linux的apache2.4限定某个目录禁止解析PHP及user_agent与PHP相关配置
生活随笔
收集整理的這篇文章主要介紹了
linux的apache2.4限定某个目录禁止解析PHP及user_agent与PHP相关配置
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
限定某個目錄禁止解析PHP
對于使用PHP語言編寫的網站,有一些目錄是有需求上傳文件的,比如服務器可以上傳圖片,并且沒有做防盜鏈,所以就會被人家當成了一個圖片存儲服務器,并且盜用帶寬流量。如果網站代碼有漏洞,讓***上傳了一個用PHP代碼寫的***,由于網站可以執行PHP程序,最終會讓***拿到服務器權限,為了避免這種情況發生,我們需要把能上傳文件的目錄直接禁止解析PHP代碼(不用擔心會影響網站訪問,若這種目錄也需要解析PHP,那說明程序員不合格)
1. 修改虛擬主機配置文件
[root@gary-tao ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf核心配置文件內容:<Directory /data/wwwroot/111.com/upload>php_admin_flag engine off //這一段就可以禁止解析PHP代碼<FilesMatch (.*)\.php(.*)> //這一段就是讓php的文件訪問受到限制,防止php文件的源代碼被查看Order allow,denyDeny from all</FilesMatch></Directory>[root@gary-tao 111.com]# /usr/local/apache2.4/bin/apachectl -t Syntax OK //測試語法 [root@gary-tao 111.com]# /usr/local/apache2.4/bin/apachectl graceful //加載配置 [root@gary-tao 111.com]# mkdir upload //創建一個upload目錄 [root@gary-tao 111.com]# ls 123.php admin index.php qq.png upload [root@gary-tao 111.com]# cp 123.php upload/修改后示例圖
2. 使用curl測試時返回403
[root@gary-tao 111.com]# curl -x172.16.111.100:80 'http://111.com/upload/123.php' -I //直接不給訪問權限 HTTP/1.1 403 Forbidden Date: Tue, 26 Dec 2017 06:19:17 GMT Server: Apache/2.4.29 (Unix) PHP/7.1.6 Content-Type: text/html; charset=iso-8859-1測試需要把下面配置先禁止掉:
<FilesMatch (.*)\.php(.*)> Order allow,denyDeny from all</FilesMatch>[root@gary-tao 111.com]# /usr/local/apache2.4/bin/apachectl -t Syntax OK [root@gary-tao 111.com]# /usr/local/apache2.4/bin/apachectl graceful修改后示例圖:
禁止掉后使用curl后的測試結果:
[root@gary-tao 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' //下例信息說明123.php不能正常解析 <?php echo "123.php"; ?>限制user_agent
user_agent可以理解為瀏覽器標識,針對user_agent來限制一些訪問,比如可以限制一些不太友好的搜索引擎“爬蟲”,你之所以能在百度搜到一些論壇,就是因為百度會派一些“蜘蛛爬蟲”過來抓取網站數據。“蜘蛛爬蟲”抓取數據類似于用戶用瀏覽器訪問網站,當“蜘蛛爬蟲”太多或者訪問太頻繁,就會浪費服務器資源。另外,也可以限制惡意請求,這種惡意請求我們通常稱作cc***,他的原理很簡單,就是用很多用戶的電腦同時訪問同一個站點,當訪問量或者頻率達到一定層次,會耗盡服務器資源,從而使之不能正常提供服務。這種cc***其實有很明顯的規律,其中這些惡意請求的user_agent相同或者相似,那我們就可以通過限制user_agent發揮防***的作用。
1. 針對user_agent來做訪問限制的核心配置文件內容
[root@gary-tao 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf核心配置文件內容<IfModule mod_rewrite.c>RewriteEngine onRewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR] //OR是或者的意思,user_agent匹配curl或者匹配baidu.comRewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC] //NC是忽略大小寫RewriteRule .* - [F] //F是Forbidden</IfModule>[root@gary-tao 111.com]# /usr/local/apache2.4/bin/apachectl -t Syntax OK [root@gary-tao 111.com]# /usr/local/apache2.4/bin/apachectl graceful修改配置示例如下圖:
2.使用curl測試如下:
[root@gary-tao 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /upload/123.php on this server.<br /> </p> </body></html> [root@gary-tao 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' -I HTTP/1.1 403 Forbidden Date: Tue, 26 Dec 2017 07:03:42 GMT Server: Apache/2.4.29 (Unix) PHP/7.1.6 Content-Type: text/html; charset=iso-8859-13.指定user_agent,如果不指定user_agent,那么curl作為user_agent會被限制訪問,從上面測試可以看出。
示例如下:
