password for user apache1
    [root@localhost ~]# cat /data/.htpasswd                                       apache:$apr1$7yblTxbh$nuIrcwIU3nlsee3Aek8jJ.
    apache1:$apr1$1bnu4tPX$/u15wjn1vuexrW8ROHC9u0
    [root@localhost ~]# 
    
    [root@localhost ~]# /usr/local/apache2.4/bin/apachectl -t                     Syntax OK
    [root@localhost ~]# /usr/local/apache2.4/bin/apachectl graceful   
    [root@localhost ~]# 
    

    3.curl访问提示401 -I 只看状态码不看返回的内容

    [root@localhost ~]# curl -x127.0.0.1:80 111.com -I
    HTTP/1.1 401 Unauthorized
    Date: Fri, 02 Feb 2018 07:44:52 GMT
    Server: Apache/2.4.28 (Unix) PHP/5.6.30
    WWW-Authenticate: Basic realm="Restricted Files"
    Content-Type: text/html; charset=iso-8859-1
    
    [root@localhost ~]# 
    

    4.用浏览器访问,编辑客户端host文件,访问111.com

    5.用curl的 -u 选项带上用户名密码访问(写在命令行里的密码会留在 shell 历史和进程列表里;只写 -u用户名 时 curl 会交互式提示输入密码)

    [root@localhost ~]# curl -x127.0.0.1:80 -uapache:apache 111.com
    111.com[root@localhost ~]# 
    

      

    1.filesmatch指定文件认证

    域名跳转

    1.修改配置文件域名跳转需要在虚拟主机配置中添加别名和一个 rewrite 模块,如下,配置当访问 www.aaa.com 时跳转到 www.test.com

    [root@localhost ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
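    <VirtualHost *:80>
        DocumentRoot "/data/www"
        ServerName www.test.com
        ServerAlias www.aaa.com
        <IfModule mod_rewrite.c>
            RewriteEngine on
            # Redirect only when the Host header is exactly www.aaa.com. The dots are
            # escaped so that they match a literal "." rather than any character.
            RewriteCond %{HTTP_HOST} ^www\.aaa\.com$
            # Permanent (301) redirect to the same path on www.test.com; L stops rule processing.
            RewriteRule ^/(.*)$ http://www.test.com/$1 [R=301,L]
        </IfModule>
    </VirtualHost>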
    

      

    [root@localhost ~]# /usr/local/apache2/bin/apachectl -t
    [root@localhost ~]# /usr/local/apache2/bin/apachectl graceful
    

    2.扩展:如果有多个域名跳转到一个域名如何配置,如下,配置当访问 www.aaa.com 或访问 www.bbb.com 时跳转到 www.test.com 

    [root@localhost ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
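    <VirtualHost *:80>
        DocumentRoot "/data/www"
        ServerName www.test.com
        # Two aliases. Comments go on their own line: text after a directive on the
        # same line is parsed as further arguments, not as a comment.
        ServerAlias www.aaa.com
        ServerAlias www.bbb.com
        <IfModule mod_rewrite.c>
            RewriteEngine on
            # [OR] joins this condition with the next one; without it conditions are ANDed.
            RewriteCond %{HTTP_HOST} ^www\.aaa\.com$ [OR]
            RewriteCond %{HTTP_HOST} ^www\.bbb\.com$
            # Permanent (301) redirect to the same path on www.test.com; L stops rule processing.
            RewriteRule ^/(.*)$ http://www.test.com/$1 [R=301,L]
        </IfModule>
    </VirtualHost>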
    

    3.查看是否加载了rewrite模块

    [root@localhost ~]# /usr/local/apache2.4/bin/apachectl -M |grep rewrite
    [root@localhost ~]# vi /usr/local/apache2.4/conf/httpd.conf
    [root@localhost ~]# /usr/local/apache2.4/bin/apachectl -M |grep rewrite
     rewrite_module (shared)
    [root@localhost ~]# 
    

      

    [root@localhost ~]# /usr/local/apache2.4/bin/apachectl graceful            
    [root@localhost ~]# 
    

    Apache访问日志

    常用命令

    1.查看apache的进程数 
    ps -aux | grep httpd | wc -l 
    2.分析日志查看当天的ip连接数 
    cat default-access_log | grep "10/Dec/2010" | awk '{print $2}' | sort | uniq -c | sort -nr 
    3.查看指定的ip在当天究竟访问了什么url 
    cat default-access_log | grep "10/Dec/2010" | grep "218.19.140.242" | awk '{print $7}' | sort | uniq -c | sort -nr 
    4.查看当天访问排行前10的url 
    cat default-access_log | grep "10/Dec/2010" | awk '{print $7}' | sort | uniq -c | sort -nr | head -n 10 
    5.看到指定的ip究竟干了什么 
    cat default-access_log | grep 218.19.140.242 | awk '{print $1" "$8}' | sort | uniq -c | sort -nr | less 
    6.查看访问次数最多的几个分钟(找到热点) 
    awk '{print $4}' default-access_log |cut -c 14-18|sort|uniq -c|sort -nr|head

    1.查看日志

    [root@localhost ~]# cat /usr/local/apache2.4/logs/
    111.com-access_log  abc.com-error_log   httpd.pid
    111.com-error_log   access_log          
    abc.com-access_log  error_log           
    [root@localhost ~]# cat /usr/local/apache2.4/logs/111.com-access_log 
    10.21.95.122 - - [02/Feb/2018:15:19:15 +0800] "GET HTTP://www.example.com/ HTTP/1.1" 200 7
    127.0.0.1 - - [02/Feb/2018:15:44:52 +0800] "HEAD HTTP://111.com/ HTTP/1.1" 401 -
    10.21.95.218 - - [02/Feb/2018:15:48:48 +0800] "GET / HTTP/1.1" 401 381
    10.21.95.218 - apache [02/Feb/2018:15:50:00 +0800] "GET / HTTP/1.1" 401 381
    10.21.95.218 - apache [02/Feb/2018:15:50:26 +0800] "GET / HTTP/1.1" 200 7
    10.21.95.218 - apache [02/Feb/2018:15:50:26 +0800] "GET /favicon.ico HTTP/1.1" 404 209
    127.0.0.1 - apache [02/Feb/2018:15:53:11 +0800] "GET HTTP://111.com/ HTTP/1.1" 200 7
    [root@localhost ~]# 
    

    2.查看gz压缩包内容

    zcat access_log.2018020209.gz |head

    3.定义新的日志文件格式common改为combined,日志记录更详细。

    4.让配置文件生效

    [root@localhost ~]# /usr/local/apache2.4/bin/apachectl graceful              
    [root@localhost ~]# 
    

     访问日志不记录静态文件

    1,当访问很多图片,文档等静态资源的时候,会加大你日志的容量,日志容量占用你磁盘空间后,会出现服务器宕机等很严重的问题,这时需要将日志进行配置优化。当访问网页时不记录这些图片、css、js等信息日志。

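       # Mark requests for static assets so that CustomLog can skip them. The dot is
       # escaped so only a real ".ext" suffix matches.
       # NOTE(review): every request whose path ends in one of these suffixes goes
       # unlogged, including failed ones; keep a complete log elsewhere if the access
       # log is used for security monitoring.
       SetEnvIf Request_URI "\.(gif|jpg|png|bmp|swf|js|css)$" img
       CustomLog "logs/111.com-access_log" combined env=!img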
    

    2.重新加载配置文件

    [root@bogon ~]# /usr/local/apache2.4/bin/apachectl graceful
    
    [root@bogon ~]# curl -x127.0.0.1:80 111.com/aaaa.jpg                          <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /aaaa.jpg was not found on this server.</p>
    </body></html>
    [root@bogon ~]# 
    

    3.访问不是规则包含的链接被记录到日志,jpg结尾的不记录到日志

    [root@bogon ~]# curl -x127.0.0.1:80 111.com/aaaa.jpg1  
    [root@bogon ~]# tail /usr/local/apache2.4/logs/111.com-access_log    
    127.0.0.1 - - [02/Feb/2018:15:44:52 +0800] "HEAD HTTP://111.com/ HTTP/1.1" 401 -
    10.21.95.218 - - [02/Feb/2018:15:48:48 +0800] "GET / HTTP/1.1" 401 381
    10.21.95.218 - apache [02/Feb/2018:15:50:00 +0800] "GET / HTTP/1.1" 401 381
    10.21.95.218 - apache [02/Feb/2018:15:50:26 +0800] "GET / HTTP/1.1" 200 7
    10.21.95.218 - apache [02/Feb/2018:15:50:26 +0800] "GET /favicon.ico HTTP/1.1" 404 209
    127.0.0.1 - apache [02/Feb/2018:15:53:11 +0800] "GET HTTP://111.com/ HTTP/1.1" 200 7
    10.21.95.218 - apache [02/Feb/2018:17:48:08 +0800] "GET / HTTP/1.1" 200 7
    10.21.95.218 - apache [02/Feb/2018:18:11:59 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
    10.21.95.218 - apache [02/Feb/2018:18:12:00 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
    127.0.0.1 - - [05/Feb/2018:17:53:08 +0800] "GET HTTP://111.com/aaaa.jpg1 HTTP/1.1" 401 381 "-" "curl/7.29.0"
    [root@bogon ~]# 
    

    访问日志切割 

     

    1.添加配置文件选项rotatelogs -l 切割命令 -l 指定以什么时间格式切割 86400 每天0点生成一个新的文件

    2.生成了记录日期格式的日志文件111.com-access_20180206.log

    [root@bogon ~]# curl -x127.0.0.1:80 111.com/index.php
    111.com[root@bogon ~]# ls /usr/local/apache2.4/logs/
    111.com-access_20180206.log  111.com-error_log   abc.com-error_log  error_log
    111.com-access_log           abc.com-access_log  access_log         httpd.pid
    [root@bogon ~]# 
    

     

    [root@bogon ~]# cat /usr/local/apache2.4/logs/111.com-access_20180206.log 
    127.0.0.1 - - [06/Feb/2018:09:14:26 +0800] "GET HTTP://111.com/123.php HTTP/1.1" 404 205 "-" "curl/7.29.0"
    127.0.0.1 - - [06/Feb/2018:09:15:44 +0800] "GET HTTP://111.com/index.php HTTP/1.1" 200 7 "-" "curl/7.29.0"
    [root@bogon ~]#  

    3.还需要写一个任务计划超过多少天的日志删除减小空间占用crontab

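    # Hourly job: delete regular files under /applog/app that match -mtime +1.
    # The ';' that terminates -exec must be escaped, otherwise the shell started by
    # cron treats it as a command separator and find fails with a missing argument.
    # NOTE(review): choose the retention period so that logs needed for incident
    # investigation are archived before they are deleted.
    00 * * * * find /applog/app -type f -mtime +1 -exec rm -f {} \;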

    静态元素过期时间

    1.在虚拟主机配置文件中添加expires_module模块配置文件

    [root@bogon 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
    

      

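    <IfModule mod_expires.c>
        ExpiresActive on
        # Images: cacheable for one day, counted from the time of the request.
        ExpiresByType image/gif "access plus 1 days"
        ExpiresByType image/jpeg "access plus 24 hours"
        ExpiresByType image/png "access plus 24 hours"
        # Stylesheets and scripts: two hours. The type must be spelled exactly as the
        # server sends it in Content-Type, otherwise the rule never applies.
        ExpiresByType text/css "now plus 2 hours"
        ExpiresByType application/javascript "now plus 2 hours"
        ExpiresByType application/x-javascript "now plus 2 hours"
        ExpiresByType application/x-shockwave-flash "now plus 2 hours"
        # Everything else expires immediately.
        ExpiresDefault "now plus 0 min"
    </IfModule>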
    
    [root@bogon 111.com]# /usr/local/apache2.4/bin/apachectl -t
    

    2.查看模块是否打开,打开expires模块

    [root@bogon 111.com]# /usr/local/apache2.4/bin/apachectl -M|grep expires
    [root@bogon 111.com]# 
    

    [root@bogon 111.com]# /usr/local/apache2.4/bin/apachectl graceful
    [root@bogon 111.com]# /usr/local/apache2.4/bin/apachectl -M|grep expires   
     expires_module (shared)
    [root@bogon 111.com]# 
    

    配置防盗链

    1.配置文件增加,111.com和aaa.com允许,其他的拒绝

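        <Directory /data/wwwroot/111.com>
            # Whitelist by Referer. Patterns are anchored and the dot escaped so that only
            # these two hosts match, not a longer host name that merely contains them.
            # NOTE(review): Referer is supplied by the client, so this limits hotlinking
            # only; it is not access control.
            SetEnvIfNoCase Referer "^http://111\.com(/|$)" local_ref
            SetEnvIfNoCase Referer "^http://aaa\.com(/|$)" local_ref
            <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
                # With Order Allow,Deny a request that matches no Allow is rejected by
                # default. An extra "Deny from all" would be evaluated last and reject
                # whitelisted requests as well, so it is left out.
                Order Allow,Deny
                Allow from env=local_ref
            </FilesMatch>
        </Directory>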
    

     

    [root@bogon ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf        
    [root@bogon ~]# /usr/local/apache2.4/bin/apachectl -t                         Syntax OK
    [root@bogon ~]# /usr/local/apache2.4/bin/apachectl graceful               
    [root@bogon ~]# 

    2.直接访问不了,因为ref为空;必须把这个图片放到111.com和aaa.com相关的内容里,来源ref在白名单里才能访问。

    3.如果想在浏览器直接能访问配置空ref

    SetEnvIfNoCase Referer "^$" local_ref

    [root@bogon ~]# /usr/local/apache2.4/bin/apachectl graceful
    

    4.可以用curl -e 直接指定referer。由此可见 Referer 完全由客户端决定,防盗链只能挡住别的网站直接引用资源,不能当作访问控制来用。

    [root@bogon ~]# curl -e "http://111.com/a.jpg" -x127.0.0.1:80 111.com/a.jpg -I 
    HTTP/1.1 200 OK
    Date: Tue, 06 Feb 2018 03:45:11 GMT
    Server: Apache/2.4.28 (Unix) PHP/5.6.30
    Last-Modified: Sat, 12 Aug 2017 09:29:53 GMT
    ETag: "8f393-5568b126b0640"
    Accept-Ranges: bytes
    Content-Length: 586643
    Cache-Control: max-age=86400
    Expires: Wed, 07 Feb 2018 03:45:11 GMT
    Content-Type: image/jpeg
    
    [root@bogon ~]#
    

    访问控制Directory

    1.添加配置文件,创建admin目录添加index.php文件

    1.看Order后面的,哪个在前,哪个在后

    2.如果deny在前,那么就需要看deny from 这句,然后看allow from这一句

    3.规则是一条一条匹配的,不管是deny在前还是allow在前,都会生效,排在后面的那一类有最终决定权。比如后面 Order deny,allow 的例子中,先deny了所有,然后又allow了127.0.0.1,所以127.0.0.1是通过的。而下面这种写法则相反:

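    # Order takes a single argument: no space is allowed around the comma.
    Order allow,deny

    deny from all

    allow from 127.0.0.1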

    这个就会deny所有了,127.0.0.1也会被deny。因为顺序是先allow然后deny,虽然一开始allow了127.0.0.1,但是后面有拒绝了它。

    Order allow,deny

    deny from all

    上面的规则就表示,全部都不能通过

    Order deny,allow

    deny from all

    上面的规则表示,全部都不能通过

    Order deny,allow

    只有顺序,没有具体规则,表示,全部都可以通行(默认的),因为allow在最后了。

    Order allow,deny

    这个表示,全部不能通行(默认的),因为deny在最后了。

    讲完了allow ,deny我们再来看看具体的应用吧。

    (1)某个目录做限制,比如该目录很重要,只允许我们公司的IP访问,当然这个目录可以使网站根目录,也就是整个站点都要做限制了。

    <Directory /data/www/>              

    Order deny,allow

    Deny from all

    Allow from 127.0.0.1              

    </Directory>

    说明:只允许127.0.0.1访问,其他IP全部拒绝掉。

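     <Directory "/data/wwwroot/111.com/admin">
         # Order deny,allow: Deny rules are evaluated first, Allow rules last, so a
         # client matching Allow gets through. Result: only 127.0.0.1 reaches admin/.
         # Comments must be on their own line; trailing text after "Deny from all"
         # would be parsed as more arguments to Deny.
         # NOTE(review): Order/Allow/Deny come from mod_access_compat on Apache 2.4;
         # the native 2.4 form of this rule is "Require ip 127.0.0.1".
         Order deny,allow
         Deny from all
         Allow from 127.0.0.1
     </Directory>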
    
    [root@bogon 111.com]# mkdir admin
    [root@bogon 111.com]# touch index.php
    [root@bogon 111.com]# echo 121212 > index.php 
    [root@bogon 111.com]# cat index.php 
    121212
    [root@bogon 111.com]# 
    
    [root@bogon admin]# curl -x127.0.0.1:80 111.com/admin/index.php -I
    HTTP/1.1 200 OK
    Date: Tue, 06 Feb 2018 04:55:21 GMT
    Server: Apache/2.4.28 (Unix) PHP/5.6.30
    X-Powered-By: PHP/5.6.30
    Cache-Control: max-age=0
    Expires: Tue, 06 Feb 2018 04:55:21 GMT
    Content-Type: text/html; charset=UTF-8
    
    [root@bogon admin]# 
    

      

    [root@bogon admin]# curl -x10.21.95.122:80 111.com/admin/index.php -I         
    HTTP/1.1 403 Forbidden
    Date: Tue, 06 Feb 2018 04:56:25 GMT
    Server: Apache/2.4.28 (Unix) PHP/5.6.30
    Content-Type: text/html; charset=iso-8859-1
    
    [root@bogon admin]#
    

    访问控制FilesMatch

     1.针对被请求的文件名去限制(FilesMatch 匹配的是文件名,不是完整的 URI)。前面安装的discuz论坛,访问后台是admin.php,那我们就可以针对admin.php做限制。

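    <FilesMatch "(.*)admin(.*)">
        # Applies to every file whose name contains "admin".
        # Order takes one argument with no space around the comma; with deny,allow the
        # Allow rule is evaluated last, so only 127.0.0.1 may request these files.
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>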
    
    说明:这里用到了filesmatch语法,表示匹配的意思。

    限定某个目录禁止解析php

    1.禁止某个目录下解析PHP,这个很有用,我们做网站安全的时候用得很多。比如某些目录可以上传文件,为了避免上传的文件里有木马被执行,所以我们禁止这个目录下面的文件被当作PHP解析。

    2.配置文件添加如下代码,禁止upload目录下的php文件解析

        # Upload directory: files placed here must never run as PHP.
        <Directory "/data/wwwroot/111.com/upload">
        # Turn the PHP engine off for everything under this directory.
        php_admin_flag engine off
        # Also refuse to serve matching files at all, so PHP source is not handed out as a
        # download. The "." is an unescaped regex wildcard, so this matches any file name
        # that has at least one character followed by "php".
        <FilesMatch (.*).php(.*)>
        Order deny,allow
        Deny from all
        </FilesMatch>
        </Directory>
    
    [root@bogon admin]# mkdir /data/wwwroot/111.com/upload
    [root@bogon admin]# touch /data/wwwroot/111.com/upload/index.php
    [root@bogon admin]# echo 111 > /data/wwwroot/111.com/upload/index.php 
    [root@bogon admin]# 
    

    3.php_admin_flag engine off这个语句就是禁止解析php的控制语句,但只这样配置还不够,因为这样配置之后用户依然可以访问PHP文件,只不过不解析了,但可以下载,用户下载PHP文件也是不合适的,所以有必要在禁止一下。

    [root@bogon admin]# curl -x127.0.0.1:80 111.com/upload/index.php -I
    HTTP/1.1 403 Forbidden
    Date: Wed, 07 Feb 2018 01:41:52 GMT
    Server: Apache/2.4.28 (Unix) PHP/5.6.30
    Content-Type: text/html; charset=iso-8859-1
    
    [root@bogon admin]# 
    

    限制user_agent 

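      <IfModule mod_rewrite.c>
          RewriteEngine on
          # Block by User-Agent (lab experiment: curl and chrome). NC = case-insensitive;
          # OR joins a condition with the next one. Comments sit on their own lines
          # because trailing text on a directive line is parsed as extra arguments.
          # NOTE(review): User-Agent is client-supplied, so this only filters clients
          # that identify themselves honestly.
          RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
          RewriteCond %{HTTP_USER_AGENT} .*chrome.* [NC]
          # F = answer 403 Forbidden.
          RewriteRule .* - [F]
      </IfModule>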
    

     

    [root@bogon admin]# /usr/local/apache2.4/bin/apachectl graceful -t    
    Syntax OK
    [root@bogon admin]# /usr/local/apache2.4/bin/apachectl graceful
    [root@bogon admin]# curl -x127.0.0.1:80 111.com/upload/index.php -I       
    HTTP/1.1 403 Forbidden
    Date: Wed, 07 Feb 2018 02:33:37 GMT
    Server: Apache/2.4.28 (Unix) PHP/5.6.30
    Content-Type: text/html; charset=iso-8859-1
    
    [root@bogon admin]# 
    

    1. -A 模拟useragent。换一个 User-Agent 请求就不再被拦截,说明这种限制只能挡住不伪装的客户端,不能当作安全控制。

    [root@bogon admin]# curl -A "sun sun" -x127.0.0.1:80 111.com/index.php -I     HTTP/1.1 200 OK
    Date: Wed, 07 Feb 2018 02:35:50 GMT
    Server: Apache/2.4.28 (Unix) PHP/5.6.30
    X-Powered-By: PHP/5.6.30
    Cache-Control: max-age=0
    Expires: Wed, 07 Feb 2018 02:35:50 GMT
    Content-Type: text/html; charset=UTF-8
    
    [root@bogon admin]# 
  • 原文地址:https://www.cnblogs.com/sunyujun/p/8399779.html