• 周日. 11月 27th, 2022

5G编程聚合网

5G时代下一个聚合的编程学习网

热门标签

LAMP架构二

admin

11月 28, 2021

安装PHP7

1.查看php配置文件信息(phpinfo),php有两个配置文件开发环境和生产环境

[[email protected] php-5.6.30]# /usr/local/php/bin/php -i |less

2.我们将配置文件放到/usr/local/php/etc/php.ini下

[[email protected] php-5.6.30]# cp php.ini-production /usr/local/php/etc/php.ini
[[email protected] php-5.6.30]# 

3.安装php7(bz2的压缩包用 tar -jxvf解压)

[[email protected] php-7.1.6]# cd /usr/local/src/^C                             
[[email protected] php-7.1.6]# wget http://mirrors.sohu.com/php/php-7.1.6.tar.gz^C
[[email protected] php-7.1.6]# tar -zxvf php-7.1.6.tar.gz ^C
[[email protected] php-7.1.6]# cd php-7.1.6/^C
[[email protected] php-7.1.6]# 

4.php7配置文件

[[email protected] php-7.1.6]# ./configure --prefix=/usr/local/php7 
--with-apxs2=/usr/local/apache2.4/bin/apxs
--with-config-file-path=/usr/local/php7/etc
--with-pdo-mysql=/usr/local/mysql
--with-mysqli=/usr/local/mysql/bin/mysql_config
--with-libxml-dir
--with-gd
--with-jpeg-dir
--with-png-dir
--with-freetype-dir
--with-iconv-dir
--with-zlib-dir
--with-bz2
--with-openssl
--with-mcrypt
--enable-soap
--enable-gd-native-ttf
--enable-mbstring
--enable-sockets
--enable-exif

5.make && make install

6.查看文件php7模块文件

[[email protected] php-7.1.6]# ls /usr/local/apache2.4/modules/libphp7.so 
/usr/local/apache2.4/modules/libphp7.so
[[email protected] php-7.1.6]# du -sh /usr/local/apache2.4/modules/libphp7.so  
37M     /usr/local/apache2.4/modules/libphp7.so
[[email protected] php-7.1.6]# 

7.发现apache加载了

php5_module (shared)

php7_module (shared)

[[email protected] php-7.1.6]# /usr/local/apache2.4/bin/apachectl -M
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (static)
 authn_file_module (shared)
 authn_core_module (shared)
 authz_host_module (shared)
 authz_groupfile_module (shared)
 authz_user_module (shared)
 authz_core_module (shared)
 access_compat_module (shared)
 auth_basic_module (shared)
 reqtimeout_module (shared)
 filter_module (shared)
 mime_module (shared)
 log_config_module (shared)
 env_module (shared)
 headers_module (shared)
 setenvif_module (shared)
 version_module (shared)
 unixd_module (shared)
 status_module (shared)
 autoindex_module (shared)
 dir_module (shared)
 alias_module (shared)
 php5_module (shared)
 php7_module (shared)
[[email protected] php-7.1.6]# 

8.想要只支持一个php怎么做呢,修改httpd.conf,将php5模块所在的行注释掉

[[email protected] php-7.1.6]# !vim
vim /usr/local/apache2.4/conf/httpd.conf
[[email protected] php-7.1.6]# 

Apache和PHP结合

1.解决启动apache提示警告信息文件,编辑apache配置文件将ServerName注释状态打开

2.启动apache,查看httpd服务是否启动成功

[[email protected] php-7.1.6]# /usr/local/apache2.4/bin/apachectl restart
[[email protected] php-7.1.6]# ps aux|grep httpd
daemon    60694  0.0  0.3 435528  3740 ?        Sl   09:42   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon    60695  0.0  0.3 435528  3736 ?        Sl   09:42   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon    60696  0.0  0.3 435528  3740 ?        Sl   09:42   0:00 /usr/local/apache2.4/bin/httpd -k start
root      60779  2.0  0.0 112680   976 pts/5    S+   09:42   0:00 grep --color=auto httpd
root      99405  0.0  0.6 146616  6988 ?        Ss   2月01   0:07 /usr/local/apache2.4/bin/httpd -k start
[[email protected] php-7.1.6]# 

