配置防盜鏈、訪問控制

十一週一次課（12月25日）
11.25 配置防盜鏈
11.26 訪問控制Directory
11.27 訪問控制FilesMatch
擴展
幾種限制ip的方法
http://ask.apelearn.com/question/6519

apache 自定義header
http://ask.apelearn.com/question/830

apache的keepalive和keepalivetimeout
http://ask.apelearn.com/question/556

配置防盜鏈
• 通過限制referer來實現防盜鏈的功能，如果referer是本站就能訪問，如果不是就403
• 配置文件增加如下內容

<Directory /data/wwwroot/www.123.com>
        SetEnvIfNoCase Referer "http://www.123.com" local_ref
        SetEnvIfNoCase Referer "http://123.com" local_ref
        SetEnvIfNoCase Referer "^$" local_ref
        <filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">
            Order Allow,Deny
            Allow from env=local_ref
        </filesmatch>
    </Directory>
• curl -e "http://www.aminglinux.com/123.html" 自定義referer
curl -e "http://www.baidu.com/123.txt" -x127.0.0.1:80 123.com/15.png -I
curl -e "http://123.com/123.txt" -x127.0.0.1:80 123.com/15.png -I

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/abc.com"
    ServerName abc.com
    ServerAlias www.abc.com www.111.com
    ErrorLog "logs/abc.com-error_log"
    CustomLog "logs/abc.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/123.com"
    ServerName 123.com
    ServerAlias www.123.com 1123.com.cn
#配置反盜鏈
 <Directory /data/wwwroot/123.com>
        SetEnvIfNoCase Referer "http://www.123.com" local_ref
        SetEnvIfNoCase Referer "http://123.com" local_ref
       # SetEnvIfNoCase Referer "^$" local_ref  
        <filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
          Order Allow,Deny
          Allow from env=local_ref
        </filesmatch>
  </Directory>

    <IfModule mod_expires.c>
     ExpiresActive on
     ExpiresByType image/gif  "access plus 1 days"
     ExpiresByType image/jpeg "access plus 24 hours"
     ExpiresByType image/png "access plus 24 hours" 
     ExpiresByType text/css "now plus 2 hour" 
     ExpiresByType application/x-javascript "now plus 2 hours" 
     ExpiresByType application/javascript "now plus 2 hours" 
     ExpiresByType application/x-shockwave-flash "now plus 2 hours" 
     ExpiresDefault "now plus 0 min" 
    </IfModule> 
    ErrorLog "logs/123.com-error_log" 
    SetEnvIf Request_URI ".*\.gif$" img 
    SetEnvIf Request_URI ".*\.jpg$" img 
    SetEnvIf Request_URI ".*\.png$" img 
    SetEnvIf Request_URI ".*\.bmp$" img 
    SetEnvIf Request_URI ".*\.swf$" img 
    SetEnvIf Request_URI ".*\.js$" img 
    SetEnvIf Request_URI ".*\.css$" img 
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/123.com-access_%Y%m%d.log 86400"  combined env=!img 

</VirtualHost> 

---

訪問控制Directory
• 設置一個目錄只能通過白名單訪問，或者拒絕某個ip訪問。核心配置文件內容

vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
  <Directory /data/wwwroot/www.123.com/admin/>
        Order deny,allow  #排序，這裏是先拒絕在被允許。哪個在前面就先執行哪個，deny在前面就先執行Deny from all再執行Allow 
        Deny from all #拒絕所有
        Allow from 127.0.0.1  #允許本機
    </Directory>

• curl測試狀態碼爲403則

admin目錄下的都是403

訪問控制FilesMatch
Directory是控制目錄。FilesMatch是控制一個鏈接（匹配頁面和後面所帶的參數）
•核心配置文件內容

<Directory /data/wwwroot/123.com>
    <FilesMatch  "admin.php(.*)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>