十一周一次课

11.25配置防盗链

11.26访问控制Directory

11.27访问控制FilesMatch

11.25配置防盗链

• 通过限制referer来实现防盗链的功能

• 配置文件增加如下内容

SetEnvIfNoCase Referer "http://www.123.com" local_ref

SetEnvIfNoCase Referer "http://123.com" local_ref

SetEnvIfNoCase Referer "^$" local_ref

Order Allow,Deny

Allow from env=local_ref

</filesmatch>

</Directory>

• curl -e "http://www.aminglinux.com/123.html" 自定义referer

配置防盗链

防盗链，就是不让别人盗用你网站上的资源，这个资源，通常指的是图片、视频、歌曲、文档等。

referer的概念

你通过A网站的一个页面http://a.com/a.html 里面的链接去访问B网站的一个页面http：//b.com/b.html ，那么这个B网站页面的referer就是http://a.com/a.html。也就是说，一个referer其实就是一个网址。

1.配置防盗链

参考配置文件内容如下：

<Directory /data/wwwroot/111.com>
        SetEnvIfNoCase Referer "http://111.com" local_ref
        SetEnvIfNoCase Referer "http://111.com" local_ref
        SetEnvIfNoCase Referer "^$" local_ref
        <filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif｜png)">
            Order Allow,Deny
            Allow from env=local_ref
        </filesmatch>
    </Directory>

[root@tianqi-01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

</Directory>
<Directory /data/wwwroot/111.com>
SetEnvIfNoCase Referer "http://111.com" local_ref
SetEnvIfNoCase Referer "http://aaa.com" local_ref
#SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif｜png)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</Directory>
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>

[root@tianqi-01 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@tianqi-01 ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@tianqi-01 ~]#

2.测试网页访问：

浏览器访问：http://111.com/eagle1.jpg

//解释说明：

首先定义允许访问链接的referer，其中^$为空referer，当直接在浏览器里输入图片地址去访问它时，它的referer就为空。然后又使用filesmatch来定义需要保护的文件类型，访问txt、doc、mp3、zip、rar、jpg、gif、png格式的文件，当访问这样的类型文件时就会被限制。

在其它网站上链接这个网址，还是打不开。

然后在虚拟主机配置文件里把第三方站点加入到白名单

在下面图片上把第三方站点网址加入到白名单，然后保存退出重新加载配置。

[root@tianqi-01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

</Directory>
<Directory /data/wwwroot/111.com>
SetEnvIfNoCase Referer "http://111.com" local_ref
SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
#SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif｜png)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</Directory>
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>

[root@tianqi-01 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@tianqi-01 ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@tianqi-01 ~]#

在点击链接http://111.com/eagle1.jpg 访问就可以了，这就是referer，如下图

3.直接复制网址http://111.com/eagle1.jpg 在浏览器打开是显示Forbidden的。若想要直接能访问的话，需要把配置文件中的空referer的#去掉。

[root@tianqi-01 ~]# !vim
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

SetEnvIfNoCase Referer "^$" local_ref前的#去掉

测试语法错误并重新加载配置文件

[root@tianqi-01 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@tianqi-01 ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@tianqi-01 ~]#

在浏览器中输出网址http://111.com/eagle1.jpg ，是会直接显示图片的

//这个就叫做空referer

4.使用curl进行测试

[root@tianqi-01 ~]# curl -x127.0.0.1:80 111.com/eagle1.jpg -I
HTTP/1.1 200 OK
Date: Sun, 04 Mar 2018 08:34:15 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Last-Modified: Sun, 04 Mar 2018 02:41:55 GMT
ETag: "7e3b-5668d270ae2c0"
Accept-Ranges: bytes
Content-Length: 32315
Content-Type: image/jpeg

[root@tianqi-01 ~]#

也可以使用-e来模拟referer，这个referer一定要以http://开头，否则不管用。

[root@tianqi-01 ~]# curl -e "http://www.qq.com/123.txt" -x127.0.0.1:80 111.com/eagle1.jpg -I
HTTP/1.1 403 Forbidden
Date: Sun, 04 Mar 2018 08:37:20 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 ~]#

[root@tianqi-01 ~]# curl -e "http://111.com/123.txt" -x127.0.0.1:80 111.com/eagle1.jpg -I
HTTP/1.1 200 OK
Date: Sun, 04 Mar 2018 08:38:02 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Last-Modified: Sun, 04 Mar 2018 02:41:55 GMT
ETag: "7e3b-5668d270ae2c0"
Accept-Ranges: bytes
Content-Length: 32315
Content-Type: image/jpeg

