1. Configuring hotlink protection
Hotlink protection (anti-leeching) means stopping other sites from embedding or linking directly to resources on your site; the resources are usually images, videos, music, documents and the like.
Edit the virtual host configuration file and add the following block:
<Directory /data/wwwroot/aaa.com>
    SetEnvIfNoCase Referer "http://aaa.com" local_ref
    SetEnvIfNoCase Referer "http://yu.com" local_ref
    SetEnvIfNoCase Referer "^$" local_ref
    <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">
        Order Allow,Deny
        Allow from env=local_ref
    </FilesMatch>
</Directory>
First define the referers that are allowed access; each referer is a URL. The pattern ^$ matches an empty referer: when an image address is typed directly into the browser, the request carries no referer. Then FilesMatch defines the file types to protect, so requests for txt, doc, mp3 and the other listed formats are restricted.
Reload the configuration:
[root@yuioplvlinux-128 ~]# /usr/local/apache2/bin/apachectl -t
Syntax OK
[root@yuioplvlinux-128 ~]# /usr/local/apache2/bin/apachectl graceful
Test with curl, where -e sets a simulated referer. When the image is requested, the server answers 403, meaning the request is not allowed:
[root@yuioplvlinux-128 ~]# curl -e "http://www.qq.com" -x127.0.0.1:80 aaa.com -I
HTTP/1.1 200 OK
Date: Thu, 31 May 2018 15:19:34 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Last-Modified: Mon, 28 May 2018 13:30:54 GMT
ETag: "8-56d4420899e92"
Accept-Ranges: bytes
Content-Length: 8
Cache-Control: max-age=0
Expires: Thu, 31 May 2018 15:19:34 GMT
Content-Type: text/html
[root@yuioplvlinux-128 ~]# curl -e "http://www.qq.com" -x127.0.0.1:80 aaa.com/62.jpg -I
HTTP/1.1 403 Forbidden
Date: Thu, 31 May 2018 15:20:14 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
2. Access control
2.1 Access control: Directory
Edit the virtual host configuration file and add the following block:
<Directory /data/wwwroot/aaa.com/admin/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
Directory specifies the directory whose access is to be restricted, and Order defines the order in which the rules are evaluated: whichever is listed first is matched first. Here all IPs are denied first, then 127.0.0.1 is allowed. The net effect is that only requests from source IP 127.0.0.1 are permitted.
After reloading the configuration, test with curl:
[root@yuioplvlinux-128 ~]# curl -x127.0.0.1:80 aaa.com/admin/123.php -I   # 127.0.0.1 is allowed through
HTTP/1.1 200 OK
Date: Thu, 31 May 2018 15:38:56 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Cache-Control: max-age=0
Expires: Thu, 31 May 2018 15:38:56 GMT
Content-Type: text/html; charset=UTF-8
[root@yuioplvlinux-128 ~]# curl -x192.168.30.136:80 aaa.com/admin/123.php   # access denied, 403
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /admin/123.php
on this server.<br />
</p>
</body></html>
[root@yuioplvlinux-128 ~]# curl -x192.168.30.128:80 aaa.com/admin/123.php   # access denied, 403
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /admin/123.php
on this server.<br />
</p>
</body></html>
Check the corresponding log file:
[root@yuioplvlinux-128 ~]# tail /usr/local/apache2/logs/aaa.com-access_20180531_log
127.0.0.1 - - [31/May/2018:23:19:34 +0800] "HEAD HTTP://aaa.com/ HTTP/1.1" 200 - "http://www.qq.com" "curl/7.29.0"
127.0.0.1 - - [31/May/2018:23:34:39 +0800] "HEAD HTTP://aaa.com/admin/1.php HTTP/1.1" 404 - "-" "curl/7.29.0"
127.0.0.1 - - [31/May/2018:23:37:33 +0800] "HEAD HTTP://aaa.com/admin/123.php HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [31/May/2018:23:37:51 +0800] "GET HTTP://aaa.com/admin/123.php HTTP/1.1" 200 7 "-" "curl/7.29.0"
127.0.0.1 - - [31/May/2018:23:38:56 +0800] "HEAD HTTP://aaa.com/admin/123.php HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [31/May/2018:23:39:06 +0800] "GET HTTP://aaa.com/admin/123.php HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.30.128 - - [31/May/2018:23:39:19 +0800] "GET HTTP://aaa.com/admin/123.php HTTP/1.1" 403 222 "-" "curl/7.29.0"
192.168.30.128 - - [31/May/2018:23:41:24 +0800] "GET HTTP://aaa.com/admin/123.php HTTP/1.1" 403 222 "-" "curl/7.29.0"
You can also open the page in a browser: it shows Forbidden, which is the same 403.
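As an added example that is not part of the original post, the following Python script reads access-log lines in the format shown above and reports which client IPs were refused with 403 and which requests for the protected file types from section 1 arrived with an off-site Referer. The allowed referer hosts and protected extensions are assumptions mirroring the vhost config; the sample log lines are copied from the page except for one constructed line recording the 62.jpg test.

```python
import re
from collections import Counter
# Apache combined log format, as in the page's access_log excerpt:
# host ident user [time] "method url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Assumed policy mirroring the vhost config: local referer hosts and protected extensions.
LOCAL_REF_HOSTS = {"aaa.com", "yu.com"}
PROTECTED_EXT = re.compile(r"\.(txt|doc|mp3|zip|rar|jpg|gif)$", re.IGNORECASE)
# Sample input: lines from the page's log plus one constructed line recording
# the 403 that the page's curl test for 62.jpg produced.
SAMPLE_LOG = [
    '127.0.0.1 - - [31/May/2018:23:19:34 +0800] "HEAD HTTP://aaa.com/ HTTP/1.1" 200 - "http://www.qq.com" "curl/7.29.0"',
    '127.0.0.1 - - [31/May/2018:23:20:14 +0800] "HEAD HTTP://aaa.com/62.jpg HTTP/1.1" 403 - "http://www.qq.com" "curl/7.29.0"',  # constructed
    '127.0.0.1 - - [31/May/2018:23:37:51 +0800] "GET HTTP://aaa.com/admin/123.php HTTP/1.1" 200 7 "-" "curl/7.29.0"',
    '192.168.30.128 - - [31/May/2018:23:39:19 +0800] "GET HTTP://aaa.com/admin/123.php HTTP/1.1" 403 222 "-" "curl/7.29.0"',
    '192.168.30.128 - - [31/May/2018:23:41:24 +0800] "GET HTTP://aaa.com/admin/123.php HTTP/1.1" 403 222 "-" "curl/7.29.0"',
]

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def referer_host(referer):
    """Host part of a Referer value; '' for an empty referer (logged as '-')."""
    if referer in ("", "-"):
        return ""
    m = re.match(r"https?://([^/:]+)", referer, re.IGNORECASE)
    return m.group(1).lower() if m else referer.lower()

def summarize(lines):
    """Count 403s per client IP and list protected-file requests with a foreign referer."""
    denied = Counter()
    hotlink = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of aborting the whole run
        if rec["status"] == "403":
            denied[rec["ip"]] += 1
        path = rec["url"].split("?", 1)[0]  # ignore the query string when matching extensions
        host = referer_host(rec["referer"])
        if PROTECTED_EXT.search(path) and host and host not in LOCAL_REF_HOSTS:
            hotlink.append((rec["ip"], path, host, rec["status"]))
    return denied, hotlink
```

Running summarize(SAMPLE_LOG) reports two 403s for 192.168.30.128 and one for 127.0.0.1, and flags the 62.jpg request with Referer www.qq.com as the only off-site request for a protected file.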
2.2 Access control: FilesMatch
Access can also be restricted for an individual file.
Change the block added above to the following:
<Directory /data/wwwroot/aaa.com>
    <FilesMatch "admin.php(.*)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>
Reload the configuration and test with curl:
[root@yuioplvlinux-128 ~]# curl -x192.168.30.128:80 aaa.com/admin.php=?niuocvowv -I
HTTP/1.1 403 Forbidden
Date: Thu, 31 May 2018 16:07:37 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@yuioplvlinux-128 ~]# curl -x127.0.0.1:80 aaa.com/admin.php=?niuocvowv -I
HTTP/1.1 404 Not Found
Date: Thu, 31 May 2018 16:07:54 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
The file does not exist, so a request from 192.168.30.128 is refused with 403 (access denied), while only a request from 127.0.0.1 gets far enough to return 404 (file not found).