LAMP Architecture (III): hotlink protection, access control, PHP configuration

15. Configuring hotlink protection

Hotlink protection, put simply, means stopping other sites from embedding resources hosted on your site, where "resources" means images, video, audio, documents and so on. First the Referer concept: if you follow a link on page http://a.com/a.html of site A to page http://b.com/b.html of site B, then the Referer of that request to site B is http://a.com/a.html. In other words, a Referer is a URL: the page the request came from.

Open the virtual host configuration file and configure the virtual host as follows:

[root@ying01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf   # edit the virtual host configuration file

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn

    <Directory /data/wwwroot/111.com>
        SetEnvIfNoCase Referer "http://111.com" local_ref             # referers allowed to link to our resources
        SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
        SetEnvIfNoCase Referer "^$" local_ref                         # an empty Referer is whitelisted too, i.e. direct access
        <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
             Order Allow,Deny                                         # allow the whitelist, deny everything else
             Allow from env=local_ref                                 # whitelist = requests that set local_ref
        </FilesMatch>
    </Directory>

    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$"  img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400"  combined env=!img

</VirtualHost>

After changing the configuration, check the syntax and restart httpd:

[root@ying01 ~]# /usr/local/apache2.4/bin/apachectl -t                  # after changing the configuration, check the syntax
Syntax OK
[root@ying01 ~]# /usr/local/apache2.4/bin/apachectl graceful            # restart httpd

Now test the configuration with 111.com/1.jpg:

[root@ying01 ~]# ls /data/wwwroot/111.com/
123.php  1.jpg  index.php
[root@ying01 111.com]# curl -x192.168.112.136:80 -I 111.com/1.jpg     # direct access: status 200, equivalent to an empty Referer
HTTP/1.1 200 OK
Date: Sat, 30 Jun 2018 10:18:47 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Last-Modified: Tue, 26 Jun 2018 08:19:48 GMT
ETag: "8967-56f8729511100"
Accept-Ranges: bytes
Content-Length: 35175
Content-Type: image/jpeg

[root@ying01 111.com]# curl -e "http://www.qq.com/1.jpg" -x192.168.112.136:80 -I 111.com/1.jpg   
HTTP/1.1 403 Forbidden                     # Referer set to qq.com, which is not allowed
Date: Sat, 30 Jun 2018 10:19:22 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@ying01 111.com]# curl -e "http://111.com/1.jpg" -x192.168.112.136:80 -I 111.com/1.jpg
HTTP/1.1 200 OK                            # Referer set to 111.com: allowed
Date: Sat, 30 Jun 2018 10:19:59 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Last-Modified: Tue, 26 Jun 2018 08:19:48 GMT
ETag: "8967-56f8729511100"
Accept-Ranges: bytes
Content-Length: 35175
Content-Type: image/jpeg

[root@ying01 111.com]# curl -e "http://ask.apelearn.com/lkkh.gif" -x192.168.112.136:80 -I 111.com/1.jpg
HTTP/1.1 200 OK                             # Referer set to ask.apelearn.com: allowed
Date: Sun, 01 Jul 2018 01:04:12 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Last-Modified: Tue, 26 Jun 2018 08:19:48 GMT
ETag: "8967-56f8729511100"
Accept-Ranges: bytes
Content-Length: 35175
Content-Type: image/jpeg

Summary:

  • When the image 111.com/1.jpg is requested:
  1. Direct access to the image works,
     because the empty Referer is defined as allowed: SetEnvIfNoCase Referer "^$" local_ref
  2. Access via one of the designated referers works,
     because 111.com is defined as a referer: SetEnvIfNoCase Referer "http://111.com" local_ref
     and ask.apelearn.com is defined as a referer: SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref

  • But this only applies to files of the following types:

<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">

For example, when we access 111.com/index.php, it can be linked from anywhere:

[root@ying01 111.com]# curl -e "http://www.baidu.com" -x192.168.112.136:80 -I 111.com/index.php
HTTP/1.1 200 OK                               # with a Baidu referer, index.php is still accessible
Date: Sun, 01 Jul 2018 01:14:23 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@ying01 111.com]# curl -e "http://www.126.com" -x192.168.112.136:80 -I 111.com/index.php
HTTP/1.1 200 OK                            # with 126.com too: for index.php the Referer can be anything
Date: Sun, 01 Jul 2018 01:16:12 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
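To make the evaluation order concrete, here is an added Python emulation (not part of the original page) of the SetEnvIfNoCase/FilesMatch logic above, using the page's three Referer patterns; the tightened STRICT_REF_PATTERNS list is my assumption, not something the page configures.

```python
import os
import re

# Referer patterns copied from the vhost above. Apache's SetEnvIfNoCase runs a
# case-insensitive, UNANCHORED regex search, and '.' is unescaped, so
# "http://111.com" also matches any Referer that merely contains that text.
LOCAL_REF_PATTERNS = [
    r"http://111.com",
    r"http://ask.apelearn.com",
    r"^$",  # empty Referer: direct visits and most non-browser clients
]

# Assumed hardened list (not from the page): anchored to scheme and host, dots
# escaped, and https accepted so the site's own pages still work over TLS.
STRICT_REF_PATTERNS = [
    r"^https?://(www\.)?111\.com(/|$)",
    r"^https?://ask\.apelearn\.com(/|$)",
    r"^$",
]

# The FilesMatch expression from the config; only these files are guarded.
PROTECTED_FILES = re.compile(r"\.(txt|doc|mp3|zip|rar|jpg|gif|png)")


def is_local_ref(referer: str, patterns=LOCAL_REF_PATTERNS) -> bool:
    """True if any SetEnvIfNoCase Referer pattern matches, i.e. local_ref is set."""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)


def decide(path: str, referer: str, patterns=LOCAL_REF_PATTERNS) -> int:
    """HTTP status the Directory/FilesMatch block yields for a request.

    FilesMatch is applied to the file name only; files it does not cover
    (index.php, for instance) are never referer-checked, which is why the
    page's index.php tests answer 200 whatever the Referer says.
    'Order Allow,Deny' with a single 'Allow from env=local_ref' means:
    allowed exactly when the env var is set, otherwise 403.
    """
    if not PROTECTED_FILES.search(os.path.basename(path)):
        return 200
    return 200 if is_local_ref(referer, patterns) else 403


if __name__ == "__main__":
    for ref in ["", "http://www.qq.com/1.jpg", "http://111.com/1.jpg",
                "https://111.com/1.jpg", "http://111.com.example.org/"]:
        print(f"{ref!r:34} page rules: {decide('/1.jpg', ref)}  "
              f"strict rules: {decide('/1.jpg', ref, STRICT_REF_PATTERNS)}")
```

Note that with the page's patterns a request from the site's own https:// pages is refused, while a host that merely starts with 111.com is accepted; the anchored patterns fix both.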

16. Access control

For important site content, besides restricting access with user authentication, other methods can be used, such as restricting by IP or by user_agent. Restricting by IP means limiting the source IP addresses that may access a URL; restricting by user_agent is usually used to block malicious or abnormal requests.

16.1 Access control with Directory

In the virtual host configuration file, add the following:

[root@ying01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

The configuration is as follows:

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn

    <Directory /data/wwwroot/111.com/admin>                    # add the admin directory
        Order deny,allow                                       # evaluate Deny first, then Allow
        Deny from all                                          # deny everyone
        Allow from 127.0.0.1                                   # then allow this IP
    </Directory>

    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$"  img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400"  combined env=!img

</VirtualHost>

Preparation before testing

[root@ying01 111.com]# ls
123.php  1.jpg  1.txt  ceshi.png  index.php
[root@ying01 111.com]# mkdir admin                                    # create the admin directory under 111.com
[root@ying01 111.com]# touch admin/index.php                          # create index.php under admin
[root@ying01 111.com]# echo "qeqe2222" >> admin/index.php 
[root@ying01 111.com]# cat !$
cat admin/index.php
qeqe2222
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl -t         
Syntax OK
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl graceful    # restart httpd

From the allowed IP 127.0.0.1, access the admin directory:

[root@ying01 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php -I        # accessible
HTTP/1.1 200 OK                                                        
Date: Sun, 01 Jul 2018 01:56:52 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@ying01 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php          # the content is returned
qeqe2222


[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/admin/asdsf -I    
HTTP/1.1 404 Not Found                                                      # 404 means access is allowed but the page does not exist
Date: Sun, 01 Jul 2018 02:05:08 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

ifconfig shows the machine has 3 IPs:

[root@ying01 111.com]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.112.136  netmask 255.255.255.0  broadcast 192.168.112.255
        inet6 fe80::16dc:89c:b761:e115  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:87:3f:91  txqueuelen 1000  (Ethernet)
        RX packets 8986  bytes 758369 (740.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4496  bytes 555923 (542.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.112.158  netmask 255.255.255.0  broadcast 192.168.112.255
        ether 00:0c:29:87:3f:91  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0                                 # the address we allowed
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 516  bytes 44492 (43.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 516  bytes 44492 (43.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Now test from IPs other than 127.0.0.1:

[root@ying01 111.com]# curl -x192.168.112.158:80 111.com/admin/index -I
HTTP/1.1 403 Forbidden                                                     # access denied from this IP
Date: Sun, 01 Jul 2018 03:10:05 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@ying01 111.com]# curl -x192.168.112.136:80 111.com/admin/index -I
HTTP/1.1 403 Forbidden                                                    # access denied from this IP
Date: Sun, 01 Jul 2018 03:10:19 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

16.2 Access control with FilesMatch

Edit the virtual host configuration file and add a FilesMatch block that both matches files and restricts by IP:

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn
    <Directory /data/wwwroot/111.com>       # inside the 111.com directory
       <FilesMatch admin.php(.*)>           # match admin.php followed by any characters
          Order deny,allow
          Deny from all
          Allow from 127.0.0.1             # only 127.0.0.1 may access
       </FilesMatch>
    </Directory>
    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$"  img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400"  combined env=!img

</VirtualHost>

With requests matching admin.php, test access from different IPs:

[root@ying01 111.com]# curl -x192.168.112.136:80 http://111.com/admin.phpsaaaaaaaaaaaa -I    # matches admin.php
HTTP/1.1 403 Forbidden                                   # because only 127.0.0.1 may access
Date: Sun, 01 Jul 2018 14:55:48 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@ying01 111.com]# curl -x192.168.112.136:80 'http://111.com/admin.php#aaaaaaaaaaaa' -I   # matches admin.php
HTTP/1.1 403 Forbidden                                   # because only 127.0.0.1 may access
Date: Sun, 01 Jul 2018 15:00:45 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@ying01 111.com]# curl -x127.0.0.1:80 'http://111.com/admin.php#aaaaaaaaaaaa' -I    # single quotes because of the special character #
HTTP/1.1 404 Not Found                                   # the request is allowed through, but no such page exists
Date: Sun, 01 Jul 2018 15:01:10 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/admin.phpsaaaaaaaaaaaa -I
HTTP/1.1 404 Not Found                                   # the request is allowed through, but no such page exists
Date: Sun, 01 Jul 2018 15:02:51 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

Result: only 127.0.0.1 can access pages matching admin.php(.*); other IPs have no permission.

16.3 Disabling PHP parsing in a specific directory

Consider this situation: some sites and forums let users upload images to the server; someone uploads PHP or JS files instead, which we then execute or load, putting our data at risk. To prevent this, we need to restrict the upload types.

Edit the virtual host configuration file and configure the following:

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn
    <Directory /data/wwwroot/111.com/upload>         # define the upload directory under 111.com
       php_admin_flag engine off                     # disable PHP parsing; every request is answered with 403
       <FilesMatch (.*)\.php(.*)>                    # match any characters before and after .php
          Order deny,allow                           # evaluate Deny first, then Allow
          Deny from all                              # deny everyone
       </FilesMatch>
    </Directory>
    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$"  img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400"  combined env=!img

</VirtualHost>

Create the directory, copy 123.php into upload, and reload the configuration, as preparation for the test:

[root@ying01 111.com]# mkdir upload
[root@ying01 111.com]# ls
123.php  1.jpg  1.txt  admin  ceshi.png  index.php  upload
[root@ying01 111.com]# cp 123.php upload/
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl graceful

Test: PHP parsing is disabled, and the source code is not output either:

[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/upload/123.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 01 Jul 2018 15:45:24 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/upload/123.php    # access denied, and the source code is not output either
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/123.php
on this server.<br />
</p>
</body></html>

Now change the configuration again, disabling the FilesMatch part by prefixing it with #

[root@ying01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn
    <Directory /data/wwwroot/111.com/upload>         # define the upload directory under 111.com
       php_admin_flag engine off                     # disable PHP parsing only (on its own this serves the file as plain text; see the test below)
       #<FilesMatch (.*)\.php(.*)>                   # the FilesMatch block is commented out for this test
       #   Order deny,allow
       #   Deny from all
       #</FilesMatch>
    </Directory>
    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$"  img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400"  combined env=!img

</VirtualHost>

After reloading the configuration, test again: PHP is not parsed, but the source code is output:

[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/upload/123.php     # PHP is not parsed; only the source code is output
<?php
echo "123.php";

Summary: for security, we must therefore make the PHP files (matching .php) completely inaccessible, giving them no chance to be parsed.

16.4 Restricting user_agent

User Agent, abbreviated UA, is a special header string that lets the server identify the client's operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plugins and so on.

When accessing with curl, the user_agent value is "curl/7.29.0", so we can use it for the experiment.

Step 1: put the following into the virtual host configuration file

[root@ying01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn
    
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]      # match curl, case-insensitive, OR the next condition
        RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]    # match baidu.com, case-insensitive
        RewriteRule  .*  -  [F]                               # any matched request is answered 403 Forbidden
    </IfModule>

    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$"  img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400"  combined env=!img

</VirtualHost>

Step 2: access 123.php under 111.com directly with curl

[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/123.php -I      
HTTP/1.1 403 Forbidden                              # access denied
Date: Sun, 01 Jul 2018 16:42:05 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

Step 3: specify the user_agent value with curl -A

[root@ying01 111.com]# curl -A "123456" -x127.0.0.1:80 http://111.com/123.php -I    # user_agent set to 123456
HTTP/1.1 200 OK                                     # accessible
Date: Sun, 01 Jul 2018 16:44:13 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@ying01 111.com]# curl -A "ying ying" -x127.0.0.1:80 http://111.com/123.php -I   # user_agent set to ying ying
HTTP/1.1 200 OK                                      # accessible
Date: Sun, 01 Jul 2018 16:45:19 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

Step 4: check the access log; the user_agent values "curl/7.29.0", "123456" and "ying ying" all appear

[root@ying01 111.com]# tail -3 /usr/local/apache2.4/logs/111.com-access_20180702.log 
127.0.0.1 - - [02/Jul/2018:00:42:05 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [02/Jul/2018:00:44:13 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "123456"
127.0.0.1 - - [02/Jul/2018:00:45:19 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "ying ying"

Summary: the user_agent "curl/7.29.0" matches the configuration and is therefore denied; when the user_agent is set with curl -A, the status code is 200.
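As an added example (not from the page), here is a Python check of the rule above against the combined-format access log it writes: it parses each line, applies the two RewriteCond patterns, and reports hits where the logged status disagrees with what the rule predicts. The sample log is constructed: the three lines from the page plus two extra entries.

```python
import re
from collections import Counter

# RewriteCond patterns from the vhost above; [NC] makes them case-insensitive
# and the two conditions are OR-ed, so matching either one yields [F] (403).
BLOCKED_UA_PATTERNS = [re.compile(r".*curl.*", re.IGNORECASE),
                       re.compile(r".*baidu.com.*", re.IGNORECASE)]

# Apache "combined" log format, as written by the CustomLog line in the vhost.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the three lines shown on the page, plus a Baidu spider
# hit logged before the rewrite rule went live and an upper-case curl hit.
SAMPLE_LOG = """\
127.0.0.1 - - [02/Jul/2018:00:42:05 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [02/Jul/2018:00:44:13 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "123456"
127.0.0.1 - - [02/Jul/2018:00:45:19 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "ying ying"
192.168.112.1 - - [02/Jul/2018:00:50:02 +0800] "GET http://111.com/index.php HTTP/1.1" 200 1350 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
192.168.112.1 - - [02/Jul/2018:00:51:40 +0800] "GET http://111.com/index.php HTTP/1.1" 403 - "-" "CURL/7.61.0"
"""


def ua_is_blocked(ua: str) -> bool:
    """Would the RewriteCond/RewriteRule pair above answer 403 for this User-Agent?"""
    return any(p.match(ua) for p in BLOCKED_UA_PATTERNS)


def parse_line(line: str):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def audit(log_text: str):
    """Parse a combined log and check every hit against the UA rule.

    Returns (counter keyed by (user_agent, status), mismatches). A mismatch is
    a line where the rule says "block" but the server answered something other
    than 403 (rule not loaded yet, or request served before the reload), or
    where a non-matching UA still got a 403 from some other restriction.
    """
    counts = Counter()
    mismatches = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        status = int(rec["status"])
        counts[(rec["ua"], status)] += 1
        if ua_is_blocked(rec["ua"]) != (status == 403):
            mismatches.append(rec)
    return counts, mismatches


if __name__ == "__main__":
    counts, mismatches = audit(SAMPLE_LOG)
    for (ua, status), n in sorted(counts.items()):
        print(f"{status} x{n}  {ua}")
    for rec in mismatches:
        print("rule/status mismatch:", rec["time"], rec["ua"], rec["status"])
```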

17. PHP configuration

17.1 The PHP configuration file

Preparation for the experiment: under 111.com, edit index.php with the following content

[root@ying01 ~]# cd /data/wwwroot/111.com
[root@ying01 111.com]# ls
123.php  1.jpg  1.txt  admin  ceshi.png  index.php  upload
[root@ying01 111.com]# vim index.php 

<?php
phpinfo();

Now open index.php in a browser: Loaded Configuration File shows that no configuration file is loaded.

Copy the php.ini-development file to /usr/local/php7/etc/php.ini:

[root@ying01 111.com]# /usr/local/php7/bin/php -i | grep -i 'loaded configuration file'  
Loaded Configuration File => 
[root@ying01 111.com]# cd /usr/local/src/php-7.1.6/
[root@ying01 php-7.1.6]# cp php.ini-development /usr/local/php7/etc/php.ini
[root@ying01 php-7.1.6]#  /usr/local/apache2.4/bin/apachectl graceful

After reloading, open index.php in the browser again: Loaded Configuration File now shows the file is loaded.

17.2 Disabling dangerous functions

Edit the configuration file /usr/local/php7/etc/php.ini

[root@ying01 php-7.1.6]# vim /usr/local/php7/etc/php.ini

In php.ini, search for disable_functions and set it as follows (the value must stay on a single line):

disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo

The functions listed above are all fairly dangerous, and for safety they are normally disabled.

I have also disabled phpinfo here, so the page can no longer be opened.

Although it can no longer be accessed, it still shows the error message on the page. To stop it being displayed:

[root@ying01 php-7.1.6]# vim /usr/local/php7/etc/php.ini

display_errors = off                          # change on to off


[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful

Now refresh the browser again: the result is a blank page.

17.3 Setting up the PHP error log

The danger is gone, but for us administrators this blank page is unfriendly: there is no way to tell what is wrong with it. So we need to set up an error log.

Open the php.ini configuration file again

[root@ying01 php-7.1.6]# vim /usr/local/php7/etc/php.ini


log_errors = On          # must be enabled: set it to On


error_log = /tmp/php_errors.log     # path of the error log file

  • Set the error_reporting level
; Common Values:
;   E_ALL (Show all errors, warnings and notices including coding standards.)
;   E_ALL & ~E_NOTICE  (Show all errors, except for notices)
;   E_ALL & ~E_NOTICE & ~E_STRICT  (Show all errors, except for notices and coding standards warnings.)
;   E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR  (Show only errors)
; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
; Development Value: E_ALL
; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; http://php.net/error-reporting
error_reporting = E_ALL                               # the default is E_ALL; pick a level

Choose the production-environment level:

error_reporting = E_ALL & ~E_NOTICE    # the most common choice in production; a notice is not necessarily an error

Reload and restart the configuration

[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/index.php   # access again: still no output, as expected
[root@ying01 php-7.1.6]# ls /tmp/php_errors.log                                # but the error log we configured now exists
/tmp/php_errors.log

Check the owner of this error log: it is daemon, which is determined by the httpd configuration (the user the httpd worker processes run as):

[root@ying01 php-7.1.6]# ls -l /tmp/php_errors.log 
-rw-r--r-- 1 daemon daemon 1350 7月   2 11:02 /tmp/php_errors.log
[root@ying01 php-7.1.6]# ps aux |grep httpd
root      1471  0.0  0.7 258948 13608 ?        Ss   09:40   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon    2602  0.0  0.6 545776 12344 ?        Sl   10:56   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon    2603  0.0  1.9 1220144 36752 ?       Sl   10:56   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon    2604  0.0  0.8 744496 16400 ?        Sl   10:56   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon    2707  0.0  0.8 613424 16748 ?        Sl   10:57   0:00 /usr/local/apache2.4/bin/httpd -k start
root      2817  0.0  0.0 112724   984 pts/0    S+   11:06   0:00 grep --color=auto httpd
[root@ying01 php-7.1.6]#

View the PHP error log

[root@ying01 php-7.1.6]# cat /tmp/php_errors.log 

[02-Jul-2018 03:02:12 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[root@ying01 php-7.1.6]# 
[root@ying01 php-7.1.6]# vim /data/wwwroot/111.com/2.php                         # create 2.php
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php         # blank page
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php -I      # status code 500
HTTP/1.0 500 Internal Server Error
Date: Mon, 02 Jul 2018 03:12:56 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8

[root@ying01 php-7.1.6]# cat /tmp/php_errors.log            # view the error log

[02-Jul-2018 02:57:11 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[02-Jul-2018 03:02:12 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[02-Jul-2018 03:12:42 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[02-Jul-2018 03:12:56 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
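The log format shown above is easy to mine. As an added example (not from the page), this Python triage groups the entries by type and singles out calls to functions blocked by disable_functions, which after the change in 17.2 are the lines worth alerting on. The sample log is constructed from the page's entries plus one extra line for a script under upload/.

```python
import re
from collections import Counter

# Line format produced with log_errors=On and error_log pointing at a file, e.g.
# [02-Jul-2018 03:02:12 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
PHP_LOG_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?):\s+"
    r"(?P<msg>.*) in (?P<file>\S+) on line (?P<line>\d+)$"
)
# Message PHP emits when a script calls something listed in disable_functions.
DISABLED_RE = re.compile(r"^(?P<func>\w+)\(\) has been disabled for security reasons$")

# Constructed sample: the page's four entries plus one constructed line in
# which a script under upload/ calls system().
SAMPLE_ERROR_LOG = """\
[02-Jul-2018 02:57:11 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[02-Jul-2018 03:02:12 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[02-Jul-2018 03:12:42 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[02-Jul-2018 03:12:56 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[02-Jul-2018 03:40:07 UTC] PHP Warning:  system() has been disabled for security reasons in /data/wwwroot/111.com/upload/x.php on line 1
"""


def parse_php_error(line: str):
    """Split one error_log line into its fields, or return None for other lines."""
    m = PHP_LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> dict:
    """Summarise an error log.

    Returns counts of disabled-function calls keyed by (file, function),
    parse errors keyed by file, and everything else keyed by (level, file).
    """
    disabled_calls, parse_errors, other = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_php_error(line)
        if rec is None:
            continue
        hit = DISABLED_RE.match(rec["msg"])
        if hit:
            disabled_calls[(rec["file"], hit.group("func"))] += 1
        elif rec["level"] == "Parse error":
            parse_errors[rec["file"]] += 1
        else:
            other[(rec["level"], rec["file"])] += 1
    return {"disabled_calls": disabled_calls, "parse_errors": parse_errors, "other": other}


def suspicious_disabled_calls(summary: dict, upload_prefix: str):
    """Disabled-function calls made from files under the upload directory (the 16.3 case)."""
    return sorted(k for k in summary["disabled_calls"] if k[0].startswith(upload_prefix))


if __name__ == "__main__":
    summary = triage(SAMPLE_ERROR_LOG)
    for (path, func), n in summary["disabled_calls"].items():
        print(f"{n:3}  {func}() blocked in {path}")
    print("from upload/:", suspicious_disabled_calls(summary, "/data/wwwroot/111.com/upload/"))
```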

17.4 Configuring open_basedir

If one server runs many sites and one of them is badly written and full of holes, it gets hijacked by an attacker; once one site is taken over, the others are quickly compromised too. How do we prevent this?

  • Set open_basedir in the PHP configuration file

In the PHP configuration file, deliberately write 111.com as 1111.com:

[root@ying01 php-7.1.6]# vim /usr/local/php7/etc/php.ini

open_basedir = /data/wwwroot/1111.com:/tmp

Reload the configuration and test

[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.0 500 Internal Server Error                      # status code 500
Date: Mon, 02 Jul 2018 03:33:14 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8

Check the error log php_errors.log:

[root@ying01 php-7.1.6]# tail -3 /tmp/php_errors.log 

[02-Jul-2018 03:12:42 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[02-Jul-2018 03:12:56 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[02-Jul-2018 03:33:14 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4

In the PHP configuration file, change the wrong directory 1111.com back to 111.com

[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Mon, 02 Jul 2018 03:35:22 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8

  • Restrict each virtual host to its own open_basedir

Configure it in vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf as shown in the figure

After reloading the configuration, the request succeeds:

[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.1 200 OK
Date: Mon, 02 Jul 2018 04:06:09 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php
123[root@ying01 php-7.1.6]#
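Sections 17.2 to 17.4 each set one php.ini directive by hand. As an added example (not from the page), this Python audit reads a php.ini excerpt and flags the weak states discussed above, including an open_basedir that does not cover a vhost's DocumentRoot (the 1111.com slip from the test). The excerpt is constructed; REQUIRED_DISABLED is an assumed minimum subset of the page's list.

```python
import os

# Assumed minimum set to disable (a subset of the page's list): the functions
# that run external commands, load code, or expose the environment.
REQUIRED_DISABLED = {"system", "exec", "shell_exec", "passthru", "popen",
                     "proc_open", "dl", "phpinfo"}

# Constructed php.ini excerpt reflecting the settings made in 17.2-17.4,
# including the deliberately wrong open_basedir entry from the page's test.
SAMPLE_PHP_INI = """\
; constructed excerpt, not a complete php.ini
disable_functions = eval,assert,popen,passthru,exec,system,shell_exec,proc_open,dl,phpinfo
display_errors = off
log_errors = On
error_log = /tmp/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
open_basedir = /data/wwwroot/1111.com:/tmp
"""


def ini_bool(value: str) -> bool:
    """php.ini truthiness: On/1/true/yes are true, everything else is false."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: ';' comments, [sections] skipped, key = value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def path_within(base: str, path: str) -> bool:
    """Lexical containment check (PHP additionally resolves symlinks)."""
    base, path = os.path.normpath(base), os.path.normpath(path)
    return path == base or path.startswith(base + os.sep)


def audit_php_ini(text: str, document_roots) -> list:
    """Return a list of findings; an empty list means every check passed."""
    s = parse_php_ini(text)
    findings = []
    # PHP's built-in defaults are display_errors=1 and log_errors=1.
    if ini_bool(s.get("display_errors", "1")):
        findings.append("display_errors is on: error text reaches the client")
    if not ini_bool(s.get("log_errors", "1")):
        findings.append("log_errors is off: nothing is written to error_log")
    if not s.get("error_log"):
        findings.append("error_log is unset: errors go to the web server's error log only")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    if "eval" in disabled:
        # eval is a language construct, not a function; listing it has no effect.
        findings.append("disable_functions lists eval, a language construct it cannot disable")
    basedirs = [b for b in s.get("open_basedir", "").split(":") if b]
    if not basedirs:
        findings.append("open_basedir is unset")
    for root in document_roots:
        if basedirs and not any(path_within(b, root) for b in basedirs):
            findings.append(f"open_basedir does not cover DocumentRoot {root}")
    return findings


if __name__ == "__main__":
    for finding in audit_php_ini(SAMPLE_PHP_INI, ["/data/wwwroot/111.com"]):
        print("finding:", finding)
```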

18. Installing PHP extension modules

18.1 Downloading and installing a module package

Download the source package

[root@ying01 ~]# cd /usr/local/src/
[root@ying01 src]# wget https://codeload.github.com/phpredis/phpredis/zip/develop

Rename and unpack the archive

[root@ying01 src]# mv develop phpredis-develop.zip               # rename
[root@ying01 src]# unzip phpredis-develop.zip                    # unpack

Generate the configure file

[root@ying01 src]# cd phpredis-develop/
[root@ying01 phpredis-develop]# 
[root@ying01 phpredis-develop]# /usr/local/php7/bin/phpize
Configuring for:
PHP Api Version:         20160303
Zend Module Api No:      20160303
Zend Extension Api No:   320160303
Cannot find autoconf. Please check your autoconf installation and the
$PHP_AUTOCONF environment variable. Then, rerun this script.

It reports that the autoconf package is missing

[root@ying01 phpredis-develop]# yum install -y autoconf

Run it again to generate the configure file

[root@ying01 phpredis-develop]# /usr/local/php7/bin/phpize
Configuring for:
PHP Api Version:         20160303
Zend Module Api No:      20160303
Zend Extension Api No:   320160303
[root@ying01 phpredis-develop]# ls configure
configure

Configure, compile and install

[root@ying01 phpredis-develop]# ./configure --with-php-config=/usr/local/php7/bin/php-config

[root@ying01 phpredis-develop]# make

[root@ying01 phpredis-develop]# make install

Check the directory where extension modules are stored

[root@ying01 phpredis-develop]# /usr/local/php7/bin/php -i |grep extension_dir 
extension_dir => /usr/local/php7/lib/php/extensions/no-debug-zts-20160303 => /usr/local/ph
sqlite3.extension_dir => no value => no value

The directory is still empty; now add a line loading the extension to php.ini

[root@ying01 phpredis-develop]# vim /usr/local/php7/etc/php.ini

Now look at the directory that stores extension modules: the redis.so module we just configured is there

[root@ying01 phpredis-develop]# /usr/local/php7/bin/php -m |grep redis
redis
[root@ying01 zip]# ls /usr/local/php7/lib/php/extensions/no-debug-zts-20160303/
opcache.so  redis.so

18.2 Compiling the extensions bundled with the PHP source

The PHP 7 source package bundles the sources of many extensions. There is no need to download them again; just compile them.

There are many directories under php-7.1.6/ext, one per bundled extension, as the listing below shows.

Now compile one of these modules: zip

[root@ying01 phpredis-develop]#  cd /usr/local/src/php-7.1.6/
[root@ying01 php-7.1.6]# cd ext/                                    # the zip module is in here
[root@ying01 ext]# ls
bcmath      ext_skel            interbase  opcache       pdo_sqlite  skeleton  tokenizer
bz2         ext_skel_win32.php  intl       openssl       pgsql       snmp      wddx
calendar    fileinfo            json       pcntl         phar        soap      xml
com_dotnet  filter              ldap       pcre          posix       sockets   xmlreader
ctype       ftp                 libxml     pdo           pspell      spl       xmlrpc
curl        gd                  mbstring   pdo_dblib     readline    sqlite3   xmlwriter
date        gettext             mcrypt     pdo_firebird  recode      standard  xsl
dba         gmp                 mysqli     pdo_mysql     reflection  sysvmsg   zip
dom         hash                mysqlnd    pdo_oci       session     sysvsem   zlib
enchant     iconv               oci8       pdo_odbc      shmop       sysvshm
exif        imap                odbc       pdo_pgsql     simplexml   tidy

[root@ying01 ext]# /usr/local/php7/bin/php -m |grep zip       # look for zip among the loaded PHP modules: not loaded yet
[root@ying01 ext]# cd zip/
[root@ying01 zip]# ls
config.m4   CREDITS   lib             php_zip.c  tests  zip_stream.c
config.w32  examples  LICENSE_libzip  php_zip.h  TODO
[root@ying01 zip]# /usr/local/php7/bin/phpize
Configuring for:
PHP Api Version:         20160303
Zend Module Api No:      20160303
Zend Extension Api No:   320160303

Configure, compile and install

[root@ying01 zip]# ./configure --with-php-config=/usr/local/php7/bin/php-config          
[root@ying01 zip]# make 
[root@ying01 zip]# make install

Check the directory: the zip.so module is now there

Installing shared extensions:     /usr/local/php7/lib/php/extensions/no-debug-zts-20160303/
[root@ying01 zip]# ls /usr/local/php7/lib/php/extensions/no-debug-zts-20160303/
opcache.so  redis.so  zip.so