[root@tianqi-01 ~]#

[root@tianqi-01 ~]# curl -e "http://www.qq.com/123.txt" -x127.0.0.1:80 111.com/eagle1.jpg1 -I
HTTP/1.1 403 Forbidden
Date: Sun, 04 Mar 2018 08:39:03 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 logs]# tail /usr/local/apache2.4/logs/111.com-access_20180304.log
127.0.0.1 - - [04/Mar/2018:12:10:46 +0800] "GET HTTP://111.com/123.php HTTP/1.1" 200 7 "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:12:14:43 +0800] "GET HTTP://111.com/123.php HTTP/1.1" 200 7 "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:12:17:23 +0800] "HEAD HTTP://111.com/123.png.png1 HTTP/1.1" 404 - "-" "curl/7.29.0"
192.168.11.1 - - [04/Mar/2018:12:24:36 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3343.4 Safari/537.36"
192.168.11.1 - - [04/Mar/2018:12:24:49 +0800] "GET /eagle1jpg HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3343.4 Safari/537.36"
192.168.11.1 - - [04/Mar/2018:16:09:54 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://111.com/eagle1.jpg" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3343.4 Safari/537.36"
127.0.0.1 - - [04/Mar/2018:16:39:03 +0800] "HEAD HTTP://111.com/eagle1.jpg1 HTTP/1.1" 403 - "http://www.qq.com/123.txt" "curl/7.29.0" //这个就是它的referer
[root@tianqi-01 logs]#

11.26访问控制Directory

• 核心配置文件内容

Order deny,allow

Deny from all

Allow from 127.0.0.1

</Directory>

• curl测试状态码为403则被限制访问了

访问控制Directory

对于一些比较重要的网站内容,除了可以使用用户认证限制访问之外,还可以通过其他一些方法做到限制,比如可以限制IP,也可以限制user_agent,限制IP指的是限制访问网站的来源IP,而限制user_agent,通常用来限制恶意或者不正常的请求。

1.修改虚拟主机配置：

[root@tianqi-01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.example.com 2111.com.cn
# <Directory /data/wwwroot/111.com>
#<FilesMatch 123.php>
#AllowOverride AuthConfig
#AuthName "111.com user auth"
#AuthType Basic
#AuthUserFile /data/.htpasswd
#require valid-user
#</FilesMatch>
<Directory /data/wwwroot/111.com/admin/>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
<Directory /data/wwwroot/111.com>
SetEnvIfNoCase Referer "http://111.com" local_ref
SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif｜png)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</Directory>
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
//解释说明：

使用<Directory>来指定要限制访问的目录，order定义控制顺序，哪个在前面就先匹配哪个规则(不管下面的规则前后顺序)，在本例中deny在前面，所以要先匹配Deny from all,这样所有的来源IP都会被限制，然后匹配Allow from 127.0.0.1,这样又允许了127.0.0.1这个IP。最终的效果是，只允许来源IP为127.0.0.1的访问。

检测配置文件是否有语法错误，并重新加载配置文件

[root@tianqi-01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@tianqi-01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@tianqi-01 111.com]#

[root@tianqi-01 ~]# cd /data/wwwroot/111.com/
[root@tianqi-01 111.com]# ls
123.php eagle1.jpg index.php
[root@tianqi-01 111.com]# mkdir /data/wwwroot/111.com/admin //创建admin目录，模拟网站后台
[root@tianqi-01 111.com]# ls
123.php admin eagle1.jpg index.php
[root@tianqi-01 111.com]# touch /data/wwwroot/111.com/admin/index.php//在后台目录下面创建文件
[root@tianqi-01 111.com]# ls admin/
index.php
[root@tianqi-01 111.com]# vim admin/index.php //写入内容
[root@tianqi-01 111.com]# cat !$
cat admin/index.php
123456789
[root@tianqi-01 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php -I
HTTP/1.1 200 OK
Date: Sun, 04 Mar 2018 11:35:53 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@tianqi-01 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php
123456789

[root@tianqi-01 111.com]# curl -x192.168.11.136:80 111.com/admin/index.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 04 Mar 2018 11:42:17 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]# curl -x127.0.01:80 111.com/admin/index.php
123456789

[root@tianqi-01 111.com]# tail /usr/local/apache2.4/logs/111.com-access_20180304.log
127.0.0.1 - - [04/Mar/2018:12:17:23 +0800] "HEAD HTTP://111.com/123.png.png1 HTTP/1.1" 404 - "-" "curl/7.29.0"
192.168.11.1 - - [04/Mar/2018:12:24:36 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3343.4 Safari/537.36"
192.168.11.1 - - [04/Mar/2018:12:24:49 +0800] "GET /eagle1jpg HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3343.4 Safari/537.36"
192.168.11.1 - - [04/Mar/2018:16:09:54 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://111.com/eagle1.jpg" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3343.4 Safari/537.36"
127.0.0.1 - - [04/Mar/2018:16:39:03 +0800] "HEAD HTTP://111.com/eagle1.jpg1 HTTP/1.1" 403 - "http://www.qq.com/123.txt" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:35:53 +0800] "HEAD HTTP://111.com/admin/index.php HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:39:19 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 200 10 "-" "curl/7.29.0"
192.168.11.136 - - [04/Mar/2018:19:41:32 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 403 224 "-" "curl/7.29.0"
192.168.11.136 - - [04/Mar/2018:19:42:17 +0800] "HEAD HTTP://111.com/admin/index.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:42:49 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 200 10 "-" "curl/7.29.0"