[root@gary-tao 111.com]# curl -A "xietao xietao" -x127.0.0.1:80 'http://111.com/upload/123.php' -I HTTP/1.1 200 OK Date: Tue, 26 Dec 2017 07:08:20 GMT Server: Apache/2.4.29 (Unix) PHP/7.1.6 Last-Modified: Tue, 26 Dec 2017 06:16:53 GMT ETag: "19-561383aa99f09" Accept-Ranges: bytes Content-Length: 25 Cache-Control: max-age=0 Expires: Tue, 26 Dec 2017 07:08:20 GMT Content-Type: application/x-httpd-php[root@gary-tao 111.com]# tail /usr/local/apache2.4/logs/111.com-access_20171226.log //查看日志 127.0.0.1 - - [26/Dec/2017:14:25:40 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 200 - "-" "curl/7.29.0" 127.0.0.1 - - [26/Dec/2017:14:26:52 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 200 25 "-" "curl/7.29.0" 172.16.111.1 - - [26/Dec/2017:14:29:07 +0800] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.221 Safari/537.36 SE 2.X MetaSr 1.0" 172.16.111.1 - - [26/Dec/2017:14:29:16 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.221 Safari/537.36 SE 2.X MetaSr 1.0" 172.16.111.1 - - [26/Dec/2017:14:29:31 +0800] "GET /uploab/123.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.221 Safari/537.36 SE 2.X MetaSr 1.0" 172.16.111.1 - - [26/Dec/2017:14:29:43 +0800] "GET /upload/123.php HTTP/1.1" 200 25 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.221 Safari/537.36 SE 2.X MetaSr 1.0" 172.16.111.1 - - [26/Dec/2017:14:29:44 +0800] "GET /upload/123.php HTTP/1.1" 200 25 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.221 Safari/537.36 SE 2.X MetaSr 1.0" 127.0.0.1 - - [26/Dec/2017:15:03:15 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0" 127.0.0.1 - - [26/Dec/2017:15:03:42 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0" 127.0.0.1 - - [26/Dec/2017:15:08:20 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 200 - "-" "xietao xietao"解釋說明:
常用配置選項:
使用參數 -A 指定了它的user_agent后就可以訪問。
使用參數 -e 指定referer
使用參數 -x 相對省略本地綁定hosts
使用參數 -I 查看狀態碼
php相關配置
雖然PHP是以httpd一個模塊的形式存在,但是PHP本身也有自己的配置文件。
1. 查看PHP配置文件位置
[root@gary-tao 111.com]# ls 123.php admin index.php qq.png upload [root@gary-tao 111.com]# vi index.php //編輯index文件,輸入以下內容,保存退出。<?php phpinfo(); ?>- 瀏覽器訪問:http://111.com/index.php
- 復制源碼包里開發配置文件
結果如下圖:
解釋說明:
php.ini為PHP的配置文件,可以看出其在/usr/local/php7/etc/php.ini。
2.PHP的disable_functions
PHP有諸多的內置的函數,有一些函數(比如exec)會直接調取linux的系統命令,如果開放將會非常危險,因此,基于安全考慮應該把一些存在安全風險的函數禁掉。
示例如下:
[root@gary-tao php-7.1.6]# vim /usr/local/php7/etc/php.ini //搜索disable_functions,編輯加上如下函數eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo [root@gary-tao php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful //重新加載配置因為加上了phpinfo函數,所以訪問index.php時結果如下:
3.定義date.timezone,如果不定義會導致有告警信息
[root@gary-tao php-7.1.6]# vim /usr/local/php7/etc/php.ini //找到date.timezone定義如下:date.timezone = Asia/Shangahi(或Chongqing)示例圖如下:
4. 配置 error_log
PHP的日志對于程序員來講非常重要,它是排查問題的重要手段。
如果加上了phpinfo函數后,瀏覽器上訪問http://111.com/index.php 就會有信息輸出,這樣也暴露的地址目錄,相對來說也不安全,我們需要把報錯信息也隱藏掉,操作如下:
[root@gary-tao php-7.1.6]# vim /usr/local/php7/etc/php.ini //搜索display_errors定義如下: display_errors = Off [root@gary-tao php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful修改示意圖
瀏覽訪問結果如下:
使用curl測試如下:
[root@gary-tao php-7.1.6]# curl -A "xietao xietao" -x127.0.0.1:80 'http://111.com/index.php' [root@gary-tao php-7.1.6]# curl -A "xietao xietao" -x127.0.0.1:80 'http://111.com/index.php' -I HTTP/1.1 200 OK Date: Tue, 26 Dec 2017 09:02:01 GMT Server: Apache/2.4.29 (Unix) PHP/7.1.6 X-Powered-By: PHP/7.1.6 Cache-Control: max-age=0 Expires: Tue, 26 Dec 2017 09:02:01 GMT Content-Type: text/html; charset=UTF-8總結:配置了display_errors = Off后,瀏覽器訪問沒有任何輸出信息,一片空白,使用curl輸出也是一樣,這樣我們就無法判斷是否有問題,所以需要配置錯誤日志。
修改配置日志示例如下:
[root@gary-tao php-7.1.6]# vim /usr/local/php7/etc/php.ini定義如下: //搜索log_errors 改為 log_errors =On //搜索error_log 改為 /tmp/php/php_errors.log //搜索error_reporting 改為 error_reporting = E_ALL & ~E_NOTICE //搜索display_errors 改為 display_errors = Off[root@gary-tao php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t Syntax OK [root@gary-tao php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful [root@gary-tao php-7.1.6]# curl -A "xietao xietao" -x127.0.0.1:80 'http://111.com/index.php' [root@gary-tao php-7.1.6]# ls /tmp/ pear php_errors.log systemd-private-c13d62a36c594e09a55010e8f304eb60-vmtoolsd.service-1qgl8W [root@gary-tao php-7.1.6]# ls -l /tmp/php_errors.log -rw-r--r-- 1 daemon daemon 290 12月 26 17:13 /tmp/php_errors.log [root@gary-tao php-7.1.6]# ps aux |grep httpd root 5358 0.0 1.4 260000 14804 ? Ss 12月19 0:37 /usr/local/apache2.4/bin/httpd -k graceful daemon 14250 0.0 1.3 546828 13604 ? Sl 17:13 0:00 /usr/local/apache2.4/bin/httpd -k graceful daemon 14251 0.0 1.1 546828 11580 ? Sl 17:13 0:00 /usr/local/apache2.4/bin/httpd -k graceful daemon 14252 0.0 1.8 682124 18552 ? Sl 17:13 0:00 /usr/local/apache2.4/bin/httpd -k graceful root 14340 0.0 0.0 112680 972 pts/0 S+ 17:15 0:00 grep --color=auto httpd [root@gary-tao php-7.1.6]# grep error_log /usr/local/php7/etc/php.ini ; server-specific log, STDERR, or a location specified by the error_log ; Set maximum length of log_errors. In error_log information about the source is error_log = /tmp/php_errors.log ;error_log = syslog ; OPcache error_log file name. Empty string assumes "stderr". ;opcache.error_log= [root@gary-tao php-7.1.6]# touch /tmp/php_errors.log ; chmod 777 /tmp/php_errors.log //因為日志用戶是daemon,日志是隨著httpd的服務啟動,為了保證PHP的錯誤日志所在目錄存在,并且有權限為可寫。 [root@gary-tao php-7.1.6]# cat /tmp/php_errors.log [26-Dec-2017 17:13:35 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2 [26-Dec-2017 17:13:47 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2模擬一個錯誤演示:
[root@gary-tao php-7.1.6]# vim /data/wwwroot/111.com/2.php //編輯如下內容<?php echo 1234.php; adfadgagagag[root@gary-tao php-7.1.6]# curl -A "xietao xietao" -x127.0.0.1:80 http://111.com/2.php [root@gary-tao php-7.1.6]# curl -A "xietao xietao" -x127.0.0.1:80 http://111.com/2.php -I HTTP/1.0 500 Internal Server Error Date: Tue, 26 Dec 2017 09:32:20 GMT Server: Apache/2.4.29 (Unix) PHP/7.1.6 X-Powered-By: PHP/7.1.6 Connection: close Content-Type: text/html; charset=UTF-8出現狀態碼500,這說明我們訪問的頁面是存在錯誤的,此時需要查看PHP的錯誤日志來判定錯誤原因,如下:
[root@gary-tao php-7.1.6]# !cat cat /tmp/php_errors.log [26-Dec-2017 17:13:35 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2 [26-Dec-2017 17:13:47 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2 [26-Dec-2017 17:32:08 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'php' (T_STRING), expecting ',' or ';' in /data/wwwroot/111.com/2.php on line 2 [26-Dec-2017 17:32:20 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'php' (T_STRING), expecting ',' or ';' in /data/wwwroot/111.com/2.php on line 25.配置open_basedir
前言
一個服務器上跑很多網站,小公司為節省成本采用的做法,這樣操作是會有一些弊端:多個網站跑在同一個服務器上,如果其中一個網站被黑,很有可能會連累到其他站點,為了避免這種尷尬的事情發生,我們應當作一些預防手段。
PHP有一個概念叫作open_basedir,它的作用是將網站限定在指定目錄里,就算該站點被黑了,***只能在該目錄下面有所作為,而不能左右其他目錄。如果你的服務器上只有一個站點,那可以直接在php.ini中設置open_basedir參數。但如果服務器上跑的站點比較多,那在php.ini中設置就不合適了,因為在php.ini中只能定義一次,也就是說所有站點都一起定義限定的目錄,那這樣似乎起不到隔離多個站點的目的。
1.使用php.ini設置open_basedir舉例演示:
- 條件:把這個open_basedir地址目錄的111.com目錄下改成錯誤的1111.com
