1.8.11 Disabling PHP parsing in a specified directory

# Core configuration file contents
    <Directory /data/wwwroot/www.123.com/upload>
        php_admin_flag engine off
#       <FilesMatch (.*)\.php(.*)>
#       Order allow,deny
#       Deny from all
#       </FilesMatch>
    </Directory>
# When tested with curl, the PHP source code is returned directly; it is not parsed

Edit the configuration and test:

[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <Directory /data/wwwroot/111.com>
       php_admin_flag engine off
    </Directory>
    ErrorLog "logs/111.com-error_log"
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@Dasoncheng ~]# curl www.111.com/admin.php
<?php
echo "Welcome to the page of admin\n"
?>
[root@Dasoncheng ~]# curl www.111.com/admin/index.php
<?php
echo "This page is forbidden;\n"
?>
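## As you can see, the index.php page above was not parsed!

Stopping at this result is definitely not acceptable: the PHP source is handed to anyone who requests it. So what do we do?
Let me show you: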

[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <Directory /data/wwwroot/111.com>
       php_admin_flag engine off
       <FilesMatch (.*)\.php*>
         Order allow,deny
         Deny from all
       </FilesMatch>
    </Directory>
    ErrorLog "logs/111.com-error_log"
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful

Test:

[root@Dasoncheng ~]# curl www.111.com/admin.php -I
HTTP/1.1 403 Forbidden
[root@Dasoncheng ~]# curl www.111.com/admin/index.php -I
HTTP/1.1 403 Forbidden

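Done! Winner winner, chicken dinner...
Purpose: prevent others from uploading and executing malicious PHP scripts! (Block execution of PHP scripts used to gain privileges, such as a PHP one-line web shell.)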
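
As an added example (not part of the original post), the shell function below audits a vhost file for the gap shown in this section: `<Directory>` blocks that set `php_admin_flag engine off` without an active `<FilesMatch>` deny for `.php`, which therefore serve PHP source as plain text. The sample config is constructed from the two snippets above; the function name `audit_php_off`, the verdict labels and the acceptance of the Apache 2.4 form `Require all denied` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Heuristic only: it does not follow
# Include directives, .htaccess files or nested <Directory> blocks.

# audit_php_off (hypothetical name): reads Apache config on stdin and prints
# "<directory> <verdict>" for every <Directory> block that disables the PHP engine.
audit_php_off() {
    awk '
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    low ~ /^#/ { next }    # commented-out directives give no protection
    low ~ /^<directory[ \t]/ {
        dir = line
        sub(/^<[^ \t]+[ \t]+/, "", dir); sub(/>[ \t]*$/, "", dir); gsub(/"/, "", dir)
        in_dir = 1; engine_off = 0; in_fm = 0; denied = 0; next
    }
    in_dir && low ~ /^php_admin_flag[ \t]+engine[ \t]+off/ { engine_off = 1; next }
    in_dir && low ~ /^<filesmatch[ \t].*php/ { in_fm = 1; next }
    low ~ /^<\/filesmatch>/ { in_fm = 0; next }
    # Accept the 2.2-style deny used on this page and the 2.4 form.
    in_fm && (low ~ /^deny[ \t]+from[ \t]+all/ || low ~ /^require[ \t]+all[ \t]+denied/) {
        denied = 1; next
    }
    in_dir && low ~ /^<\/directory>/ {
        if (engine_off) print dir, (denied ? "DENIED" : "SOURCE_EXPOSED")
        in_dir = 0
    }'
}

# Constructed sample: the two <Directory> blocks from this section.
sample_conf() {
    cat <<'EOF'
<Directory /data/wwwroot/www.123.com/upload>
    php_admin_flag engine off
#   <FilesMatch (.*)\.php(.*)>
#   Order allow,deny
#   Deny from all
#   </FilesMatch>
</Directory>
<Directory /data/wwwroot/111.com>
    php_admin_flag engine off
    <FilesMatch (.*)\.php*>
      Order allow,deny
      Deny from all
    </FilesMatch>
</Directory>
EOF
}

sample_conf | audit_php_off
```

To check a real file, run `audit_php_off < /usr/local/apache2.4/conf/extra/httpd-vhosts.conf`; any `SOURCE_EXPOSED` line marks a directory where a request for a `.php` file returns its source.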

1.8.12 Restricting user_agent

user_agent can be understood as the browser identifier
Core configuration file contents
    <IfModule mod_rewrite.c>
        # The rewrite module is used again
        RewriteEngine on
        # OR joins this condition with the one below it; NC makes the match on the agent case-insensitive
        RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
        # Second condition
        RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
        # Rule: respond with Forbidden directly
        RewriteRule  .*  -  [F]
    </IfModule>
curl -A "123123" sets the user_agent

Edit the configuration:

[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <IfModule mod_rewrite.c>
       RewriteEngine on
       RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
       RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
       RewriteRule .* - [F]
    </IfModule>
    ErrorLog "logs/111.com-error_log"
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful

Test:

[root@Dasoncheng ~]# curl www.111.com/admin/admin.html
HTTP/1.1 403 Forbidden
[root@Dasoncheng ~]# curl -A "baidu.com" www.111.com/admin/admin.html -I
HTTP/1.1 403 Forbidden
[root@Dasoncheng ~]# curl -A "www.baidu.com" www.111.com/admin/admin.html
HTTP/1.1 403 Forbidden
[root@Dasoncheng ~]# curl -A "google.com" www.111.com/admin/admin.html
echo "This is a html page"

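Tips:
Purpose: restrict access by source user agent! Limiting source agents reduces the load on the server.
Background: the site is under attack, and the requests share the same source agent, target URL and timing; we handle the traffic by restricting access by user agent.
curl -A "aminglinux" sets the agent to aminglinux
curl -e "http://" sets the referer to http://*
curl -x specifies the host for the domain (saves editing the hosts file)
curl -I shows only the response status, not the content!

Several ways to restrict by IP http://www.lishiming.net/thread-6519-1-1.html
Custom headers in Apache http://www.aminglinux.com/bbs/thread-830-1-1.html
Apache keepalive and keepalivetimeout http://www.aminglinux.com/bbs/thread-556-1-1.html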
