十一周一次课

时间 2019-12-06

标签十一周 11周一次繁體版

原文原文链接

十一周一次课php

11.25配置防盗链css

11.26访问控制Directoryhtml

11.27访问控制FilesMatchlinux

11.25配置防盗链apache

• 经过限制referer来实现防盗链的功能vim

• 配置文件增长以下内容windows

<Directory /data/wwwroot/www.123.com>浏览器

SetEnvIfNoCase Referer "http://www.123.com" local_refcurl

SetEnvIfNoCase Referer "http://123.com" local_refide

SetEnvIfNoCase Referer "^$" local_ref

Order Allow,Deny

Allow from env=local_ref

</filesmatch>

</Directory>

• curl -e "http://www.aminglinux.com/123.html" 自定义referer

配置防盗链

防盗链，就是不让别人盗用你网站上的资源，这个资源，一般指的是图片、视频、歌曲、文档等。

referer的概念

你经过A网站的一个页面http://a.com/a.html 里面的连接去访问B网站的一个页面http：//b.com/b.html ，那么这个B网站页面的referer就是http://a.com/a.html。也就是说，一个referer其实就是一个网址。

1.配置防盗链

参考配置文件内容以下：

<Directory /data/wwwroot/111.com>
        SetEnvIfNoCase Referer "http://111.com" local_ref
        SetEnvIfNoCase Referer "http://111.com" local_ref
        SetEnvIfNoCase Referer "^$" local_ref
        <filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif｜png)">
            Order Allow,Deny
            Allow from env=local_ref
        </filesmatch>
    </Directory>

[root@tianqi-01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

</Directory>
<Directory /data/wwwroot/111.com>
SetEnvIfNoCase Referer "http://111.com" local_ref
SetEnvIfNoCase Referer "http://aaa.com" local_ref
#SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif｜png)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</Directory>
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>

[root@tianqi-01 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@tianqi-01 ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@tianqi-01 ~]#

2.测试网页访问：

浏览器访问：http://111.com/eagle1.jpg

//解释说明：

首先定义容许访问连接的referer，其中^$为空referer，当直接在浏览器里输入图片地址去访问它时，它的referer就为空。而后又使用filesmatch来定义须要保护的文件类型，访问txt、doc、mp三、zip、rar、jpg、gif、png格式的文件，当访问这样的类型文件时就会被限制。

在其它网站上连接这个网址，仍是打不开。

而后在虚拟主机配置文件里把第三方站点加入到白名单

在下面图片上把第三方站点网址加入到白名单，而后保存退出从新加载配置。

[root@tianqi-01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

</Directory>
<Directory /data/wwwroot/111.com>
SetEnvIfNoCase Referer "http://111.com" local_ref
SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
#SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif｜png)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</Directory>
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>

[root@tianqi-01 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@tianqi-01 ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@tianqi-01 ~]#

在点击连接http://111.com/eagle1.jpg 访问就能够了，这就是referer，以下图

3.直接复制网址http://111.com/eagle1.jpg 在浏览器打开是显示Forbidden的。若想要直接能访问的话，须要把配置文件中的空referer的#去掉。

[root@tianqi-01 ~]# !vim
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

SetEnvIfNoCase Referer "^$" local_ref前的#去掉

测试语法错误并从新加载配置文件

[root@tianqi-01 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@tianqi-01 ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@tianqi-01 ~]#

在浏览器中输出网址http://111.com/eagle1.jpg ，是会直接显示图片的

//这个就叫作空referer

4.使用curl进行测试

[root@tianqi-01 ~]# curl -x127.0.0.1:80 111.com/eagle1.jpg -I
HTTP/1.1 200 OK
Date: Sun, 04 Mar 2018 08:34:15 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Last-Modified: Sun, 04 Mar 2018 02:41:55 GMT
ETag: "7e3b-5668d270ae2c0"
Accept-Ranges: bytes
Content-Length: 32315
Content-Type: image/jpeg

[root@tianqi-01 ~]#

也可使用-e来模拟referer，这个referer必定要以http://开头，不然无论用。

[root@tianqi-01 ~]# curl -e "http://www.qq.com/123.txt" -x127.0.0.1:80 111.com/eagle1.jpg -I
HTTP/1.1 403 Forbidden
Date: Sun, 04 Mar 2018 08:37:20 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 ~]#

[root@tianqi-01 ~]# curl -e "http://111.com/123.txt" -x127.0.0.1:80 111.com/eagle1.jpg -I
HTTP/1.1 200 OK
Date: Sun, 04 Mar 2018 08:38:02 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Last-Modified: Sun, 04 Mar 2018 02:41:55 GMT
ETag: "7e3b-5668d270ae2c0"
Accept-Ranges: bytes
Content-Length: 32315
Content-Type: image/jpeg