[root@tianqi-01 111.com]# curl -x192.168.11.136:80 111.com/admin/index.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /admin/index.php
on this server.<br />
</p>
</body></html>
[root@tianqi-01 111.com]# curl -x192.168.11.136:80 111.com/admin/index.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 04 Mar 2018 11:42:17 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]# curl -x192.168.11.136:80 http://111.com/admin/adfafdafdas -I
HTTP/1.1 403 Forbidden
Date: Sun, 04 Mar 2018 11:44:49 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]# curl -x127.0.0.1:80 http://111.com/admin/adfafdafdas -I
HTTP/1.1 404 Not Found
Date: Sun, 04 Mar 2018 11:53:35 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]#

//解释说明

本机有两个IP,一个是192.168.11.136,一个是127.0.0.1,通过这两个IP都可以访问到站点，而来源分别为172.16.111.110和127.0.0.1,其实和本机IP是一样的,curl测试状态码为403则限制访问了。

[root@tianqi-01 111.com]# !tail
tail /usr/local/apache2.4/logs/111.com-access_20180304.log
127.0.0.1 - - [04/Mar/2018:16:39:03 +0800] "HEAD HTTP://111.com/eagle1.jpg1 HTTP/1.1" 403 - "http://www.qq.com/123.txt" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:35:53 +0800] "HEAD HTTP://111.com/admin/index.php HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:39:19 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 200 10 "-" "curl/7.29.0"
192.168.11.136 - - [04/Mar/2018:19:41:32 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 403 224 "-" "curl/7.29.0"
192.168.11.136 - - [04/Mar/2018:19:42:17 +0800] "HEAD HTTP://111.com/admin/index.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:42:49 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 200 10 "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:44:00 +0800] "HEAD http://111.com/admin/adfafdafdas HTTP/1.1" 404 - "-" "curl/7.29.0"
192.168.11.136 - - [04/Mar/2018:19:44:49 +0800] "HEAD http://111.com/admin/adfafdafdas HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:51:53 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 200 10 "-" "curl/7.29.0"
127.0.0.1 - - [04/Mar/2018:19:53:35 +0800] "HEAD http://111.com/admin/adfafdafdas HTTP/1.1" 404 - "-" "curl/7.29.0"
[root@tianqi-01 111.com]#

//解释说明

浏览器访问提示Forbidden，其实就是403,再来看日志，可以查看到对应的来源IP为192.168.11.136，希望不要把来源IP和本机IP搞混了，前面实验中之所以本机IP和来源IP一样，就是因为它相当于自己访问自己，而后面用浏览器访问，相当于拿windows访问。

11.27访问控制FilesMatch

• 核心配置文件内容

Order deny,allow

Deny from all

Allow from 127.0.0.1

</FilesMatch>

</Directory>

1.针对某个文件来做限制。

[root@tianqi-01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.example.com 2111.com.cn
# <Directory /data/wwwroot/111.com>
#<FilesMatch 123.php>
#AllowOverride AuthConfig
#AuthName "111.com user auth"
#AuthType Basic
#AuthUserFile /data/.htpasswd
#require valid-user
#</FilesMatch>
<Directory /data/wwwroot/111.com>
<FilesMatch "admin.php(.*)">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>
</Directory>
<Directory /data/wwwroot/111.com>
SetEnvIfNoCase Referer "http://111.com" local_ref
SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif｜png)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</Directory>
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>

2.检测与法并重新加载配置

[root@tianqi-01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@tianqi-01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@tianqi-01 111.com]#

3.实验配置结果

[root@tianqi-01 111.com]# curl -x192.168.11.136:80 http://111.com/admin/adffffffsa -I
HTTP/1.1 404 Not Found
Date: Sun, 04 Mar 2018 12:04:24 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]# curl -x192.168.11.136:80 'http://111.com/admin.php?adffffffsa' -I
HTTP/1.1 403 Forbidden
Date: Sun, 04 Mar 2018 12:06:16 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]# curl -x127.0.0.1:80 'http://111.com/admin.php?adffffffsa' -I
HTTP/1.1 404 Not Found
Date: Sun, 04 Mar 2018 12:07:00 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@tianqi-01 111.com]#

//这个404意味着已经允许访问了

//总结：

这个和Directory的功能是一致的，但是有时候我们仅仅是想有时候针对一个访问的链接去做控制，那你再去控制目录就不合适了，我们需要适当灵活一些，满足一些个性化的需求。

友情链接：阿铭Linux

十一周一次课

访问控制Directory

猜你喜欢