Apache限定目錄解析PHP,限制user_agent,PHP相關的配置

時間 2019-11-12

標籤 apache 限定目錄解析 php 限制 user agent 相關配置欄目 Apache 简体版

原文原文鏈接

Apache限定目錄解析PHP

配置前訪問upload/index.php

[root@test-a ~]# curl  -x192.168.77.139:80 'www.test.com/upload/index.php'
This is upload diretory

配置，/usr/local/apache2.4/conf/extra/httpd-vhosts.conf對應的虛擬網站增長以下內容，從新加載配置

<Directory /usr/local/apache2.4/test-webroot/upload>
    php_admin_flag engine off
</Directory>
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful

測試

[root@test-a ~]# curl  -x192.168.77.139:80 'www.test.com/upload/index.php'
<?php
echo "This is upload diretory\n";
?>

雖然解析不了PHP，但會打印源文件，能夠再經過FilesMatch來禁止訪問。配置

<Directory /usr/local/apache2.4/test-webroot/upload>
    <FilesMatch (.*).php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

加載配置文件，測試

[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@test-a ~]# curl  -x192.168.77.139:80 'www.test.com/upload/index.php'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/index.php
on this server.<br />
</p>
</body></html>

限制user_agent

user_agent能夠理解爲瀏覽器標識
須要使用rewrite模塊，去掉httpd.conf中的rewrite_module
配置前訪問

[root@test-a ~]# curl -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:32:20 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:32:20 GMT
Content-Type: text/html; charset=UTF-8
[root@test-a ~]# curl -A myagent -x127.0.0.1:80 "www.qq.com/index.php" -I # 經過選項-A指定user_agent
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:32:35 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:32:35 GMT
Content-Type: text/html; charset=UTF-8

配置，/usr/local/apache2.4/conf/extra/httpd-vhosts.conf對應的虛擬網站增長以下內容，從新加載配置。說明NC(no case)不區分大小寫；OR或者，表示與下面的條件是或的關係；F(forbidden)禁止

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
    RewriteRule  .*  -  [F]
</IfModule>

從新加載配置，測試

[root@test-a ~]# curl -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 403 Forbidden
Date: Wed, 21 Nov 2018 01:39:00 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1
[root@test-a ~]# curl -A myagent -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:39:04 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:39:04 GMT
Content-Type: text/html; charset=UTF-8

PHP相關的配置

查看配置文件路徑
方法1: /usr/local/php/bin/php -i|grep -i "loaded configuration file" # 不過這種方法不許確
方法2: 能夠寫個php文件利用phpinfo()訪問查看php
在使用/usr/local/php/bin/php -i|grep -i "loaded configuration file"時，有警告提示,配置處理html

[root@test-a ~]# /usr/local/php/bin/php -i | grep -i "loaded configuration file"
PHP Warning:  Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in Unknown on line 0
Loaded Configuration File => /usr/local/php/etc/php.ini
#/usr/local/php/etc/php.ini中找到date.timezone設置成
date.timezone=Asia/Shanghai
#
# 加載，測試OK
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful                    [root@test-a ~]# /usr/local/php/bin/php -i | grep -i "loaded configuration file"
Loaded Configuration File => /usr/local/php/etc/php.ini

disable_functions，PHP有諸多內置的函數,有一些函數開放將會很是危險。所以,基於安全考慮應該把一些存在安全風險的函數禁掉(例如:phpinfo會顯示服務器相關信息)

# vim /usr/local/php/etc/php.ini // 搜索disable_functions,編輯成以下
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp ,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsocko pen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_ close

配置error_log

# 從/usr/local/php/etc/php.ini中搜索log_errors,改爲以下
log_errors = On
# 再搜索error_log,改成
error_log = /var/log/php/php_errors.log 
# 再搜索error_reporting,改成 
error_reporting = E_ALL & ~E_NOTICE
# 再搜索display_errors,改成 
display_errors = Off
log_errors能夠設置爲on或者off,若是想讓PHP記錄錯誤日誌,須要設置爲on；
error_log設定錯誤日誌路徑;
error_reporting設定錯誤日誌的級別,E_ALL爲全部類型的日誌,無論是提醒仍是警告 都會記錄。在開發環境下面設置爲E_ALL,能夠方便排查問題,但也會形成日誌記錄不少無心義的內容。&符號表示而且,~表示排除,因此兩個組合在一塊兒就是在E_ALL的基礎上排除掉notice相關的日誌。display_errors設置爲on,則會把錯誤日誌直接顯示在瀏覽器裏,這樣對於用戶訪問來講體驗很差,並且還會暴露網站的一些文件路徑等重要信息,因此要設置爲off。

配置open_basedir，將網站限定在指定目錄裏
默認站點在/usr/local/php/etc/php.ini配置 open_basedir = /tmp:/usr/local/apache2.4/test-webroot
虛擬站點配置是在對應站點目錄配置中配置: php_admin_value open_basedir "/data/wwwroot/www.123.com/:/tmp/"

注意，/tmp的主要做用是網站的一些臨時文件須要訪問該目錄，好比上傳文件時。web

相關標籤/搜索

每日一句

每一个你不满意的现在，都有一个你没有努力的曾经。