[root@tianqi-01 ~]#

[root@tianqi-01 ~]# curl -e "http://www.qq.com/123.txt" -x127.0.0.1:80 111.com/eagle1.jpg1 -I
HTTP/1.1 403 Forbidden
Date: Sun, 04 Mar 2018 08:39:03 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 logs]# tail /usr/local/apache2.4/logs/111.com-access_20180304.log
127.0.0.1 - - [04/Mar/2018:12:10:46 +0800] "GET HTTP://111.com/123.php HTTP/1.1" 200 7 "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:12:14:43 +0800] "GET HTTP://111.com/123.php HTTP/1.1" 200 7 "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:12:17:23 +0800] "HEAD HTTP://111.com/123.png.png1 HTTP/1.1" 404 - "-" "curl/7.29.0"
192.168.11.1 - - [04/Mar/2018:12:24:36 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3343.4 Safari/537.36"
192.168.11.1 - - [04/Mar/2018:12:24:49 +0800] "GET /eagle1jpg HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3343.4 Safari/537.36"
192.168.11.1 - - [04/Mar/2018:16:09:54 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://111.com/eagle1.jpg" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3343.4 Safari/537.36"
127.0.0.1 - - [04/Mar/2018:16:39:03 +0800] "HEAD HTTP://111.com/eagle1.jpg1 HTTP/1.1" 403 - "http://www.qq.com/123.txt" "curl/7.29.0" //这个就是它的referer
[root@tianqi-01 logs]#

11.26访问控制Directory

• 核心配置文件内容

Order deny,allow

Deny from all

Allow from 127.0.0.1

</Directory>

• curl测试状态码为403则被限制访问了

访问控制Directory

对于一些比较重要的网站内容,除了可使用用户认证限制访问以外,还能够经过其余一些方法作到限制,好比能够限制IP,也能够限制user_agent,限制IP指的是限制访问网站的来源IP,而限制user_agent,一般用来限制恶意或者不正常的请求。

1.修改虚拟主机配置：

[root@tianqi-01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.example.com 2111.com.cn
# <Directory /data/wwwroot/111.com>
#<FilesMatch 123.php>
#AllowOverride AuthConfig
#AuthName "111.com user auth"
#AuthType Basic
#AuthUserFile /data/.htpasswd
#require valid-user
#</FilesMatch>
<Directory /data/wwwroot/111.com/admin/>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
<Directory /data/wwwroot/111.com>
SetEnvIfNoCase Referer "http://111.com" local_ref
SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif｜png)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</Directory>
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
//解释说明：

使用<Directory>来指定要限制访问的目录，order定义控制顺序，哪一个在前面就先匹配哪一个规则(无论下面的规则先后顺序)，在本例中deny在前面，因此要先匹配Deny from all,这样全部的来源IP都会被限制，而后匹配Allow from 127.0.0.1,这样又容许了127.0.0.1这个IP。最终的效果是，只容许来源IP为127.0.0.1的访问。

检测配置文件是否有语法错误，并从新加载配置文件

[root@tianqi-01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@tianqi-01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@tianqi-01 111.com]#

[root@tianqi-01 ~]# cd /data/wwwroot/111.com/
[root@tianqi-01 111.com]# ls
123.php eagle1.jpg index.php
[root@tianqi-01 111.com]# mkdir /data/wwwroot/111.com/admin //建立admin目录，模拟网站后台
[root@tianqi-01 111.com]# ls
123.php admin eagle1.jpg index.php
[root@tianqi-01 111.com]# touch /data/wwwroot/111.com/admin/index.php//在后台目录下面建立文件
[root@tianqi-01 111.com]# ls admin/
index.php
[root@tianqi-01 111.com]# vim admin/index.php //写入内容
[root@tianqi-01 111.com]# cat !$
cat admin/index.php
123456789
[root@tianqi-01 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php -I
HTTP/1.1 200 OK
Date: Sun, 04 Mar 2018 11:35:53 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@tianqi-01 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php
123456789

[root@tianqi-01 111.com]# curl -x192.168.11.136:80 111.com/admin/index.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 04 Mar 2018 11:42:17 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]# curl -x127.0.01:80 111.com/admin/index.php
123456789

[root@tianqi-01 111.com]# tail /usr/local/apache2.4/logs/111.com-access_20180304.log
127.0.0.1 - - [04/Mar/2018:12:17:23 +0800] "HEAD HTTP://111.com/123.png.png1 HTTP/1.1" 404 - "-" "curl/7.29.0"
192.168.11.1 - - [04/Mar/2018:12:24:36 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3343.4 Safari/537.36"
192.168.11.1 - - [04/Mar/2018:12:24:49 +0800] "GET /eagle1jpg HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3343.4 Safari/537.36"
192.168.11.1 - - [04/Mar/2018:16:09:54 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://111.com/eagle1.jpg" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3343.4 Safari/537.36"
127.0.0.1 - - [04/Mar/2018:16:39:03 +0800] "HEAD HTTP://111.com/eagle1.jpg1 HTTP/1.1" 403 - "http://www.qq.com/123.txt" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:35:53 +0800] "HEAD HTTP://111.com/admin/index.php HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:39:19 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 200 10 "-" "curl/7.29.0"
192.168.11.136 - - [04/Mar/2018:19:41:32 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 403 224 "-" "curl/7.29.0"
192.168.11.136 - - [04/Mar/2018:19:42:17 +0800] "HEAD HTTP://111.com/admin/index.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:42:49 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 200 10 "-" "curl/7.29.0"

