Apache實現防盜鏈
-
防盜鏈就是防止別人的網站代碼裏面盜用服務器的圖片、文件、視頻等相關資源
-
如果別人盜用網站的這些靜態資源,明顯的是會增大服務器的帶寬壓力
-
所以作爲網站的維護人員,要杜絕我們服務器的靜態資源被其他網站盜用
配置規則變量說明
* %{HTTP_ _REFERER}:瀏覽header中的鏈接字段,存放一一個鏈接的URL,代表是從哪個鏈接訪問所需的網頁
!^:不以後面的字符串開頭
.*$:以任意字符結尾
NC:不區分大寫
R:強制跳轉
規則匹配說明
RewriteEngine On:打開網頁重寫功能
RewriteCond:設置匹配規則
RewriteRule:設置跳轉動作
規則匹配
如果相應變量的值匹配所設置的規則,則逐條往下處理;如果不匹配,則往後的規則不再匹配。
Apache防盜鏈實驗
(1)安裝DNS服務的軟件包bind。
[root@localhost ~]# yum install bind -y
......//省略安裝過程
[root@localhost ~]#
(2)對DNS服務的主配置文件進行修改。
[root@localhost ~]# vim /etc/named.conf
options {
listen-on port 53 { any; }; //127.0.0.1改爲any
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; //localhost改爲any
(3)對DNS服務的區域配置文件進行修改。
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "abc.com" IN { //添加一個域名信息
type master;
file "abc.com.zone";
allow-update { none; };
};
(4)查看一下IP地址。
[root@localhost named]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.52.133 netmask 255.255.255.0 broadcast 192.168.52.255
inet6 fe80::3e1d:31ba:f66a:6f80 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:27:1c:3f txqueuelen 1000 (Ethernet)
RX packets 14532 bytes 20210558 (19.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6054 bytes 399142 (389.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(5)保留權限複製一份DNS服務的區域數據配置文件,進行修改。
[root@localhost ~]# cd /var/named/ //切換目錄
[root@localhost named]# ls //查看
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@localhost named]# cp -p named.localhost abc.com.zone //複製
[root@localhost named]# vim abc.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
www IN A 192.168.52.133 //添加IPv4的域名解析
(6)開啓named服務。
[root@localhost named]# systemctl start named //開啓服務
[root@localhost named]# systemctl stop firewalld.service //關閉防火牆
[root@localhost named]# setenforce 0 //關閉增強性安全功能
[root@localhost named]#
(7)在宿主機將我們所需的工具包共享出去。
(8)通過Samba服務將工具包掛載到Linux系統。
[root@localhost ~]# smbclient -L //192.168.100.50/ //查看共享
Enter SAMBA\root's password: //匿名共享,沒有密碼,直接回車
OS=[Windows 10 Enterprise LTSC 2019 17763] Server=[Windows 10 Enterprise LTSC 2019 6.3]
Sharename Type Comment
--------- ---- -------
IPC$ IPC 遠程 IPC
share Disk
tools Disk
Users Disk
Connection to 192.168.100.50 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available
[root@localhost ~]# mkdir /mnt/tools //創建掛載目錄
[root@localhost ~]# mount.cifs //192.168.100.50/tools /mnt/tools/ //掛載
Password for root@//192.168.100.50/tools:
[root@localhost ~]# cd /mnt/tools/ //進入掛載目錄
[root@localhost tools]# ls //查看
awstats-7.6.tar.gz extundelete-0.2.4.tar.bz2 forbid.png jdk-8u191-windows-x64.zip LAMP-C7
cronolog-1.6.2-14.el7.x86_64.rpm fiddler.exe intellijideahahau2018.rar john-1.8.0.tar.gz picture.jpg
[root@localhost tools]#
(9)將源碼編譯安裝Apache服務的壓縮包解壓到“/opt/”目錄。
[root@localhost tools]# cd LAMP-C7/ //切換目錄
[root@localhost LAMP-C7]# ls
apr-1.6.2.tar.gz Discuz_X2.5_SC_UTF8.zip LAMP-php5.6.txt php-5.6.11.tar.bz2
apr-util-1.6.0.tar.gz httpd-2.4.29.tar.bz2 mysql-5.6.26.tar.gz
[root@localhost LAMP-C7]# tar jxvf httpd-2.4.29.tar.bz2 -C /opt/ //解壓