3.查看服务器是否开启80端口,发现并没有开启

[[email protected] php-7.1.6]# iptables -nvL

4.临时将80端口规则加到防火墙中(-I 添加规则、-D 删除规则),发现浏览器可以访问服务器了,telnet也可以连接服务器了

[[email protected] php-7.1.6]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT

5.编辑apache配置文件denied改为granted

6.查看配置文件是否有语法错误

[[email protected] local]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[[email protected] local]# 

7.重新加载配置文件

[[email protected] local]# /usr/local/apache2.4/bin/apachectl graceful
[[email protected] local]# 

8.添加配置文件,检查配置文件是否正常。

[[email protected] local]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[[email protected] local]# /usr/local/apache2.4/bin/apachectl graceful
[[email protected] local]# 

9.可以正常访问服务器

10.支持php

 Apache默认虚拟主机

1.编辑httpd.conf文件去掉虚拟主机配置文件#号

2.编辑虚拟主机配置文件并建立相对应的目录

<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "/data/wwwroot/abc.com"
    ServerName abc.com
    ServerAlias www.abc.com www.123.com
    ErrorLog "logs/abc.com-error_log"
    CustomLog "logs/abc.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com
    ErrorLog "logs/111.com-error_log"
    CustomLog "logs/111.com-access_log" common
</VirtualHost>
[[email protected] ~]# mkdir /data/wwwroot/
[[email protected] ~]# mkdir /data/wwwroot/abc.com
[[email protected] ~]# mkdir /data/wwwroot/111.com
[[email protected] ~]# vim /data/wwwroot/abc.com/index.php
[[email protected] ~]# 

3.创建index.php文件并写点代码

[[email protected] ~]# vim /data/wwwroot/111.com/index.php
[[email protected] ~]# 

  

4.检查配置文件

[[email protected] ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[[email protected] ~]# /usr/local/apache2.4/bin/apachectl graceful   
[[email protected] ~]# 

5.curl命令来检测是否可以访问-x 选项可以为CURL添加代理功能,用浏览器看需要本地做host

[[email protected] ~]# curl -x10.21.95.122:80 abc.com
abc.com[[email protected] ~]# curl -x10.21.95.122:80 abce.com
abc.com[[email protected] ~]# curl -x10.21.95.122:80 abcee.com
abc.com[[email protected] ~]# curl -x10.21.95.122:80 www.example.com
111.com[[email protected] ~]# 

6.打开虚拟主机配置文件,主配置文件将失效

 Apache用户认证  

 1.修改虚拟主机配置文件

<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com
        <Directory /data/wwwroot/111.com>
                AllowOverride AuthConfig
                AuthName "Restricted Files"
                AuthType Basic
                AuthUserFile /data/.htpasswd
                Require valid-user
        </Directory>
    ErrorLog "logs/111.com-error_log"
    CustomLog "logs/111.com-access_log" common
</VirtualHost>

2.生成用户密码文件

[[email protected] ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
[[email protected] ~]# /usr/local/apache2.4/bin/htpasswd -c -m /data/.htpasswd apache
New password: 
Re-type new password: 
Adding password for user apache
[[email protected] ~]# 
[[email protected] ~]# /usr/local/apache2.4/bin/htpasswd -m /data/.htpasswd apache1
New password: 
Re-type new password: 
Adding password for user apache1
[[email protected] ~]# cat /data/.htpasswd                                       apache:$apr1$7yblTxbh$nuIrcwIU3nlsee3Aek8jJ.
apache1:$apr1$1bnu4tPX$/u15wjn1vuexrW8ROHC9u0
[[email protected] ~]# 
[[email protected] ~]# /usr/local/apache2.4/bin/apachectl -t                     Syntax OK
[[email protected] ~]# /usr/local/apache2.4/bin/apachectl graceful   
[[email protected] ~]# 

3.curl访问提示401 -I 只看状态码不看返回的内容

[[email protected] ~]# curl -x127.0.0.1:80 111.com -I
HTTP/1.1 401 Unauthorized
Date: Fri, 02 Feb 2018 07:44:52 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
WWW-Authenticate: Basic realm="Restricted Files"
Content-Type: text/html; charset=iso-8859-1

