Apache限定目录解析PHP,限制user_agent,PHP相关的配置

时间 2019-11-12

标签 apache 限定目录解析 php 限制 user agent 相关配置栏目 Apache 繁體版

原文原文链接

Apache限定目录解析PHP

配置前访问upload/index.php

[root@test-a ~]# curl  -x192.168.77.139:80 'www.test.com/upload/index.php'
This is upload diretory

配置，/usr/local/apache2.4/conf/extra/httpd-vhosts.conf对应的虚拟网站增长以下内容，从新加载配置

<Directory /usr/local/apache2.4/test-webroot/upload>
    php_admin_flag engine off
</Directory>
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful

测试

[root@test-a ~]# curl  -x192.168.77.139:80 'www.test.com/upload/index.php'
<?php
echo "This is upload diretory\n";
?>

虽然解析不了PHP，但会打印源文件，能够再经过FilesMatch来禁止访问。配置

<Directory /usr/local/apache2.4/test-webroot/upload>
    <FilesMatch (.*).php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

加载配置文件，测试

[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@test-a ~]# curl  -x192.168.77.139:80 'www.test.com/upload/index.php'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/index.php
on this server.<br />
</p>
</body></html>

限制user_agent

user_agent能够理解为浏览器标识
须要使用rewrite模块，去掉httpd.conf中的rewrite_module
配置前访问

[root@test-a ~]# curl -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:32:20 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:32:20 GMT
Content-Type: text/html; charset=UTF-8
[root@test-a ~]# curl -A myagent -x127.0.0.1:80 "www.qq.com/index.php" -I # 经过选项-A指定user_agent
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:32:35 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:32:35 GMT
Content-Type: text/html; charset=UTF-8

配置，/usr/local/apache2.4/conf/extra/httpd-vhosts.conf对应的虚拟网站增长以下内容，从新加载配置。说明NC(no case)不区分大小写；OR或者，表示与下面的条件是或的关系；F(forbidden)禁止

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
    RewriteRule  .*  -  [F]
</IfModule>

从新加载配置，测试

[root@test-a ~]# curl -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 403 Forbidden
Date: Wed, 21 Nov 2018 01:39:00 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1
[root@test-a ~]# curl -A myagent -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:39:04 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:39:04 GMT
Content-Type: text/html; charset=UTF-8

PHP相关的配置

查看配置文件路径
方法1: /usr/local/php/bin/php -i|grep -i "loaded configuration file" # 不过这种方法不许确
方法2: 能够写个php文件利用phpinfo()访问查看php
在使用/usr/local/php/bin/php -i|grep -i "loaded configuration file"时，有警告提示,配置处理html

[root@test-a ~]# /usr/local/php/bin/php -i | grep -i "loaded configuration file"
PHP Warning:  Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in Unknown on line 0
Loaded Configuration File => /usr/local/php/etc/php.ini
#/usr/local/php/etc/php.ini中找到date.timezone设置成
date.timezone=Asia/Shanghai
#
# 加载，测试OK
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful                    [root@test-a ~]# /usr/local/php/bin/php -i | grep -i "loaded configuration file"
Loaded Configuration File => /usr/local/php/etc/php.ini

disable_functions，PHP有诸多内置的函数,有一些函数开放将会很是危险。所以,基于安全考虑应该把一些存在安全风险的函数禁掉(例如:phpinfo会显示服务器相关信息)

# vim /usr/local/php/etc/php.ini // 搜索disable_functions,编辑成以下
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp ,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsocko pen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_ close

配置error_log

# 从/usr/local/php/etc/php.ini中搜索log_errors,改为以下
log_errors = On
# 再搜索error_log,改成
error_log = /var/log/php/php_errors.log 
# 再搜索error_reporting,改成 
error_reporting = E_ALL & ~E_NOTICE
# 再搜索display_errors,改成 
display_errors = Off
log_errors能够设置为on或者off,若是想让PHP记录错误日志,须要设置为on；
error_log设定错误日志路径;
error_reporting设定错误日志的级别,E_ALL为全部类型的日志,无论是提醒仍是警告 都会记录。在开发环境下面设置为E_ALL,能够方便排查问题,但也会形成日志记录不少无心义的内容。&符号表示而且,~表示排除,因此两个组合在一块儿就是在E_ALL的基础上排除掉notice相关的日志。display_errors设置为on,则会把错误日志直接显示在浏览器里,这样对于用户访问来讲体验很差,并且还会暴露网站的一些文件路径等重要信息,因此要设置为off。

配置open_basedir，将网站限定在指定目录里
默认站点在/usr/local/php/etc/php.ini配置 open_basedir = /tmp:/usr/local/apache2.4/test-webroot
虚拟站点配置是在对应站点目录配置中配置: php_admin_value open_basedir "/data/wwwroot/www.123.com/:/tmp/"

注意，/tmp的主要做用是网站的一些临时文件须要访问该目录，好比上传文件时。web