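Hotlink protection, put simply, means not letting other people use the resources on your website without permission; the resources in question are images, videos, songs, documents and so on. Before going further you need to understand the concept of a referer: if you follow a link on page http://a.com/a.html of site A to reach page http://b.com/b.html of site B, then the referer of that site B page is http://a.com/a.html. In other words, a referer is a URL.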
Open the virtual host configuration file and configure the virtual host as follows:

```
[root@ying01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf   # edit the virtual host configuration file
```

```
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn
    <Directory /data/wwwroot/111.com>
        # Define the referers that are allowed to link to these files
        SetEnvIfNoCase Referer "http://111.com" local_ref
        SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
        # Whitelist the empty referer, i.e. direct access to the URL
        SetEnvIfNoCase Referer "^$" local_ref
        <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
            # Whitelisted requests are allowed, everything else is denied
            Order Allow,Deny
            # The whitelist is every request for which local_ref is set
            Allow from env=local_ref
        </FilesMatch>
    </Directory>
    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$" img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
```
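After changing the configuration, you still need to check the syntax and restart httpd:

```
[root@ying01 ~]# /usr/local/apache2.4/bin/apachectl -t   # after changing the configuration, check its syntax
Syntax OK
[root@ying01 ~]# /usr/local/apache2.4/bin/apachectl graceful   # restart httpd
```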
Now test this configuration with 111.com/1.jpg:

```
[root@ying01 ~]# ls /data/wwwroot/111.com/
123.php  1.jpg  index.php

[root@ying01 111.com]# curl -x192.168.112.136:80 -I 111.com/1.jpg   # direct access, status 200; equivalent to an empty referer
HTTP/1.1 200 OK
Date: Sat, 30 Jun 2018 10:18:47 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Last-Modified: Tue, 26 Jun 2018 08:19:48 GMT
ETag: "8967-56f8729511100"
Accept-Ranges: bytes
Content-Length: 35175
Content-Type: image/jpeg

[root@ying01 111.com]# curl -e "http://www.qq.com/1.jpg" -x192.168.112.136:80 -I 111.com/1.jpg   # referer set to qq, which is a forbidden referer
HTTP/1.1 403 Forbidden
Date: Sat, 30 Jun 2018 10:19:22 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@ying01 111.com]# curl -e "http://111.com/1.jpg" -x192.168.112.136:80 -I 111.com/1.jpg   # referer set to 111.com, access is allowed
HTTP/1.1 200 OK
Date: Sat, 30 Jun 2018 10:19:59 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Last-Modified: Tue, 26 Jun 2018 08:19:48 GMT
ETag: "8967-56f8729511100"
Accept-Ranges: bytes
Content-Length: 35175
Content-Type: image/jpeg

[root@ying01 111.com]# curl -e "http://ask.apelearn.com/lkkh.gif" -x192.168.112.136:80 -I 111.com/1.jpg   # referer set to ask.apelearn.com, access is allowed
HTTP/1.1 200 OK
Date: Sun, 01 Jul 2018 01:04:12 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Last-Modified: Tue, 26 Jun 2018 08:19:48 GMT
ETag: "8967-56f8729511100"
Accept-Ranges: bytes
Content-Length: 35175
Content-Type: image/jpeg
```
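Summary:

- When the image 111.com/1.jpg is requested:
- Direct access to the image is allowed,
  because the empty referer has been whitelisted: `SetEnvIfNoCase Referer "^$" local_ref`
- Access with one of the specified referers is allowed;
  111.com is defined as a referer: `SetEnvIfNoCase Referer "http://111.com" local_ref`
  ask.apelearn.com is defined as a referer: `SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref`
- However, this only applies to content in the following formats:
  `<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">`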
For example, if we request 111.com/index.php, it can be referenced from any referer:

```
[root@ying01 111.com]# curl -e "http://www.baidu.com" -x192.168.112.136:80 -I 111.com/index.php   # with baidu as referer, index.php is still accessible
HTTP/1.1 200 OK
Date: Sun, 01 Jul 2018 01:14:23 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@ying01 111.com]# curl -e "http://www.126.com" -x192.168.112.136:80 -I 111.com/index.php   # with 126 as referer, index.php is also accessible, so any referer can be given
HTTP/1.1 200 OK
Date: Sun, 01 Jul 2018 01:16:12 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
```
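The `SetEnvIfNoCase Referer` patterns configured above are unanchored regular expressions, so each one matches anywhere inside the header value. The script below is an added example, not part of the original page: it emulates the allow-list with `grep -Ei` and compares the page's patterns with anchored variants. The anchored patterns, the function names and the sample Referer values are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): emulate the Referer allow-list.
# SetEnvIfNoCase patterns are case-insensitive, unanchored regular expressions.

# Patterns exactly as configured on this page, one per line.
PAGE_PATTERNS='http://111.com
http://ask.apelearn.com
^$'

# Anchored variants (an assumption of this example): pin the scheme and host,
# escape the dots, and require the host to end at "/" or at the end of the value.
STRICT_PATTERNS='^http://111\.com(/|$)
^http://ask\.apelearn\.com(/|$)
^$'

# referer_allowed PATTERNS REFERER: succeeds if any pattern matches REFERER.
referer_allowed() {
    ra_patterns=$1
    ra_referer=$2
    while IFS= read -r ra_pat; do
        # printf appends a newline so an empty Referer is still one empty line
        if printf '%s\n' "$ra_referer" | grep -Eiq -- "$ra_pat"; then
            return 0
        fi
    done <<EOF
$ra_patterns
EOF
    return 1
}

# verdict PATTERNS REFERER: status the FilesMatch block would give for 1.jpg.
verdict() {
    if referer_allowed "$1" "$2"; then echo 200; else echo 403; fi
}

# Constructed sample Referer values. The first four (empty, 111.com,
# ask.apelearn.com, qq) mirror the curl tests on this page; the last two are
# hypothetical third-party pages whose URL merely contains an allowed string.
SAMPLES='
http://111.com/1.jpg
http://ask.apelearn.com/lkkh.gif
http://www.qq.com/1.jpg
http://111.com.mirror.example/gallery.html
http://blog.example/post?src=http://111.com'

printf '%-8s %-8s %s\n' page strict referer
printf '%s\n' "$SAMPLES" | while IFS= read -r ref; do
    printf '%-8s %-8s "%s"\n' \
        "$(verdict "$PAGE_PATTERNS" "$ref")" \
        "$(verdict "$STRICT_PATTERNS" "$ref")" "$ref"
done
```

The last two rows show 200 under the page's patterns and 403 under the anchored ones, while the four cases tested on the page keep their results.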
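For more important site content, besides restricting access with user authentication, other methods can be used as well, such as restricting by IP or by user_agent. Restricting by IP means restricting the source IP from which the site is accessed, while restricting by user_agent is usually used to block malicious or abnormal requests.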
In the virtual host configuration file, configure as follows:

```
[root@ying01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
```

The configuration content is as follows:

```
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn
    # Add a section for the admin directory
    <Directory /data/wwwroot/111.com/admin>
        # Evaluate Deny first, then Allow
        Order deny,allow
        # Deny everyone
        Deny from all
        # Allow this IP
        Allow from 127.0.0.1
    </Directory>
    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$" img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
```
Preparation before testing:

```
[root@ying01 111.com]# ls
123.php  1.jpg  1.txt  ceshi.png  index.php
[root@ying01 111.com]# mkdir admin   # create the admin directory under 111.com
[root@ying01 111.com]# touch admin/index.php   # create index.php under admin
[root@ying01 111.com]# echo "qeqe2222" >> admin/index.php
[root@ying01 111.com]# cat !$
cat admin/index.php
qeqe2222
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl graceful   # restart httpd
```
Access the admin directory through the allowed IP 127.0.0.1:

```
[root@ying01 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php -I   # accessible as normal
HTTP/1.1 200 OK
Date: Sun, 01 Jul 2018 01:56:52 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@ying01 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php   # the content is output
qeqe2222
[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/admin/asdsf -I   # 404 means access was allowed; the page simply does not exist
HTTP/1.1 404 Not Found
Date: Sun, 01 Jul 2018 02:05:08 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
```
ifconfig shows that this machine has 3 IPs:

```
[root@ying01 111.com]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.112.136  netmask 255.255.255.0  broadcast 192.168.112.255
        inet6 fe80::16dc:89c:b761:e115  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:87:3f:91  txqueuelen 1000  (Ethernet)
        RX packets 8986  bytes 758369 (740.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4496  bytes 555923 (542.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.112.158  netmask 255.255.255.0  broadcast 192.168.112.255
        ether 00:0c:29:87:3f:91  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0      # this address is the one allowed in the configuration
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 516  bytes 44492 (43.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 516  bytes 44492 (43.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
Now test with the IPs other than 127.0.0.1:

```
[root@ying01 111.com]# curl -x192.168.112.158:80 111.com/admin/index -I   # access is forbidden from this IP
HTTP/1.1 403 Forbidden
Date: Sun, 01 Jul 2018 03:10:05 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@ying01 111.com]# curl -x192.168.112.136:80 111.com/admin/index -I   # access is forbidden from this IP
HTTP/1.1 403 Forbidden
Date: Sun, 01 Jul 2018 03:10:19 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
```
Edit the virtual host configuration file and add a FilesMatch section, so that the file name is matched and the IP is restricted as well:

```
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn
    # Under the 111.com directory
    <Directory /data/wwwroot/111.com>
        # Match files named admin.php followed by any characters
        <Filesmatch admin.php(.*)>
            Order deny,allow
            Deny from all
            # Only 127.0.0.1 is allowed
            Allow from 127.0.0.1
        </Filesmatch>
    </Directory>
    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$" img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
```
Test requests that match admin.php from different IPs:

```
[root@ying01 111.com]# curl -x192.168.112.136:80 http://111.com/admin.phpsaaaaaaaaaaaa -I   # matches admin.php; 403 because only 127.0.0.1 is allowed
HTTP/1.1 403 Forbidden
Date: Sun, 01 Jul 2018 14:55:48 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@ying01 111.com]# curl -x192.168.112.136:80 'http://111.com/admin.php#aaaaaaaaaaaa' -I   # matches admin.php; 403 because only 127.0.0.1 is allowed
HTTP/1.1 403 Forbidden
Date: Sun, 01 Jul 2018 15:00:45 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@ying01 111.com]# curl -x127.0.0.1:80 'http://111.com/admin.php#aaaaaaaaaaaa' -I   # single quotes because of the special character #; the connection is allowed but the page does not exist
HTTP/1.1 404 Not Found
Date: Sun, 01 Jul 2018 15:01:10 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/admin.phpsaaaaaaaaaaaa -I   # the connection is allowed but the page does not exist
HTTP/1.1 404 Not Found
Date: Sun, 01 Jul 2018 15:02:51 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
```

Result: only 127.0.0.1 can access pages matching admin.php(.*); the other IPs have no permission.
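Here is a common situation: some sites and forums allow images to be uploaded to the server, and someone uploads php or js files instead, which are then executed or loaded by us and put the data at risk. To keep this from happening, we need to restrict the upload types.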
Edit the virtual host configuration file and add the following configuration:

```
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn
    # Define the upload directory under 111.com
    <Directory /data/wwwroot/111.com/upload>
        # Disable PHP parsing (with the FilesMatch block below, every .php request returns 403)
        php_admin_flag engine off
        # Match any characters before and after .php
        <FilesMatch (.*)\.php(.*)>
            # Evaluate Deny, then Allow
            Order deny,allow
            # Deny everyone
            Deny from all
        </Filesmatch>
    </Directory>
    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$" img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
```
Create the directory, copy 123.php into upload, and reload the configuration to prepare for the test:

```
[root@ying01 111.com]# mkdir upload
[root@ying01 111.com]# ls
123.php  1.jpg  1.txt  admin  ceshi.png  index.php  upload
[root@ying01 111.com]# cp 123.php upload/
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
```
Testing shows that PHP is not parsed and the source code is not output either:

```
[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/upload/123.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 01 Jul 2018 15:45:24 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/upload/123.php   # access is forbidden and the source code is not output
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/123.php on this server.<br />
</p>
</body></html>
```
Change the configuration again, this time disabling the FilesMatch section by commenting it out with #:

```
[root@ying01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
```

```
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn
    # Define the upload directory under 111.com
    <Directory /data/wwwroot/111.com/upload>
        # Disable PHP parsing
        php_admin_flag engine off
        #<FilesMatch (.*)\.php(.*)>   // match any characters before and after .php
        #    Order deny,allow         // evaluate Deny, then Allow
        #    Deny from all            // deny everyone
        #</Filesmatch>
    </Directory>
    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$" img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
```
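After reloading the configuration, test again; the result is that PHP is not parsed and only the source code is output:

```
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/upload/123.php   # PHP is not parsed; only the source code is output
<?php
echo "123.php";
```

Summary: for security, therefore, we must make php files (anything matching .php) completely inaccessible, so that they never get a chance to be parsed.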
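User Agent, UA for short, is a special header string that lets the server identify the client's operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-ins and so on.

When a request is made with curl, the user_agent value is "curl/7.29.0", so we can use it for an experiment: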
Step 1: put the following content in the virtual host configuration file

```
[root@ying01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
```

```
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn
    <IfModule mod_rewrite.c>
        RewriteEngine on
        # Match curl, case-insensitive (NC), or (OR) the next condition
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
        RewriteRule .* - [F]
    </IfModule>
    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$" img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
```
Step 2: access 123.php under 111.com directly with curl

```
[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/123.php -I   # access is forbidden
HTTP/1.1 403 Forbidden
Date: Sun, 01 Jul 2018 16:42:05 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
```
Step 3: specify the user_agent value with curl -A

```
[root@ying01 111.com]# curl -A "123456" -x127.0.0.1:80 http://111.com/123.php -I   # user_agent set to 123456; access is allowed
HTTP/1.1 200 OK
Date: Sun, 01 Jul 2018 16:44:13 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@ying01 111.com]# curl -A "ying ying" -x127.0.0.1:80 http://111.com/123.php -I   # user_agent set to ying ying; access is allowed
HTTP/1.1 200 OK
Date: Sun, 01 Jul 2018 16:45:19 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
```
Step 4: look at the access log; the user_agent "curl/7.29.0" appears, and so do "123456" and "ying ying"

```
[root@ying01 111.com]# tail -3 /usr/local/apache2.4/logs/111.com-access_20180702.log
127.0.0.1 - - [02/Jul/2018:00:42:05 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [02/Jul/2018:00:44:13 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "123456"
127.0.0.1 - - [02/Jul/2018:00:45:19 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "ying ying"
```

Summary: the user_agent "curl/7.29.0" matches the rule in the configuration file, so access is forbidden; when curl -A is used to specify the user_agent value, the status code is 200.
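The log lines above show the same client being refused under one user_agent and served the same URL under another. The script below is an added example, not part of the original page, that looks for exactly that sequence in combined-format access logs; the function names and the two extra log lines marked as constructed are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): find clients that were refused
# with 403 under one User-Agent and then served the same URL under another.

# sample_log: the three log lines shown on this page, followed by two
# constructed lines (a browser on another address that was never blocked).
sample_log() {
    cat <<'EOF'
127.0.0.1 - - [02/Jul/2018:00:42:05 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [02/Jul/2018:00:44:13 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "123456"
127.0.0.1 - - [02/Jul/2018:00:45:19 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "ying ying"
192.168.112.1 - - [02/Jul/2018:00:46:02 +0800] "GET /index.php HTTP/1.1" 200 95 "-" "Mozilla/5.0 (constructed)"
192.168.112.1 - - [02/Jul/2018:00:46:09 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (constructed)"
EOF
}

# ua_switch_after_403 [FILE...]: read combined-format lines and print one line
# per (client, URL, new User-Agent) that succeeded after an earlier 403.
ua_switch_after_403() {
    awk -F'"' '
    NF < 7 { next }                          # not a combined-format line
    {
        split($1, pre, " "); ip  = pre[1]    # client address
        split($2, req, " "); url = req[2]    # request target
        split($3, st,  " "); status = st[1]  # response status
        ua  = $6                             # sixth quote-delimited field
        key = ip " " url
        if (status == "403") { blocked[key] = ua; next }
        # Only a later 2xx for the same client and URL, with a new UA, counts
        if (status !~ /^2/ || !(key in blocked) || blocked[key] == ua) next
        if ((key, ua) in reported) next
        reported[key, ua] = 1
        printf "%s blocked_ua=\"%s\" allowed_ua=\"%s\"\n", key, blocked[key], ua
    }' "$@"
}

sample_log | ua_switch_after_403
```

Because this virtual host logs with `env=!img`, requests for .gif, .jpg, .png, .bmp, .swf, .js and .css files never reach the access log, so the check only sees the remaining requests.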
Preparation for the experiment: edit the content of index.php under 111.com

```
[root@ying01 ~]# cd /data/wwwroot/111.com
[root@ying01 111.com]# ls
123.php  1.jpg  1.txt  admin  ceshi.png  index.php  upload
[root@ying01 111.com]# vim index.php
```

```
<?php
phpinfo();
```
Now open index.php in a browser: **Loaded Configuration File** shows that no configuration file is loaded.

Copy the php.ini-development file to /usr/local/php7/etc/php.ini:

```
[root@ying01 111.com]# /usr/local/php7/bin/php -i | grep -i 'loaded configuration file'
Loaded Configuration File =>
[root@ying01 111.com]# cd /usr/local/src/php-7.1.6/
[root@ying01 php-7.1.6]# cp php.ini-development /usr/local/php7/etc/php.ini
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
```
After reloading, open index.php in the browser again: **Loaded Configuration File** now shows that the file is loaded.

Edit the /usr/local/php7/etc/php.ini configuration file:

```
[root@ying01 php-7.1.6]# vim /usr/local/php7/etc/php.ini
```

The following is the php.ini content; search for disable_functions:

```
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
```
These functions are all fairly dangerous; for security they are generally disabled:
eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
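At this point I have disabled phpinfo as well, so the page can no longer be opened.

Although the page can no longer be accessed, an error message is displayed on it. To keep the message from being displayed:

```
[root@ying01 php-7.1.6]# vim /usr/local/php7/etc/php.ini
```

```
display_errors = off    ; changed from on to off
```

```
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
```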
Refresh the page in the browser again; the result is now a blank page.

Although the danger is removed, this page is unfriendly to us as administrators because nothing can be determined from it; an error log needs to be configured.

Open the php.ini configuration file again:

```
[root@ying01 php-7.1.6]# vim /usr/local/php7/etc/php.ini
```

```
log_errors = On                     ; must be enabled (On)
error_log = /tmp/php_errors.log     ; path of the error log
```

```
; Common Values:
;   E_ALL (Show all errors, warnings and notices including coding standards.)
;   E_ALL & ~E_NOTICE  (Show all errors, except for notices)
;   E_ALL & ~E_NOTICE & ~E_STRICT  (Show all errors, except for notices and coding standards warnings.)
;   E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR  (Show only errors)
; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
; Development Value: E_ALL
; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; http://php.net/error-reporting
error_reporting = E_ALL             ; the default is E_ALL
```

Choose the level for a production environment:

```
error_reporting = E_ALL & ~E_NOTICE   ; the most commonly used value in production; a notice does not always mean an error
```
Reload the configuration:

```
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/index.php   # request it again; there is still no output
[root@ying01 php-7.1.6]# ls /tmp/php_errors.log   # but the error log we configured now exists
/tmp/php_errors.log
```
Look at the permissions of this error log: it belongs to daemon, which shows that it is related to the httpd configuration

```
[root@ying01 php-7.1.6]# ls -l /tmp/php_errors.log
-rw-r--r-- 1 daemon daemon 1350 7月   2 11:02 /tmp/php_errors.log
[root@ying01 php-7.1.6]# ps aux |grep httpd
root       1471  0.0  0.7  258948 13608 ?        Ss   09:40   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon     2602  0.0  0.6  545776 12344 ?        Sl   10:56   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon     2603  0.0  1.9 1220144 36752 ?        Sl   10:56   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon     2604  0.0  0.8  744496 16400 ?        Sl   10:56   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon     2707  0.0  0.8  613424 16748 ?        Sl   10:57   0:00 /usr/local/apache2.4/bin/httpd -k start
root       2817  0.0  0.0  112724   984 pts/0    S+   11:06   0:00 grep --color=auto httpd
[root@ying01 php-7.1.6]#
```
View the PHP error log:

```
[root@ying01 php-7.1.6]# cat /tmp/php_errors.log
[02-Jul-2018 03:02:12 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[root@ying01 php-7.1.6]#
[root@ying01 php-7.1.6]# vim /data/wwwroot/111.com/2.php   # create 2.php
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php   # blank page
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php -I   # status code 500
HTTP/1.0 500 Internal Server Error
Date: Mon, 02 Jul 2018 03:12:56 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8

[root@ying01 php-7.1.6]# cat /tmp/php_errors.log   # view the error log
[02-Jul-2018 02:57:11 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[02-Jul-2018 03:02:12 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[02-Jul-2018 03:12:42 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[02-Jul-2018 03:12:56 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
```
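An added example, not part of the original page: a shell audit of the php.ini values changed above (disable_functions, display_errors, log_errors, error_log). It also reports names that disable_functions lists more than once and flags eval, which is a language construct that disable_functions does not affect; the function names and both sample files are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit the php.ini settings this
# page changes. Function names and both sample files are constructed here.

# ini_get FILE KEY: print the last uncommented value assigned to KEY.
ini_get() {
    awk -v key="$2" '
        /^[ \t]*(;|$)/ { next }                 # comment or blank line
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, eq + 1)
            sub(/[ \t]*;.*$/, "", v)            # drop a trailing ; comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)    # trim blanks and quotes
            val = v
        }
        END { print val }' "$1"
}

# disabled_list FILE: the disable_functions entries, one per line.
disabled_list() {
    ini_get "$1" disable_functions | tr ', ' '\n\n' | sed '/^$/d'
}

# audit_php_ini FILE: print one OK/WARN/FAIL line per check.
audit_php_ini() {
    case $(ini_get "$1" display_errors | tr 'A-Z' 'a-z') in
        off|0|false|no) echo "OK   display_errors is off" ;;
        *) echo "FAIL display_errors is not off: errors are sent to the client" ;;
    esac
    case $(ini_get "$1" log_errors | tr 'A-Z' 'a-z') in
        on|1|true|yes) echo "OK   log_errors is on" ;;
        *) echo "FAIL log_errors is not on" ;;
    esac
    if [ -n "$(ini_get "$1" error_log)" ]; then
        echo "OK   error_log = $(ini_get "$1" error_log)"
    else
        echo "FAIL error_log is not set"
    fi
    if [ -z "$(disabled_list "$1")" ]; then
        echo "FAIL disable_functions is empty"
        return 0
    fi
    echo "OK   disable_functions is set"
    ap_dups=$(disabled_list "$1" | sort | uniq -d | tr '\n' ' ')
    [ -z "$ap_dups" ] || echo "WARN listed more than once: $ap_dups"
    # eval is a language construct, so disable_functions has no effect on it
    if disabled_list "$1" | grep -qx eval; then
        echo "WARN eval is listed but cannot be disabled this way"
    fi
}

# write_page_ini FILE: constructed file holding the values set on this page.
write_page_ini() {
    cat > "$1" <<'EOF'
[PHP]
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
display_errors = off
log_errors = On
error_log = /tmp/php_errors.log
EOF
}

# write_loose_ini FILE: constructed counter-example with nothing hardened.
write_loose_ini() {
    printf '%s\n' '[PHP]' 'disable_functions =' 'display_errors = On' \
        'log_errors = Off' ';error_log = php_errors.log' > "$1"
}

tmp=$(mktemp)
write_page_ini "$tmp";  audit_php_ini "$tmp"
write_loose_ini "$tmp"; audit_php_ini "$tmp"
rm -f "$tmp"
```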
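Suppose one server runs many sites, and one of those sites has badly written code full of vulnerabilities and gets hijacked. Once one is hijacked, the others are quickly taken over as well. How can this be prevented?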
In the PHP configuration file, deliberately write 111.com as 1111.com:

```
[root@ying01 php-7.1.6]# vim /usr/local/php/etc/php.ini
```

```
open_basedir = /data/wwwroot/1111.com:/tmp
```
Reload the configuration and test:

```
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php -I   # status code 500
HTTP/1.0 500 Internal Server Error
Date: Mon, 02 Jul 2018 03:33:14 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
```
View the error log, php_errors.log:

```
[root@ying01 php-7.1.6]# tail -3 /tmp/php_errors.log
[02-Jul-2018 03:12:42 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[02-Jul-2018 03:12:56 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[02-Jul-2018 03:33:14 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
```
In the PHP configuration file, change the wrong directory 1111.com back to 111.com:

```
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Mon, 02 Jul 2018 03:35:22 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
```
Set it as shown in the figure below: vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

After reloading the configuration, access succeeds:

```
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.1 200 OK
Date: Mon, 02 Jul 2018 04:06:09 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php
123[root@ying01 php-7.1.6]#
```
Download the source package:

```
[root@ying01 ~]# cd /usr/local/src/
[root@ying01 src]# wget https://codeload.github.com/phpredis/phpredis/zip/develop
```

Rename and unpack the archive:

```
[root@ying01 src]# mv develop phpredis-develop.zip   # rename
[root@ying01 src]# unzip phpredis-develop.zip   # unpack
```
Generate the configure file:

```
[root@ying01 src]# cd phpredis-develop/
[root@ying01 phpredis-develop]#
[root@ying01 phpredis-develop]# /usr/local/php7/bin/phpize
Configuring for:
PHP Api Version:         20160303
Zend Module Api No:      20160303
Zend Extension Api No:   320160303
Cannot find autoconf. Please check your autoconf installation and the
$PHP_AUTOCONF environment variable. Then, rerun this script.
```

The message says the autoconf package is missing:

```
[root@ying01 phpredis-develop]# yum install -y autoconf
```

Run it again to generate the configure file:

```
[root@ying01 phpredis-develop]# /usr/local/php7/bin/phpize
Configuring for:
PHP Api Version:         20160303
Zend Module Api No:      20160303
Zend Extension Api No:   320160303
[root@ying01 phpredis-develop]# ls configure
configure
```
Configure, compile, install:

```
[root@ying01 phpredis-develop]# ./configure --with-php-config=/usr/local/php7/bin/php-config
[root@ying01 phpredis-develop]# make
[root@ying01 phpredis-develop]# make install
```
Check the directory where extension modules are stored:

```
[root@ying01 phpredis-develop]# /usr/local/php7/bin/php -i |grep extension_dir
extension_dir => /usr/local/php7/lib/php/extensions/no-debug-zts-20160303 => /usr/local/ph
sqlite3.extension_dir => no value => no value
```
The directory is empty; now add a line to php.ini that loads the extension:

```
[root@ying01 phpredis-develop]# vim /usr/local/php7/etc/php.ini
```
Now look at the directory that holds the extension modules; the redis.so module just configured is there:

```
[root@ying01 phpredis-develop]# /usr/local/php7/bin/php -m |grep redis
redis
[root@ying01 zip]# ls /usr/local/php7/lib/php/extensions/no-debug-zts-20160303/
opcache.so  redis.so
```
The PHP 7 source package includes the source of many bundled extensions. We do not need to download them again and can compile them directly.

There are many directories under php-7.1.6/ext:

```
[root@ying01 phpredis-develop]# cd /usr/local/src/php-7.1.6/
[root@ying01 php-7.1.6]# cd ext/
[root@ying01 ext]# ls
bcmath      ext_skel            interbase  opcache       pdo_sqlite  skeleton  tokenizer
bz2         ext_skel_win32.php  intl       openssl       pgsql       snmp      wddx
calendar    fileinfo            json       pcntl         phar        soap      xml
com_dotnet  filter              ldap       pcre          posix       sockets   xmlreader
ctype       ftp                 libxml     pdo           pspell      spl       xmlrpc
curl        gd                  mbstring   pdo_dblib     readline    sqlite3   xmlwriter
date        gettext             mcrypt     pdo_firebird  recode      standard  xsl
dba         gmp                 mysqli     pdo_mysql     reflection  sysvmsg   zip
dom         hash                mysqlnd    pdo_oci       session     sysvsem   zlib
enchant     iconv               oci8       pdo_odbc      shmop       sysvshm
exif        imap                odbc       pdo_pgsql     simp
```
Now compile one module, zip:

```
[root@ying01 phpredis-develop]# cd /usr/local/src/php-7.1.6/
[root@ying01 php-7.1.6]# cd ext/   # the zip module is in here
[root@ying01 ext]# ls
bcmath      ext_skel            interbase  opcache       pdo_sqlite  skeleton  tokenizer
bz2         ext_skel_win32.php  intl       openssl       pgsql       snmp      wddx
calendar    fileinfo            json       pcntl         phar        soap      xml
com_dotnet  filter              ldap       pcre          posix       sockets   xmlreader
ctype       ftp                 libxml     pdo           pspell      spl       xmlrpc
curl        gd                  mbstring   pdo_dblib     readline    sqlite3   xmlwriter
date        gettext             mcrypt     pdo_firebird  recode      standard  xsl
dba         gmp                 mysqli     pdo_mysql     reflection  sysvmsg   zip
dom         hash                mysqlnd    pdo_oci       session     sysvsem   zlib
enchant     iconv               oci8       pdo_odbc      shmop       sysvshm
exif        imap                odbc       pdo_pgsql     simplexml   tidy
[root@ying01 ext]# /usr/local/php7/bin/php -m |grep zip   # look for zip among the modules PHP has loaded
[root@ying01 ext]# cd zip/
[root@ying01 zip]# ls
config.m4   CREDITS   lib             php_zip.c  tests  zip_stream.c
config.w32  examples  LICENSE_libzip  php_zip.h  TODO
[root@ying01 zip]# /usr/local/php7/bin/phpize
Configuring for:
PHP Api Version:         20160303
Zend Module Api No:      20160303
Zend Extension Api No:   320160303
```
Configure, compile, install:

```
[root@ying01 zip]# ./configure --with-php-config=/usr/local/php7/bin/php-config
[root@ying01 zip]# make
[root@ying01 zip]# make install
```
Look at the directory; the zip.so module is now there:

```
Installing shared extensions:     /usr/local/php7/lib/php/extensions/no-debug-zts-20160303/
[root@ying01 zip]# ls /usr/local/php7/lib/php/extensions/no-debug-zts-20160303/
opcache.so  redis.so  zip.so
```