11.28 Restricting a directory to prohibit parsing php
Core configuration file content
<Directory /data/wwwroot/110.com/upload>
php_admin_flag engine off
</Directory>
During the curl test the php source code was returned as-is; it was not parsed
It is better to add a layer of FilesMatch restrictions as well; without it, the original source code can still be accessed
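The FilesMatch layer mentioned above, as an added example (not part of the original notes). It assumes Apache 2.4 with mod_authz_core, matching the /usr/local/apache2.4 path used on this page; the extension list in the regex is an assumption and should be adjusted to the handlers your build maps to PHP.

```apache
<Directory /data/wwwroot/110.com/upload>
    # Layer 1: never hand anything in the upload directory to the PHP engine.
    # On its own this makes Apache serve uploaded .php files as plain text,
    # which is the source-code exposure seen in the curl test.
    php_admin_flag engine off

    # Layer 2: refuse the request outright for PHP-like file names.
    # (?i) makes the match case-insensitive so test.PHP is covered too;
    # php[0-9]? also covers names such as .php5 and .php7.
    <FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

With both layers in place, the same curl test against a php file under upload returns 403 Forbidden instead of the source code.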
11.29 Restricting user_agent
To prevent CC attacks
user_agent can be understood as browser identification
Core configuration file content
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]
</IfModule>
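F means Forbidden (the request is rejected with 403)
NC means ignore case; OR means "or", so the rule matches if condition 1 or condition 2 matches
curl -A "123123" specifies the user_agent
curl common options:
-A specifies the user_agent
-x specifies the proxy host:port, which is equivalent to skipping the hosts file entry
-I returns only the response headers (with the status code), not the content
-e specifies the referer, which must start with http://
When web page 1 links to web page 2, the referer of web page 2 is the address of web page 1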
11.30/11.31 php related configuration
View the php configuration file location
/usr/local/php7/bin/php -i | grep -i "loaded configuration file"
This method is not very accurate; the most reliable method is to create a phpinfo php file under your website and view the location through that file
php.ini common configuration
date.timezone=Asia/Shanghai
Disable dangerous functions: search for disable_functions, and add phpinfo yourself
disable_functions=eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
display_errors=off ; Whether to display errors on the page; if off, define log_errors
log_errors=on ; Whether the error log is turned on; if so, you also need to define error_log and error_reporting
error_log = /tmp/php_errors.log ; Path of the error log
error_reporting=E_ALL & ~E_NOTICE ; Level of error logging
If the programmer disables error output in the php code, the error log will not be written either
After defining the error log, run /usr/local/apache2.4/bin/apachectl graceful; the error log file /tmp/php_errors.log is then generated
To be safe, you can also create the error log file yourself and set its permissions:
touch /tmp/php_errors.log
chmod 666 /tmp/php_errors.log
Logging is performed by the daemon process. Sometimes an error log is defined but the log file is never generated. In that case, check whether the directory where the error log is defined has write permission, bearing in mind that the file is written by daemon.