Apache: disabling PHP parsing for a directory, restricting user_agent, PHP-related configuration

Apache: disabling PHP parsing for a directory

  • Before configuring, request upload/index.php
[root@test-a ~]# curl  -x192.168.77.139:80 'www.test.com/upload/index.php'
This is upload diretory
  • Configuration: add the following to the matching virtual host in /usr/local/apache2.4/conf/extra/httpd-vhosts.conf and reload. php_admin_flag, unlike php_flag, cannot be overridden from .htaccess or ini_set(); it is a mod_php directive and has no effect if PHP runs under php-fpm instead
<Directory /usr/local/apache2.4/test-webroot/upload>
    php_admin_flag engine off
</Directory>
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful
  • Test
[root@test-a ~]# curl  -x192.168.77.139:80 'www.test.com/upload/index.php'
<?php
echo "This is upload diretory\n";
?>
  • PHP is no longer executed, but the file's source is now served to the client, so access should additionally be denied with FilesMatch. (Order/Deny are the mod_access_compat directives; on Apache 2.4 the native equivalent is Require all denied.) Configuration:
<Directory /usr/local/apache2.4/test-webroot/upload>
    <FilesMatch (.*).php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
  • Reload the configuration and test
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@test-a ~]# curl  -x192.168.77.139:80 'www.test.com/upload/index.php'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/index.php
on this server.<br />
</p>
</body></html>
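The FilesMatch pattern above, `(.*).php(.*)`, is an unanchored, case-sensitive PCRE with an unescaped dot, so it pays to see which upload names it actually catches. The script below is an added check, not code from the original post: it applies the page's regex and a hardened alternative (my suggestion, not the page's) to constructed file names. The hardened pattern is an assumption; it escapes the dot, matches case-insensitively, and also covers the .phtml/.phar/.php3-7 extensions that distribution-packaged mod_php configurations commonly hand to PHP.

```python
import re

# The page's pattern as written: the unescaped dot matches any character,
# and PCRE (like Python's re) is case-sensitive unless told otherwise.
PAGE_PATTERN = re.compile(r"(.*).php(.*)")

# Assumed hardened pattern (an editor's suggestion, not from the page):
# escaped dot, case-insensitive, and it also covers the .phtml/.phar/.php3-7
# extensions that distribution-packaged mod_php configs hand to PHP.
# mod_mime matches AddType/AddHandler extensions case-insensitively, so an
# uploaded "shell.PHP" would be handled by PHP if the engine were on.
HARDENED_PATTERN = re.compile(r"(?i)\.(php[3-7]?|phtml|phar)($|\.)")


def files_match(pattern, filename):
    """Emulate <FilesMatch>: the regex is searched (unanchored) against the
    base name of the requested file."""
    return pattern.search(filename) is not None


def audit(filenames, pattern=PAGE_PATTERN):
    """Return the names that the given pattern would NOT deny."""
    return [name for name in filenames if not files_match(pattern, name)]


# Constructed sample upload names (not from the page).
SAMPLE_UPLOADS = [
    "index.php",        # the page's own test file
    "avatar.jpg",       # legitimate upload
    "shell.php.jpg",    # double extension
    "shell.PHP",        # case variant
    "shell.phtml",      # alternative PHP extension
    "readme-php.txt",   # harmless text file
]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print(f"{name:16} page rule denies: {str(files_match(PAGE_PATTERN, name)):5} "
              f"hardened denies: {files_match(HARDENED_PATTERN, name)}")
```

The page's rule lets shell.PHP and shell.phtml through while denying readme-php.txt, because the unescaped dot matches the hyphen. Whatever the regex, `php_admin_flag engine off` remains the primary control; the deny rule only stops the source from being served.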

Restricting user_agent

  • user_agent can be thought of as the client (browser) identifier; the client chooses it, so it can be anything
  • This needs mod_rewrite: in httpd.conf, uncomment the LoadModule rewrite_module line
  • Before configuring
[root@test-a ~]# curl -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:32:20 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:32:20 GMT
Content-Type: text/html; charset=UTF-8
[root@test-a ~]# curl -A myagent -x127.0.0.1:80 "www.qq.com/index.php" -I # -A sets the user_agent
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:32:35 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:32:35 GMT
Content-Type: text/html; charset=UTF-8
  • Configuration: add the following to the matching virtual host in /usr/local/apache2.4/conf/extra/httpd-vhosts.conf and reload. Flags: NC (no case) matches case-insensitively; OR makes this condition an alternative to the one below it, so either is enough; F (forbidden) returns 403. The patterns are unanchored searches, so .*curl.* behaves the same as plain curl, and the unescaped dot in baidu.com matches any character
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
    RewriteRule  .*  -  [F]
</IfModule>
  • Reload the configuration and test
[root@test-a ~]# curl -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 403 Forbidden
Date: Wed, 21 Nov 2018 01:39:00 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1
[root@test-a ~]# curl -A myagent -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:39:04 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:39:04 GMT
Content-Type: text/html; charset=UTF-8
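To see what the rule above does across real traffic rather than two curl calls, the following added script (mine, not the post's) reimplements the two RewriteCond checks with their NC/OR semantics and runs them over a constructed Apache combined-format access log. The log lines and IP addresses are made up for the example.

```python
import re

# The two RewriteCond patterns from the vhost above. [NC] is re.IGNORECASE;
# [OR] means either condition alone triggers the [F] rule.
UA_CONDITIONS = [
    re.compile(r".*curl.*", re.IGNORECASE),
    re.compile(r".*baidu.com.*", re.IGNORECASE),
]


def ua_forbidden(user_agent):
    """True if the RewriteRule above would answer this User-Agent with 403."""
    return any(cond.search(user_agent) for cond in UA_CONDITIONS)


# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def triage(log_text):
    """Run every parsed combined-format line through the rule; returns a
    list of (client_ip, user_agent, would_be_forbidden). Unparsable lines
    are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            rows.append((m["ip"], m["ua"], ua_forbidden(m["ua"])))
    return rows


# Constructed access-log sample (not a real capture).
SAMPLE_LOG = """\
192.168.77.1 - - [21/Nov/2018:09:39:00 +0800] "HEAD /index.php HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.77.1 - - [21/Nov/2018:09:39:04 +0800] "HEAD /index.php HTTP/1.1" 200 - "-" "myagent"
203.0.113.7 - - [21/Nov/2018:09:40:12 +0800] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
203.0.113.5 - - [21/Nov/2018:09:41:30 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0"
203.0.113.5 - - [21/Nov/2018:09:41:31 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "python-requests/2.20.0"
"""

if __name__ == "__main__":
    for ip, ua, blocked in triage(SAMPLE_LOG):
        print(f"{'403' if blocked else '200'}  {ip:14}  {ua}")
```

The last row is the point: anything the rule does not name passes, exactly as the page's own `-A myagent` test shows. Since the client sets the User-Agent header, treat this as noise reduction for known-bad strings, not as access control.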

PHP-related configuration

  • Find the configuration file path
    Method 1: /usr/local/php/bin/php -i|grep -i "loaded configuration file" # not reliable: the CLI binary can pick up a different php.ini than the Apache module does
    Method 2: create a PHP file that calls phpinfo(), open it through Apache and read Loaded Configuration File there (delete the file afterwards; it discloses server details)

  • Running /usr/local/php/bin/php -i|grep -i "loaded configuration file" prints a warning; the fix is a configuration change

[root@test-a ~]# /usr/local/php/bin/php -i | grep -i "loaded configuration file"
PHP Warning:  Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in Unknown on line 0
Loaded Configuration File => /usr/local/php/etc/php.ini
# in /usr/local/php/etc/php.ini, find date.timezone and set it to
date.timezone=Asia/Shanghai
#
# reload and re-test: the warning is gone
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@test-a ~]# /usr/local/php/bin/php -i | grep -i "loaded configuration file"
Loaded Configuration File => /usr/local/php/etc/php.ini
  • disable_functions: PHP ships many built-in functions, and some are dangerous to leave available, so on security grounds the risky ones should be disabled (for example phpinfo discloses server details). Two caveats: eval is a language construct, not a function, so listing it in disable_functions has no effect; and disable_functions can only be set in php.ini (or a php-fpm pool), not per virtual host in httpd.conf
# vim /usr/local/php/etc/php.ini // search for disable_functions and set it to
disable_functions = assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,proc_open,proc_close
  • Configure error_log
# in /usr/local/php/etc/php.ini, search for log_errors and set it to
log_errors = On
# then search for error_log and set it to
error_log = /var/log/php/php_errors.log
# then search for error_reporting and set it to
error_reporting = E_ALL & ~E_NOTICE
# then search for display_errors and set it to
display_errors = Off
log_errors can be On or Off; set it to On if PHP should write an error log.
error_log sets the error-log path. The directory must exist and be writable by the user Apache runs as, otherwise the entries never land there.
error_reporting sets the log level. E_ALL covers every type, notices and warnings included; in development E_ALL makes troubleshooting easier, but it also fills the log with a lot of meaningless entries. & means "and" and ~ means "exclude", so the combination means E_ALL minus the notice-level messages.
display_errors = On prints errors straight into the page served to the browser, which is a poor experience for visitors and, worse, discloses file paths and other sensitive details about the site, so set it to Off.
  • Configure open_basedir to confine the site to the specified directories
    For the default site, in /usr/local/php/etc/php.ini: open_basedir = /tmp:/usr/local/apache2.4/test-webroot
    For a virtual host, in that host's directory configuration: php_admin_value open_basedir "/data/wwwroot/www.123.com/:/tmp/"

Note that /tmp is included because the site needs it for temporary files, for example during uploads. The PHP manual describes open_basedir as a prefix check rather than a directory match, so end every entry with a slash as the virtual-host line does; written as /tmp alone, the entry would also admit a sibling such as /tmpfoo.
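The disable_functions, error-log and open_basedir settings above are all hand-edited strings, and the mistakes they attract (duplicate entries, eval in the list, prefixes without a trailing slash, display_errors left On) are silent. The following added audit script (mine, not the post's) reads a php.ini excerpt and reports those problems; both ini samples are constructed for the example, and pcntl_exec in the must-disable set is my addition. It only reads text, so point it at the file phpinfo() reports as Loaded Configuration File, not at whatever php -i happens to load.

```python
# Values the page sets; compared case-insensitively (php.ini treats On/on alike).
EXPECTED = {
    "log_errors": "On",
    "display_errors": "Off",
    "error_reporting": "E_ALL & ~E_NOTICE",
}

# Functions that should appear in disable_functions: the command-execution
# names from the page's list, phpinfo (which the page calls out), and
# pcntl_exec, which is my addition (assumption: it is another way to run a
# program and belongs with the others).
MUST_DISABLE = {"system", "exec", "shell_exec", "passthru", "popen",
                "proc_open", "phpinfo", "pcntl_exec"}

# Language constructs: disable_functions has no effect on these.
CONSTRUCTS = {"eval", "include", "include_once", "require", "require_once"}


def parse_ini(text):
    """Minimal php.ini reader: ';' starts a comment, '[section]' lines are
    ignored, surrounding double quotes are dropped, last assignment wins.
    Assumption: no value contains a literal ';'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def audit(ini_text):
    """Return a list of findings; empty when the excerpt matches the page's
    hardening and avoids the pitfalls noted above."""
    s = parse_ini(ini_text)
    findings = []
    for key, want in EXPECTED.items():
        got = s.get(key)
        if got is None or got.lower() != want.lower():
            findings.append(f"{key}: expected {want!r}, found {got!r}")

    entries = [e.strip() for e in s.get("disable_functions", "").split(",") if e.strip()]
    disabled = set(entries)
    dupes = sorted({e for e in entries if entries.count(e) > 1})
    if dupes:
        findings.append("disable_functions: duplicate entries " + ", ".join(dupes))
    for name in sorted(CONSTRUCTS & disabled):
        findings.append(f"disable_functions: {name} is a language construct and cannot be disabled here")
    for name in sorted(MUST_DISABLE - disabled):
        findings.append(f"disable_functions: {name} is still callable")

    # The PHP manual documents open_basedir as a prefix match, so an entry
    # without a trailing slash also admits siblings such as /tmpfoo.
    for entry in s.get("open_basedir", "").split(":"):
        if entry and not entry.endswith("/"):
            findings.append(f"open_basedir: {entry} lacks a trailing slash (prefix match)")
    return findings


# Constructed excerpt modelled on the page's edits, deliberately carrying a
# duplicate entry, eval, and open_basedir prefixes without trailing slashes.
SAMPLE_INI = """\
[PHP]
log_errors = On
error_log = /var/log/php/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
display_errors = Off   ; never On in production
disable_functions = eval,passthru,exec,system,passthru,shell_exec,popen,proc_open
open_basedir = /tmp:/usr/local/apache2.4/test-webroot
"""

# The same excerpt with the problems fixed (also constructed).
HARDENED_INI = """\
log_errors = On
error_log = /var/log/php/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
display_errors = Off
disable_functions = passthru,exec,system,shell_exec,popen,proc_open,pcntl_exec,phpinfo
open_basedir = /tmp/:/usr/local/apache2.4/test-webroot/
"""

if __name__ == "__main__":
    for label, ini in (("sample", SAMPLE_INI), ("hardened", HARDENED_INI)):
        print(f"== {label}: {len(audit(ini))} finding(s)")
        for finding in audit(ini):
            print("  -", finding)
```

The reader is deliberately naive (no section handling, no ${ENV} expansion); it is meant for the handful of settings this page touches, not as a general php.ini parser.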

Reposted from my.oschina.net/u/996931/blog/2883726