-?11.28?限定某個(gè)目錄禁止解析php -?11.29?限制user_agent -?11.30/11.31?php相關(guān)配置 -?擴(kuò)展 -?apache開啟壓縮?http://ask.apelearn.com/question/5528 -?apache2.2到2.4配置文件變更?http://ask.apelearn.com/question/7292 -?apache?options參數(shù)?http://ask.apelearn.com/question/1051 -?apache禁止trace或track防止xss?http://ask.apelearn.com/question/1045 -?apache?配置https?支持ssl?http://ask.apelearn.com/question/1029#?11.28?限定某個(gè)目錄禁止解析php-?如果有一個(gè)目錄是可以上傳圖片，但是可能被有心之人上傳php上去，因?yàn)閔ttpd開放了php模塊，所以如果被人上傳了***文件（php類型），httpd就有可能會(huì)進(jìn)行執(zhí)行，一旦執(zhí)行，就會(huì)讓對方獲得我們服務(wù)器的root權(quán)限，或者是被惡意刪除或修改一些參數(shù)，導(dǎo)致服務(wù)器癱瘓或者是被***-?案列：一臺(tái)服務(wù)器，網(wǎng)站被***，但不知道是什么原因，不知道怎么***的，也不知道***到什么程度，只知道他們公司的數(shù)據(jù)庫泄露了，數(shù)據(jù)是一些電話號碼，***并沒有去刪除數(shù)據(jù)，因?yàn)樗肋@個(gè)服務(wù)器的數(shù)據(jù)庫里，電話號碼每天都在增長，他就可以源源不斷的獲得新的電話號碼，獲得的電話號碼可以賣給第三方； -?[?]?解決方式： -?把一個(gè)沒有在這個(gè)服務(wù)器提交過的電話號碼，在這個(gè)服務(wù)器的網(wǎng)站上提交一次，結(jié)果，馬上就有人打電話過來，證明，***獲得電話號碼，到打電話給新的用戶，這套體系，已經(jīng)完全自動(dòng)化了（每天都會(huì)去抓取一個(gè)新的電話號碼來隊(duì)列，然后馬上賣給第三方，第三方馬上打電話給這個(gè)用戶），所以就猜測，網(wǎng)站的程序（php）存在漏洞，另一種可能就是sql注入的漏洞（可以把查詢的sql通過一些特殊的提交，提交到服務(wù)器上，服務(wù)器就會(huì)把這個(gè)sql語句轉(zhuǎn)換成正常的查詢，最終獲得一些數(shù)據(jù)回來）；但是sql注入漏洞，很容易修復(fù)，只要在網(wǎng)站提交的入口，增加一些特殊符號的過濾，就能完全的阻斷sql注入的漏洞。 首先抓包，監(jiān)控?cái)?shù)據(jù)的查詢，因?yàn)殡娫捥柎a是通過查詢了數(shù)據(jù)來的，寫一個(gè)死循環(huán)的腳本，每隔一分鐘抓一次查詢數(shù)據(jù)，抓完以后生成一個(gè)日志文件， 查看日志以后，發(fā)現(xiàn)有一條sql查詢，和網(wǎng)站源生的查詢不一樣，通過日志定位到了時(shí)間點(diǎn)，然后就去web服務(wù)器上查看時(shí)間點(diǎn)的訪問日志，通過日志查看到了一個(gè)非常特殊的請求，名字是以php結(jié)尾的文件，而且這個(gè)php文件是在圖片的目錄下進(jìn)行訪問的，然后去查看這個(gè)php?文件，發(fā)現(xiàn)這個(gè)文件內(nèi)容，是獲取服務(wù)器的權(quán)限，相當(dāng)于在服務(wù)器開了一個(gè)后門；這個(gè)問題產(chǎn)生的根本原因，就是因?yàn)樯蟼鲌D片目錄并沒有禁止解析php-?所謂SQL注入，就是通過把SQL命令插入到Web表單提交或輸入域名或頁面請求的查詢字符串，最終達(dá)到欺騙服務(wù)器執(zhí)行惡意的SQL命令。具體來說，它是利用現(xiàn)有應(yīng)用程序，將（惡意的）SQL命令注入到后臺(tái)數(shù)據(jù)庫引擎執(zhí)行的能力，它可以通過在Web表單中輸入（惡意）SQL語句得到一個(gè)存在安全漏洞的網(wǎng)站上的數(shù)據(jù)庫，而不是按照設(shè)計(jì)者意圖去執(zhí)行SQL語句。[1]??比如先前的很多影視網(wǎng)站泄露VIP會(huì)員密碼大多就是通過WEB表單遞交查詢字符暴出的，這類表單特別容易受到SQL注入式***．. -?那么怎么配置設(shè)置禁止php?解析 -?-?核心配置文件內(nèi)容<Directory?/data/wwwroot/www.123.com/upload>php_admin_flag?engine?off</Directory> -??curl測試時(shí)直接返回了php源代碼，并未解析 -??首先編輯虛擬主機(jī)配置文件 ```#</FilesMatch>?#</Directory><Directory?/data/wwwroot/111.com><FilesMatch??"admin.php(.*)">Order?deny,allowDeny?from?allAllow?from?127.0.0.1</FilesMatch></Directory><Directory?/data/wwwroot/111.com>SetEnvIfNoCase?Referer?"http://111.com"?local_refSetEnvIfNoCase?Referer?"http://aaa.com"?local_refSetEnvIfNoCase?Referer?"^$"?local_ref<FilesMatch?"\.(txt|doc|mp3|zip|rar|jpg|gif|png)">Order?Allow,DenyAllow?from?env=local_ref</FilesMatch></Directory> ``` -?改為 ```#</FilesMatch>?#</Directory><Directory?/data/wwwroot/111.com/upload>php_admin_flag?engine?off<FilesMatch?(.*)\.php(.*)>Order?allow,denyDeny?from?all</FilesMatch></Directory><Directory?/data/wwwroot/111.com><FilesMatch??"admin.php(.*)">Order?deny,allowDeny?from?allAllow?from?127.0.0.1</FilesMatch></Directory><Directory?/data/wwwroot/111.com>SetEnvIfNoCase?Referer?"http://111.com"?local_refSetEnvIfNoCase?Referer?"http://aaa.com"?local_refSetEnvIfNoCase?Referer?"^$"?local_ref :wq??????? ``` -?檢查語法，重新加載配置 ``` [root@localhost?~]#?/usr/local/apache2.4/bin/apachectl?-t Syntax?OK [root@localhost?~]#?/usr/local/apache2.4/bin/apachectl?graceful [root@localhost?~]#?[root@localhost?~]#?cd?/data/wwwroot/111.com [root@localhost?111.com]#?ls 123.php??admin??index.php??qq.png [root@localhost?111.com]#?mkdir?upload [root@localhost?111.com]#?ls 123.php??admin??index.php??qq.png??upload [root@localhost?111.com]#?cp?123.php?upload/[root@localhost?111.com]#?!curl curl?-x127.0.0.1:80?'http://111.com/admin.php?/alsjdf'?-I HTTP/1.1?404?Not?Found Date:?Thu,?12?Oct?2017?12:41:28?GMT Server:?Apache/2.4.27?(Unix)?PHP/7.1.6 Content-Type:?text/html;?charset=iso-8859-1``` -?再來訪問下 ``` [root@localhost?111.com]#?curl?-x127.0.0.1:80?'http://111.com/upload/123.php'?-I HTTP/1.1?403?Forbidden Date:?Thu,?12?Oct?2017?12:42:49?GMT Server:?Apache/2.4.27?(Unix)?PHP/7.1.6 Content-Type:?text/html;?charset=iso-8859-1[root@localhost?111.com]#?curl?-x127.0.0.1:80?'http://111.com/upload/123.php' <!DOCTYPE?HTML?PUBLIC?"-//IETF//DTD?HTML?2.0//EN"> <html><head> <title>403?Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You?don't?have?permission?to?access?/upload/123.php on?this?server.<br?/> </p> </body></html> [root@localhost?111.com]#? ``` -?先把filesmatch?注釋掉 ```#</FilesMatch>?#</Directory><Directory?/data/wwwroot/111.com/upload>php_admin_flag?engine?off#<FilesMatch?(.*)\.php(.*)>#Order?allow,deny#Deny?from?all#</FilesMatch></Directory><Directory?/data/wwwroot/111.com><FilesMatch??"admin.php(.*)">Order?deny,allowDeny?from?allAllow?from?127.0.0.1</FilesMatch></Directory><Directory?/data/wwwroot/111.com>SetEnvIfNoCase?Referer?"http://111.com"?local_refSetEnvIfNoCase?Referer?"http://aaa.com"?local_ref :wq??[root@localhost?111.com]#?/usr/local/apache2.4/bin/apachectl?-t Syntax?OK [root@localhost?111.com]#?/usr/local/apache2.4/bin/apachectl?graceful [root@localhost?111.com]#?``` -?