[[email protected] ~]# 

4.用浏览器访问,编辑客户端host文件,访问111.com

5.用curl方式输入用户名密码方式访问

[[email protected] ~]# curl -x127.0.0.1:80 -uapache:apache 111.com
111.com[[email protected] ~]# 

  

1.filesmatch指定文件认证

域名跳转

1.修改配置文件域名跳转需要在虚拟主机配置中添加别名和一个 rewrite 模块,如下,配置当访问 www.aaa.com 时跳转到 www.test.com

[[email protected] ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/www"
    ServerName www.test.com
    ServerAlias www.aaa.com
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_HOST} ^www.aaa.com$    
        RewriteRule ^/(.*)$ http://www.test.com/$1 [R=301,L]
    </IfModule>
</VirtualHost>

  

[[email protected] ~]# /usr/local/apache2/bin/apachectl -t
[[email protected] ~]# /usr/local/apache2/bin/apachectl graceful

2.扩展:如果有多个域名跳转到一个域名如何配置,如下,配置当访问 www.aaa.com 或访问 www.bbb.com 时跳转到 www.test.com 

[[email protected] ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/www"
    ServerName www.test.com
    ServerAlias www.aaa.com     # 这里配置两个别名
    ServerAlias www.bbb.com
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_HOST} ^www.aaa.com$ [OR]    # 这里末尾要加[OR],表示或者
        RewriteCond %{HTTP_HOST} ^www.bbb.com$
        RewriteRule ^/(.*)$ http://www.test.com/$1 [R=301,L]
    </IfModule>
</VirtualHost>

3.查看是否加载了rewrite模块

[[email protected] ~]# /usr/local/apache2.4/bin/apachectl -M |grep rewrite
[[email protected] ~]# vi /usr/local/apache2.4/conf/httpd.conf
[[email protected] ~]# /usr/local/apache2.4/bin/apachectl -M |grep rewrite
 rewrite_module (shared)
[[email protected] ~]# 

  

[[email protected] ~]# /usr/local/apache2.4/bin/apachectl graceful            
[[email protected] ~]# 

Apache访问日志

常用命令

1.查看apache的进程数 
ps -aux | grep httpd | wc -l 
2.分析日志查看当天的ip连接数 
cat default-access_log | grep “10/Dec/2010” | awk ‘{print $2}’ | sort | uniq -c | sort -nr 
3.查看指定的ip在当天究竟访问了什么url 
cat default-access_log | grep “10/Dec/2010” | grep “218.19.140.242” | awk ‘{print $7}’ | sort | uniq -c | sort -nr 
4.查看当天访问排行前10的url 
cat default-access_log | grep “10/Dec/2010” | awk ‘{print $7}’ | sort | uniq -c | sort -nr | head -n 10 
5.看到指定的ip究竟干了什么 
cat default-access_log | grep 218.19.140.242 | awk ‘{print $1″ “$8}’ | sort | uniq -c | sort -nr | less 
6.查看访问次数最多的几个分钟(找到热点) 
awk ‘{print $4}’ default-access_log |cut -c 14-18|sort|uniq -c|sort -nr|head

1.查看日志

[[email protected] ~]# cat /usr/local/apache2.4/logs/
111.com-access_log  abc.com-error_log   httpd.pid
111.com-error_log   access_log          
abc.com-access_log  error_log           
[[email protected] ~]# cat /usr/local/apache2.4/logs/111.com-access_log 
10.21.95.122 - - [02/Feb/2018:15:19:15 +0800] "GET HTTP://www.example.com/ HTTP/1.1" 200 7
127.0.0.1 - - [02/Feb/2018:15:44:52 +0800] "HEAD HTTP://111.com/ HTTP/1.1" 401 -
10.21.95.218 - - [02/Feb/2018:15:48:48 +0800] "GET / HTTP/1.1" 401 381
10.21.95.218 - apache [02/Feb/2018:15:50:00 +0800] "GET / HTTP/1.1" 401 381
10.21.95.218 - apache [02/Feb/2018:15:50:26 +0800] "GET / HTTP/1.1" 200 7
10.21.95.218 - apache [02/Feb/2018:15:50:26 +0800] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - apache [02/Feb/2018:15:53:11 +0800] "GET HTTP://111.com/ HTTP/1.1" 200 7
[[email protected] ~]# 