......//省略解壓詳情
[root@localhost LAMP-C7]# tar zxvf apr-1.6.2.tar.gz -C /opt/ //解壓
......//省略解壓詳情
[root@localhost LAMP-C7]# tar zxvf apr-util-1.6.0.tar.gz -C /opt/ //解壓
......//省略解壓詳情
(10)進入“/opt/”目錄,將兩個apr包移動到“httpd-2.4.29/srclib/”目錄,並重命名。
[root@localhost LAMP-C7]# cd /opt/
[root@localhost opt]# ls
apr-1.6.2 apr-util-1.6.0 httpd-2.4.29 rh
[root@localhost opt]# mv apr-1.6.2/ httpd-2.4.29/srclib/apr
[root@localhost opt]# mv apr-util-1.6.0/ httpd-2.4.29/srclib/apr-util
(11)進入“httpd-2.4.29/”目錄,然後安裝編譯所需環境包。
[root@localhost opt]# ls
httpd-2.4.29 rh
[root@localhost opt]# cd httpd-2.4.29/
[root@localhost httpd-2.4.29]# ls
ABOUT_APACHE ap.d CHANGES docs httpd.spec libhttpd.dep Makefile.win README srclib
acinclude.m4 build CMakeLists.txt emacs-style include libhttpd.dsp modules README.cmake support
Apache-apr2.dsw BuildAll.dsp config.layout httpd.dep INSTALL libhttpd.mak NOTICE README.platforms test
Apache.dsw BuildBin.dsp configure httpd.dsp InstallBin.dsp LICENSE NWGNUmakefile ROADMAP VERSIONING
apache_probes.d buildconf configure.in httpd.mak LAYOUT Makefile.in os server
[root@localhost httpd-2.4.29]#
[root@localhost httpd-2.4.29]# yum -y install \
> gcc \
> gcc-c++ \
> make \
> pcre \
> pcre-devel \
> expat-devel \
> zlib-devel \
> perl
......//省略安裝過程
(12)進行對Apache服務器的配置。
[root@localhost httpd-2.4.29]# ./configure \
> --prefix=/usr/local/httpd \ //安裝路徑
> --enable-deflate \ //啓用壓縮模塊支持
> --enable-expires \ //啓用緩存模塊支持
> --enable-so \ //啓用動態加載模塊支持
> --enable-rewrite \ //啓用網頁地址重寫功能
> --enable-charset-lite \ //啓用字符集支持
> --enable-cgi //啓用CGI腳本程序支持
(13)編譯安裝Apache服務。
[root@localhost httpd-2.4.29]# make && make install
......//省略編譯安裝過程
[root@localhost httpd-2.4.29]#
(14)對Apache服務配置文件進行修改
[root@localhost httpd-2.4.29]# ln -s /usr/local/httpd/conf/httpd.conf /etc/httpd.conf //創建軟鏈接,方便使用
[root@localhost httpd-2.4.29]#
Listen 192.168.50.133:80 //開啓IPv4監聽
#Listen 80 //註釋IPv6監聽
#
ServerName www.abc.com:80 //設置域名
(15)將“/mnt/tools/”目錄下的兩張圖片,複製到Apache服務站點目錄“/usr/local/httpd/htdocs/”下。
[root@localhost httpd-2.4.29]# cd /mnt/tools/
[root@localhost tools]# ls
awstats-7.6.tar.gz extundelete-0.2.4.tar.bz2 forbid.png jdk-8u191-windows-x64.zip LAMP-C7
cronolog-1.6.2-14.el7.x86_64.rpm fiddler.exe intellijideahahau2018.rar john-1.8.0.tar.gz picture.jpg
[root@localhost tools]# cp picture.jpg /usr/local/httpd/htdocs/
[root@localhost tools]# cp forbid.png /usr/local/httpd/htdocs/
[root@localhost tools]# cd /usr/local/httpd/htdocs/
[root@localhost htdocs]# ls
forbid.png index.html picture.jpg
[root@localhost htdocs]#
(16)修改主頁文件,將圖片“picture.jpg”添加到首頁。
[root@localhost htdocs]# vim index.html
<html><body><h1>It works!</h1>
<img src="picture.jpg"/>
</body></html>
(17)將“/usr/local/httpd/bin/”目錄下的“apachectl”文件移動到“/etc/init.d/”目錄下,並在文件開頭添加chkconfig識別配置,然後將其添加爲標準的Linux系統服務
[root@localhost htdocs]# cd /opt/httpd-2.4.29/ //切換目錄
[root@localhost httpd-2.4.29]# cp /usr/local/httpd/bin/apachectl /etc/init.d/httpd //複製
[root@localhost httpd-2.4.29]# vim /etc/init.d/httpd //在配置文件添加兩行聲明
