Sensible delegation of permissions is an effective way to raise management efficiency. This lesson shows how to configure Apache appropriately and grant access in a targeted way, which improves both the manageability and the security of Apache.
Edit the virtual host configuration file:

```
[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/111.com>
    SetEnvIfNoCase Referer "http://111.com" local_ref
    SetEnvIfNoCase Referer "http://aaa.com" local_ref
    #SetEnvIfNoCase Referer "^$" local_ref
    # Referer whitelist: every Referer matching one of the patterns above sets the variable local_ref
    <filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
        Order Allow,Deny
        Allow from env=local_ref
        # Rule: allow requests whose Referer set local_ref, deny all other access
    </filesmatch>
</Directory>
```

Save with `:wq`, then check the syntax and reload:

```
[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 ~]# ls /data/wwwroot/111.com/
123.php  index.php  photo1.jpg
```

Now test it by opening photo1.jpg.
Opening photo1.jpg directly in the browser like this fails (403 Forbidden): a direct request carries no Referer, so local_ref is never set.

Put the link into a forum post.

Opening it from the post is Forbidden as well. To make it load there, add the forum's site to the whitelist. Copying the URL straight into the browser's address bar gives the same result.

Note: if the whitelist does not include "^$" (an empty Referer), direct access to the protected content is refused. Keep in mind that the Referer header is supplied by the client and is trivially forged, so this blocks casual hotlinking; it is not an access control.

`curl -e` sets the Referer header, which is how the whitelist is tested from the command line.
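An added example, not from the original page: a small Python model of the decision the vhost above makes for one request (SetEnvIfNoCase sets local_ref, the FilesMatch block with Order Allow,Deny then allows only when local_ref is set), run against constructed Referer values. It shows the effect of the commented-out "^$" line, and that each whitelist entry is an unanchored regular expression: "http://111.com" also matches "http://111.com.evil.example/" and a URL that merely contains the string, while a legitimate "https://www.111.com/..." Referer is refused. The HARDENED_WHITELIST patterns are my suggestion, not the page's configuration.

```python
import re

# Whitelist exactly as written in the vhost above. SetEnvIfNoCase treats each
# value as an unanchored, case-insensitive regular expression.
PAGE_WHITELIST = ["http://111.com", "http://aaa.com"]

# Suggested hardening (assumption: only these two sites may embed the files):
# anchored at the start, dots escaped, optional https and www, and the host
# must be followed by "/" or end of string so "111.com.evil.example" cannot match.
HARDENED_WHITELIST = [
    r"^https?://(www\.)?111\.com(/|$)",
    r"^https?://(www\.)?aaa\.com(/|$)",
]

# The <FilesMatch> pattern from the page: matched against the file name only.
PROTECTED_EXT = re.compile(r"\.(txt|doc|mp3|zip|rar|jpg|gif|png)")


def local_ref_set(referer, patterns, allow_blank=False):
    """Model the 'SetEnvIfNoCase Referer ... local_ref' lines.

    A request without a Referer header is modelled as the empty string; that
    is what the commented-out  SetEnvIfNoCase Referer "^$" local_ref  line
    (allow_blank=True here) is meant to match.
    """
    value = referer or ""
    if allow_blank and re.search(r"^$", value):
        return True
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)


def request_allowed(path, referer, patterns, allow_blank=False):
    """Decision for one request under the <FilesMatch> block above.

    Order Allow,Deny with a single 'Allow from env=local_ref' means: allowed
    only if local_ref was set, 403 otherwise. Files whose name does not match
    the FilesMatch pattern (123.php, index.php) are not covered by the block.
    """
    filename = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if not PROTECTED_EXT.search(filename):
        return True
    return local_ref_set(referer, patterns, allow_blank)


# Constructed Referer values, including two hotlinking bypasses of the page's
# unanchored patterns and one legitimate Referer they reject.
CASES = [
    ("post on 111.com",         "http://111.com/forum/post/1"),
    ("upper-case, NoCase",      "HTTP://AAA.COM/page"),
    ("direct open, no Referer", None),
    ("host suffix bypass",      "http://111.com.evil.example/steal"),
    ("query-string bypass",     "http://evil.example/?u=http://111.com"),
    ("https + www, legitimate", "https://www.111.com/post/1"),
]


def compare():
    """Return {label: (page_whitelist_allows, hardened_whitelist_allows)}."""
    return {
        label: (
            request_allowed("/photo1.jpg", ref, PAGE_WHITELIST),
            request_allowed("/photo1.jpg", ref, HARDENED_WHITELIST),
        )
        for label, ref in CASES
    }


if __name__ == "__main__":
    for label, (page, hardened) in compare().items():
        print(f"{label:26s} page: {'allow' if page else 'deny':5s}  hardened: {'allow' if hardened else 'deny'}")
    print("direct open with ^$ enabled:",
          request_allowed("/photo1.jpg", None, PAGE_WHITELIST, allow_blank=True))
```

Run it as a script to see the comparison table; the hardened patterns still let a visitor who simply sets `curl -e "http://111.com/"` through, which is why this stays a hotlinking deterrent rather than authorization.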
Edit the virtual host configuration file:

```
[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/www.123.com/admin/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
:wq
```

The intent is to allow only the IP 127.0.0.1 to access the contents of /data/wwwroot/111.com/admin/ (the Directory path above still names the wrong directory; this is caught below). Create the directory and a test file, then reload:

```
[root@cham002 ~]# ls /data/wwwroot/
111.com  abc.com
[root@cham002 ~]# cd /data/wwwroot/
[root@cham002 wwwroot]# cd 111.com/
[root@cham002 111.com]# ls
123.php  index.php  photo1.jpg
[root@cham002 111.com]# mkdir admin
[root@cham002 111.com]# ls
123.php  admin  index.php  photo1.jpg
[root@cham002 111.com]# touch admin/index.php
[root@cham002 111.com]# ls admin
index.php
[root@cham002 111.com]# echo "1212121" > admin/index.php
[root@cham002 111.com]# cat !$
cat admin/index.php
1212121
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php
1212121
[root@cham002 111.com]# curl -x192.168.230.150:80 111.com/admin/index.php
1212121
```

The test failed: the request arriving via 192.168.230.150 was served too. Checking httpd-vhosts.conf shows the Directory path was never changed. Fix it and test again:

```
[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/111.com/admin/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php -I
HTTP/1.1 200 OK
Date: Mon, 25 Dec 2017 12:50:49 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@cham002 111.com]# curl -x192.168.230.136:80 111.com/admin/index.php -I
^C
[root@cham002 111.com]# curl -x192.168.230.150:80 111.com/admin/index.php -I
HTTP/1.1 403 Forbidden
Date: Mon, 25 Dec 2017 12:51:09 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
```

With `curl -x` the request is sent to the given address, so Apache sees the client as the address used to connect: 127.0.0.1 is allowed, while connecting through the host's own NIC address 192.168.230.150 is denied with 403. The attempt against 192.168.230.136 is not this host and simply hangs until interrupted.
**Note:** this section restricts access to a given directory to specified IP addresses. On Apache 2.4 (2.4.29 here) the `Order`/`Deny from`/`Allow from` directives come from mod_access_compat; the 2.4-native way is the `Require` directive of mod_authz_core, and the two styles should not be mixed within one scope.
Using FilesMatch instead:

```
[root@cham002 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/111.com>
    <FilesMatch admin.php(.*)>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 111.com]# curl -x192.168.230.150:80 http://111.com/admin/adfsfds -I
HTTP/1.1 404 Not Found
Date: Mon, 25 Dec 2017 14:03:52 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@cham002 111.com]# curl -x192.168.230.150:80 'http://111.com/admin.php?adfsfds' -I
HTTP/1.1 403 Forbidden
Date: Mon, 25 Dec 2017 14:04:40 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/admin.php?adfsfds' -I
HTTP/1.1 404 Not Found
Date: Mon, 25 Dec 2017 14:05:04 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
```

The last request returns 404 because the requested file does not exist. The same URL from 192.168.230.150 returns 403 rather than 404: access control is evaluated before the file is looked up, so a denied client learns nothing about whether admin.php exists. FilesMatch is applied to the file name only, never to the query string, which is why `?adfsfds` plays no part; and the pattern `admin.php(.*)` is unanchored with an unescaped dot, so it also covers names such as `myadmin.php.bak` or `adminXphp`. The trailing `(.*)` adds nothing.
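An added example, not from the original page: a Python model of how mod_access_compat evaluates `Order`, `Allow from` and `Deny from`, plus how `<FilesMatch>` matches a request, applied to the two blocks above with constructed client addresses and file names. It shows why `Order deny,allow` is the right order for "deny everyone except 127.0.0.1" (swapping it to `Order allow,deny` locks out 127.0.0.1 as well), why the `curl -x192.168.230.150:80` request is denied, and what the page's `admin.php(.*)` pattern matches compared with an anchored `^admin\.php$`. Partial addresses and host names, which Apache also accepts in `Allow from`, are not modelled; the strict pattern is my suggestion.

```python
import ipaddress
import re


def _operand_matches(operand, client_ip, env):
    """One operand of 'Allow from' / 'Deny from': all, env=NAME, or an IP/CIDR.

    Apache also accepts partial addresses ("192.168") and host names; those are
    deliberately not modelled here.
    """
    if operand == "all":
        return True
    if operand.startswith("env="):
        return operand[4:] in env
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(operand, strict=False)


def access_decision(order, allow, deny, client_ip, env=frozenset()):
    """Evaluate Order / Allow from / Deny from with mod_access_compat semantics.

    Allow,Deny: at least one Allow must match and no Deny may match; default deny.
    Deny,Allow: a Deny match rejects unless an Allow also matches; default allow.
    """
    allowed = any(_operand_matches(o, client_ip, env) for o in allow)
    denied = any(_operand_matches(o, client_ip, env) for o in deny)
    order = order.lower()
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unknown Order: {order}")


def filesmatch(pattern, request_path):
    """<FilesMatch pattern>: a case-sensitive, unanchored regex applied to the
    last path segment only; the query string never takes part in the match."""
    filename = request_path.split("?", 1)[0].rsplit("/", 1)[-1]
    return re.search(pattern, filename) is not None


# The admin directory block from the page, as data.
ADMIN_DIR = dict(order="deny,allow", allow=["127.0.0.1"], deny=["all"])
# A frequent mistake: the same three lines with the order swapped. Deny is
# now evaluated last and wins, so even 127.0.0.1 gets 403.
ADMIN_DIR_SWAPPED = dict(order="allow,deny", allow=["127.0.0.1"], deny=["all"])

PAGE_FILES_PATTERN = r"admin.php(.*)"    # from the page: unanchored, '.' unescaped
STRICT_FILES_PATTERN = r"^admin\.php$"   # suggested replacement


def admin_dir_allows(client_ip, swapped=False):
    cfg = ADMIN_DIR_SWAPPED if swapped else ADMIN_DIR
    return access_decision(cfg["order"], cfg["allow"], cfg["deny"], client_ip)


if __name__ == "__main__":
    # curl -x127.0.0.1:80 ...        -> Apache sees the client as 127.0.0.1
    # curl -x192.168.230.150:80 ...  -> Apache sees the host's own NIC address
    for ip in ("127.0.0.1", "192.168.230.150"):
        print(f"{ip:16s} deny,allow: {admin_dir_allows(ip)!s:5s} "
              f"allow,deny (swapped): {admin_dir_allows(ip, swapped=True)}")
    for name in ("admin.php", "admin.php?adfsfds", "adminXphp",
                 "myadmin.php.bak", "admin/adfsfds"):
        print(f"{name:20s} page pattern: {filesmatch(PAGE_FILES_PATTERN, name)!s:5s} "
              f"strict: {filesmatch(STRICT_FILES_PATTERN, name)}")
```

The `env=` operand is included so the same evaluator covers the Referer block from the first half of the page: `Order Allow,Deny` with only `Allow from env=local_ref` yields allow when the variable is set and deny otherwise.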