2.查看gz压缩包内容

zcat access_log.2018020209.gz |head

3.定义新的日志文件格式common改为combined,日志记录更详细。

4.让配置文件生效

[[email protected] ~]# /usr/local/apache2.4/bin/apachectl graceful              
[[email protected] ~]# 

 访问日志不记录静态文件

1,当访问很多图片,文档等静态资源的时候,会加大你日志的容量,日志容量占用你磁盘空间后,会出现服务器宕机等很严重的问题,这时需要将日志进行配置优化。当访问网页时不记录这些图片、css、js等信息日志。

   SetEnvIf Request_URI ".*.gif$" img
    SetEnvIf Request_URI ".*.jpg$" img
    SetEnvIf Request_URI ".*.png$" img
    SetEnvIf Request_URI ".*.bmp$" img
    SetEnvIf Request_URI ".*.swf$" img
    SetEnvIf Request_URI ".*.js$" img
    SetEnvIf Request_URI ".*.css$" img
    CustomLog "logs/111.com-access_log" combined env=!img

2.重新加载配置文件

[[email protected] ~]# /usr/local/apache2.4/bin/apachectl graceful
[[email protected] ~]# curl -x127.0.0.1:80 111.com/aaaa.jpg                          <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /aaaa.jpg was not found on this server.</p>
</body></html>
[[email protected] ~]# 

3.访问不是规则包含的链接被记录到日志,jpg结尾的不记录到日志

[[email protected] ~]# curl -x127.0.0.1:80 111.com/aaaa.jpg1  
[[email protected] ~]# tail /usr/local/apache2.4/logs/111.com-access_log    
127.0.0.1 - - [02/Feb/2018:15:44:52 +0800] "HEAD HTTP://111.com/ HTTP/1.1" 401 -
10.21.95.218 - - [02/Feb/2018:15:48:48 +0800] "GET / HTTP/1.1" 401 381
10.21.95.218 - apache [02/Feb/2018:15:50:00 +0800] "GET / HTTP/1.1" 401 381
10.21.95.218 - apache [02/Feb/2018:15:50:26 +0800] "GET / HTTP/1.1" 200 7
10.21.95.218 - apache [02/Feb/2018:15:50:26 +0800] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - apache [02/Feb/2018:15:53:11 +0800] "GET HTTP://111.com/ HTTP/1.1" 200 7
10.21.95.218 - apache [02/Feb/2018:17:48:08 +0800] "GET / HTTP/1.1" 200 7
10.21.95.218 - apache [02/Feb/2018:18:11:59 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
10.21.95.218 - apache [02/Feb/2018:18:12:00 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
127.0.0.1 - - [05/Feb/2018:17:53:08 +0800] "GET HTTP://111.com/aaaa.jpg1 HTTP/1.1" 401 381 "-" "curl/7.29.0"
[[email protected] ~]# 

访问日志切割 

 

1.添加配置文件选项rotatelogs -l 切割命令 -l 指定以什么时间格式切割 86400 每天0点生成一个新的文件

2.生成了记录日期格式的日志文件111.com-access_20180206.log

[[email protected] ~]# curl -x127.0.0.1:80 111.com/index.php
111.com[[email protected] ~]# ls /usr/local/apache2.4/logs/
111.com-access_20180206.log  111.com-error_log   abc.com-error_log  error_log
111.com-access_log           abc.com-access_log  access_log         httpd.pid
[[email protected] ~]# 

 

[[email protected] ~]# cat /usr/local/apache2.4/logs/111.com-access_20180206.log 
127.0.0.1 - - [06/Feb/2018:09:14:26 +0800] "GET HTTP://111.com/123.php HTTP/1.1" 404 205 "-" "curl/7.29.0"
127.0.0.1 - - [06/Feb/2018:09:15:44 +0800] "GET HTTP://111.com/index.php HTTP/1.1" 200 7 "-" "curl/7.29.0"
[[email protected] ~]#  