# chkconfig: 35 85 21 //服務識別參數,在級別3、5中啓動:啓動和關閉的順序分別爲85、21
# description: Apache is a World Wide Web server //服務描述信息
[root@localhost httpd-2.4.29]# chkconfig --add httpd //將httpd服務添加爲系統服務
[root@localhost httpd-2.4.29]#
[root@localhost httpd-2.4.29]# ln -s /usr/local/httpd/bin/* /usr/local/bin/ //將Apache服務的命令文件,建立軟鏈接到易於系統識別的目錄
[root@localhost htdocs]# apachectl -t //檢查Apache服務配置文件格式
Syntax OK //格式正確
[root@localhost httpd-2.4.29]# service httpd start //啓動Apache服務
[root@localhost httpd-2.4.29]#
(18)我們將win10-1主機的DNS地址改爲Linux系統的IP地址,然後去訪問域名“www.abc.com”,訪問成功。
(19)再給win10-2主機配置靜態IP地址,與LinuxIP地址同網段。然後配置DNS地址爲Linux系統IP地址。然後訪問域名“www.abc.com”,訪問成功。
(20)右擊圖片,點擊屬性。獲取圖片的URL,複製下來。
(21)進入控制面板,按下列圖片進行操作,在win10-2主機搭建web服務。
(22)新建一個TXT文本文件,輸入下圖的內容。然後保存,更改文件名爲“index.html”。並將其移動到web服務的默認站點目錄內。
(23)我們再用win10-1主機去訪問,win10-2主機搭建的站點,可以看到成功盜鏈的“www.abc.com”站點的圖片。
(24)對Apache服務配置文件進行修改,用“ / ”查找關鍵詞“rewrite”,將“ # ”刪除,開啓防盜鏈模塊。然後在下面的標籤內添加規則。
[root@localhost httpd-2.4.29]# vim /etc/httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so //開啓防盜鏈模塊
DocumentRoot "/usr/local/httpd/htdocs"
<Directory "/usr/local/httpd/htdocs"> //標籤最後添加規則
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
RewriteEngine On //以下爲規則
RewriteCond %{HTTP_REFERER} !^http://abc.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://abc.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.abc.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.abc.com/$ [NC]
RewriteRule .*\.(gif|jpg|swf)$ http://www.abc.com/forbid.png //跳轉到我們的防盜鏈圖片
</Directory>
(25)重啓Apache服務。
[root@localhost httpd-2.4.29]# service httpd stop
[root@localhost httpd-2.4.29]# service httpd start
[root@localhost httpd-2.4.29]#
(26)用win10-1主機分別訪問,Linux系統的域名爲“www.abc.com”的站點,和win10-2主機的站點。
此時win10-2主機已經不能盜鏈圖片。
配置Apache隱藏版本信息
-
Apache的版本信息,透露了一定的漏洞信息,從而給網站帶來安全隱患
-
生產環境中要配置Apache隱藏版本信息
-
可使用Fiddler抓包工具分析
Apache隱藏版本信息實驗
(1)接着上個實驗往下做,我們用win10-1主機去訪問“www.abc.com”站點。同時用Fiddler抓包工具進行抓包。此時我們再Headers裏可以看到Apache的版本號。
(2)對Apache服務主配置文件進行修改,開啓子配置文件。
[root@localhost httpd-2.4.29]# vim /etc/httpd.conf
# Various default settings
Include conf/extra/httpd-default.conf //開啓子配置文件
(3)進入默認子配置文件,修改配置文件。然後重啓Apache服務。
[root@localhost httpd-2.4.29]# cd /usr/local/httpd/conf/ //切換目錄
[root@localhost conf]# ls //查看
extra httpd.conf magic mime.types original
[root@localhost conf]# cd extra/ //切換目錄
[root@localhost extra]# ls //查看
httpd-autoindex.conf httpd-default.conf httpd-languages.conf httpd-mpm.conf httpd-ssl.conf httpd-vhosts.conf
httpd-dav.conf httpd-info.conf httpd-manual.conf httpd-multilang-errordoc.conf httpd-userdir.conf proxy-html.conf
[root@localhost extra]# vim httpd-default.conf //編輯配置文件
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod //將Full該爲Pord
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature Off //關閉簽名(默認關閉)
[root@localhost extra]# service httpd stop //關閉服務
[root@localhost extra]# service httpd start //開啓服務
[root@localhost extra]#
(4)再次用win10-1主機訪問站點,查看Fiddler抓包工具抓取的數據包頭部,此時Apache服務的版本號已經隱藏。