再來訪問 ``` [root@localhost?111.com]#?!curl curl?-x127.0.0.1:80?'http://111.com/upload/123.php' <? echo?"123.php"; [root@localhost?111.com]#? ``` 用windows訪問下看下 -?-?這個(gè)時(shí)候進(jìn)一步限制它?連讓它訪問的機(jī)會(huì)都沒有，更別說去解析php了 -?再次打開配置文件?把剛剛注釋的取消, ``` -???#</Directory><Directory?/data/wwwroot/111.com/upload>php_admin_flag?engine?off<FilesMatch?(.*)\.php(.*)>Order?allow,denyDeny?from?all</FilesMatch>[root@localhost?111.com]#?/usr/local/apache2.4/bin/apachectl?-t Syntax?OK [root@localhost?111.com]#?/usr/local/apache2.4/bin/apachectl?graceful``` -?再來訪問 -?直接提示無法訪問403 禁止php解析，是為讓服務(wù)器更加安全，尤其是針對可以寫的目錄；可以寫的目錄，一般是不需要解析php，這個(gè)需要牢記，一般靜態(tài)文件存放的目錄是不允許解析php?的 #?11.29?限制user_agent -?有時(shí)候，網(wǎng)站會(huì)受到一種叫?cc?***，CC***就是***，通過軟件，肉雞同時(shí)去訪問一個(gè)站點(diǎn)，超過服務(wù)器的并發(fā)，就會(huì)導(dǎo)致站點(diǎn)宕機(jī)；通過肉雞，軟件去訪問站點(diǎn)，就是普通的訪問，沒有什么特殊的，只是讓站點(diǎn)超過并發(fā)導(dǎo)致嚴(yán)重超負(fù)荷而宕機(jī)，所以沒辦法去進(jìn)行控制；所謂CC***都會(huì)有一個(gè)規(guī)律的特征，就是user_agent是一致的，比如同一個(gè)IP、同一個(gè)標(biāo)識、同一個(gè)地址；遇到這種規(guī)律的user_agent頻繁訪問的情況我們就可以判定他就是CC***，我們就可以通過限制他的user_agent?減輕服務(wù)器壓力，只需要讓他從正常訪問的200，限制為403，就能減輕服務(wù)器的壓力，因?yàn)?03僅僅是一個(gè)請求，只會(huì)使用到很少的帶寬，畢竟他沒有牽扯到php?和mysql cc*** -?***者借助代理服務(wù)器生成指向受害主機(jī)的合法請求，實(shí)現(xiàn)DDOS和偽裝就叫：CC(ChallengeCollapsar)。 CC主要是用來***頁面的。大家都有這樣的經(jīng)歷，就是在訪問論壇時(shí)，如果這個(gè)論壇比較大，訪問的人比較多，打開頁面的速度會(huì)比較慢，訪問的人越多，論壇的頁面越多，數(shù)據(jù)庫壓力就越大，被訪問的頻率也越高，占用的系統(tǒng)資源也就相當(dāng)可觀。 -?一個(gè)靜態(tài)頁面不需要服務(wù)器多少資源，甚至可以說直接從內(nèi)存中讀出來發(fā)給你就可以了，但是論壇就不一樣了，我看一個(gè)帖子，系統(tǒng)需要到數(shù)據(jù)庫中判斷我是否有讀帖子的權(quán)限，如果有，就讀出帖子里面的內(nèi)容，顯示出來——這里至少訪問了2次數(shù)據(jù)庫，如果數(shù)據(jù)庫的數(shù)據(jù)容量有200MB大小，系統(tǒng)很可能就要在這200MB大小的數(shù)據(jù)空間搜索一遍，這需要多少的CPU資源和時(shí)間？如果我是查找一個(gè)關(guān)鍵字，那么時(shí)間更加可觀，因?yàn)榍懊娴乃阉骺梢韵薅ㄔ谝粋€(gè)很小的范圍內(nèi)，比如用戶權(quán)限只查用戶表，帖子內(nèi)容只查帖子表，而且查到就可以馬上停止查詢，而搜索肯定會(huì)對所有的數(shù)據(jù)進(jìn)行一次判斷，消耗的時(shí)間是相當(dāng)?shù)拇蟆?CC就是充分利用了這個(gè)特點(diǎn)，模擬多個(gè)用戶（多少線程就是多少用戶）不停的進(jìn)行訪問（訪問那些需要大量數(shù)據(jù)操作，就是需要大量CPU時(shí)間的頁面）.這一點(diǎn)用一個(gè)一般的性能測試軟件就可以做到大量模擬用戶并發(fā)。 -?肉雞?（受***遠(yuǎn)程控制的電腦），肉雞也稱傀儡機(jī)，是指可以被***遠(yuǎn)程控制的機(jī)器。比如用”灰鴿子”等誘導(dǎo)客戶點(diǎn)擊或者電腦被***攻破或用戶電腦有漏洞被種植了***，***可以隨意操縱它并利用它做任何事情。 肉雞通常被用作DDOS***。可以是各種系統(tǒng)，如windows、linux、unix等，更可以是一家公司、企業(yè)、學(xué)校甚至是政府軍隊(duì)的服務(wù)器。-?首先打開虛擬主機(jī)配置文件 ```#<Directory?/data/wwwroot/111.com>#?<FilesMatch?123.php>????#???AllowOverride?AuthConfig?#???AuthName?"111.com?user?auth"?#???AuthType?Basic?#???AuthUserFile?/data/.htpasswd?#???require?valid-user#</FilesMatch>?#</Directory><Directory?/data/wwwroot/111.com/upload>php_admin_flag?engine?off<FilesMatch?(.*)\.php(.*)>Order?allow,denyDeny?from?all</FilesMatch></Directory><Directory?/data/wwwroot/111.com><FilesMatch??"admin.php(.*)">Order?deny,allowDeny?from?allAllow?from?127.0.0.1</FilesMatch></Directory>--?插入?--?????????????????????????????????????????????????????????????44,5??????????61% ``` -?添加配置文件后，然后?檢查配置文件，重新加載配置文件 ```#<Directory?/data/wwwroot/111.com>#?<FilesMatch?123.php>????#???AllowOverride?AuthConfig?#???AuthName?"111.com?user?auth"?#???AuthType?Basic?#???AuthUserFile?/data/.htpasswd?#???require?valid-user#</FilesMatch>?#</Directory><IfModule?mod_rewrite.c>RewriteEngine?onRewriteCond?%{HTTP_USER_AGENT}??.*curl.*?[NC,OR]RewriteCond?%{HTTP_USER_AGENT}??.*baidu.com.*?[NC]RewriteRule??.*??-??[F]</IfModule><Directory?/data/wwwroot/111.com/upload>php_admin_flag?engine?off<FilesMatch?(.*)\.php(.*)>Order?allow,denyDeny?from?all</FilesMatch></Directory><Directory?/data/wwwroot/111.com><FilesMatch??"admin.php(.*)">Order?deny,allow :wq?[root@localhost?111.com]#?vim?/usr/local/apache2.4/conf/extra/httpd-vhosts.conf [root@localhost?111.com]#?/usr/local/apache2.4/bin/apachectl?-t Syntax?OK [root@localhost?111.com]#?/usr/local/apache2.4/bin/apachectl?graceful [root@localhost?111.com]#?```-?再來訪問下 ``` [root@localhost?111.com]#?!curl curl?-x127.0.0.1:80?'http://111.com/upload/123.php' <!DOCTYPE?HTML?PUBLIC?"-//IETF//DTD?HTML?2.0//EN"> <html><head> <title>403?Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You?don't?have?permission?to?access?/upload/123.php on?this?server.<br?/> </p> </body></html> [root@localhost?111.com]#?curl?-x127.0.0.1:80?'http://111.com/upload/123.php'?-I HTTP/1.1?403?Forbidden Date:?Thu,?12?Oct?2017?13:41:04?GMT Server:?Apache/2.4.27?(Unix)?PHP/7.1.6 Content-Type:?text/html;?charset=iso-8859-1[root@localhost?111.com]#?[root@localhost?111.com]#?curl?-x127.0.0.1:80?'http://111.com/123.php'?-I HTTP/1.1?403?Forbidden Date:?Thu,?12?Oct?2017?13:41:49?GMT Server:?Apache/2.4.27?(Unix)?PHP/7.1.6 Content-Type:?text/html;?charset=iso-8859-1[root@localhost?111.com]#?```-?查看下日志文件 ``` [root@localhost?111.com]#?tail?/usr/local/apache2.4/logs/123.com-access_20171012.log 192.168.202.1?-?-?[12/Oct/2017:20:51:50?+0800]?"GET?/favicon.ico?HTTP/1.1"?404?209?"http://111.com/123.php"?"Mozilla/5.0?(Windows?NT?6.1;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/61.0.3163.100?Safari/537.36" 192.168.202.1?-?-?[12/Oct/2017:20:54:14?+0800]?"GET?/123.php?HTTP/1.1"?200?7?"-"?"Mozilla/5.0?