11.28 Forbid PHP parsing in a specific directory  11.29 Restrict user_agent  11.30/11.31 PHP-related configuration

11.28 Forbid PHP parsing in a specific directory

This section applies to static-file directories and writable directories (such as an upload directory): by restricting parsing and access permissions there, we prevent them from being abused by an attacker and improve security.

Edit the virtual host configuration file:

[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
    <Directory /data/wwwroot/111.com/upload>
        # switch the PHP engine off for everything under this directory
        php_admin_flag engine off
        # and additionally refuse to serve any file whose name contains ".php"
        <FilesMatch (.*)\.php(.*)>
            Order allow,deny
            Deny from all
        </FilesMatch>
    </Directory>

Add the PHP access restriction

Note: if only PHP parsing is disabled, a user requesting a PHP file will be shown its source code; adding the FilesMatch block prevents users from seeing the server's PHP source and further improves security.

Create the corresponding directory:

[root@cham002 ~]# cd /data/wwwroot/111.com/
[root@cham002 111.com]# mkdir upload
[root@cham002 111.com]# ls
123.php  admin  index.php  photo1.jpg  upload
[root@cham002 111.com]# cp 123.php upload/

Test:

[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Tue, 26 Dec 2017 16:00:13 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/123.php
on this server.<br />
</p>
</body></html>

Note: requesting 123.php now returns status code 403, i.e. it cannot be accessed at all!

Now remove the FilesMatch lines (the PHP access restriction) to see the difference:

[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful
# check the result
[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' 
<?php
echo " hello 123.php";
# PHP is no longer parsed here, so the source code is returned as-is

Opening it in a browser triggers a file download, which confirms that it cannot be parsed.

We now re-enable the restriction so that the file cannot even be accessed.

Check the syntax and reload again.

[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful

Check the result: straight Forbidden!! Requesting a non-existent file is also Forbidden.

 

11.29 Restrict user_agent

user_agent (user agent): the information a browser (or search-engine crawler) sends about itself, including hardware platform, operating system, application software and the user's personal preferences.

 

Background:
Websites are sometimes hit by CC attacks. The principle: the attacker uses proxy servers (compromised hosts) to generate legitimate-looking requests aimed at the victim host, achieving a DDoS while disguising the source. One characteristic of a CC attack is that its user agent is identical across requests, so the attack can be blocked by restricting the attacker's user agent.

Edit the virtual host configuration file:

[root@cham002 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 

    <IfModule mod_rewrite.c>
        RewriteEngine on
        # forbid requests whose User-Agent contains "curl" OR "baidu.com" (case-insensitive)
        RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
        RewriteRule  .*  -  [F]
    </IfModule>

Note: NC means the match ignores case; the OR flag joins this condition to the next one with "or" (without any flag, consecutive conditions are joined with "and"); F means forbidden.

:wq to save

Check the syntax and reload:
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful

Test:

[root@cham002 111.com]# !curl
curl -x127.0.0.1:80 'http://111.com/upload/123.php' 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/123.php
on this server.<br />
</p>
</body></html>
[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php'  -I
HTTP/1.1 403 Forbidden
Date: Tue, 26 Dec 2017 16:22:39 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/123.php'  -I
HTTP/1.1 403 Forbidden
Date: Tue, 26 Dec 2017 16:22:51 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1


[root@cham002 111.com]# tail /usr/local/apache2.4/logs/111.com-access_20171227.log 
127.0.0.1 - - [27/Dec/2017:00:02:50 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:02:57 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 200 29 "-" "curl/7.29.0"
192.168.230.1 - - [27/Dec/2017:00:04:36 +0800] "GET / HTTP/1.1" 200 18 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:04:36 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://111.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:04:47 +0800] "GET /123.php HTTP/1.1" 200 14 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:04:56 +0800] "GET /upload/123.php HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:08:06 +0800] "GET /upload/123.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
127.0.0.1 - - [27/Dec/2017:00:22:27 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:22:39 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:22:51 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"

Note: curl -A specifies the user agent.
[root@cham002 111.com]# curl -A "chamlinux chamlinux" -x127.0.0.1:80 'http://111.com/123.php'  -I
HTTP/1.1 200 OK
Date: Tue, 26 Dec 2017 16:25:36 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@cham002 111.com]# tail /usr/local/apache2.4/logs/111.com-access_20171227.log 
127.0.0.1 - - [27/Dec/2017:00:02:57 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 200 29 "-" "curl/7.29.0"
192.168.230.1 - - [27/Dec/2017:00:04:36 +0800] "GET / HTTP/1.1" 200 18 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:04:36 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://111.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:04:47 +0800] "GET /123.php HTTP/1.1" 200 14 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:04:56 +0800] "GET /upload/123.php HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:08:06 +0800] "GET /upload/123.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
127.0.0.1 - - [27/Dec/2017:00:22:27 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:22:39 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:22:51 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:25:36 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "chamlinux chamlinux"
[root@cham002 111.com]#
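To see what the two RewriteCond lines actually match, here is an added Python example (not part of the original notes) that parses Apache combined-format access-log lines like the tail output above, counts requests per User-Agent, counts the 403s each agent received, and marks which agents the [NC,OR] rules would forbid. The first four log lines are copied from this section; the last is a constructed Baiduspider-style request from a TEST-NET address. The two regex patterns are the page's own.

```python
import re
from collections import Counter

# Apache "combined" LogFormat, as written by the 111.com vhost in these notes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two RewriteCond patterns from httpd-vhosts.conf.  [NC] makes each
# match case-insensitive; [OR] means the RewriteRule ... [F] fires when
# EITHER pattern matches the User-Agent.
BLOCKED_UA_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (r'.*curl.*', r'.*baidu.com.*')
]

# Four lines copied from the access log shown above, plus one constructed
# request (203.0.113.7, a TEST-NET address) carrying a Baiduspider UA.
SAMPLE_LOG = """\
127.0.0.1 - - [27/Dec/2017:00:02:50 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:22:27 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
192.168.230.1 - - [27/Dec/2017:00:04:36 +0800] "GET / HTTP/1.1" 200 18 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
127.0.0.1 - - [27/Dec/2017:00:25:36 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "chamlinux chamlinux"
203.0.113.7 - - [27/Dec/2017:00:30:00 +0800] "GET /index.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
"""


def would_be_blocked(user_agent: str) -> bool:
    """True if the RewriteRule [F] would answer 403 to this User-Agent."""
    return any(p.search(user_agent) for p in BLOCKED_UA_PATTERNS)


def parse_line(line: str):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def summarize(log_text: str):
    """Return (requests per UA, 403s per UA, UA -> blocked-by-rules flag)."""
    requests = Counter()
    forbidden = Counter()
    blocked = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip truncated or garbled lines
        ua = rec['ua']
        requests[ua] += 1
        if rec['status'] == 403:
            forbidden[ua] += 1
        blocked[ua] = would_be_blocked(ua)
    return requests, forbidden, blocked


def dominant_user_agent(requests: Counter):
    """The single most frequent UA: the 'identical user agent' a CC flood shows."""
    return requests.most_common(1)[0][0] if requests else None


if __name__ == '__main__':
    reqs, forb, blk = summarize(SAMPLE_LOG)
    for ua, n in reqs.most_common():
        verdict = 'BLOCKED' if blk[ua] else 'allowed'
        print(f"{n:3d} req  {forb[ua]:3d} x403  {verdict:7s}  {ua}")
    print('dominant UA:', dominant_user_agent(reqs))
```

Run against a real log (`tail -n 1000 111.com-access_*.log`), the per-UA count is what reveals a flood with one repeated user agent, and the blocked flag shows which of those agents the current rules already cover.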

 

11.30 PHP-related configuration

Locate the PHP configuration file:

[root@cham002 php-7.1.6]# /usr/local/php/bin/php -i|grep -i "loaded configuration file" 
Loaded Configuration File => /usr/local/php/etc/php.ini
PHP Warning:  Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in Unknown on line 0


[root@cham002 php-7.1.6]# /usr/local/php7/bin/php -i|grep -i "loaded configuration file" 
Loaded Configuration File => /usr/local/php7/etc/php.ini
[root@cham002 111.com]# ls
123.php  admin  index.php  photo1.jpg  upload
 
[root@cham002 111.com]# vim index.php 
<?php
#echo "welcome to 111.com";
phpinfo();
#?>
[root@cham002 111.com]# cd /usr/local/src/php-7.1.6/

[root@cham002 php-7.1.6]# cp php.ini-development  /usr/local/php7/etc/php.ini

[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 php-7.1.6]# vim /usr/local/php7/etc/php.ini
[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 php-7.1.6]# vim /usr/local/php7/etc/php.ini
[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK

PHP parameters

Set the time zone:

date.timezone

Disable some functions:

disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,proc_open,proc_close,phpinfo

The functions above can be switched off via "disable_functions" to improve the site's security. (Note that eval is a language construct rather than a function, so listing it there has no effect.)

display_errors=On/Off: controls whether the cause of an error is displayed. Note that once this is set to Off (so users cannot see it) you must enable the error log, set its path and set the error log level, otherwise there is no way to find the cause of an error.

display_errors = Off

Logging

log_errors=On/Off turns the error log on/off

log_errors = On
This turns it on.

Define the error log path

Sets where the error log is saved. If no log is produced after the path is defined, check whether the directory holding the log file is writable (w).

error_log = /tmp/php_errors.log

Define the level of the error_log (if the level is set very strictly, only fairly serious errors are recorded and ordinary warnings are not). The available levels are E_ALL, ~E_NOTICE, ~E_STRICT and ~E_DEPRECATED (they can be freely combined). For production, E_ALL & ~E_NOTICE is enough.

error_reporting = E_ALL

[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/index.php
[root@cham002 php-7.1.6]# ls /tmp/
mysql.sock      systemd-private-02f767b5881a41e284ed51ccdd17a7e8-vmtoolsd.service-5E7yid
pear            systemd-private-784ef142e2ac49208717f87ed079faeb-vmtoolsd.service-vHephM
php_errors.log
[root@cham002 php-7.1.6]# cat /tmp/php_errors.log 
[26-Dec-2017 17:16:28 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 3
[root@cham002 php-7.1.6]# ls -l /tmp/php_errors.log 
-rw-r--r-- 1 daemon daemon 135 12月 27 01:16 /tmp/php_errors.log
[root@cham002 php-7.1.6]# ps aux |grep httpd
root      2717  0.0  1.3 258996 13680 ?        Ss   12月25   0:06 /usr/local/apache2.4/bin/httpd -k start
daemon    8815  0.0  1.4 613472 14920 ?        Sl   01:16   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon    8816  0.0  1.0 545824 10468 ?        Sl   01:16   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon    8817  0.0  1.0 545824 10456 ?        Sl   01:16   0:00 /usr/local/apache2.4/bin/httpd -k start
root      8918  0.0  0.0 112684   976 pts/0    S+   01:17   0:00 grep --color=auto httpd

Simulate another error:
[root@cham002 php-7.1.6]# vim /data/wwwroot/111.com/2.php
[root@cham002 php-7.1.6]# cat !$
cat /data/wwwroot/111.com/2.php
<?php
echo 123;
adsfasdffsdfsdfsdfsdfsdfsfdsfs
[root@cham002 php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php
[root@cham002 php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Tue, 26 Dec 2017 17:26:03 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8

[root@cham002 php-7.1.6]# cat /tmp/php_errors.log 
[26-Dec-2017 17:16:28 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 3
[26-Dec-2017 17:25:53 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[26-Dec-2017 17:26:03 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
Sometimes, to be on the safe side (error_log is already defined in php.ini, as grep confirms):
[root@cham002 php-7.1.6]# grep error_log /usr/local/php7/etc/php.ini
; server-specific log, STDERR, or a location specified by the error_log
; Set maximum length of log_errors. In error_log information about the source is
error_log = /tmp/php_errors.log
;error_log = syslog
; OPcache error_log file name. Empty string assumes "stderr".
;opcache.error_log=
[root@cham002 php-7.1.6]# touch /tmp/php_errors.log ; chmod 777 /tmp/php_errors.log
                         The log file can be created in advance and given 777 permissions (making it owned by the user httpd runs as, daemon in the ps output above, is tighter than 777).

Security parameter "open_basedir"

open_basedir = /data/wwwroot/111.com:/tmp

Translation: if the open_basedir option is set, all file operations are restricted to the specified directories and their subdirectories.
It is very important to set this directive per directory or per virtual host in the web server configuration.

[root@cham002 ~]# vim /data/wwwroot/111.com/2.php    # we fix 2.php so that it is valid
[root@cham002 ~]# cat /data/wwwroot/111.com/2.php 
<?php
echo 123;

[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 ~]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.1 200 OK
Date: Tue, 26 Dec 2017 17:42:32 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
[root@cham002 ~]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php 
123

Note: the settings in php.ini apply to ALL virtual hosts!! Keep this in mind. So we remove open_basedir from php.ini again.

Problem: a server runs more than one virtual host, so setting this option in php.ini is not appropriate. How, then, should it be configured?

Solution: set it separately in each virtual host's configuration.

Edit the virtual host configuration file:

[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
 php_admin_value open_basedir "/data/wwwroot/abc.com:/tmp/"


[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl graceful

[root@cham002 ~]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php 
123[root@cham002 ~]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.1 200 OK
Date: Tue, 26 Dec 2017 17:53:26 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

Note: "php_admin_value" can set php.ini parameters. Using this method, set the relevant "open_basedir" in each virtual host! "/tmp/" is included here so that temporary files can still be written.
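As an added example (not from the original notes), the following Python script reads a php.ini-style file and checks the settings this section discusses: display_errors, log_errors, error_log, date.timezone, disable_functions and open_basedir. It is run against two constructed configurations, one modelled on php.ini-development defaults and one carrying the values set above; the timezone value Asia/Shanghai is a sample, since the notes name the key without a value. Names such as parse_php_ini, audit_php_ini and REQUIRED_DISABLED are this example's own.

```python
import re

# Functions from this section's disable_functions list that an audit should
# insist on: the shell-spawning ones plus phpinfo.
REQUIRED_DISABLED = {'exec', 'system', 'shell_exec', 'passthru',
                     'proc_open', 'popen', 'phpinfo'}

# Constructed sample, modelled on php.ini-development defaults (PHP 7.1):
# errors are displayed, nothing is disabled, no open_basedir, no error_log.
WEAK_INI = """\
[PHP]
;date.timezone =
display_errors = On
log_errors = On
;error_log = php_errors.log
disable_functions =
error_reporting = E_ALL
;open_basedir =
"""

# Constructed sample carrying the values set in this section.
HARDENED_INI = """\
[PHP]
date.timezone = Asia/Shanghai   ; sample value
display_errors = Off
log_errors = On
error_log = "/tmp/php_errors.log"
error_reporting = E_ALL
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,proc_open,proc_close,phpinfo
open_basedir = /data/wwwroot/111.com:/tmp
"""

# Values php.ini treats as "off".
FALSY = {'', '0', 'off', 'false', 'no', 'none'}


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: 'key = value' lines, ';' comments and
    [section] headers.  The last assignment of a key wins, as in PHP."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';[':
            continue
        key, sep, value = line.partition('=')
        if not sep:
            continue
        value = value.strip()
        quoted = re.match(r'(["\'])(.*?)\1', value)
        if quoted:
            value = quoted.group(2)                  # keep quoted text verbatim
        else:
            value = value.split(';', 1)[0].strip()   # drop a trailing comment
        settings[key.strip()] = value
    return settings


def audit_php_ini(settings: dict) -> list:
    """Return human-readable findings, one per weak or missing setting."""
    findings = []
    if settings.get('display_errors', 'On').lower() not in FALSY:
        findings.append('display_errors is not Off: error text (paths, SQL) reaches the client')
    if settings.get('log_errors', 'Off').lower() in FALSY:
        findings.append('log_errors is Off: with display_errors Off nothing records the error')
    elif not settings.get('error_log'):
        findings.append('error_log is unset: PHP errors fall back to the Apache error log')
    if not settings.get('date.timezone'):
        findings.append('date.timezone is unset')
    disabled = {f.strip() for f in settings.get('disable_functions', '').split(',') if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append('disable_functions does not cover: ' + ', '.join(missing))
    if 'eval' in disabled:
        findings.append('eval is a language construct, not a function: disable_functions cannot switch it off')
    if not settings.get('open_basedir'):
        findings.append('open_basedir is unset: scripts may read any file the httpd user can')
    return findings


if __name__ == '__main__':
    for name, ini in (('weak', WEAK_INI), ('hardened', HARDENED_INI)):
        print(f'== {name} ==')
        for finding in audit_php_ini(parse_php_ini(ini)):
            print(' -', finding)
```

Pointing `parse_php_ini` at the real file (`open('/usr/local/php7/etc/php.ini').read()`) gives a quick before/after check of an edit like the ones in this section; remember that a per-vhost `php_admin_value` is not visible in php.ini, so open_basedir set that way will still show up as a finding here.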
