1.8.11 Disable PHP parsing in a specific directory
#core config file content
<Directory /data/wwwroot/www.123.com/upload>
php_admin_flag engine off
# <FilesMatch (.*)\.php(.*)>
# Order allow,deny
# Deny from all
# </FilesMatch>
</Directory>
#when tested with curl, the raw PHP source is returned verbatim; it is not parsed
Edit the config and test:
[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName www.111.com
ServerAlias 111.com
<Directory /data/wwwroot/111.com>
php_admin_flag engine off
</Directory>
ErrorLog "logs/111.com-error_log"
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@Dasoncheng ~]# curl www.111.com/admin.php
<?php
echo "Welcome to the page of admin\n"
?>
[root@Dasoncheng ~]# curl www.111.com/admin/index.php
<?php
echo "This page is forbidden;\n"
?>
##As you can see, neither admin.php nor admin/index.php was parsed: curl got the raw PHP source back.
Stopping here is clearly not acceptable: the engine is off, but anyone can now read the source of every .php file in that directory. So what do we do?
Let me show you:
[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName www.111.com
ServerAlias 111.com
<Directory /data/wwwroot/111.com>
php_admin_flag engine off
<FilesMatch (.*)\.php*>
Order allow,deny
Deny from all
</FilesMatch>
</Directory>
ErrorLog "logs/111.com-error_log"
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful
Test:
[root@Dasoncheng ~]# curl www.111.com/admin.php -I
HTTP/1.1 403 Forbidden
[root@Dasoncheng ~]# curl www.111.com/admin/index.php -I
HTTP/1.1 403 Forbidden
Done! Winner winner, chicken dinner...
Purpose: stop someone who can write files into a directory (an upload directory, typically) from getting a malicious PHP script executed there, such as a PHP one-line webshell, and using it to gain a foothold on the server.
A few notes. php_admin_flag engine off is a mod_php setting; on its own it turns a .php file into a plain download, so it is the FilesMatch block that actually keeps the source private. Order allow,deny / Deny from all is Apache 2.2 syntax that works on 2.4 only because mod_access_compat is loaded; the native 2.4 form is Require all denied. Finally, the pattern (.*)\.php* also matches names ending in .ph, .phpp and so on, because p* means "zero or more p"; (.*)\.php(.*), as in the core config above, is the clearer form.
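The following Python script is an added example, not part of the original notes or the course material. It audits a constructed httpd-vhosts.conf fragment (the three <Directory> paths are made up for the demonstration) and reports, for every directory with php_admin_flag engine off, whether .php files are also denied, telling the native 2.4 Require all denied form apart from the 2.2-style Order/Deny used above. It is a text check on the config, not a substitute for the curl test against a running server.

```python
"""Audit <Directory> blocks for "PHP engine off, but .php source still served".

Added example for these notes; it is not from the original page or the
course. It works on a constructed config fragment embedded below.
"""
import re

# Constructed config: three made-up directories showing the three states.
SAMPLE_CONF = r"""
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName www.111.com
    # 1. engine off only: requests for .php files return the raw source
    <Directory /data/wwwroot/111.com/upload>
        php_admin_flag engine off
    </Directory>
    # 2. engine off + 2.2-style deny (needs mod_access_compat on 2.4)
    <Directory /data/wwwroot/111.com/static>
        php_admin_flag engine off
        <FilesMatch (.*)\.php(.*)>
            Order allow,deny
            Deny from all
        </FilesMatch>
    </Directory>
    # 3. engine off + native 2.4 deny
    <Directory /data/wwwroot/111.com/images>
        php_admin_flag engine off
        <FilesMatch "\.php$">
            Require all denied
        </FilesMatch>
    </Directory>
</VirtualHost>
"""

DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^\s">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
FILESMATCH_RE = re.compile(
    r'<FilesMatch\s+"?([^">]+?)"?\s*>(.*?)</FilesMatch>', re.S | re.I)

# Audit outcomes
SOURCE_DISCLOSURE = "SOURCE_DISCLOSURE"   # engine off, .php still readable
DENIED = "DENIED"                         # Require all denied (2.4 native)
DENIED_LEGACY = "DENIED_LEGACY_SYNTAX"    # Order/Deny: needs mod_access_compat


def filesmatch_covers_php(pattern):
    """True if the FilesMatch regex would match a file called x.php."""
    try:
        return re.search(pattern, "x.php") is not None
    except re.error:
        return False


def audit(conf):
    """Return [(directory, outcome)] for every <Directory> that turns the PHP engine off."""
    findings = []
    for m in DIRECTORY_RE.finditer(conf):
        path, body = m.group(1), m.group(2)
        if not re.search(r"php_admin_flag\s+engine\s+off", body, re.I):
            continue
        outcome = SOURCE_DISCLOSURE
        for fm in FILESMATCH_RE.finditer(body):
            pattern, inner = fm.group(1), fm.group(2)
            if not filesmatch_covers_php(pattern):
                continue          # this FilesMatch does not apply to .php files
            if re.search(r"Require\s+all\s+denied", inner, re.I):
                outcome = DENIED
                break
            if re.search(r"Deny\s+from\s+all", inner, re.I):
                outcome = DENIED_LEGACY
        findings.append((path, outcome))
    return findings


if __name__ == "__main__":
    for path, outcome in audit(SAMPLE_CONF):
        print(f"{outcome:24} {path}")
```

Run it as-is to see the three outcomes; point audit() at the text of your own vhost file to check every directory where the engine is switched off.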
1.8.12 Restricting by user_agent
user_agent can be understood as the browser identifier (the User-Agent request header).
Core config file content
<IfModule mod_rewrite.c>
# the rewrite module is used again
RewriteEngine on
# two conditions joined by OR (either one is enough); NC = case-insensitive match on the agent
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
# rule: any request that matched is forbidden (403)
RewriteRule .* - [F]
</IfModule>
curl -A "123123" sets the user_agent
Edit the config:
[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName www.111.com
ServerAlias 111.com
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]
</IfModule>
ErrorLog "logs/111.com-error_log"
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful
Test:
[root@Dasoncheng ~]# curl www.111.com/admin/admin.html -I
HTTP/1.1 403 Forbidden
[root@Dasoncheng ~]# curl -A "baidu.com" www.111.com/admin/admin.html -I
HTTP/1.1 403 Forbidden
[root@Dasoncheng ~]# curl -A "www.baidu.com" www.111.com/admin/admin.html -I
HTTP/1.1 403 Forbidden
[root@Dasoncheng ~]# curl -A "google.com" www.111.com/admin/admin.html
echo "This is a html page"
Tips:
Purpose: restrict access by the source agent (user_agent) to reduce load on the server.
Background: the server is being attacked, and the requests share the same agent, target the same URL and arrive at the same time; blocking on the agent is a quick way to cut off that traffic.
curl -A "aminglinux" sets the agent to aminglinux
curl -e "http://..." sets the Referer to the given URL (http://...)
curl -x host:port sends the request through the given host:port as a proxy, so the domain is resolved there and you do not have to edit the hosts file
curl -I shows only the response headers (status), not the body!
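The following Python script is an added example, not part of the original notes or the course material. It works the background case above end to end on constructed data: it parses log lines in the combined format that the CustomLog directive writes (IPs, times and agents are made up), finds agents that hit the same URL several times within one logged second, emits a RewriteCond block in the same shape as the vhost above, and emulates the [NC,OR] chain so you can check which agents would get a 403 before reloading Apache. It goes one step beyond the page's rule by regex-escaping the substring, so the dot in baidu.com matches a literal dot rather than any character.

```python
"""Find the pattern the notes describe (one User-Agent hitting the same URL
at the same time), then emit and emulate the RewriteCond block that blocks it.

Added example for these notes, not from the original page or the course.
The log lines are constructed in the 'combined' format that the CustomLog
directive above writes; IPs, times and agents are made up.
"""
import re
from collections import Counter

# Constructed sample log (combined format), not a real capture.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2017:10:15:01 +0800] "GET /admin/admin.html HTTP/1.1" 200 21 "-" "curl/7.29.0"
10.0.0.5 - - [20/Oct/2017:10:15:01 +0800] "GET /admin/admin.html HTTP/1.1" 200 21 "-" "curl/7.29.0"
10.0.0.5 - - [20/Oct/2017:10:15:01 +0800] "GET /admin/admin.html HTTP/1.1" 200 21 "-" "curl/7.29.0"
10.0.0.5 - - [20/Oct/2017:10:15:01 +0800] "GET /admin/admin.html HTTP/1.1" 200 21 "-" "curl/7.29.0"
10.0.0.9 - - [20/Oct/2017:10:15:02 +0800] "GET /index.html HTTP/1.1" 200 5 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [20/Oct/2017:10:15:03 +0800] "GET /admin/admin.html HTTP/1.1" 200 21 "http://www.baidu.com/" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
"""

# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_combined(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_hammering_agents(records, threshold=3):
    """Agents that requested the same path at least `threshold` times within one logged second.

    Returns [(agent, path, time, count)] sorted by count, highest first.
    """
    hits = Counter((r["agent"], r["path"], r["time"]) for r in records)
    return sorted(
        [(agent, path, when, n) for (agent, path, when), n in hits.items() if n >= threshold],
        key=lambda x: -x[3],
    )


def rewrite_block(agent_substrings):
    """Build the RewriteCond chain in the shape used in the vhost above.

    Every condition but the last carries OR, so any single match fires the
    rule; NC makes the match case-insensitive. The substring is regex-escaped
    so that a dot in 'baidu.com' means a literal dot.
    """
    subs = list(agent_substrings)
    lines = ["<IfModule mod_rewrite.c>", "RewriteEngine on"]
    for i, s in enumerate(subs):
        flags = "[NC,OR]" if i < len(subs) - 1 else "[NC]"
        lines.append(f"RewriteCond %{{HTTP_USER_AGENT}} .*{re.escape(s)}.* {flags}")
    lines.append("RewriteRule .* - [F]")
    lines.append("</IfModule>")
    return "\n".join(lines)


def would_block(agent, agent_substrings):
    """Emulate the chain: a case-insensitive match on any condition means a 403."""
    return any(re.search(re.escape(s), agent, re.I) for s in agent_substrings)


if __name__ == "__main__":
    records = parse_combined(SAMPLE_LOG)
    for agent, path, when, n in find_hammering_agents(records):
        print(f"{n} hits on {path} at {when} from agent {agent!r}")
    blocked = ["curl", "baidu.com"]        # same two substrings as the vhost above
    print(rewrite_block(blocked))
    for r in records:
        verdict = "403" if would_block(r["agent"], blocked) else "200"
        print(verdict, r["ip"], r["path"], r["agent"])
```

Feed the access log produced by the CustomLog line (logs/111.com-access_YYYYMMDD.log) into parse_combined() to run the same analysis on real traffic; the threshold is a starting point, not a tuned value.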
Several ways to restrict by IP: http://www.lishiming.net/thread-6519-1-1.html
Apache custom headers: http://www.aminglinux.com/bbs/thread-830-1-1.html
Apache KeepAlive and KeepAliveTimeout: http://www.aminglinux.com/bbs/thread-556-1-1.html