(Windows?NT?6.1;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/61.0.3163.100?Safari/537.36" 192.168.202.1?-?-?[12/Oct/2017:20:54:16?+0800]?"GET?/123.php?HTTP/1.1"?200?7?"-"?"Mozilla/5.0?(Windows?NT?6.1;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/61.0.3163.100?Safari/537.36" 192.168.202.1?-?-?[12/Oct/2017:20:54:29?+0800]?"GET?/upload/123.php?HTTP/1.1"?403?223?"-"?"Mozilla/5.0?(Windows?NT?6.1;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/61.0.3163.100?Safari/537.36" 192.168.202.1?-?-?[12/Oct/2017:21:22:31?+0800]?"GET?/upload/123.php?HTTP/1.1"?403?223?"-"?"Mozilla/5.0?(Windows?NT?6.1;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/61.0.3163.100?Safari/537.36" 192.168.202.1?-?-?[12/Oct/2017:21:22:32?+0800]?"GET?/upload/123.php?HTTP/1.1"?403?223?"-"?"Mozilla/5.0?(Windows?NT?6.1;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/61.0.3163.100?Safari/537.36" 192.168.202.1?-?-?[12/Oct/2017:21:22:34?+0800]?"GET?/?HTTP/1.1"?200?7?"-"?"Mozilla/5.0?(Windows?NT?6.1;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/61.0.3163.100?Safari/537.36" 127.0.0.1?-?-?[12/Oct/2017:21:40:54?+0800]?"GET?http://111.com/upload/123.php?HTTP/1.1"?403?223?"-"?"curl/7.29.0" 127.0.0.1?-?-?[12/Oct/2017:21:41:04?+0800]?"HEAD?http://111.com/upload/123.php?HTTP/1.1"?403?-?"-"?"curl/7.29.0" 127.0.0.1?-?-?[12/Oct/2017:21:41:49?+0800]?"HEAD?http://111.com/123.php?HTTP/1.1"?403?-?"-"?"curl/7.29.0" [root@localhost?111.com]#? ``` -?再來試下 -?curl?-A?"aminlinux?aminglinux"?-x127.0.0.1:80?'http://111.com/123.php'?-I?可以crul?-A?可以指定user_agent -?curl?-e?"http://"???也可以指定Referer? -?curl?-x指定， -?crul?-I?僅僅是查看它的狀態(tài)碼 ``` [root@localhost?111.com]#?curl?-A?"aminlinux?aminglinux"?-x127.0.0.1:80?'http://111.com/123.php'?-I HTTP/1.1?200?OK Date:?Thu,?12?Oct?2017?13:47:03?GMT Server:?Apache/2.4.27?(Unix)?PHP/7.1.6 X-Powered-By:?PHP/7.1.6 Content-Type:?text/html;?charset=UTF-8[root@localhost?111.com]#?curl?-A?"aminlinux?aminglinux"?-x127.0.0.1:80?'http://111.com/123.php' 123.php[root@localhost?111.com]#? [root@localhost?111.com]#? [root@localhost?111.com]#? ``` -?來看看訪問日志?user_agent?是"aminlinux?aminglinux" ``` [root@localhost?111.com]#?tail?/usr/local/apache2.4/logs/123.com-access_20171012.log 192.168.202.1?-?-?[12/Oct/2017:20:54:16?+0800]?"GET?/123.php?HTTP/1.1"?200?7?"-"?"Mozilla/5.0?(Windows?NT?6.1;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/61.0.3163.100?Safari/537.36" 192.168.202.1?-?-?[12/Oct/2017:20:54:29?+0800]?"GET?/upload/123.php?HTTP/1.1"?403?223?"-"?"Mozilla/5.0?(Windows?NT?6.1;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/61.0.3163.100?Safari/537.36" 192.168.202.1?-?-?[12/Oct/2017:21:22:31?+0800]?"GET?/upload/123.php?HTTP/1.1"?403?223?"-"?"Mozilla/5.0?(Windows?NT?6.1;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/61.0.3163.100?Safari/537.36" 192.168.202.1?-?-?[12/Oct/2017:21:22:32?+0800]?"GET?/upload/123.php?HTTP/1.1"?403?223?"-"?"Mozilla/5.0?(Windows?NT?6.1;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/61.0.3163.100?Safari/537.36" 192.168.202.1?-?-?[12/Oct/2017:21:22:34?+0800]?"GET?/?HTTP/1.1"?200?7?"-"?"Mozilla/5.0?(Windows?NT?6.1;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/61.0.3163.100?Safari/537.36" 127.0.0.1?-?-?[12/Oct/2017:21:40:54?+0800]?"GET?http://111.com/upload/123.php?HTTP/1.1"?403?223?"-"?"curl/7.29.0" 127.0.0.1?-?-?[12/Oct/2017:21:41:04?+0800]?"HEAD?http://111.com/upload/123.php?HTTP/1.1"?403?-?"-"?"curl/7.29.0" 127.0.0.1?-?-?[12/Oct/2017:21:41:49?+0800]?"HEAD?http://111.com/123.php?HTTP/1.1"?403?-?"-"?"curl/7.29.0" 127.0.0.1?-?-?[12/Oct/2017:21:47:03?+0800]?"HEAD?http://111.com/123.php?HTTP/1.1"?200?-?"-"?"aminlinux?aminglinux" 127.0.0.1?-?-?[12/Oct/2017:21:47:19?+0800]?"GET?http://111.com/123.php?HTTP/1.1"?200?7?"-"?"aminlinux?aminglinux" [root@localhost?111.com]#? ```#?11.30?PHP相關(guān)配置（上） -?查看php配置文件位置-?/usr/local/php/bin/php?-i|grep?-i?"loaded?configuration?file"? -??date.timezone? -??disable_functions eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close? -??error_log,?log_errors,?display_errors,?error_reporting -??open_basedir -??php_admin_value?open_basedir?"/data/wwwroot/111.com:/tmp/"-?列出111.com?目錄下文件目錄?修改inidex.php內(nèi)容 ``` [root@localhost?111.com]#?ls 123.php??admin??index.php??qq.png??upload [root@localhost?111.com]#?vi?index.php<?php echo?"111.com"; ~???????????????????????????????????????????????????????????????????????????????????????? ~????????????????????????????????????????????????????????????????????????????????????????~???????????????????????????????????????????????????????????????????????????????????????? ~???????????????????????????????????????????????????????????????????????????????????????? "index.php"?2L,?22C ``` -?修改為 ``` [root@localhost?111.com]#?vi?index.php<?php phpinfo(); ~???????????????????????????????????????????????????????????????????????????????????????? ~???????????????????????????????????????????????????????????????????????????????????????? ~????????????????????????????????????????????????????????????????????????????????????????:wq ``` -??