[root@tianqi-01 111.com]# curl -x192.168.11.136:80 111.com/admin/index.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /admin/index.php
on this server.<br />
</p>
</body></html>
[root@tianqi-01 111.com]# curl -x192.168.11.136:80 111.com/admin/index.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 04 Mar 2018 11:42:17 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]# curl -x192.168.11.136:80 http://111.com/admin/adfafdafdas -I
HTTP/1.1 403 Forbidden
Date: Sun, 04 Mar 2018 11:44:49 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]# curl -x127.0.0.1:80 http://111.com/admin/adfafdafdas -I
HTTP/1.1 404 Not Found
Date: Sun, 04 Mar 2018 11:53:35 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]#

//解释说明

本机有两个IP,一个是192.168.11.136,一个是127.0.0.1,经过这两个IP均可以访问到站点，而来源分别为172.16.111.110和127.0.0.1,其实和本机IP是同样的,curl测试状态码为403则限制访问了。

[root@tianqi-01 111.com]# !tail
tail /usr/local/apache2.4/logs/111.com-access_20180304.log
127.0.0.1 - - [04/Mar/2018:16:39:03 +0800] "HEAD HTTP://111.com/eagle1.jpg1 HTTP/1.1" 403 - "http://www.qq.com/123.txt" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:35:53 +0800] "HEAD HTTP://111.com/admin/index.php HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:39:19 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 200 10 "-" "curl/7.29.0"
192.168.11.136 - - [04/Mar/2018:19:41:32 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 403 224 "-" "curl/7.29.0"
192.168.11.136 - - [04/Mar/2018:19:42:17 +0800] "HEAD HTTP://111.com/admin/index.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:42:49 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 200 10 "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:44:00 +0800] "HEAD http://111.com/admin/adfafdafdas HTTP/1.1" 404 - "-" "curl/7.29.0"
192.168.11.136 - - [04/Mar/2018:19:44:49 +0800] "HEAD http://111.com/admin/adfafdafdas HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:51:53 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 200 10 "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:53:35 +0800] "HEAD http://111.com/admin/adfafdafdas HTTP/1.1" 404 - "-" "curl/7.29.0"
[root@tianqi-01 111.com]#

//解释说明

浏览器访问提示Forbidden，其实就是403,再来看日志，能够查看到对应的来源IP为192.168.11.136，但愿不要把来源IP和本机IP搞混了，前面实验中之因此本机IP和来源IP同样，就是由于它至关于本身访问本身，然后面用浏览器访问，至关于拿windows访问。

11.27访问控制FilesMatch

• 核心配置文件内容

Order deny,allow

Deny from all

Allow from 127.0.0.1

</FilesMatch>

</Directory>

1.针对某个文件来作限制。

[root@tianqi-01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.example.com 2111.com.cn
# <Directory /data/wwwroot/111.com>
#<FilesMatch 123.php>
#AllowOverride AuthConfig
#AuthName "111.com user auth"
#AuthType Basic
#AuthUserFile /data/.htpasswd
#require valid-user
#</FilesMatch>
<Directory /data/wwwroot/111.com>
<FilesMatch "admin.php(.*)">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>
</Directory>
<Directory /data/wwwroot/111.com>
SetEnvIfNoCase Referer "http://111.com" local_ref
SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif｜png)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</Directory>
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>

2.检测与法并从新加载配置

[root@tianqi-01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@tianqi-01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@tianqi-01 111.com]#

3.实验配置结果

[root@tianqi-01 111.com]# curl -x192.168.11.136:80 http://111.com/admin/adffffffsa -I
HTTP/1.1 404 Not Found
Date: Sun, 04 Mar 2018 12:04:24 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]# curl -x192.168.11.136:80 'http://111.com/admin.php?adffffffsa' -I
HTTP/1.1 403 Forbidden
Date: Sun, 04 Mar 2018 12:06:16 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]# curl -x127.0.0.1:80 'http://111.com/admin.php?adffffffsa' -I
HTTP/1.1 404 Not Found
Date: Sun, 04 Mar 2018 12:07:00 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]#

//这个404意味着已经容许访问了

//总结：

这个和Directory的功能是一致的，可是有时候咱们仅仅是想有时候针对一个访问的连接去作控制，那你再去控制目录就不合适了，咱们须要适当灵活一些，知足一些个性化的需求。

友情连接：阿铭Linux