# Core configuration: switch the PHP engine off for the upload directory.
<Directory /data/wwwroot/www.123.com/upload>
    # php_admin_flag settings cannot be overridden from .htaccess or ini_set(),
    # so a file dropped into this directory cannot turn the engine back on.
    php_admin_flag engine off
    # Optional second layer (commented out here): refuse any request whose
    # file name contains ".php" instead of serving the file.
    # These two access lines are Apache 2.2 syntax; on Apache 2.4 the native
    # equivalent is "Require all denied".
    # <FilesMatch (.*)\.php(.*)>
    # Order allow,deny
    # Deny from all
    # </FilesMatch>
</Directory>
# With only "engine off", a curl test returned the PHP source code as-is; it
# was not parsed. Serving source can expose anything embedded in the scripts,
# which is why the FilesMatch deny is worth enabling as well.
[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName www.111.com
    ServerAlias 111.com
    # Demo scope: this disables PHP for the whole document root of 111.com.
    # The core snippet earlier on the page targets only an upload directory,
    # which is the usual scope on a site that still has to run its own PHP.
    <Directory /data/wwwroot/111.com>
        php_admin_flag engine off
    </Directory>
    ErrorLog "logs/111.com-error_log"
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
# Check the syntax first, then reload without dropping open connections.
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@Dasoncheng ~]# curl www.111.com/admin.php
<?php echo "Welcome to the page of admin\n" ?>
[root@Dasoncheng ~]# curl www.111.com/admin/index.php
<?php echo "This page is forbidden;\n" ?>
## As shown above, index.php was not parsed: the PHP engine is off, so the raw
## source is sent to the client instead of the script's output.
只达到这样的效果肯定是不行的(脚本虽然没有被解析执行,但源代码被原样返回给了访问者)!那怎么办呢?
我来教你:
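[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <Directory /data/wwwroot/111.com>
        # Layer 1: never hand files in this directory to the PHP engine.
        php_admin_flag engine off
        # Layer 2: answer 403 for any file name containing ".php", so the
        # source is not served as plain text. The pattern is left unanchored
        # so names such as x.php5 or x.php.bak are covered as well.
        # (The earlier form "\.php*" made the final "p" optional and was
        # unquoted; this is the pattern from the core snippet on this page.)
        <FilesMatch "(.*)\.php(.*)">
            # Apache 2.4 native syntax. It replaces the 2.2-style
            # "Order allow,deny" / "Deny from all", which only works on 2.4
            # while mod_access_compat is loaded.
            Require all denied
        </FilesMatch>
    </Directory>
    ErrorLog "logs/111.com-error_log"
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
# Check the syntax first, then reload without dropping open connections.
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful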
测试:
[root@Dasoncheng ~]# curl www.111.com/admin.php -I HTTP/1.1 403 Forbidden [root@Dasoncheng ~]# curl www.111.com/admin/index.php -I HTTP/1.1 403 Forbidden
搞定!大吉大利、今晚吃鸡……
目的:防止他人上传并执行恶意PHP脚本!(禁止执行PHP脚本,防止攻击者借此获取权限,如PHP一句话木马)
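# user_agent can be thought of as the browser's identifier.
# Core configuration:
#
# Apache only accepts comments on lines of their own that start with "#".
# A trailing "// ..." note on a directive line is parsed as extra arguments,
# so the annotations are kept on separate comment lines here.
#
# The rewrite module is used again. If mod_rewrite is not loaded, IfModule
# skips this whole section without any error and nothing is filtered.
<IfModule mod_rewrite.c>
    RewriteEngine on
    # Condition 1. NC = match the agent case-insensitively;
    # OR = this condition is OR-ed with the one below it.
    RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    # Condition 2.
    RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
    # Rule: answer 403 Forbidden directly.
    RewriteRule .* - [F]
</IfModule>
# The User-Agent header is chosen by the client, so this rule sheds unwanted
# traffic; it is not an access control.
# For testing: curl -A "123123" sets the user_agent of the request.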
[root@Dasoncheng ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName www.111.com
    ServerAlias 111.com
    # Refuse requests whose User-Agent contains "curl" or "baidu.com"
    # (case-insensitive). If mod_rewrite is not loaded, IfModule skips this
    # section without any error, so confirm the module is enabled.
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
        # The dot in "baidu.com" is unescaped, so it matches any character.
        RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
        # "-" leaves the URL unchanged; [F] returns 403 Forbidden.
        RewriteRule .* - [F]
    </IfModule>
    ErrorLog "logs/111.com-error_log"
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined
</VirtualHost>
# Check the syntax first, then reload without dropping open connections.
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@Dasoncheng ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@Dasoncheng ~]# curl www.111.com/admin/admin.html HTTP/1.1 403 Forbidden [root@Dasoncheng ~]# curl -A "baidu.com" www.111.com/admin/admin.html -I HTTP/1.1 403 Forbidden [root@Dasoncheng ~]# curl -A "www.baidu.com" www.111.com/admin/admin.html HTTP/1.1 403 Forbidden [root@Dasoncheng ~]# curl -A "google.com" www.111.com/admin/admin.html echo "This is a html page"
小提示:
目的:限制来源user_agent!通过限制来源agent,减轻服务器压力。(注意:user_agent由客户端自行指定,可以随意修改,所以这种限制只能用来减压,不能当作访问控制。)
需求背景:被攻击时,攻击请求的来源agent、访问地址、时间都一致;我们通过限制user_agent来处理这些流量;
curl -A "aminglinux" 指定agent为aminglinux
curl -e "http://" 指定referer为http://*
curl -x 指定代理(形如 IP:端口),效果相当于指定域名对应的host(省得修改hosts文件)
curl -I 只查看访问状态(响应头),不显示内容!
几种限制ip的方法 http://www.lishiming.net/thread-6519-1-1.html
apache 自定义header http://www.aminglinux.com/bbs/thread-830-1-1.html
apache的keepalive和keepalivetimeout http://www.aminglinux.com/bbs/thread-556-1-1.html