3.还需要写一个任务计划超过多少天的日志删除减小空间占用crontab

00 * * * * find /applog/app -type f -mtime +1 -exec rm -f {} ;

静态元素过期时间

1.在虚拟主机配置文件中添加expires_module模块配置文件

[[email protected] 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 

  

<IfModule mod_expires.c>
     ExpiresActive on
     ExpiresByType image/gif "access plus 1 days"
     ExpiresByType image/jpeg "access plus 24 hours"
     ExpiresByType image/png "access plus 24 hours"
     ExpiresByType test/css "now plus 2 hours"
     ExpiresByType application/x-javascripts "now plus 2 hours"
     ExpiresByType application/x-shockwave-flash "now plus 2 hours"
     ExpiresDefault "now plus 0 min"
</IfModule>
[[email protected] 111.com]# /usr/local/apache2.4/bin/apachectl -t

2.查看模块是否打开,打开expires模块

[[email protected] 111.com]# /usr/local/apache2.4/bin/apachectl -M|grep expires
[[email protected] 111.com]# 

[[email protected] 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[[email protected] 111.com]# /usr/local/apache2.4/bin/apachectl -M|grep expires   
 expires_module (shared)
[[email protected] 111.com]# 

配置防盗链

1.配置文件增加,111.com和aaa.com允许,其他的拒绝

    <Directory /data/wwwroot/111.com>           
    SetEnvIfNoCase Referer "http://111.com" local_ref            
    SetEnvIfNoCase Referer "http://aaa.com" local_ref
    <filesmatch ".(txt|doc|mp3|zip|rar|jpg|gif|png)">
        Order Allow,Deny
        Allow from env=local_ref
        Deny from all
    </filesmatch>
    </Directory>

 

[[email protected] ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf        
[[email protected] ~]# /usr/local/apache2.4/bin/apachectl -t                         Syntax OK
[[email protected] ~]# /usr/local/apache2.4/bin/apachectl graceful               
[[email protected] ~]# 

2.直接不能访问,应该ref为空,必须把这个图片放到111.com和aaa.com相关的内容里,来源ref是白名单的情况才能访问。

3.如果想在浏览器直接能访问配置空ref

SetEnvIfNoCase Referer "^$" local_ref

[[email protected] ~]# /usr/local/apache2.4/bin/apachectl graceful

4.可以用curl -e 直接创造referrer

[[email protected] ~]# curl -e "http://111.com/a.jpg" -x127.0.0.1:80 111.com/a.jpg -I 
HTTP/1.1 200 OK
Date: Tue, 06 Feb 2018 03:45:11 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
Last-Modified: Sat, 12 Aug 2017 09:29:53 GMT
ETag: "8f393-5568b126b0640"
Accept-Ranges: bytes
Content-Length: 586643
Cache-Control: max-age=86400
Expires: Wed, 07 Feb 2018 03:45:11 GMT
Content-Type: image/jpeg

[[email protected] ~]#

访问控制Directory

1.添加配置文件,创建admin目录添加index.php文件

1.看Order后面的,哪个在前,哪个在后

2.如果deny在前,那么就需要看deny from 这句,然后看allow from这一句

3.规则是一条一条的匹配的,不管是deny在前面还是allow在前,都是会生效的。比如例子中。先deny了所有,然后又allow了127.0.0.1,所以127.0.0.1是通过的。