去php包下面拷貝一個(gè)文件php.ini-development?到/usr/local/php7/etc/php.ini ``` [root@localhost?111.com]#?cd?/usr/local/src/php-7.1.6/ [root@localhost?php-7.1.6]#?cp?php.ini- php.ini-development??php.ini-production??? [root@localhost?php-7.1.6]#?cp?php.ini-development?/usr/local/php7/etc/php.ini [root@localhost?php-7.1.6]#? ``` -?重新加載下配置,再去windows瀏覽器里刷新下看下 ``` [root@localhost?php-7.1.6]#?/usr/local/apache2.4/bin/apachectl?graceful ``` -?打開配置文件vim?/usr/local/php7/etc/php.ini?搜索disable_functions? ``` [root@localhost?php-7.1.6]#?vim?/usr/local/php7/etc/php.ini[PHP];;;;;;;;;;;;;;;;;;; ;?About?php.ini???; ;;;;;;;;;;;;;;;;;;; ;?PHP's?initialization?file,?generally?called?php.ini,?is?responsible?for ;?configuring?many?of?the?aspects?of?PHP's?behavior.;?PHP?attempts?to?find?and?load?this?configuration?from?a?number?of?locations. ;?The?following?is?a?summary?of?its?search?order: ;?1.?SAPI?module?specific?location. ;?2.?The?PHPRC?environment?variable.?(As?of?PHP?5.2.0) ;?3.?A?number?of?predefined?registry?keys?on?Windows?(As?of?PHP?5.2.0) ;?4.?Current?working?directory?(except?CLI) ;?5.?The?web?server's?directory?(for?SAPI?modules),?or?directory?of?PHP ;?(otherwise?in?Windows) ;?6.?The?directory?from?the?--with-config-file-path?compile?time?option,?or?the ;?Windows?directory?(C:\windows?or?C:\winnt) ;?See?the?PHP?docs?for?more?specific?information. ;?http://php.net/configuration.file;?The?syntax?of?the?file?is?extremely?simple.??Whitespace?and?lines ;?beginning?with?a?semicolon?are?silently?ignored?(as?you?probably?guessed). ;?Section?headers?(e.g.?[Foo])?are?also?silently?ignored,?even?though ;?they?might?mean?something?in?the?future.;?Directives?following?the?section?heading?[PATH=/www/mysite]?only ;?apply?to?PHP?files?in?the?/www/mysite?directory.??Directives ;?following?the?section?heading?[HOST=www.example.com]?only?apply?to ;?PHP?files?served?from?www.example.com.??Directives?set?in?these ;?If?-1?is?used,?then?dtoa?mode?0?is?used?which?automatically?select?the?best ;?precision. serialize_precision?=?-1;?open_basedir,?if?set,?limits?all?file?operations?to?the?defined?directory ;?and?below.??This?directive?makes?most?sense?if?used?in?a?per-directory ;?or?per-virtualhost?web?server?configuration?file. ;?http://php.net/open-basedir ;open_basedir?=;?This?directive?allows?you?to?disable?certain?functions?for?security?reasons. ;?It?receives?a?comma-delimited?list?of?function?names. ;?http://php.net/disable-functions disable_functions?=;?This?directive?allows?you?to?disable?certain?classes?for?security?reasons. ;?It?receives?a?comma-delimited?list?of?class?names. ;?http://php.net/disable-classes disable_classes?=;?Colors?for?Syntax?Highlighting?mode.??Anything?that's?acceptable?in ;?<span?style="color:????????">?would?work. ;?http://php.net/syntax-highlighting ;highlight.string??=?#DD0000 ;highlight.comment?=?#FF9900 ;highlight.keyword?=?#007700 ;highlight.default?=?#0000BB314,1?????????15%``` -?默認(rèn)這個(gè)是空的disable_functions?= -?我們把所有的函數(shù)都禁掉 ``` ;?This?directive?allows?you?to?disable?certain?functions?for?security?reasons. ;?It?receives?a?comma-delimited?list?of?function?names. ;?http://php.net/disable-functions disable_functions?=?eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo;?This?directive?allows?you?to?disable?certain?classes?for?security?reasons. ;?It?receives?a?comma-delimited?list?of?class?names. ;?http://php.net/disable-classes disable_classes?=;?Colors?for?Syntax?Highlighting?mode.??Anything?that's?acceptable?in ;?<span?style="color:????????">?would?work. ;?http://php.net/syntax-highlighting ;highlight.string??=?#DD0000 :wq??????[root@localhost?php-7.1.6]#?vim?/usr/local/php7/etc/php.ini [root@localhost?php-7.1.6]#?/usr/local/apache2.4/bin/apachectl?-t Syntax?OK [root@localhost?php-7.1.6]#?/usr/local/apache2.4/bin/apachectl?graceful [root@localhost?php-7.1.6]#?``` -?去windows瀏覽器下刷新訪問， -?當(dāng)然我們會(huì)使用它這個(gè)phpinfo,打開配置文件把phpinfo?去掉 ``` ;?This?directive?allows?you?to?disable?certain?functions?for?security?reasons. ;?It?receives?a?comma-delimited?list?of?function?names. ;?http://php.net/disable-functions disable_functions?=?eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close;?This?directive?allows?you?to?disable?certain?classes?for?security?reasons. ;?It?receives?a?comma-delimited?list?of?class?names. ;?http://php.net/disable-classes disable_classes?=;?Colors?for?Syntax?Highlighting?mode.??Anything?that's?acceptable?in ;?<span?style="color:????????">?would?work. ;?http://php.net/syntax-highlighting ;highlight.string??=?#DD0000 ;highlight.comment?=?#FF9900 ;highlight.keyword?=?#007700 :wq?????[root@localhost?php-7.1.6]#?vim?/usr/local/php7/etc/php.ini [root@localhost?php-7.1.6]#?/usr/local/apache2.4/bin/apachectl?graceful [root@localhost?php-7.1.6]#?``` -?第二個(gè)date.timezone,打開php配置文件?搜素timezone ``` [root@localhost?php-7.1.6]#?vim?/usr/local/php7/etc/php.ini;extension=php_tidy.dll ;extension=php_xmlrpc.dll ;extension=php_xsl.dll;;;;;;;;;;;;;;;;;;; ;?Module?Settings?; ;;;;;;;;;;;;;;;;;;;[CLI?Server] ;?Whether?the?CLI?web?server?uses?ANSI?color?coding?in?its?terminal?output. cli_server.color?