得到如下日志結果,示例如下:
[root@gary-tao php-7.1.6]# vim /usr/local/php7/etc/php.ini //編輯添加open_basedir目錄地址定義如下 open_basedir = /data/wwwroot/1111.com:/tmp [root@gary-tao php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful [root@gary-tao php-7.1.6]# curl -A "xietao xietao" -x127.0.0.1:80 http://111.com/2.php -I HTTP/1.0 500 Internal Server Error Date: Tue, 26 Dec 2017 11:44:40 GMT Server: Apache/2.4.29 (Unix) PHP/7.1.6 X-Powered-By: PHP/7.1.6 Connection: close Content-Type: text/html; charset=UTF-8[root@gary-tao php-7.1.6]# vi /data/wwwroot/111.com/2.php //編輯定義如下,保存退出<?php echo 123;[root@gary-tao php-7.1.6]# curl -A "xietao xietao" -x127.0.0.1:80 http://111.com/2.php -I HTTP/1.0 500 Internal Server Error Date: Tue, 26 Dec 2017 11:47:23 GMT Server: Apache/2.4.29 (Unix) PHP/7.1.6 X-Powered-By: PHP/7.1.6 Connection: close Content-Type: text/html; charset=UTF-8[root@gary-tao php-7.1.6]# !cat cat /tmp/php_errors.log [26-Dec-2017 17:13:35 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2 [26-Dec-2017 17:13:47 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2 [26-Dec-2017 17:32:08 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'php' (T_STRING), expecting ',' or ';' in /data/wwwroot/111.com/2.php on line 2 [26-Dec-2017 17:32:20 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'php' (T_STRING), expecting ',' or ';' in /data/wwwroot/111.com/2.php on line 2 [26-Dec-2017 19:44:40 Asia/Shanghai] PHP Warning: Unknown: open_basedir restriction in effect. File(/data/wwwroot/111.com/2.php) is not within the allowed path(s): (/data/wwwroot/1111.com:/tmp) in Unknown on line 0 [26-Dec-2017 19:44:40 Asia/Shanghai] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0 [26-Dec-2017 19:44:40 Asia/Shanghai] PHP Fatal error: Unknown: Failed opening required '/data/wwwroot/111.com/2.php' (include_path='.:/usr/local/php7/lib/php') in Unknown on line 0 [26-Dec-2017 19:47:23 Asia/Shanghai] PHP Warning: Unknown: open_basedir restriction in effect. File(/data/wwwroot/111.com/2.php) is not within the allowed path(s): (/data/wwwroot/1111.com:/tmp) in Unknown on line 0 [26-Dec-2017 19:47:23 Asia/Shanghai] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0 [26-Dec-2017 19:47:23 Asia/Shanghai] PHP Fatal error: Unknown: Failed opening required '/data/wwwroot/111.com/2.php' (include_path='.:/usr/local/php7/lib/php') in Unknown on line 0- 條件:把這個open_basedir地址目錄改成正確的111.com
2.針對不同的虛擬主機去限制不同的open_basedir。
[root@gary-tao ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf定義如下: php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"[root@gary-tao ~]# /usr/local/apache2.4/bin/apachectl -t Syntax OK [root@gary-tao ~]# /usr/local/apache2.4/bin/apachectl graceful [root@gary-tao ~]# !curl curl -A "a" -x127.0.0.1:80 http://111.com/2.php -I HTTP/1.1 200 OK Date: Tue, 26 Dec 2017 12:34:57 GMT Server: Apache/2.4.29 (Unix) PHP/7.1.6 X-Powered-By: PHP/7.1.6 Cache-Control: max-age=0 Expires: Tue, 26 Dec 2017 12:34:57 GMT Content-Type: text/html; charset=UTF-8[root@gary-tao ~]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php 123[root@gary-tao ~]#修改示例圖:
轉載于:https://blog.51cto.com/taoxie/2054896
總結
以上是生活随笔為你收集整理的linux的apache2.4限定某个目录禁止解析PHP及user_agent与PHP相关配置的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 从根儿上理解mysql_从根儿上理解 M
- 下一篇: 用不同显卡训练gan的区别_面霜质地这么