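11.28 Disabling PHP parsing for a specific directory
<Directory /data/wwwroot/abc.com/admin>
    # Turn the PHP engine off for everything under this directory
    php_admin_flag engine off
    # Also refuse any request whose file name contains ".php"
    # (2.2-style access control; on Apache 2.4 this needs mod_access_compat)
    <FilesMatch (.*)\.php(.*)>
        order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
Disabling PHP parsing is a way of making the server more secure, especially for directories that are writable.
Writable directories generally do not need to parse PHP; keep this firmly in mind. Directories that hold static files generally should not be allowed to parse PHP.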
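11.29 Restricting user_agent
<IfModule mod_rewrite.c>
    RewriteEngine on
    # Match either condition below, ignoring case
    RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
    # Answer any matching request with 403 Forbidden
    RewriteRule .* - [F]
</IfModule>
OR: means "or". The user_agent may match the current line or the line below it. Without OR, the conditions are combined with "and".
NC: ignore case, because some browsers capitalize the first letter.
F: return Forbidden directly.
Because curl has no user_agent (the address of the previous visit), curl -A "123123" is used to specify a user_agent.
# Custom user_agent; the request goes through, so the user_agent takes effect
curl -A "lsx lsx" -x192.168.211.150:80 discuz2.com/lsx/1.php -I
cat /usr/local/apache2.4/logs/discuz2.com-access_log
192.168.211.150 - - [ +0800] "HEAD HTTP://discuz2.com/lsx/1.php HTTP/1.1" 200 - "-" "lsx lsx"
About curl:
-A: specifies the user_agent
-e: specifies the Referer
-x: equivalent to doing without a hosts entry
-I: shows the status code
11.30 PHP-related configuration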
/usr/local/php/bin/php -i|grep -i "loaded configuration file"
Loaded Configuration File => /usr/local/php/etc/php.ini
If there is no php.ini, copy the template over:
cd /usr/local/src/php-5.6.30/
cp php.ini-development /usr/local/php/etc/php.ini
vim /usr/local/php/etc/php.ini
Search for disable_functions and add these functions after disable_functions =
eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close
Preview:
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
Once functions are disabled they can no longer be called. For example, phpinfo displays the PHP configuration; after it is disabled, a web page can no longer show that output.
Search for date.timezone
Change date.timezone = to
date.timezone = Asia/Shanghai
Search for display_errors
Change display_errors = On to
display_errors = Off
Search for error_log =
Change the error_log = path to
error_log = /tmp/php_errors.log
Search for error_reporting =
Change error_reporting = E_ALL to
error_reporting = E_ALL & ~E_NOTICE
The purpose of open_basedir is to restrict PHP to operating inside the specified directories.
vim /usr/local/php/etc/php.ini
Search for open_basedir = and set it to the allowed directories
open_basedir = /data/wwwroot/111.com:/tmp
Setting this in the virtual host configuration is recommended:
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
Add this line for the specific site:
php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
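To confirm that the 11.30 settings actually landed in php.ini, the following added example (not part of the original notes) reads display_errors, error_log, open_basedir and disable_functions, then reports gaps and duplicate entries. The function names, the list of functions treated as mandatory, and the sample file are assumptions constructed for illustration.

```sh
# Added example: audit a php.ini for the settings from section 11.30.
# Function names and the "must be disabled" list are assumptions.

# ini_get FILE KEY -> value of the last uncommented "KEY = value" line
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# missing_disabled FILE FUNC... -> each FUNC absent from disable_functions
missing_disabled() {
    file=$1; shift
    have=",$(ini_get "$file" disable_functions | tr -d '[:space:]'),"
    for fn in "$@"; do
        case "$have" in *",$fn,"*) ;; *) echo "$fn" ;; esac
    done
}

# duplicate_disabled FILE -> names listed more than once
duplicate_disabled() {
    ini_get "$1" disable_functions | tr -d '[:space:]' | tr ',' '\n' | sort | uniq -d
}

# audit_php_ini FILE -> one line per finding; returns 1 on any FAIL
audit_php_ini() {
    rc=0
    [ "$(ini_get "$1" display_errors | tr 'A-Z' 'a-z')" = off ] ||
        { echo "FAIL display_errors is not Off"; rc=1; }
    [ -n "$(ini_get "$1" error_log)" ] || { echo "FAIL error_log is not set"; rc=1; }
    [ -n "$(ini_get "$1" open_basedir)" ] || echo "WARN open_basedir not set here (check the vhost)"
    for fn in $(missing_disabled "$1" exec system shell_exec passthru popen proc_open); do
        echo "FAIL $fn is not in disable_functions"; rc=1
    done
    for fn in $(duplicate_disabled "$1"); do echo "WARN $fn is listed more than once"; done
    return $rc
}

# Constructed sample php.ini (not from the original page)
write_sample_ini() {
    cat > "$1" <<'EOF'
disable_functions = exec,system, passthru,shell_exec,passthru,popen
display_errors = On
;error_log = /var/log/old.log
error_log = /tmp/php_errors.log
EOF
}

sample=$(mktemp); write_sample_ini "$sample"
audit_php_ini "$sample" || true; rm -f "$sample"
```

Point audit_php_ini at the path reported by php -i, for example /usr/local/php/etc/php.ini. eval is left out of the mandatory list because it is a language construct that disable_functions does not affect.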