=?On[Date] ;?Defines?the?default?timezone?used?by?the?date?functions ;?http://php.net/date.timezone ;date.timezone?=;?http://php.net/date.default-latitude ;date.default_latitude?=?31.7667;?http://php.net/date.default-longitude ;date.default_longitude?=?35.2333;?http://php.net/date.sunrise-zenith ;date.sunrise_zenith?=?90.583333;?http://php.net/date.sunset-zenith937,23????????48% ``` -?定義;date.timezone?=?Asia/Chongqing -?再把disable_functions?=?eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo??加上?phpinfo -?搜索display???把display_errors?=?On?改成Off?也就是說?我不需要把這些錯(cuò)誤信息輸出到瀏覽器里 ``` [root@localhost?php-7.1.6]#?vim?/usr/local/php7/etc/php.ini [root@localhost?php-7.1.6]#?/usr/local/apache2.4/bin/apachectl?-t Syntax?OK [root@localhost?php-7.1.6]#?/usr/local/apache2.4/bin/apachectl?graceful [root@localhost?php-7.1.6]#? ``` -?再訪問下?變成了  -?使用curl?試下 ``` [root@localhost?php-7.1.6]#?curl?-x127.0.0.1:80?http://111.com/index.php <!DOCTYPE?HTML?PUBLIC?"-//IETF//DTD?HTML?2.0//EN"> <html><head> <title>403?Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You?don't?have?permission?to?access?/index.php on?this?server.<br?/> </p> </body></html> ``` -?還是403，是因?yàn)樵O(shè)了user_agent? ``` [root@localhost?php-7.1.6]#?curl?-A?"a"?-x127.0.0.1:80?http://111.com/index.php?-I HTTP/1.1?200?OK Date:?Thu,?12?Oct?2017?14:31:51?GMT Server:?Apache/2.4.27?(Unix)?PHP/7.1.6 X-Powered-By:?PHP/7.1.6 Content-Type:?text/html;?charset=UTF-8[root@localhost?php-7.1.6]#? ``` -?這樣是可以了，只不過他沒有任何的輸出，這個(gè)就不正常了，不是我們想要的，我們不知道它哪里有問題，一切都是未知的，這個(gè)時(shí)候需要配置一個(gè)錯(cuò)誤日志 -?打開配置文件?搜索error_log ``` ;?Log?errors?to?specified?file.?PHP's?default?behavior?is?to?leave?this?value ;?empty. ;?http://php.net/error-log ;?Example: ;error_log?=?php_errors.log ;?Log?errors?to?syslog?(Event?Log?on?Windows). ;error_log?=?syslog``` -?定義error_log?的日志路徑?，還要配置?它的級別，如果你定義的級別很高的話，它僅僅會(huì)記錄一些比較嚴(yán)峻的錯(cuò)誤，一些不太嚴(yán)峻的錯(cuò)誤，他就不計(jì)，像警告的不計(jì)，不計(jì)我也不知道錯(cuò)誤在哪，所以可以把它搞得稍微放松一些，不要那么嚴(yán)謹(jǐn) ``` error_log?=?/tmp/php_errors.log ;?Log?errors?to?syslog?(Event?Log?on?Windows). ;error_log?=?syslog``` -?搜索error_reporting? -?error_reporting?=?E_ALL這個(gè)是最不嚴(yán)謹(jǐn)?shù)?#xff0c;在生產(chǎn)環(huán)境當(dāng)中，我們用E_ALL?&?~E_NOTICE??(Show?all?errors,?except?for?notices)??因?yàn)樵谏a(chǎn)環(huán)境當(dāng)中這個(gè)notice出現(xiàn)頻率很高的 ``` ;?Common?Values: ;???E_ALL?(Show?all?errors,?warnings?and?notices?including?coding?standards.) ;???E_ALL?&?~E_NOTICE??(Show?all?errors,?except?for?notices) ;???E_ALL?&?~E_NOTICE?&?~E_STRICT??(Show?all?errors,?except?for?notices?and?coding?standards?warnings.) ;???E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR??(Show?only?errors) ;?Default?Value:?E_ALL?&?~E_NOTICE?&?~E_STRICT?&?~E_DEPRECATED ;?Development?Value:?E_ALL ;?Production?Value:?E_ALL?&?~E_DEPRECATED?&?~E_STRICT ;?http://php.net/error-reporting error_reporting?=?E_ALL ```-?再來用curl訪問下?,生成了php_errors.log ``` [root@localhost?php-7.1.6]#?vim?/usr/local/php7/etc/php.ini [root@localhost?php-7.1.6]#?/usr/local/apache2.4/bin/apachectl?-t Syntax?OK [root@localhost?php-7.1.6]#?/usr/local/apache2.4/bin/apachectl?graceful[root@localhost?php-7.1.6]#?curl?-A?"a"?-x127.0.0.1:80?http://111.com/index.php [root@localhost?php-7.1.6]#?ls?/tmp/ ks-script-sk5n23 mysql.sock pear php_errors.log systemd-private-40d73240fa4b483bb2b7ae3d299e980d-vmtoolsd.service-w87bfr yum.log [root@localhost?php-7.1.6]#? ``` -?可以看下它的屬主屬組是誰,是daemon，daemon是httpd?的屬主 -?這個(gè)日志實(shí)際上是以這個(gè)進(jìn)程的身份去生成的 ``` [root@localhost?php-7.1.6]#?ls?-l?/tmp/php_errors.log? -rw-r--r--.?1?daemon?daemon?135?10月?12?22:44?/tmp/php_errors.log [root@localhost?php-7.1.6]#?[root@localhost?php-7.1.6]#?ps?aux?|grep?httpd root???????2335??0.0??1.3?258884?13600??????????Ss???20:36???0:00?/usr/local/apache2.4/bin/httpd?-k?graceful daemon?????3636??0.0??1.4?678896?14644??????????Sl???22:43???0:00?/usr/local/apache2.4/bin/httpd?-k?graceful daemon?????3637??0.0??1.0?545712?10400??????????Sl???22:43???0:00?/usr/local/apache2.4/bin/httpd?-k?graceful daemon?????3638??0.0??1.0?545712?10400??????????Sl???22:43???0:00?/usr/local/apache2.4/bin/httpd?-k?graceful root???????3727??0.0??0.0?112680???976?pts/0????S+???22:46???0:00?grep?--color=auto?http [root@localhost?php-7.1.6]#?``` -?這``` [root@localhost?php-7.1.6]#?grep?error_log?/usr/local/php7/etc/php.ini ;?server-specific?log,?STDERR,?or?a?location?specified?by?the?error_log ;?Set?maximum?length?of?log_errors.?In?error_log?information?about?the?source?is error_log?=?/tmp/php_errors.log ;error_log?=?syslog ;?OPcache?error_log?file?name.?Empty?string?assumes?"stderr". ;opcache.error_log= [root@localhost?php-7.1.6]#?[root@localhost?php-7.1.6]#?touch?/tmp/php_errors.log?;?chmod?777?/tmp/php_errors.log?^C [root@localhost?php-7.1.6]#?cat?/tmp/php_errors.log? [12-Oct-2017?14:44:09?UTC]?PHP?Warning:??phpinfo()?has?been?disabled?for?security?reasons?in?/data/wwwroot/111.com/index.php?on?line?2 [root@localhost?php-7.1.6]#? ``` -?phpinfo()?has?been?disabled?for?security?reasons?