Order allow ,deny

deny from all

allow from 127.0.0.1

这个就会deny所有了,127.0.0.1也会被deny。因为顺序是先allow然后deny,虽然一开始allow了127.0.0.1,但是后面有拒绝了它。

Order allow,deny

deny from all

上面的规则就表示,全部都不能通过

Order deny,allow

deny from all

上面的规则表示,全部都不能通过

Order deny,allow

只有顺序,没有具体规则,表示,全部都可以通行(默认的),因为allow在最后了。

Order allow,deny

这个表示,全部不能通行(默认的),因为deny在最后了。

讲完了allow ,deny我们再来看看具体的应用吧。

(1)某个目录做限制,比如该目录很重要,只允许我们公司的IP访问,当然这个目录可以使网站根目录,也就是整个站点都要做限制了。

<Directory /data/www/>              

Order deny,allow

Deny from all

Allow from 127.0.0.1              

</Directory>

说明:只允许127.0.0.1访问,其他IP全部拒绝掉。

 <Directory "/data/wwwroot/111.com/admin">
        Order deny,allow
        Deny from all    # 表示禁止 1.1.1.1 访问 abc 目录
        Allow from 127.0.0.1
    </Directory>
[[email protected] 111.com]# mkdir admin
[[email protected] 111.com]# touch index.php
[[email protected] 111.com]# echo 121212 > index.php 
[[email protected] 111.com]# cat index.php 
121212
[[email protected] 111.com]# 
[[email protected] admin]# curl -x127.0.0.1:80 111.com/admin/index.php -I
HTTP/1.1 200 OK
Date: Tue, 06 Feb 2018 04:55:21 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 06 Feb 2018 04:55:21 GMT
Content-Type: text/html; charset=UTF-8

[[email protected] admin]# 

  

[[email protected] admin]# curl -x10.21.95.122:80 111.com/admin/index.php -I         
HTTP/1.1 403 Forbidden
Date: Tue, 06 Feb 2018 04:56:25 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1

[[email protected] admin]#

访问控制FilesMatch

 1针对请求的uri去限制,前面安装的discuz论坛,访问后台是admin.php,那我们就可以针对admin.php做限制。

<filesmatch "(.*)admin(.*)">

              Order deny ,allow

              Deny from all

               Allow from 127.0.0.1

说明:这里用到了filesmatch语法,表示匹配的意思。

限定某个目录禁止解析php

1.某个目录下解析PHP,这个很有用,我们做网站安全的时候,这个用的很多,比如某些目录可以上传文件,为了避免上传文件有木马,所以我们禁止这个目录下面的 访问解析PHP。

2.配置文件添加如下代码,禁止upload目录下的php文件解析

    <Directory "/data/wwwroot/111.com/upload">
    php_admin_flag engine off
    <FilesMatch (.*).php(.*)>
    Order deny,allow
    Deny from all
    </FilesMatch>
    </Directory>
[[email protected] admin]# mkdir /data/wwwroot/111.com/upload
[[email protected] admin]# touch /data/wwwroot/111.com/upload/index.php
[[email protected] admin]# echo 111 > /data/wwwroot/111.com/upload/index.php 
[[email protected] admin]# 

3.php_admin_flag engine off这个语句就是禁止解析php的控制语句,但只这样配置还不够,因为这样配置之后用户依然可以访问PHP文件,只不过不解析了,但可以下载,用户下载PHP文件也是不合适的,所以有必要在禁止一下。

[[email protected] admin]# curl -x127.0.0.1:80 111.com/upload/index.php -I
HTTP/1.1 403 Forbidden
Date: Wed, 07 Feb 2018 01:41:52 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1

[[email protected] admin]# 

限制user_agent 

  <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]    # 如果要禁止多种浏>览器要在后面加[OR],表示或者 NC 忽略大小写
        RewriteCond %{HTTP_USER_AGENT} .*chrome.* [NC]     # 这里禁止 curl 和 chrome 访问我们的网站(只是做实验)
        RewriteRule .* - [F]                                # 表示 Forbidden 
    </IfModule>

 

[[email protected] admin]# /usr/local/apache2.4/bin/apachectl graceful -t    
Syntax OK
[[email protected] admin]# /usr/local/apache2.4/bin/apachectl graceful
[[email protected] admin]# curl -x127.0.0.1:80 111.com/upload/index.php -I       
HTTP/1.1 403 Forbidden
Date: Wed, 07 Feb 2018 02:33:37 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1

[[email protected] admin]# 

1. -A 模拟useragent

[[email protected] admin]# curl -A "sun sun" -x127.0.0.1:80 111.com/index.php -I     HTTP/1.1 200 OK
Date: Wed, 07 Feb 2018 02:35:50 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Wed, 07 Feb 2018 02:35:50 GMT
Content-Type: text/html; charset=UTF-8

[[email protected] admin]# 

发表回复

您的电子邮箱地址不会被公开。 必填项已用*标注