Apache: disabling PHP parsing for a directory, restricting user_agent, PHP-related configuration

Apache: disabling PHP parsing for a directory

  • Before the change, request upload/index.php: the script is executed and only its output is returned
[root@test-a ~]# curl  -x192.168.77.139:80 'www.test.com/upload/index.php'
This is upload directory
  • Configuration: add the following inside the matching virtual host in /usr/local/apache2.4/conf/extra/httpd-vhosts.conf, then reload the configuration. php_admin_flag (rather than php_flag) is used so the setting cannot be re-enabled from a .htaccess file or with ini_set()
<Directory /usr/local/apache2.4/test-webroot/upload>
    php_admin_flag engine off
</Directory>
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful
  • Test
[root@test-a ~]# curl  -x192.168.77.139:80 'www.test.com/upload/index.php'
<?php
echo "This is upload directory\n";
?>
  • PHP is no longer executed, but the whole source file is now served as static text (source disclosure: any credentials or logic in a script under upload/ become readable). So additionally deny access to these files with FilesMatch, keeping engine off in place. Configuration:
<Directory /usr/local/apache2.4/test-webroot/upload>
    php_admin_flag engine off
    # matches any name containing "php" after at least one character (the dot is
    # unescaped), so shell.php.jpg is denied as well
    <FilesMatch (.*).php(.*)>
        # Apache 2.2 style access control; on 2.4 it needs mod_access_compat,
        # the native 2.4 form is: Require all denied
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
  • Reload the configuration and test
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@test-a ~]# curl  -x192.168.77.139:80 'www.test.com/upload/index.php'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/index.php
on this server.<br />
</p>
</body></html>
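To see which file names the FilesMatch pattern above actually catches, here is an added shell check that is not part of the original article. Apache evaluates FilesMatch as a PCRE regex against the file's basename; for patterns this simple, grep -E on the same string gives the same answer. STRICT_PATTERN and the sample file names are assumptions made for the demonstration. Two points it makes visible: the article's pattern is case-sensitive while mod_mime maps extensions case-insensitively, so shell.PHP is still handed to PHP (engine off stops execution, but FilesMatch does not stop the source from being served), and it does not cover other extensions such as .phtml, which matters whenever your AddType/AddHandler lines map them to PHP.

```shell
#!/bin/sh
# Added example (not from the original article): check which file names the
# article's FilesMatch pattern denies, versus a stricter pattern.
# FilesMatch uses PCRE on the basename; for these patterns POSIX ERE (grep -E)
# evaluates identically.

# Pattern exactly as written in the article's <FilesMatch>.
PAGE_PATTERN='(.*).php(.*)'

# Assumed stricter pattern: the extensions commonly mapped to mod_php, only as
# a real extension (followed by "." or end of name); used case-insensitively.
STRICT_PATTERN='\.(php[0-9]?|phtml|phar|phps|pht)(\.|$)'

# page_rule NAME -> exit 0 if the article's (case-sensitive) rule denies NAME
page_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$PAGE_PATTERN"
}

# strict_rule NAME -> exit 0 if the stricter, case-insensitive rule denies NAME
strict_rule() {
    printf '%s\n' "$1" | grep -Eiq -- "$STRICT_PATTERN"
}

# Constructed sample of names an attacker might drop into upload/.
SAMPLES='index.php
shell.php.jpg
shell.PHP
shell.phtml
shell.phar
photo.jpg
notes.txt'

# report RULE -> prints "deny NAME" or "serve NAME" for every sample name
report() {
    rule="$1"
    printf '%s\n' "$SAMPLES" | while IFS= read -r name; do
        if "$rule" "$name"; then
            printf 'deny  %s\n' "$name"
        else
            printf 'serve %s\n' "$name"
        fi
    done
}

# served_count RULE -> how many sample names the rule still serves as static
# files (with engine off that means their source is readable)
served_count() {
    report "$1" | grep -c '^serve ' || true
}

printf '== article pattern: %s ==\n' "$PAGE_PATTERN"
report page_rule
printf '== strict pattern: %s ==\n' "$STRICT_PATTERN"
report strict_rule
```

With the article's pattern, shell.PHP, shell.phtml and shell.phar are all served; the stricter pattern leaves only the two non-PHP names readable. Whatever pattern you settle on, it must cover exactly the extensions your own AddType/AddHandler lines hand to PHP.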

Restricting user_agent

  • user_agent can be understood as the browser identifier: the User-Agent header the client itself sends with each request
  • This needs mod_rewrite: in httpd.conf remove the leading # from the LoadModule rewrite_module modules/mod_rewrite.so line
  • Before the change
[root@test-a ~]# curl -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:32:20 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:32:20 GMT
Content-Type: text/html; charset=UTF-8
[root@test-a ~]# curl -A myagent -x127.0.0.1:80 "www.qq.com/index.php" -I # the -A option sets the user_agent
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:32:35 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:32:35 GMT
Content-Type: text/html; charset=UTF-8
  • Configuration: add the following inside the matching virtual host in /usr/local/apache2.4/conf/extra/httpd-vhosts.conf, then reload the configuration. Flags: NC (no case) matches case-insensitively; OR means this condition is OR-ed with the next one; F (forbidden) answers with 403
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
    RewriteRule  .*  -  [F]
</IfModule>
  • Reload the configuration and test
[root@test-a ~]# curl -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 403 Forbidden
Date: Wed, 21 Nov 2018 01:39:00 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1
[root@test-a ~]# curl -A myagent -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:39:04 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:39:04 GMT
Content-Type: text/html; charset=UTF-8
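Before reloading a rule like this, it is useful to replay it against existing traffic and see what it would have denied. The following shell dry-run is an added example, not code from the article: it reimplements the two RewriteCond lines (NC as grep -i, OR as "either condition is enough") and applies them to the User-Agent field of constructed combined-format log lines. The last sample line shows the limit of the approach: a client that sends no User-Agent at all (logged as "-") passes untouched, just as the curl -A myagent request above did, so this filter only turns away tools that announce themselves.

```shell
#!/bin/sh
# Added example (not from the original article): evaluate the article's
# RewriteCond chain offline against sample access-log lines.
# [NC] -> case-insensitive (grep -i); [OR] -> either condition blocks.

# ua_blocked UA -> exit 0 if the rule chain would answer 403 for this agent
ua_blocked() {
    ua="$1"
    printf '%s\n' "$ua" | grep -Eiq -- '.*curl.*' && return 0
    printf '%s\n' "$ua" | grep -Eiq -- '.*baidu.com.*' && return 0
    return 1
}

# Constructed log lines in Apache "combined" format; the User-Agent is the
# last quoted field.
SAMPLE_LOG='192.168.77.1 - - [21/Nov/2018:09:39:00 +0800] "HEAD /index.php HTTP/1.1" 200 - "-" "curl/7.61.1"
192.168.77.1 - - [21/Nov/2018:09:39:04 +0800] "HEAD /index.php HTTP/1.1" 200 - "-" "myagent"
203.0.113.7 - - [21/Nov/2018:09:40:11 +0800] "GET / HTTP/1.1" 200 4123 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
203.0.113.8 - - [21/Nov/2018:09:41:02 +0800] "GET / HTTP/1.1" 200 4123 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/63.0"
203.0.113.9 - - [21/Nov/2018:09:41:30 +0800] "GET /robots.txt HTTP/1.1" 200 25 "-" "CURL-Scanner/1.0"
203.0.113.10 - - [21/Nov/2018:09:42:00 +0800] "GET / HTTP/1.1" 200 4123 "-" "-"'

# ua_from_line LINE -> the User-Agent field of one combined-format line
ua_from_line() {
    printf '%s\n' "$1" | sed -E 's/.*"([^"]*)"[[:space:]]*$/\1/'
}

# dry_run < log -> "403 UA" or "200 UA" per line, as the rule would decide
dry_run() {
    while IFS= read -r line; do
        ua=$(ua_from_line "$line")
        if ua_blocked "$ua"; then
            printf '403 %s\n' "$ua"
        else
            printf '200 %s\n' "$ua"
        fi
    done
}

# blocked_count < log -> number of requests the rule would have denied
blocked_count() {
    dry_run | grep -c '^403 ' || true
}

printf '%s\n' "$SAMPLE_LOG" | dry_run
```

Run it against a real access log with `dry_run < /usr/local/apache2.4/logs/access_log` (path assumed) to see exactly which visitors the rule would start rejecting, including any monitoring or legitimate crawlers whose agent string happens to contain the matched substrings.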

PHP-related configuration

  • Finding the configuration file path
    Method 1: /usr/local/php/bin/php -i|grep -i "loaded configuration file" # not reliable: the php CLI binary can load a different php.ini than the Apache module (different SAPI, PHPRC or scan directory), so it may not show the file the web server actually uses
    Method 2: create a PHP file containing phpinfo() and open it in the browser; its "Loaded Configuration File" row is what the web SAPI really loaded. Delete that file afterwards, since phpinfo() discloses server details

  • Running /usr/local/php/bin/php -i|grep -i "loaded configuration file" prints a warning; fix it in the configuration

[root@test-a ~]# /usr/local/php/bin/php -i | grep -i "loaded configuration file"
PHP Warning:  Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in Unknown on line 0
Loaded Configuration File => /usr/local/php/etc/php.ini
# in /usr/local/php/etc/php.ini find date.timezone and set it to
date.timezone=Asia/Shanghai
# reload Apache (mod_php reads php.ini only at startup; the CLI picks the change up immediately) and test again: the warning is gone
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@test-a ~]# /usr/local/php/bin/php -i | grep -i "loaded configuration file"
Loaded Configuration File => /usr/local/php/etc/php.ini
  • disable_functions. PHP has many built-in functions, and exposing some of them is very dangerous (command execution, process control, file system manipulation). For security, the risky ones should be disabled; phpinfo, for example, reveals server details. Note that eval is a language construct, not a function, so listing it in disable_functions has no effect
# vim /usr/local/php/etc/php.ini // search for disable_functions and set it to the following (add phpinfo as well if you want it blocked)
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,stream_socket_server,proc_open,proc_close
  • Configure error_log
# in /usr/local/php/etc/php.ini search for log_errors and set
log_errors = On
# then search for error_log and set
error_log = /var/log/php/php_errors.log
# then search for error_reporting and set
error_reporting = E_ALL & ~E_NOTICE
# then search for display_errors and set
display_errors = Off
log_errors can be On or Off; set it to On if PHP should record an error log.
error_log sets the path of the error log file; the directory must exist and be writable by the user Apache runs as, otherwise nothing is written.
error_reporting sets which errors are reported. E_ALL covers every type, so notices as well as warnings are recorded. In a development environment E_ALL is convenient for troubleshooting, but it also fills the log with a lot of meaningless entries. & means "and", ~ means "exclude", so the combination is E_ALL minus the notice-level messages. If display_errors is On, errors are shown directly in the browser, which is a poor experience for visitors and, more importantly, exposes file paths and other internal details of the site, so set it to Off.
  • Configure open_basedir to confine the site's PHP scripts to the given directories
    The default site is configured in /usr/local/php/etc/php.ini: open_basedir = /tmp:/usr/local/apache2.4/test-webroot
    A virtual host is configured inside its own site section: php_admin_value open_basedir "/data/wwwroot/www.123.com/:/tmp/"

Note that /tmp is needed because the site writes temporary files there, for example during file uploads. Each entry is matched as a path prefix, not as a directory name, so end every entry with a slash (as the virtual-host form above does): without it, /usr/local/apache2.4/test-webroot would also admit /usr/local/apache2.4/test-webroot-old.
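The settings in this section can be checked mechanically. The following shell audit is an added example, not part of the article: ini_value reads the last active (uncommented) assignment of a key from a php.ini, and audit_php_ini reports every setting that deviates from what this section recommends. The sample ini files it generates are constructed; in practice point it at the "Loaded Configuration File" reported by phpinfo(). Two checks go beyond the article and are my own assumptions: expose_php = Off, which removes the X-Powered-By: PHP/5.6.32 header visible in the curl output earlier, and a minimum set of command-execution functions that disable_functions must contain.

```shell
#!/bin/sh
# Added example (not from the original article): audit php.ini settings.

# ini_value FILE KEY -> value of the last active "KEY = value" line
# (';' comment lines ignored, surrounding whitespace trimmed); empty if unset
ini_value() {
    sed -n -E -e "/^[[:space:]]*$2[[:space:]]*=/!d" \
              -e 's/^[^=]*=[[:space:]]*//' \
              -e 's/[[:space:]]+$//' -e p "$1" | tail -n 1
}

# Command-execution functions disable_functions must contain (assumed minimum).
# eval is deliberately absent: it is a language construct, so disable_functions
# cannot disable it.
REQUIRED_DISABLED='system exec shell_exec passthru popen proc_open'

# audit_php_ini FILE -> one "FAIL: ..." line per weak setting, nothing if clean
audit_php_ini() {
    f="$1"
    [ "$(ini_value "$f" display_errors)" = "Off" ] || echo "FAIL: display_errors should be Off (errors leak file paths to visitors)"
    [ "$(ini_value "$f" log_errors)" = "On" ]      || echo "FAIL: log_errors should be On"
    [ -n "$(ini_value "$f" error_log)" ]           || echo "FAIL: error_log path not set"
    [ -n "$(ini_value "$f" open_basedir)" ]        || echo "FAIL: open_basedir not set"
    [ "$(ini_value "$f" expose_php)" = "Off" ]     || echo "FAIL: expose_php should be Off (removes the X-Powered-By header)"
    disabled=$(ini_value "$f" disable_functions | tr ',' '\n' | tr -d ' ')
    for fn in $REQUIRED_DISABLED; do
        printf '%s\n' "$disabled" | grep -qx "$fn" || echo "FAIL: disable_functions is missing $fn"
    done
}

# audit_count FILE -> number of FAIL lines
audit_count() {
    audit_php_ini "$1" | grep -c '^FAIL' || true
}

# make_weak_ini -> path of a constructed php.ini with several weak settings
make_weak_ini() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
; display_errors = Off    <- commented out, so it does not count
display_errors = On
log_errors = On
error_log = /var/log/php/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
disable_functions = phpinfo,exec,shell_exec
EOF
    printf '%s\n' "$f"
}

# make_hardened_ini -> path of a constructed php.ini following this section
make_hardened_ini() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
display_errors = Off
log_errors = On
error_log = /var/log/php/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
expose_php = Off
open_basedir = /tmp/:/usr/local/apache2.4/test-webroot/
disable_functions = eval,assert,popen,passthru,exec,system,shell_exec,proc_open,phpinfo
EOF
    printf '%s\n' "$f"
}

weak=$(make_weak_ini)
echo "== weak php.ini =="
audit_php_ini "$weak"
rm -f "$weak"
```

On the weak sample the audit reports seven findings (display_errors, open_basedir, expose_php and four missing functions); on the hardened sample it reports none. Because ini_value takes the last active assignment, a commented-out `; display_errors = Off` left above a live `display_errors = On` is correctly reported as a failure.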