處于安全的原因把這個(gè)phpinfo?函數(shù)禁掉了-?來模擬一個(gè)錯(cuò)誤 ``` [root@localhost?php-7.1.6]#?vim?/data/wwwroot/111.com/2.php<?php echo?123; alksdkdkdlldldldd ~???????????????????????????????????????????????????????????????????????????????????????? ~????????????????????????????????????????????????????????????????????????????????????????~???????????????????????????????????????????????????????????????????????????????????????? :wq????[root@localhost?php-7.1.6]#?vim?/data/wwwroot/111.com/2.php [root@localhost?php-7.1.6]#?curl?-A?"a"?-x127.0.0.1:80?http://111.com/2.php?-I HTTP/1.0?500?Internal?Server?Error Date:?Thu,?12?Oct?2017?14:54:10?GMT Server:?Apache/2.4.27?(Unix)?PHP/7.1.6 X-Powered-By:?PHP/7.1.6 Connection:?close Content-Type:?text/html;?charset=UTF-8[root@localhost?php-7.1.6]#? ```-?可以看看它的錯(cuò)誤日志?結(jié)果是?syntax?error -?這個(gè)日志級別就比上面的高級了?一個(gè)是Warning?，一個(gè)是error，error?肯定比較嚴(yán)謹(jǐn)，很嚴(yán)重 ``` [root@localhost?php-7.1.6]#?!cat cat?/tmp/php_errors.log? [12-Oct-2017?14:44:09?UTC]?PHP?Warning:??phpinfo()?has?been?disabled?for?security?reasons?in?/data/wwwroot/111.com/index.php?on?line?2 [12-Oct-2017?14:54:10?UTC]?PHP?Parse?error:??syntax?error,?unexpected?end?of?file?in?/data/wwwroot/111.com/2.php?on?line?4 [root@localhost?php-7.1.6]#? ``` -??有時(shí)候，定義了一個(gè)錯(cuò)誤日志，但是這個(gè)錯(cuò)誤日志始終沒有生成，那么就需要檢查一下定義錯(cuò)誤日志所在的目錄，到底httpd有沒有寫權(quán)限， 最保險(xiǎn)的辦法，就是在所在目錄創(chuàng)建一個(gè)錯(cuò)誤日志的文件，然后賦予它777的權(quán)限，這樣就不需要擔(dān)心這個(gè)文件httpd是否有寫權(quán)限了-?前面是一些安全相關(guān)的函數(shù)，下面一個(gè)是怎么樣去打開?調(diào)試?錯(cuò)誤日志的，因?yàn)榕挪橐粋€(gè)問題沒有錯(cuò)誤日志是不行的#?11.31?PHP相關(guān)配置（下） -?下面來介紹一個(gè)安全相關(guān)的參數(shù) -??open_basedir -??php_admin_value?open_basedir?"/data/wwwroot/111.com:/tmp/" -?安全相關(guān)的參數(shù) 一臺(tái)服務(wù)器上，運(yùn)行了多個(gè)站點(diǎn)，有一臺(tái)服務(wù)器假如代碼有問題，結(jié)果這個(gè)站點(diǎn)被******了，被***拿到了權(quán)限，***拿了權(quán)限肯定會(huì)繼續(xù)往里***，繼續(xù)往里***，就會(huì)有可能***到其他的站點(diǎn)，同時(shí)導(dǎo)致其他的站點(diǎn)被黑 open_basedir??限制不能串崗 open_basedir?=?/data/wwwroot/1111.com:/tmp 這里配置?/tmp的目的是因?yàn)?#xff0c;打開任何文件的時(shí)候都會(huì)產(chǎn)生一個(gè)緩存文件，如果不允許/tmp的話會(huì)導(dǎo)致任何站點(diǎn)都沒有辦法訪問-?打開php配置文件,搜索open_basedir ``` [root@localhost?php-7.1.6]#?vim?/usr/local/php7/etc/php.ini;?open_basedir,?if?set,?limits?all?file?operations?to?the?defined?directory ;?and?below.??This?directive?makes?most?sense?if?used?in?a?per-directory ;?or?per-virtualhost?web?server?configuration?file. ;?http://php.net/open-basedir ;open_basedir?=``` -?定義?open_basedir?=?/data/wwwroot/111.com:/tmp -?假如故意寫錯(cuò)，現(xiàn)在?open_basedir?=?/data/wwwroot/1111.com:/tmp ``` open_basedir?=?/data/wwwroot/1111.com:/tmp;?This?directive?allows?you?to?disable?certain?functions?for?security?reasons. ;?It?receives?a?comma-delimited?list?of?function?names. ;?http://php.net/disable-functions disable_functions?=?eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo:wq?? ```-?訪問下``` [root@localhost?php-7.1.6]#?curl?-A?"a"?-x127.0.0.1:80?http://111.com/2.php?-I HTTP/1.0?500?Internal?Server?Error Date:?Thu,?12?Oct?2017?15:10:58?GMT Server:?Apache/2.4.27?(Unix)?PHP/7.1.6 X-Powered-By:?PHP/7.1.6 Connection:?close Content-Type:?text/html;?charset=UTF-8 ``` -?把2.php改正，同樣還是錯(cuò)誤500``` [root@localhost?php-7.1.6]#?vi?/data/wwwroot/111.com/2.php<?php echo?123; alksdkdkdlldldldd ~???????????????????????????????????????????????????????????????????????????????????????? ~???????????????????????????????????????????????????????????????????????????????????????? ~?????????? [root@localhost?php-7.1.6]#?vi?/data/wwwroot/111.com/2.php改正了 <?php echo?123; ~???????????????????????????????????????????????????????????????????????????????????????? ~????????????????????????????????????????????????????????????????????????????????????????~???????????????????????????????????????????????????????????????????????????????????????? ~???????????????????????????????????????????????????????????????????????????????????????? :wq[root@localhost?php-7.1.6]#?vi?/data/wwwroot/111.com/2.php [root@localhost?php-7.1.6]#?curl?-A?"a"?-x127.0.0.1:80?http://111.com/2.php?-I HTTP/1.0?500?Internal?Server?Error Date:?Thu,?12?Oct?2017?15:13:37?GMT Server:?Apache/2.4.27?(Unix)?PHP/7.1.6 X-Powered-By:?PHP/7.1.6 Connection:?close Content-Type:?text/html;?charset=UTF-8[root@localhost?php-7.1.6]#?```-?看看它的錯(cuò)誤輸出?/data/wwwroot/111.com/2.php)?is?not?within?the?allowed?path(s):?(/data/wwwroot/1111.com:/tmp)?in?Unknown?on?line?0???2.php并沒有在運(yùn)行的目錄下，所以它才是把報(bào)錯(cuò)500``` [root@localhost?php-7.1.6]#?!cat cat?/tmp/php_errors.log? [12-Oct-2017?14:44:09?UTC]?PHP?Warning:??phpinfo()?has?been?disabled?for?security?reasons?in?/data/wwwroot/111.com/index.php?on?line?2 [12-Oct-2017?14:54:10?UTC]?PHP?Parse?error:??syntax?error,?unexpected?end?of?file?in?/data/wwwroot/111.com/2.php?on?line?4 [12-Oct-2017?15:10:58?UTC]?PHP?Warning:??Unknown:?open_basedir?restriction?in?effect.?File(/data/wwwroot/111.com/2.php)?is?not?within?the?allowed?path(s):?