11.28 Forbid PHP parsing in a specific directory; 11.29 Restrict user_agent; 11.30/11.31 PHP-related configuration
- 11.28 Forbid PHP parsing in a specific directory
- 11.29 Restrict user_agent
- 11.30/11.31 PHP-related configuration
- Extensions
- Enabling compression in Apache http://ask.apelearn.com/question/5528
- Configuration file changes from Apache 2.2 to 2.4 http://ask.apelearn.com/question/7292
- Apache Options parameters http://ask.apelearn.com/question/1051
- Disabling TRACE/TRACK in Apache to prevent XSS http://ask.apelearn.com/question/1045
- Configuring HTTPS / SSL support in Apache http://ask.apelearn.com/question/1029

# 11.28 Forbid PHP parsing in a specific directory

- Suppose a directory exists for uploading images, but someone with bad intentions uploads a PHP file into it. Because httpd has the PHP module enabled, an uploaded trojan file (of PHP type) may be executed by httpd; once it runs, the other side can gain root privileges on our server, or maliciously delete or modify settings, leaving the server paralysed or compromised.
- A case: a server whose website had been attacked. Nobody knew the cause, how it was attacked, or how deep the attack went; all they knew was that the company's database had leaked. The data was phone numbers, and the attacker had not deleted any of it, because they knew the phone numbers in this server's database grew every day, so they could keep obtaining fresh numbers and sell them to a third party.
- Resolution:
- They submitted a phone number that had never been submitted to this server before, through the server's own website, and someone phoned that number right away. That proved the whole pipeline, from the attacker obtaining a number to a call reaching the new user, was fully automated (every day new numbers are scraped into a queue and sold straight to a third party, who calls the user immediately). So the guess was that the website's program (PHP) had a vulnerability; the other possibility was a SQL injection vulnerability (a crafted submission carries a SQL query to the server, the server turns it into a normal query and returns data). But SQL injection is easy to fix: add filtering of special characters at the site's submission entry points and the injection is fully blocked.
First, capture traffic and monitor the database queries, since the phone numbers came from querying the data: write a script in an endless loop that captures the queries once a minute and writes a log file after each capture.
Reviewing the log, one SQL query differed from the site's own queries. The log pinned down the time, so the next step was the web server's access log for that time, which showed a very unusual request: a file whose name ended in .php, accessed under the image directory. Inspecting that PHP file, its content was code to obtain privileges on the server, in effect a backdoor. The root cause of the whole problem was that the image upload directory did not forbid PHP parsing.
- SQL injection means inserting SQL commands into a web form submission, an input domain name, or a page request's query string so that the server is tricked into executing malicious SQL. Specifically, it exploits an existing application's ability to inject (malicious) SQL commands into the backend database engine for execution: by entering (malicious) SQL statements into a web form, one can obtain data from the database of a site that has the vulnerability, instead of executing SQL as the designer intended. [1] For example, many earlier leaks of VIP member passwords from video websites came from submitting query strings through web forms; such forms are especially prone to SQL injection attacks.
- So how do we configure it to forbid PHP parsing?
- The core configuration content:
```
<Directory /data/wwwroot/www.123.com/upload>
    php_admin_flag engine off
</Directory>
```
- When tested with curl, the PHP source code is returned directly; it was not parsed.
- First, edit the virtual host configuration file.
```
#</FilesMatch>
#</Directory>
<Directory /data/wwwroot/111.com>
    <FilesMatch "admin.php(.*)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>
<Directory /data/wwwroot/111.com>
    SetEnvIfNoCase Referer "http://111.com" local_ref
    SetEnvIfNoCase Referer "http://aaa.com" local_ref
    SetEnvIfNoCase Referer "^$" local_ref
    <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
        Order Allow,Deny
        Allow from env=local_ref
    </FilesMatch>
</Directory>
```
- Change it to:
```
#</FilesMatch>
#</Directory>
<Directory /data/wwwroot/111.com/upload>
    php_admin_flag engine off
    <FilesMatch (.*)\.php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
<Directory /data/wwwroot/111.com>
    <FilesMatch "admin.php(.*)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>
<Directory /data/wwwroot/111.com>
    SetEnvIfNoCase Referer "http://111.com" local_ref
    SetEnvIfNoCase Referer "http://aaa.com" local_ref
    SetEnvIfNoCase Referer "^$" local_ref
```
- Check the syntax and reload the configuration.
```
[root@localhost ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@localhost ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@localhost ~]# cd /data/wwwroot/111.com
[root@localhost 111.com]# ls
123.php  admin  index.php  qq.png
[root@localhost 111.com]# mkdir upload
[root@localhost 111.com]# ls
123.php  admin  index.php  qq.png  upload
[root@localhost 111.com]# cp 123.php upload/
[root@localhost 111.com]# !curl
curl -x127.0.0.1:80 'http://111.com/admin.php?/alsjdf' -I
HTTP/1.1 404 Not Found
Date: Thu, 12 Oct 2017 12:41:28 GMT
Server: Apache/2.4.27 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
```
- Now access it again.
```
[root@localhost 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Thu, 12 Oct 2017 12:42:49 GMT
Server: Apache/2.4.27 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@localhost 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/123.php
on this server.<br />
</p>
</body></html>
[root@localhost 111.com]# 
```
- First comment out the FilesMatch block.
```
#</FilesMatch>
#</Directory>
<Directory /data/wwwroot/111.com/upload>
    php_admin_flag engine off
    #<FilesMatch (.*)\.php(.*)>
    #    Order allow,deny
    #    Deny from all
    #</FilesMatch>
</Directory>
<Directory /data/wwwroot/111.com>
    <FilesMatch "admin.php(.*)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>
<Directory /data/wwwroot/111.com>
    SetEnvIfNoCase Referer "http://111.com" local_ref
    SetEnvIfNoCase Referer "http://aaa.com" local_ref
```
```
[root@localhost 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@localhost 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@localhost 111.com]# 
```
- Access it again.
```
[root@localhost 111.com]# !curl
curl -x127.0.0.1:80 'http://111.com/upload/123.php'
<?
echo "123.php";
[root@localhost 111.com]# 
```
Also try it from a Windows browser.
- Now restrict it further: leave it no chance even to be accessed, let alone to have PHP parsed.
- Open the configuration file again and remove the comment marks just added.
```
#</Directory>
<Directory /data/wwwroot/111.com/upload>
    php_admin_flag engine off
    <FilesMatch (.*)\.php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
```
```
[root@localhost 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@localhost 111.com]# /usr/local/apache2.4/bin/apachectl graceful
```
- Access it again.
- It immediately reports 403, access denied.
Forbidding PHP parsing makes the server safer, especially for writable directories. A writable directory generally has no need to parse PHP; remember this. Directories that hold static files are generally not allowed to parse PHP.
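As an added example (not part of the original lesson), here is a small Python audit that reads a vhost configuration like the ones above and reports, for each directory the web application can write to, whether both layers from this section are present: `php_admin_flag engine off` and a `<FilesMatch>` that denies .php names outright. The configuration text is a constructed sample modelled on the page's; the second directory (`/data/wwwroot/111.com/files`) is hypothetical and deliberately left open to show how a gap is reported. The access-control logic is a simplified model of mod_access_compat, not Apache's own code.

```python
import re

# Constructed sample modelled on the page's httpd-vhosts.conf: the upload
# directory hardened exactly as the lesson does, plus a hypothetical second
# writable directory (/data/wwwroot/111.com/files) that was left open.
SAMPLE_VHOST_CONF = r"""
<Directory /data/wwwroot/111.com/upload>
    php_admin_flag engine off
    <FilesMatch (.*)\.php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
<Directory /data/wwwroot/111.com/files>
    Options -Indexes
</Directory>
<Directory /data/wwwroot/111.com>
    <FilesMatch "admin.php(.*)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>
"""

DIRECTORY_RE = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S)
FILESMATCH_RE = re.compile(r'<FilesMatch\s+"?([^>"]+)"?>(.*?)</FilesMatch>', re.S)


def parse_directories(conf):
    """Map each <Directory path> block to its body (Directory blocks do not nest)."""
    return {path.strip(): body for path, body in DIRECTORY_RE.findall(conf)}


def php_denied_by_filesmatch(body, filename):
    """True when a <FilesMatch> whose regex matches the filename has 'Deny from all'
    and no 'Allow from' exception (simplified mod_access_compat semantics).
    FilesMatch is applied to the file name only, as httpd does."""
    for pattern, rules in FILESMATCH_RE.findall(body):
        if not re.search(pattern, filename):
            continue
        denies_all = re.search(r"^\s*Deny\s+from\s+all", rules, re.M | re.I)
        has_allow = re.search(r"^\s*Allow\s+from", rules, re.M | re.I)
        if denies_all and not has_allow:
            return True
    return False


def audit_writable_dirs(conf, writable_dirs, probe="123.php"):
    """For each directory the web app can write to, report the two layers the
    lesson sets: PHP engine switched off, and .php names denied outright."""
    dirs = parse_directories(conf)
    report = {}
    for d in writable_dirs:
        body = dirs.get(d, "")  # a directory with no block at all has neither layer
        report[d] = {
            "engine_off": re.search(r"^\s*php_admin_flag\s+engine\s+off", body, re.M | re.I) is not None,
            "php_denied": php_denied_by_filesmatch(body, probe),
        }
    return report


if __name__ == "__main__":
    writable = ["/data/wwwroot/111.com/upload", "/data/wwwroot/111.com/files"]
    for path, layers in audit_writable_dirs(SAMPLE_VHOST_CONF, writable).items():
        missing = [k for k, ok in layers.items() if not ok]
        print(path, "OK" if not missing else "MISSING: " + ", ".join(missing))
```

Run it against a real file with `audit_writable_dirs(open(path).read(), [...])`. The FilesMatch check also shows why the lesson writes the pattern `(.*)\.php(.*)` with a trailing `(.*)`: a name such as `x.php.txt` is still denied, while `qq.png` in the same directory is not.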
# 11.29 Restrict user_agent
- Sometimes a website is hit by something called a CC attack. A CC attack is an attack in which software and zombie hosts visit one site simultaneously; once the server's concurrency limit is exceeded the site goes down. The visits from the zombies and the software are ordinary visits, nothing special about them; they simply push the site past its concurrency limit and overload it until it crashes, so there is no direct way to control them. But CC attacks have one regular characteristic: the user_agent is consistent, for example the same IP, the same identifier, the same address. When we see such a regular user_agent visiting frequently, we can judge it to be a CC attack and restrict its user_agent to relieve the server. Turning its normal 200 responses into 403 is enough to reduce the load, because a 403 is only a request that uses very little bandwidth; after all it never touches PHP or MySQL.
CC attack
- An attacker uses proxy servers to generate legitimate-looking requests aimed at the victim host, achieving DDoS and disguise at the same time: this is called CC (Challenge Collapsar).
CC is mainly used to attack pages. Everyone has had this experience: when visiting a large, busy forum, pages open slowly; the more visitors and the more pages the forum has, the greater the database pressure, the higher the access frequency, and the more system resources are consumed.
- A static page needs hardly any server resources; it can practically be read from memory and sent to you. A forum is different: when I read a post, the system has to check the database for whether I have permission to read it and, if so, read out the post's content and display it. That is at least two database accesses. If the database holds 200 MB of data, the system may well have to search through that 200 MB, which costs CPU time. If I search for a keyword it takes even longer, because the earlier lookups can be confined to a small scope (user permissions only in the user table, post content only in the post table, stopping as soon as a match is found), whereas a search has to examine all the data, which takes considerable time.
CC makes full use of this: it simulates many users (as many threads as users) constantly visiting the pages that require heavy data operations, i.e. a lot of CPU time. An ordinary performance-testing tool is enough to simulate large numbers of concurrent users.
- A zombie host (肉雞, a computer under an attacker's remote control), also called a puppet machine, is any machine an attacker can control remotely. For example, the user is lured into clicking something like "灰鴿子" (Gray Pigeon), or the computer is broken into by the attacker, or a vulnerability on the user's computer is used to plant a trojan; the attacker can then manipulate the machine at will and use it for anything.
Zombies are usually used for DDoS attacks. They can run any system, such as Windows, Linux or Unix, and can even be the servers of a company, an enterprise, a school, or even a government or military body.
- First, open the virtual host configuration file.
```
#<Directory /data/wwwroot/111.com>
#    <FilesMatch 123.php>
#        AllowOverride AuthConfig
#        AuthName "111.com user auth"
#        AuthType Basic
#        AuthUserFile /data/.htpasswd
#        require valid-user
#    </FilesMatch>
#</Directory>
<Directory /data/wwwroot/111.com/upload>
    php_admin_flag engine off
    <FilesMatch (.*)\.php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
<Directory /data/wwwroot/111.com>
    <FilesMatch "admin.php(.*)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>
```
- After adding the configuration, check the configuration file and reload it.
```
#<Directory /data/wwwroot/111.com>
#    <FilesMatch 123.php>
#        AllowOverride AuthConfig
#        AuthName "111.com user auth"
#        AuthType Basic
#        AuthUserFile /data/.htpasswd
#        require valid-user
#    </FilesMatch>
#</Directory>
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT}  .*curl.*  [NC,OR]
    RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.*  [NC]
    RewriteRule  .*  -  [F]
</IfModule>
<Directory /data/wwwroot/111.com/upload>
    php_admin_flag engine off
    <FilesMatch (.*)\.php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
<Directory /data/wwwroot/111.com>
    <FilesMatch "admin.php(.*)">
        Order deny,allow
```
```
[root@localhost 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
[root@localhost 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@localhost 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@localhost 111.com]# 
```
- Access it again.
```
[root@localhost 111.com]# !curl
curl -x127.0.0.1:80 'http://111.com/upload/123.php'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/123.php
on this server.<br />
</p>
</body></html>
[root@localhost 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Thu, 12 Oct 2017 13:41:04 GMT
Server: Apache/2.4.27 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@localhost 111.com]# curl -x127.0.0.1:80 'http://111.com/123.php' -I
HTTP/1.1 403 Forbidden
Date: Thu, 12 Oct 2017 13:41:49 GMT
Server: Apache/2.4.27 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@localhost 111.com]# 
```
- Look at the log file.
```
[root@localhost 111.com]# tail /usr/local/apache2.4/logs/123.com-access_20171012.log
192.168.202.1 - - [12/Oct/2017:20:51:50 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://111.com/123.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
192.168.202.1 - - [12/Oct/2017:20:54:14 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
192.168.202.1 - - [12/Oct/2017:20:54:16 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
192.168.202.1 - - [12/Oct/2017:20:54:29 +0800] "GET /upload/123.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
192.168.202.1 - - [12/Oct/2017:21:22:31 +0800] "GET /upload/123.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
192.168.202.1 - - [12/Oct/2017:21:22:32 +0800] "GET /upload/123.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
192.168.202.1 - - [12/Oct/2017:21:22:34 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
127.0.0.1 - - [12/Oct/2017:21:40:54 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [12/Oct/2017:21:41:04 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [12/Oct/2017:21:41:49 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
[root@localhost 111.com]# 
```
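As an added example, not from the original lesson: a Python script that parses access-log lines in the format shown above, counts requests per user_agent together with the status codes and client IPs seen, and reports which agents the page's two RewriteCond patterns (`.*curl.*` and `.*baidu.com.*`, both case-insensitive) would turn into 403s. This is the "same user_agent hammering the site" check the section describes, run over sample data. The log lines are constructed for this example and modelled on the page's; the Baiduspider lines, the malformed line and the threshold value are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the page's 123.com-access log (combined format:
# ip - - [time] "request" status bytes "referer" "user-agent"). The Baiduspider
# lines and the trailing malformed line are assumptions added for the example.
SAMPLE_LOG = """\
192.168.202.1 - - [12/Oct/2017:20:54:14 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
127.0.0.1 - - [12/Oct/2017:21:40:54 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [12/Oct/2017:21:41:49 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [12/Oct/2017:21:47:03 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "aminlinux aminglinux"
10.0.0.9 - - [12/Oct/2017:21:50:01 +0800] "GET /forum.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
10.0.0.9 - - [12/Oct/2017:21:50:02 +0800] "GET /forum.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
this line is not a valid log record
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The page's two RewriteCond patterns, with the [NC] (case-insensitive) flag.
BLOCKED_UA_PATTERNS = [re.compile(r".*curl.*", re.I), re.compile(r".*baidu.com.*", re.I)]


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def ua_blocked(ua):
    """Would the page's RewriteRule ... [F] answer 403 for this user agent?"""
    return any(p.match(ua) for p in BLOCKED_UA_PATTERNS)


def summarize(entries):
    """Per user agent: request count, status-code histogram, distinct client IPs."""
    summary = {}
    for e in entries:
        s = summary.setdefault(e["ua"], {"requests": 0, "statuses": Counter(), "ips": set()})
        s["requests"] += 1
        s["statuses"][e["status"]] += 1
        s["ips"].add(e["ip"])
    return summary


def suspicious_agents(entries, threshold):
    """User agents with at least `threshold` requests, i.e. the repeated-identifier
    pattern the lesson uses to spot a CC attack. Returns [(ua, count, blocked)]
    sorted by count, where `blocked` says whether the existing rule already stops it."""
    counts = Counter(e["ua"] for e in entries)
    return sorted(
        ((ua, n, ua_blocked(ua)) for ua, n in counts.items() if n >= threshold),
        key=lambda t: -t[1],
    )


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ua, n, blocked in suspicious_agents(entries, threshold=2):
        print(f"{n:4d}  {'blocked' if blocked else 'ALLOWED'}  {ua}")
```

On a real log, feed `parse_log` the output of `tail -n 10000` on the access log and raise the threshold to what is normal for the site; an agent that shows up as ALLOWED with a high count is a candidate for a further RewriteCond, while one already marked blocked should only be producing 403s.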
- Try again:
- curl -A "aminlinux aminglinux" -x127.0.0.1:80 'http://111.com/123.php' -I works; curl -A specifies the user_agent
- curl -e "http://" can also specify the Referer
- curl -x specifies the proxy
- curl -I only looks at the status code
```
[root@localhost 111.com]# curl -A "aminlinux aminglinux" -x127.0.0.1:80 'http://111.com/123.php' -I
HTTP/1.1 200 OK
Date: Thu, 12 Oct 2017 13:47:03 GMT
Server: Apache/2.4.27 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
[root@localhost 111.com]# curl -A "aminlinux aminglinux" -x127.0.0.1:80 'http://111.com/123.php'
123.php[root@localhost 111.com]# 
```
- Look at the access log: the user_agent is "aminlinux aminglinux".
```
[root@localhost 111.com]# tail /usr/local/apache2.4/logs/123.com-access_20171012.log
192.168.202.1 - - [12/Oct/2017:20:54:16 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
192.168.202.1 - - [12/Oct/2017:20:54:29 +0800] "GET /upload/123.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
192.168.202.1 - - [12/Oct/2017:21:22:31 +0800] "GET /upload/123.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
192.168.202.1 - - [12/Oct/2017:21:22:32 +0800] "GET /upload/123.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
192.168.202.1 - - [12/Oct/2017:21:22:34 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
127.0.0.1 - - [12/Oct/2017:21:40:54 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [12/Oct/2017:21:41:04 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [12/Oct/2017:21:41:49 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [12/Oct/2017:21:47:03 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "aminlinux aminglinux"
127.0.0.1 - - [12/Oct/2017:21:47:19 +0800] "GET http://111.com/123.php HTTP/1.1" 200 7 "-" "aminlinux aminglinux"
[root@localhost 111.com]# 
```

# 11.30 PHP-related configuration (part 1)
- To see where the PHP configuration file is: /usr/local/php/bin/php -i|grep -i "loaded configuration file"
- date.timezone
- disable_functions
eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close
- error_log, log_errors, display_errors, error_reporting
- open_basedir
- php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
- List the files under the 111.com directory and modify the content of index.php.
```
[root@localhost 111.com]# ls
123.php  admin  index.php  qq.png  upload
[root@localhost 111.com]# vi index.php
<?php
echo "111.com";
```
- Change it to:
```
[root@localhost 111.com]# vi index.php
<?php
phpinfo();
```
- Copy php.ini-development from the PHP source package to /usr/local/php7/etc/php.ini.
```
[root@localhost 111.com]# cd /usr/local/src/php-7.1.6/
[root@localhost php-7.1.6]# cp php.ini-
php.ini-development  php.ini-production   
[root@localhost php-7.1.6]# cp php.ini-development /usr/local/php7/etc/php.ini
[root@localhost php-7.1.6]# 
```
- Reload the configuration, then refresh the page in the Windows browser to check.
```
[root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
```
- Open the configuration file with vim /usr/local/php7/etc/php.ini and search for disable_functions.
```
[root@localhost php-7.1.6]# vim /usr/local/php7/etc/php.ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini   ;
;;;;;;;;;;;;;;;;;;;
; PHP's initialization file, generally called php.ini, is responsible for
; configuring many of the aspects of PHP's behavior.
; PHP attempts to find and load this configuration from a number of locations.
; The following is a summary of its search order:
; 1. SAPI module specific location.
; 2. The PHPRC environment variable. (As of PHP 5.2.0)
; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
; 4. Current working directory (except CLI)
; 5. The web server's directory (for SAPI modules), or directory of PHP
; (otherwise in Windows)
; 6. The directory from the --with-config-file-path compile time option, or the
; Windows directory (C:\windows or C:\winnt)
; See the PHP docs for more specific information.
; http://php.net/configuration.file
; The syntax of the file is extremely simple.  Whitespace and lines
; beginning with a semicolon are silently ignored (as you probably guessed).
; Section headers (e.g. [Foo]) are also silently ignored, even though
; they might mean something in the future.
; Directives following the section heading [PATH=/www/mysite] only
; apply to PHP files in the /www/mysite directory.  Directives
; following the section heading [HOST=www.example.com] only apply to
; PHP files served from www.example.com.  Directives set in these
; If -1 is used, then dtoa mode 0 is used which automatically select the best
; precision.
serialize_precision = -1
; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.
; http://php.net/open-basedir
;open_basedir =
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions =
; This directive allows you to disable certain classes for security reasons.
; It receives a comma-delimited list of class names.
; http://php.net/disable-classes
disable_classes =
; Colors for Syntax Highlighting mode.  Anything that's acceptable in
; <span style="color: ????????"> would work.
; http://php.net/syntax-highlighting
;highlight.string  = #DD0000
;highlight.comment = #FF9900
;highlight.keyword = #007700
;highlight.default = #0000BB
```
- By default this is empty: disable_functions =
- We disable all of these functions:
```
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
; This directive allows you to disable certain classes for security reasons.
; It receives a comma-delimited list of class names.
; http://php.net/disable-classes
disable_classes =
; Colors for Syntax Highlighting mode.  Anything that's acceptable in
; <span style="color: ????????"> would work.
; http://php.net/syntax-highlighting
;highlight.string  = #DD0000
```
```
[root@localhost php-7.1.6]# vim /usr/local/php7/etc/php.ini
[root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@localhost php-7.1.6]# 
```
- Refresh the page in the Windows browser.
- Of course we will still want to use phpinfo, so open the configuration file and remove phpinfo from the list.
```
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close
; This directive allows you to disable certain classes for security reasons.
; It receives a comma-delimited list of class names.
; http://php.net/disable-classes
disable_classes =
; Colors for Syntax Highlighting mode.  Anything that's acceptable in
; <span style="color: ????????"> would work.
; http://php.net/syntax-highlighting
;highlight.string  = #DD0000
;highlight.comment = #FF9900
;highlight.keyword = #007700
```
```
[root@localhost php-7.1.6]# vim /usr/local/php7/etc/php.ini
[root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@localhost php-7.1.6]# 
```
- Second, date.timezone: open the PHP configuration file and search for timezone.
```
[root@localhost php-7.1.6]# vim /usr/local/php7/etc/php.ini
;extension=php_tidy.dll
;extension=php_xmlrpc.dll
;extension=php_xsl.dll
;;;;;;;;;;;;;;;;;;;
; Module Settings ;
;;;;;;;;;;;;;;;;;;;
[CLI Server]
; Whether the CLI web server uses ANSI color coding in its terminal output.
cli_server.color = On
[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
;date.timezone =
; http://php.net/date.default-latitude
;date.default_latitude = 31.7667
; http://php.net/date.default-longitude
;date.default_longitude = 35.2333
; http://php.net/date.sunrise-zenith
;date.sunrise_zenith = 90.583333
; http://php.net/date.sunset-zenith
```
- Define it: date.timezone = Asia/Chongqing (remove the leading semicolon so the line is no longer a comment, otherwise the setting has no effect).
- Then add phpinfo back: disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
- Search for display and change display_errors = On to Off; that is, I don't want these error messages output to the browser.
```
[root@localhost php-7.1.6]# vim /usr/local/php7/etc/php.ini
[root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@localhost php-7.1.6]# 
```
- Access it again; it has changed.
- Try with curl:
```
[root@localhost php-7.1.6]# curl -x127.0.0.1:80 http://111.com/index.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.php
on this server.<br />
</p>
</body></html>
```
- Still 403, because the user_agent restriction is in place.
```
[root@localhost php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/index.php -I
HTTP/1.1 200 OK
Date: Thu, 12 Oct 2017 14:31:51 GMT
Server: Apache/2.4.27 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
[root@localhost php-7.1.6]# 
```
- Now it works, but there is no output at all, which is not normal and not what we want. We don't know where the problem is; everything is unknown. This is when an error log needs to be configured.
- Open the configuration file and search for error_log.
```
; Log errors to specified file. PHP's default behavior is to leave this value
; empty.
; http://php.net/error-log
; Example:
;error_log = php_errors.log
; Log errors to syslog (Event Log on Windows).
;error_log = syslog
```
- Define the error_log path, and also configure its level. If the level you define is very high, it only records rather severe errors; less severe ones such as warnings are not recorded, and then I still don't know where the error is. So relax it a little rather than keeping it so strict.
```
error_log = /tmp/php_errors.log
; Log errors to syslog (Event Log on Windows).
;error_log = syslog
```
- Search for error_reporting.
- error_reporting = E_ALL is the least strict. In production we use E_ALL & ~E_NOTICE (Show all errors, except for notices), because notices occur very frequently in production.
```
; Common Values:
;   E_ALL (Show all errors, warnings and notices including coding standards.)
;   E_ALL & ~E_NOTICE  (Show all errors, except for notices)
;   E_ALL & ~E_NOTICE & ~E_STRICT  (Show all errors, except for notices and coding standards warnings.)
;   E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR  (Show only errors)
; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
; Development Value: E_ALL
; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; http://php.net/error-reporting
error_reporting = E_ALL
```
- Access again with curl; php_errors.log is generated.
```
[root@localhost php-7.1.6]# vim /usr/local/php7/etc/php.ini
[root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@localhost php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/index.php
[root@localhost php-7.1.6]# ls /tmp/
ks-script-sk5n23
mysql.sock
pear
php_errors.log
systemd-private-40d73240fa4b483bb2b7ae3d299e980d-vmtoolsd.service-w87bfr
yum.log
[root@localhost php-7.1.6]# 
```
- Look at its owner and group: daemon. daemon is the user httpd runs as.
- The log is actually generated with the identity of that process.
```
[root@localhost php-7.1.6]# ls -l /tmp/php_errors.log 
-rw-r--r--. 1 daemon daemon 135 10月 12 22:44 /tmp/php_errors.log
[root@localhost php-7.1.6]# ps aux |grep httpd
root       2335  0.0  1.3 258884 13600 ?        Ss   20:36   0:00 /usr/local/apache2.4/bin/httpd -k graceful
daemon     3636  0.0  1.4 678896 14644 ?        Sl   22:43   0:00 /usr/local/apache2.4/bin/httpd -k graceful
daemon     3637  0.0  1.0 545712 10400 ?        Sl   22:43   0:00 /usr/local/apache2.4/bin/httpd -k graceful
daemon     3638  0.0  1.0 545712 10400 ?        Sl   22:43   0:00 /usr/local/apache2.4/bin/httpd -k graceful
root       3727  0.0  0.0 112680   976 pts/0    S+   22:46   0:00 grep --color=auto http
[root@localhost php-7.1.6]# 
```
```
[root@localhost php-7.1.6]# grep error_log /usr/local/php7/etc/php.ini
; server-specific log, STDERR, or a location specified by the error_log
; Set maximum length of log_errors. In error_log information about the source is
error_log = /tmp/php_errors.log
;error_log = syslog
; OPcache error_log file name. Empty string assumes "stderr".
;opcache.error_log=
[root@localhost php-7.1.6]# touch /tmp/php_errors.log ; chmod 777 /tmp/php_errors.log ^C
[root@localhost php-7.1.6]# cat /tmp/php_errors.log 
[12-Oct-2017 14:44:09 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[root@localhost php-7.1.6]# 
```
- "phpinfo() has been disabled for security reasons": the phpinfo function was disabled for security reasons.
- Now simulate an error.
```
[root@localhost php-7.1.6]# vim /data/wwwroot/111.com/2.php
<?php
echo 123;
alksdkdkdlldldldd
```
```
[root@localhost php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Thu, 12 Oct 2017 14:54:10 GMT
Server: Apache/2.4.27 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
[root@localhost php-7.1.6]# 
```
- Look at the error log: the result is a syntax error.
- This log level is higher than the one above: one is a Warning, the other an error, and an error is certainly stricter and more serious.
```
[root@localhost php-7.1.6]# !cat
cat /tmp/php_errors.log 
[12-Oct-2017 14:44:09 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[12-Oct-2017 14:54:10 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[root@localhost php-7.1.6]# 
```
- Sometimes you define an error log but it never gets generated; then check whether httpd has write permission on the directory the error log lives in.
The safest method is to create the error log file in that directory and give it 777 permissions, so there is no need to worry about whether httpd can write to it.
- The first part covered security-related functions; what follows is how to turn on debugging and error logging, because troubleshooting a problem without an error log is impossible.

# 11.31 PHP-related configuration (part 2)
- Next, a security-related parameter:
- open_basedir
- php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
- Security-related parameter:
A server runs multiple sites. Suppose one site's code has a problem and the site is hacked, and the attacker gains privileges; the attacker will certainly keep attacking deeper, and may attack the other sites, so that they get compromised too.
open_basedir restricts code from wandering into other sites' directories.
open_basedir = /data/wwwroot/1111.com:/tmp
/tmp is included because opening any file produces a cache file; if /tmp were not allowed, no site could be accessed at all.
- Open the PHP configuration file and search for open_basedir.
```
[root@localhost php-7.1.6]# vim /usr/local/php7/etc/php.ini
; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.
; http://php.net/open-basedir
;open_basedir =
```
- Define open_basedir = /data/wwwroot/111.com:/tmp
- Suppose we deliberately write it wrong, as open_basedir = /data/wwwroot/1111.com:/tmp
```
open_basedir = /data/wwwroot/1111.com:/tmp
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
```
- Access it:
```
[root@localhost php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Thu, 12 Oct 2017 15:10:58 GMT
Server: Apache/2.4.27 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
```
- Correct 2.php; it is still error 500.
```
[root@localhost php-7.1.6]# vi /data/wwwroot/111.com/2.php
<?php
echo 123;
alksdkdkdlldldldd
```
Corrected:
```
[root@localhost php-7.1.6]# vi /data/wwwroot/111.com/2.php
<?php
echo 123;
```
```
[root@localhost php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Thu, 12 Oct 2017 15:13:37 GMT
Server: Apache/2.4.27 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
[root@localhost php-7.1.6]# 
```
- Look at its error output: "File(/data/wwwroot/111.com/2.php) is not within the allowed path(s): (/data/wwwroot/1111.com:/tmp) in Unknown on line 0". 2.php is not inside the permitted directory, which is why it reports 500.
```
[root@localhost php-7.1.6]# !cat
cat /tmp/php_errors.log 
[12-Oct-2017 14:44:09 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[12-Oct-2017 14:54:10 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[12-Oct-2017 15:10:58 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/wwwroot/111.com/2.php) is not within the allowed path(s): (/data/wwwroot/1111.com:/tmp) in Unknown on line 0
[12-Oct-2017 15:10:58 UTC] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[12-Oct-2017 15:10:58 UTC] PHP Fatal error:  Unknown: Failed opening required '/data/wwwroot/111.com/2.php' (include_path='.:/usr/local/php7/lib/php') in Unknown on line 0
[12-Oct-2017 15:13:37 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/wwwroot/111.com/2.php) is not within the allowed path(s): (/data/wwwroot/1111.com:/tmp) in Unknown on line 0
[12-Oct-2017 15:13:37 UTC] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[12-Oct-2017 15:13:37 UTC] PHP Fatal error:  Unknown: Failed opening required '/data/wwwroot/111.com/2.php' (include_path='.:/usr/local/php7/lib/php') in Unknown on line 0
[root@localhost php-7.1.6]# 
```
- Now go into the PHP configuration file and change it to our actual directory.
```
open_basedir = /data/wwwroot/111.com:/tmp
;  This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
; This directive allows you to disable certain classes for security reasons.
; It receives a comma-delimited list of class names.
; http://php.net/disable-classes
disable_classes =
```
```
[root@localhost php-7.1.6]# vim /usr/local/php7/etc/php.ini
[root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@localhost php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php
123[root@localhost php-7.1.6]# 
```
- Now there is no error and the page can be accessed.
- But changing php.ini has a problem: if N sites run on this server, how do you restrict them? All your sites are under /wwwroot/; restricting at that level is useless, since code from any site could wander freely among all the sites in that directory. What is appropriate is to set open_basedir per site, for each website individually, and php.ini cannot do that, because php.ini applies to all sites.
- But there is another way: do it in the Apache virtual host configuration file.
- Go into the configuration file and change it back.
```
; http://php.net/open-basedir
open_basedir = 
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
; This directive allows you to disable certain classes for security reasons.
; It receives a comma-delimited list of class names.
; http://php.net/disable-classes
disable_classes =
```
- Go into the Apache virtual host configuration file.
```
[root@localhost php-7.1.6]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/abc.com"
    ServerName abc.com
    ServerAlias www.abc.com www.123.com
    php_admin_value open_basedir "/data/wwwroot/abc.com:/tmp/"
    ErrorLog "logs/abc.com-error_log"
    CustomLog "logs/abc.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com 2111.com.cn
    #<Directory /data/wwwroot/111.com>
    #    <FilesMatch 123.php>
    #        AllowOverride AuthConfig
    #        AuthName "111.com user auth"
    #        AuthType Basic
    #        AuthUserFile /data/.htpasswd
    #        require valid-user
    #    </FilesMatch>
    #</Directory>
    php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
[root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@localhost php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@localhost php-7.1.6]# !curl
curl -A "a" -x127.0.0.1:80 http://111.com/2.php
123[root@localhost php-7.1.6]# 
```
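As an added example that is not part of the original post, the following shell function audits an httpd-vhosts.conf for VirtualHost blocks that have no php_admin_value open_basedir line, so a site that was forgotten shows up before it can read its neighbours' files. The sample configuration embedded below is constructed to mirror the two vhosts above, with the second one deliberately left without the directive.

```shell
#!/bin/sh
# Added example, not from the page: find vhosts without a per-site open_basedir.

# Constructed sample httpd-vhosts.conf (abc.com restricted, 111.com not).
SAMPLE_VHOSTS='<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/abc.com"
    ServerName abc.com
    php_admin_value open_basedir "/data/wwwroot/abc.com:/tmp/"
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    # php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"   (commented out)
</VirtualHost>'

# audit_open_basedir FILE
# Prints "ServerName<TAB>ok|MISSING" per vhost and exits 1 if any vhost
# lacks an uncommented php_admin_value open_basedir line.
audit_open_basedir() {
    awk '
        /<VirtualHost/ { name = "?"; basedir = 0 }
        /^[[:space:]]*ServerName[[:space:]]/ { name = $2 }
        /^[[:space:]]*php_admin_value[[:space:]]+open_basedir/ { basedir = 1 }
        /<\/VirtualHost>/ {
            printf "%s\t%s\n", name, (basedir ? "ok" : "MISSING")
            if (!basedir) bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_VHOSTS" > "$demo"
audit_open_basedir "$demo" || echo "WARNING: at least one vhost has no open_basedir"
rm -f "$demo"
```

Run it against the real file with `audit_open_basedir /usr/local/apache2.4/conf/extra/httpd-vhosts.conf`; a non-zero exit is the signal to fix the listed vhost before `apachectl graceful`.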
- That's it: each virtual host is now confined to its own open_basedir.
### Extensions
- [ ] Enabling compression in Apache http://ask.apelearn.com/question/5528
- The compression here is not compression of the site's images but of ordinary static files such as html, js and css. Don't underestimate it: on a site with a large request volume it saves a huge amount of bandwidth, and bandwidth in China is very expensive, so this small feature can save a company a lot of money. Let's see how to configure it.
- First, check whether our Apache supports compression:
```
/usr/local/apache2/bin/apachectl -l
```
Look for mod_deflate in the output. If it is not there, also check whether the file mod_deflate.so exists:
```
ls /usr/local/apache2/modules/
```
- If it is not there either, your Apache does not support compression. Either install the module as a shared extension or recompile Apache, adding --enable-deflate=shared to the configure options.
- Good, once your Apache has the deflate module it supports compression.
- Now configure httpd.conf. Add to httpd.conf:
```
LoadModule deflate_module modules/mod_deflate.so
```
- Then add the following configuration:
```
DeflateCompressionLevel 5
AddOutputFilterByType DEFLATE text/html text/plain text/xml
AddOutputFilter DEFLATE js css
```
- DeflateCompressionLevel is the compression level, from 1 to 9, 9 being the highest.
- [ ] Apache 2.2 to 2.4 configuration file changes http://ask.apelearn.com/question/7292
- The Options directive controls which server features are available in a particular directory. Options has one very special behaviour: if you do not use "+" or "-" to add or remove a feature, every feature from all previously defined Options directives is cancelled until you specify features again. So Options in the global configuration and in a virtual host are unrelated and do not affect each other, because each is overridden within its own scope. If you want the global Options settings to apply inside a virtual host, do not specify Options in the virtual host. To add or remove features, use the "+" or "-" signs. Options can be set to None, in which case no extra features are enabled, or to one or more of the following:
- All: all features except MultiViews. This is the default.
- ExecCGI: allow execution of CGI scripts.
- FollowSymLinks: the server will follow symbolic links in this directory. Note: even though the server follows symbolic links, this does not change the pathname used to match configuration sections. This setting is ignored inside a <Location> section.
- Includes: allow server-side includes.
- IncludesNOEXEC: allow server-side includes, but disable #exec cmd and #exec cgi. #include virtual of CGI scripts from ScriptAlias directories is still possible.
- Indexes: if a URL that maps to a directory is requested and the directory has no DirectoryIndex (for example index.html), the server returns a formatted directory listing.
- MultiViews: allow content-negotiated MultiViews.
- SymLinksIfOwnerMatch: the server follows symbolic links only when the target file or directory is owned by the same user id as the link. Note: this option is ignored inside a <Location> section.
- In general, if Options is set several times for a directory, the most specific one takes effect in full and the individual settings are not merged. However, if every option on an Options directive is prefixed with + or -, the options are merged: each option with a + is added to the current set, and each with a - is removed from it.
- For example, without any + or - signs:
```
Options Indexes FollowSymLinks
Options Includes
```
only Includes applies to the /web/docs/spec directory.
- But if the second Options directive uses + and -:
```
Options Indexes FollowSymLinks
Options +Includes -Indexes
```
then both FollowSymLinks and Includes apply to /web/docs/spec.
- [ ] Apache Options parameters http://ask.apelearn.com/question/1051
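The merge rule described above, as an added example rather than code from the page: a shell function that computes the effective Options set from a sequence of Options directives (outermost section first, innermost last). A bare list replaces everything, a list whose entries all carry + or - merges into the current set, and None empties it; the sorted result makes it easy to compare the intended features with what a directory actually ends up with.

```shell
#!/bin/sh
# Added example, not from the page: resolve the effective Apache Options set.

# effective_options: reads "Options ..." lines on stdin, prints the resulting
# option names sorted and space-separated (empty line if none remain).
effective_options() {
    awk '
        $1 == "Options" {
            merge = (NF > 1)
            for (i = 2; i <= NF; i++) if ($i !~ /^[+-]/) merge = 0
            if (!merge) for (k in cur) delete cur[k]      # bare list: reset
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\+/)        cur[substr($i, 2)] = 1
                else if ($i ~ /^-/)    delete cur[substr($i, 2)]
                else if ($i == "None") for (k in cur) delete cur[k]
                else                   cur[$i] = 1
            }
        }
        END {
            n = 0
            for (k in cur) out[++n] = k
            for (i = 2; i <= n; i++) {                # insertion sort for stable output
                v = out[i]; j = i - 1
                while (j > 0 && out[j] > v) { out[j + 1] = out[j]; j-- }
                out[j + 1] = v
            }
            line = ""
            for (i = 1; i <= n; i++) line = line (i > 1 ? " " : "") out[i]
            print line
        }
    '
}

# Stand-alone demo reproducing the two cases from the text.
printf 'Options Indexes FollowSymLinks\nOptions Includes\n' | effective_options            # Includes
printf 'Options Indexes FollowSymLinks\nOptions +Includes -Indexes\n' | effective_options  # FollowSymLinks Includes
```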
- Reference: http://www.dotblogs.com.tw/maple ... e24_httpd_conf.aspx
1. Access control
In 2.2:
```
Order deny,allow
Deny from all
```
In 2.4 this must become:
```
Require all denied
```
Common forms are:
```
Require all denied
Require all granted
Require host xxx.com
Require ip 192.168.1 192.168.2
Require local
```
2. RewriteLogLevel becomes LogLevel, for example: LogLevel warn rewrite:warn
3. NameVirtualHost is removed
4. Site compression needs mod_filter in addition to mod_deflate
Using SSL needs mod_socache_shmcb in addition to mod_ssl
- [ ] Disabling TRACE or TRACK in Apache to prevent XSS http://ask.apelearn.com/question/1045
- TRACE and TRACK are HTTP methods used for debugging web server connections.
A server that supports them has a cross-site scripting weakness; in descriptions of browser flaws "Cross-Site Tracing" is usually abbreviated XST.
An attacker can use it to deceive legitimate users and obtain their private information. TRACE can be disabled with the rewrite module:
```
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
```
or by setting the corresponding directive directly in the Apache configuration file:
```
TraceEnable off
```
- [ ] Configuring HTTPS (SSL support) in Apache http://ask.apelearn.com/question/1029
1. Install openssl
For apache 2.0, openssl 0.9 is recommended; I once tried 2.0.59 and it would not compile against openssl-1.0.
Download OpenSSL from http://www.openssl.org/source/
```
tar -zxf openssl-0.9.8k.tar.gz    # unpack the archive
cd openssl-0.9.8k                 # enter the unpacked directory
./config                          # configure; the default configuration is recommended
make && make install              # build and install
```
openssl is installed to /usr/local/ssl by default.
2. Make Apache support SSL: SSL support must be specified at compile time, either static or dynamic.
Static: --enable-ssl=static --with-ssl=/usr/local/ssl
Dynamic: --enable-ssl=shared --with-ssl=/usr/local/ssl
The second method generates the mod_ssl.so module under modules/, the static one does not; the second method also requires adding to httpd.conf:
```
LoadModule ssl_module modules/mod_ssl.so
```
3.1 Create the private key
Before creating a certificate request, you first need to generate the server certificate's private key file.
```
cd /usr/local/ssl/bin                   # enter the openssl install directory
openssl genrsa -out server.key 2048     # generate a 2048-bit private key file, server.key
cp server.key /usr/local/apache/conf/ssl.key/
```
If you want to protect server.key with a passphrase, add the -des3 option (for example: openssl genrsa -des3 -out server.key 2048). Windows does not support encrypted private keys, and on Linux an encrypted key requires you to enter the passphrase every time Apache restarts.
3.2 Generate the certificate request (CSR) file
```
openssl req -new -key server.key -out certreq.csr
Country Name:              // ISO code of your country, CN for China
State or Province Name:    // province / autonomous region / municipality of your organisation
Locality Name:             // city / county / district of your organisation
Organization Name:         // legal name of your organisation / institution / company
Organizational Unit Name:  // department name
Common Name:               // the common name, e.g. www.itrus.com.cn; it must exactly match the domain name used to reach the SSL server
Email Address:             // your e-mail address; not required, press Enter to skip
"extra" attributes         // the remaining fields are not required; press Enter until the command finishes
```
3.3 Back up the private key and submit the certificate request
Submit the certificate request file certreq.csr to iTrus China (天威誠信) and back up the private key file server.key while waiting for the certificate to be issued. The server certificate and its key must be used as a pair; losing the private key file makes the certificate unusable.
4. Install the certificate
4.1 Obtain the intermediate CA certificates for the server certificate
To ensure compatibility on the client side, two intermediate CA certificates need to be installed alongside the server certificate (certificates of other brands may have only one intermediate certificate).
Obtaining the intermediate CA certificates from the e-mail:
Paste the two intermediate CA certificates from the issuance e-mail, from BEGIN to END (including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines), into one file in a text editor such as Notepad, separated by a newline. Change the file extension and save it as conf/ssl.crt/intermediatebundle.crt (if there is only one intermediate certificate, save and install just that one).
4.2 Obtain the EV server certificate
Paste the server certificate from the issuance e-mail, from BEGIN to END (including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines), into a text editor and save it as ssl.crt/server.crt.
4.3 Apache configuration (for 2.0)
Add to httpd.conf:
```
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
    DocumentRoot "/data/web/www"
    ServerName aaa.com:443
    ErrorLog "logs/error.log"
    CustomLog "logs/access.log" combined
    SSLEngine on
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/intermediatebundle.crt
</VirtualHost>
```
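Step 4.1 asks you to paste the intermediate certificates from the issuance e-mail into one bundle file by hand. As an added example that is not from the page, the shell function below does that from a saved copy of the mail, keeping only complete BEGIN/END certificate blocks so greetings, labels and a truncated block never end up in intermediatebundle.crt. The e-mail text and the certificate bodies inside it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the page: extract PEM certificate blocks from a saved mail.

# Constructed issuance mail; the base64 bodies are placeholders, not real certificates.
SAMPLE_MAIL='Dear customer, your certificate has been issued.
Intermediate CA 1:
-----BEGIN CERTIFICATE-----
MIIB(placeholder-intermediate-1)
-----END CERTIFICATE-----
Intermediate CA 2:
-----BEGIN CERTIFICATE-----
MIIB(placeholder-intermediate-2)
-----END CERTIFICATE-----
Regards, the CA'

# build_bundle MAILFILE OUTFILE
# Copies every "-----BEGIN CERTIFICATE-----" .. "-----END CERTIFICATE-----" block
# from MAILFILE into OUTFILE, one after another, and prints how many were written.
# Text outside a block is dropped; a block with no END line is not written.
build_bundle() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1; buf = "" }
        inblock { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----$/ && inblock {
            printf "%s", buf > out
            n++
            inblock = 0
        }
        END { print n + 0 }
    ' out="$2" "$1"
}

# Stand-alone demo on the constructed mail.
mail=$(mktemp); bundle=$(mktemp)
printf '%s\n' "$SAMPLE_MAIL" > "$mail"
echo "certificates written: $(build_bundle "$mail" "$bundle")"   # 2
rm -f "$mail" "$bundle"
```

Point OUTFILE at conf/ssl.crt/intermediatebundle.crt once the count matches the number of intermediates named in the mail; a count of 0 means the blocks were not pasted completely.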
Reposted from: https://blog.51cto.com/ch71smas/1971889