(/data/wwwroot/1111.com:/tmp)?in?Unknown?on?line?0 [12-Oct-2017?15:10:58?UTC]?PHP?Warning:??Unknown:?failed?to?open?stream:?Operation?not?permitted?in?Unknown?on?line?0 [12-Oct-2017?15:10:58?UTC]?PHP?Fatal?error:??Unknown:?Failed?opening?required?'/data/wwwroot/111.com/2.php'?(include_path='.:/usr/local/php7/lib/php')?in?Unknown?on?line?0 [12-Oct-2017?15:13:37?UTC]?PHP?Warning:??Unknown:?open_basedir?restriction?in?effect.?File(/data/wwwroot/111.com/2.php)?is?not?within?the?allowed?path(s):?(/data/wwwroot/1111.com:/tmp)?in?Unknown?on?line?0 [12-Oct-2017?15:13:37?UTC]?PHP?Warning:??Unknown:?failed?to?open?stream:?Operation?not?permitted?in?Unknown?on?line?0 [12-Oct-2017?15:13:37?UTC]?PHP?Fatal?error:??Unknown:?Failed?opening?required?'/data/wwwroot/111.com/2.php'?(include_path='.:/usr/local/php7/lib/php')?in?Unknown?on?line?0 [root@localhost?php-7.1.6]#? ```-?現(xiàn)在進(jìn)入php配置文件?把它改成?改到我們這個(gè)目錄下 ``` open_basedir?=?/data/wwwroot/111.com:/tmp;?This?directive?allows?you?to?disable?certain?functions?for?security?reasons. ;?It?receives?a?comma-delimited?list?of?function?names. ;?http://php.net/disable-functions disable_functions?=?eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo;?This?directive?allows?you?to?disable?certain?classes?for?security?reasons. ;?It?receives?a?comma-delimited?list?of?class?names. ;?http://php.net/disable-classes disable_classes?= :wq[root@localhost?php-7.1.6]#?vim?/usr/local/php7/etc/php.ini [root@localhost?php-7.1.6]#?/usr/local/apache2.4/bin/apachectl?-t Syntax?OK [root@localhost?php-7.1.6]#?/usr/local/apache2.4/bin/apachectl?graceful [root@localhost?php-7.1.6]#?curl?-A?"a"?-x127.0.0.1:80?http://111.com/2.php 123[root@localhost?php-7.1.6]#?``` -?這個(gè)時(shí)候就不會(huì)報(bào)錯(cuò)，就可以訪問-?但是改php.ini呢，有點(diǎn)問題，如果這個(gè)服務(wù)器上跑了N多個(gè)站點(diǎn)，怎么去做限制呢？你的網(wǎng)站全部再/wwwroot/目錄下?，限定在這個(gè)級別下，這又有何用呢？這個(gè)目錄下所有的網(wǎng)站，他都可以來去自如，不合適，那怎么樣才合適，你應(yīng)該針對這些站點(diǎn)，針對這些網(wǎng)站?針對他們?nèi)プ鰋pen_basedir，咱們php.ini是做不到的，因?yàn)閜hp.ini?是針對所有站點(diǎn)的， -?但是還有一個(gè)方法，去apache虛擬主機(jī)配置文件里去做 -?進(jìn)入配置文件,改回來 ``` ;?http://php.net/open-basedir open_basedir?=?;?This?directive?allows?you?to?disable?certain?functions?for?security?reasons. ;?It?receives?a?comma-delimited?list?of?function?names. ;?http://php.net/disable-functions disable_functions?=?eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo;?This?directive?allows?you?to?disable?certain?classes?for?security?reasons. ;?It?receives?a?comma-delimited?list?of?class?names. ;?http://php.net/disable-classes disable_classes?= :wq??????? ```-??進(jìn)入apache?虛擬主機(jī)配置文件 ``` [root@localhost?php-7.1.6]#?vim?/usr/local/apache2.4/conf/extra/httpd-vhosts.conf<VirtualHost?*:80>DocumentRoot?"/data/wwwroot/abc.com"ServerName?abc.comServerAlias?www.abc.com?www.123.comphp_admin_value?open_basedir?"/data/wwwroot/abc.com:/tmp/"ErrorLog?"logs/abc.com-error_log"CustomLog?"logs/abc.com-access_log"?common </VirtualHost><VirtualHost?*:80>DocumentRoot?"/data/wwwroot/111.com"ServerName?111.comServerAlias?www.example.com?2111.com.cn#<Directory?/data/wwwroot/111.com>#?<FilesMatch?123.php>????#???AllowOverride?AuthConfig?#???AuthName?"111.com?user?auth"?#???AuthType?Basic?#???AuthUserFile?/data/.htpasswd?#???require?valid-user#</FilesMatch>?#</Directory>php_admin_value?open_basedir?"/data/wwwroot/111.com:/tmp/[root@localhost?php-7.1.6]#?vim?/usr/local/apache2.4/conf/extra/httpd-vhosts.conf [root@localhost?php-7.1.6]#?/usr/local/apache2.4/bin/apachectl?-t Syntax?OK [root@localhost?php-7.1.6]#?/usr/local/apache2.4/bin/apachectl?graceful [root@localhost?php-7.1.6]#?!curl curl?-A?"a"?-x127.0.0.1:80?http://111.com/2.php 123[root@localhost?php-7.1.6]#?``` -?這樣就可以了，針對不同的虛擬主機(jī)?限制不同的open_basedir###?擴(kuò)展 -?[?]?apache開啟壓縮?http://ask.apelearn.com/question/5528-?這里的壓縮并不是對網(wǎng)站的圖片壓縮，而是對普通的靜態(tài)文件，諸如html,?js,?css?等元素壓縮。不要小看這個(gè)壓縮功能，如果一個(gè)網(wǎng)站的請求量很大的話，這樣可以節(jié)省海量帶寬，在我國帶寬資源非常昂貴，所以小小的一個(gè)壓縮功能可以為企業(yè)節(jié)省不少的成本呢！下面就來看看如何配置它？-?首先，需要看一下我們的apache是否支持壓縮功能。? /usr/local/apache2/bin/apachectl?-l 看看是否有mod_deflate 如果這里沒有，那繼續(xù)看一下? ls?/usr/local/apache2/modules/ 下面有沒有?mod_deflate.so?這個(gè)文件-?如果這里也沒有，那說明你的apache不支持壓縮，需要重編譯一下，或者擴(kuò)展形式安裝，或者重新編譯apache,?需要在編譯的時(shí)候，加上??--enable-deflate=shared??-?好，如果你的apache有了deflate這個(gè)模塊支持，也就支持了壓縮功能。-?下面該配置httpd.conf?了。 在httpd.conf?中增加?：LoadModule?deflate_module?modules/mod_deflate.so-?然后再增加如下配置：DeflateCompressionLevel?5 AddOutputFilterByType?DEFLATE?text/html?text/plain?text/xml? AddOutputFilter?DEFLATE?js?css-?其中DeflateCompressionLevel??是指壓縮程度的等級，從1到9，9是最高等級。-?[?]?apache2.2到2.4配置文件變更?http://ask.apelearn.com/question/7292-?指令控制了在特定目錄中將使用哪些服務(wù)器特性。Options屬性有一個(gè)非常特別的功能：?如果你沒有用“+”或者“-”來增加或者減少一個(gè)功能的時(shí)候，每個(gè)之前定義的Options的所有功能都會(huì)被取消，?直到你又為它指定一些功能。所以options屬性在整體設(shè)置和虛擬主機(jī)設(shè)置的是不相關(guān)的，?互相不起作用，因?yàn)樗麄冊谔囟ǖ姆秶鷥?nèi)被重載了。??如果要在虛擬主機(jī)里面使用在整體設(shè)置中的Options的設(shè)置，?那么就不要在虛擬主機(jī)設(shè)置中指定Options屬性。如果要增加或者減少功能，?那么用“+”或者“-”符號來實(shí)??Options??指令控制了在特定目錄中將使用哪些服務(wù)器特性。??可選項(xiàng)能設(shè)置為??None??，在這種情況下，將不啟用任何額外特性。或設(shè)置為以下選項(xiàng)中的一個(gè)或多個(gè)：?? -?All?除MultiViews之外的所有特性。這是默認(rèn)設(shè)置。? ExecCGI?允許執(zhí)行CGI腳本.? -?FollowSymLinks?服務(wù)器會(huì)在此目錄中使用符號連接。??注意：即便服務(wù)器會(huì)使用符號連接，但它不會(huì)改變用于匹配配置段的路徑名。?如果此配置位于配置段中，則此設(shè)置會(huì)被忽略。 Includes?允許服務(wù)器端包含。 IncludesNOEXEC?允許服務(wù)器端包含，但禁用#exec命令和#exec?CGI。但仍可以從ScriptAliase目錄使用#include?虛擬CGI腳本。? Indexes?如果一個(gè)映射到目錄的URL被請求，而此目錄中又沒有DirectoryIndex（例如：index.html）那么服務(wù)器會(huì)返回一個(gè)格式化后的目錄?列表。? MultiViews?允許內(nèi)容協(xié)商的多重視圖。? SymLinksIfOwnerMatch?服務(wù)器僅在符號連接與其目的目錄或文件擁有者具有同樣的用戶id時(shí)才使用它。??注意：如果此配置出現(xiàn)在配置段中，此選項(xiàng)將被忽略。??一般來說，如果一個(gè)目錄被多次設(shè)置了??Options??，則最特殊的一個(gè)會(huì)被完全接受，而各個(gè)可選項(xiàng)的設(shè)定彼此并不融合。然而，如果所有施用于??Options??指令的可選項(xiàng)前都加有+或-符號，此可選項(xiàng)將被合并。所有前面加有+號的可選項(xiàng)將強(qiáng)制覆蓋當(dāng)前可選項(xiàng)設(shè)置，而所有前面有-號的可選項(xiàng)將強(qiáng)制從當(dāng)前可選項(xiàng)設(shè)置中去除。?? -?比如說，沒有任何+和-符號：Options?Indexes?FollowSymLinksOptions?Includes??-?則只有??Includes??設(shè)置到/web/docs/spec目錄上。 然而如果第二個(gè)??Options??指令使用了+和-符號：Options?Indexes?FollowSymLinksOptions?+Includes?-Indexes-?那么就會(huì)有??FollowSymLinks??和??Includes??設(shè)置到/web/docs/spec目錄上。-?[?]?apache?options參數(shù)?http://ask.apelearn.com/question/1051 -?參考：?http://www.dotblogs.com.tw/maple?...?e24_httpd_conf.aspx1.??訪問控制 2.2?的時(shí)候 Order?deny,allow Deny?from?all 在?2.4?需要改成 Require?all?denied常用的配置有： Require?all?denied??? Require?all?granted??? Require?host?xxx.com??? Require?ip?192.168.1?192.168.2??? Require?local2.?RewriteLogLevel??變?yōu)?#xff1a;logLevel 如，LogLevel?warn?rewrite:?warn3.?Namevirtualhost?被移除4.?網(wǎng)站壓縮，除了使用mod_deflate，還要mod_filter 使用ssl，除了使用mod_ssl，還需要mod_socache_shmcb-?[?]?apache禁止trace或track防止xss?http://ask.apelearn.com/question/1045 -?TRACE和TRACK是用來調(diào)試web服務(wù)器連接的HTTP方式。 支持該方式的服務(wù)器存在跨站腳本漏洞，通常在描述各種瀏覽器缺陷的時(shí)候，把"Cross-Site-Tracing"簡稱為XST。 ***者可以利用此漏洞欺騙合法用戶并得到他們的私人信息。禁用trace可以使用rewrite功能來實(shí)現(xiàn) RewriteEngine?On RewriteCondi?%{REQUEST_METHOD}?^TRACE RewriteRule?.*?-?[F]或者還可以直接在apache的配置文件中配置相應(yīng)參數(shù) TraceEnable?off-?[?]?apache?配置https?支持ssl?http://ask.apelearn.com/question/10291.?安裝openssl? apache2.0?建議安裝0.9版本，我曾經(jīng)試過2.0.59?對openssl-1.0編譯不過去 下載Openssl：http://www.openssl.org/source/tar?-zxf?openssl-0.9.8k.tar.gz????//解壓安裝包???cd?openssl-0.9.8k?????????????????//進(jìn)入已經(jīng)解壓的安裝包???./config??????????????????????????//配置安裝。推薦使用默認(rèn)配置???make?&&?make?install??????????????//編譯及安裝??? openssl默認(rèn)將被安裝到/usr/local/ssl?2.?讓apache支持ssl，編譯的時(shí)候，要指定ssl支持。 靜態(tài)或者動(dòng)態(tài) 靜態(tài)方法即??--enable-ssl=static?--with-ssl=/usr/local/ssl 動(dòng)態(tài)方法??--enable-ssl=shared?--with-ssl=/usr/local/ssl 其中第二種方法會(huì)在module/?目錄下生成?mod_ssl.so?模塊，而靜態(tài)不會(huì)有，當(dāng)然第二種方法也需要在httpd.conf?中加入 LoadModule?ssl_module?modules/mod_ssl.so???3.?1????創(chuàng)建私鑰?? 在創(chuàng)建證書請求之前，您需要首先生成服務(wù)器證書私鑰文件。?? cd?/usr/local/ssl/bin????????????????????//進(jìn)入openssl安裝目錄?? openssl?genrsa?-out?server.key?2048??????//運(yùn)行openssl命令，生成2048位長的私鑰server.key文件。如果您需要對?server.key?添加保護(hù)密碼，請使用?-des3?擴(kuò)展命令。Windows環(huán)境下不支持加密格式私鑰，Linux環(huán)境下使用加密格式私鑰時(shí)，每次重啟Apache都需要您輸入該私鑰密碼（例：openssl?genrsa?-des3?-out?server.key?2048）。? cp?server.key???/usr/local/apache/conf/ssl.key/3.2????生成證書請求（CSR）文件??? openssl?req?-new?-key?server.key?-out?certreq.csr??? Country?Name：???????????????????????????//您所在國家的ISO標(biāo)準(zhǔn)代號，中國為CN??? State?or?Province?Name：?????????????????//您單位所在地省/自治區(qū)/直轄市??? Locality?Name：??????????????????????????//您單位所在地的市/縣/區(qū)??? Organization?Name：??????????????????????//您單位/機(jī)構(gòu)/企業(yè)合法的名稱??? Organizational?Unit?Name：???????????????//部門名稱??? Common?Name：????????????????????????????//通用名，例如：www.itrus.com.cn。此項(xiàng)必須與您訪問提供SSL服務(wù)的服務(wù)器時(shí)所應(yīng)用的域名完全匹配。??? Email?Address：??????????????????????????//您的郵件地址，不必輸入，直接回車跳過??? "extra"attributes????????????????????????//以下信息不必輸入，回車跳過直到命令執(zhí)行完畢。?3.3????備份私鑰并提交證書請求??? 請將證書請求文件certreq.csr提交給天威誠信，并備份保存證書私鑰文件server.key，等待證書的簽發(fā)。服務(wù)器證書密鑰對必須配對使用，私鑰文件丟失將導(dǎo)致證書不可用。?4.安裝證書 4.1?獲取服務(wù)器證書中級CA證書??? 為保障服務(wù)器證書在客戶端的兼容性，服務(wù)器證書需要安裝兩張中級CA證書(不同品牌證書，可能只有一張中級證書)。??? 從郵件中獲取中級CA證書：??? 將證書簽發(fā)郵件中的從BEGIN到?END結(jié)束的兩張中級CA證書內(nèi)容（包括“-----BEGIN?CERTIFICATE-----”和“-----END?CERTIFICATE-----”）粘貼到同一個(gè)記事本等文本編輯器中，中間用回車換行分隔。修改文件擴(kuò)展名，保存為conf/ssl.crt/intermediatebundle.crt文件(如果只有一張中級證書，則只需要保存并安裝一張中級證書)。??? 4.2?獲取EV服務(wù)器證書??? 將證書簽發(fā)郵件中的從BEGIN到?END結(jié)束的服務(wù)器證書內(nèi)容（包括“-----BEGIN?CERTIFICATE-----”和“-----END?CERTIFICATE-----”）?粘貼到記事本等文本編輯器中，保存為ssl.crt/server.crt文件?4.3?apache的配置?2.0的配置 httpd.conf?中增加 ``` Listen??443 NameVirtualHost?*:443DocumentRoot?"/data/web/www"ServerName?aaa.com:443ErrorLog?"logs/error.log"CustomLog?"logs/access.log"?combinedSSLEngine?onSSLCertificateFile?/usr/local/apache/conf/ssl.crt/server.crtSSLCertificateKeyFile?/usr/local/apache/conf/ssl.key/server.keySSLCertificateChainFile?/usr/local/apache/conf/ssl.crt/intermediatebundle.crt ```

轉(zhuǎn)載于:https://blog.51cto.com/ch71smas/1971889

與50位技術(shù)專家面對面20年技術(shù)見證，附贈(zèng)技術(shù)全景圖

總結(jié)

以上是生活随笔為你收集整理的11.28 限定某个目录禁止解析php 11.29 限制user_agent 11.30/11.31 php相关配置的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。