Apache Optimization - Access Control

11.25 Configuring anti-leech

Edit the virtual host configuration file:

[root@1 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.example.com
    <Directory /data/wwwroot/111.com>
        SetEnvIfNoCase Referer "http://111.com" local_ref
        SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
        SetEnvIfNoCase Referer "^$" local_ref
        #Define the Referer whitelist: each match sets the local_ref environment variable
        <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
            Order Allow,Deny
            Allow from env=local_ref
        #Rule: allow requests whose Referer matched the local_ref whitelist, deny all others
        </FilesMatch>
    </Directory>

    ErrorLog "logs/111.com-error_log"
    SetEnvIf Request_URI ".*\.gif$" img
    SetEnvIf Request_URI ".*\.jpg$" img
    SetEnvIf Request_URI ".*\.png$" img
    SetEnvIf Request_URI ".*\.bmp$" img
    SetEnvIf Request_URI ".*\.swf$" img
    SetEnvIf Request_URI ".*\.js$" img
    SetEnvIf Request_URI ".*\.css$" img
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
    #CustomLog "logs/111.com-access_log" combined env=!img
</VirtualHost>  

Check for syntax errors and reload:
[root@1 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@1 ~]# /usr/local/apache2.4/bin/apachectl graceful

Note: If "^$" (empty Referer) is not added to the Referer whitelist, direct access to the matched files (requests that carry no Referer header at all) will be denied.

Testing with curl

The -e option of curl sets the Referer header, so a whitelisted referer can be simulated from the command line:

[root@1 ~]# curl -e "http://ask.apelearn.com/" -x192.168.8.131:80 111.com/baidu.png -I
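The three SetEnvIfNoCase patterns above are unanchored, case-insensitive regular expressions, so it is worth checking exactly which Referer values they accept. The following Python is an added illustration, not Apache's code: it replays the page's patterns against constructed sample Referer values and compares them with a tightened, anchored variant (the STRICT_PATTERNS list is this example's assumption, not something from the page).

```python
import re

# Patterns copied from the SetEnvIfNoCase Referer lines in the vhost above.
# Apache applies each one as an unanchored, case-insensitive regular expression.
PAGE_PATTERNS = ["http://111.com", "http://ask.apelearn.com", "^$"]

# Tightened patterns (an assumption of this example, not from the page): anchored at
# the start of the header, dots escaped, and the host must end at "/" or end of string.
STRICT_PATTERNS = [
    r"^https?://(www\.)?111\.com(/|$)",
    r"^https?://ask\.apelearn\.com(/|$)",
    r"^$",
]

def sets_local_ref(referer, patterns):
    """True if any pattern matches, i.e. Apache would set local_ref and serve the file."""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)

def compare(referer):
    """Decision under the page's patterns vs. under the tightened patterns."""
    return sets_local_ref(referer, PAGE_PATTERNS), sets_local_ref(referer, STRICT_PATTERNS)

# Constructed sample Referer values (not from the page) with the expected (page, strict) results.
SAMPLES = [
    ("http://111.com/index.html",              (True, True)),    # the site itself
    ("HTTP://ASK.APELEARN.COM/q/1",            (True, True)),    # NoCase: case does not matter
    ("",                                       (True, True)),    # no Referer: "^$" keeps direct access working
    ("http://other.example/page.html",         (False, False)),  # ordinary third-party hotlink
    ("http://111.com.other.example/page",      (True, False)),   # loose: "111.com" is only a prefix of the host
    ("http://other.example/?u=http://111.com", (True, False)),   # loose: substring match anywhere in the header
]

def run_samples():
    """True when every sample produces the expected pair of decisions."""
    return all(compare(referer) == expected for referer, expected in SAMPLES)

if __name__ == "__main__":
    for referer, _ in SAMPLES:
        print(repr(referer), "page/strict:", compare(referer))
```

Because the Referer header is supplied by the client, this whitelist deters casual hotlinking rather than enforcing access control; use authentication or signed URLs where the files actually need protecting.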

11.26 Access Control Directory

Edit the virtual host configuration file:

Add the following parameters to the configuration file:
[root@1 admin]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

……
    <Directory /data/wwwroot/111.com/admin/>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        #Only the IP 127.0.0.1 may access the contents of "/data/wwwroot/111.com/admin/"
    </Directory>
……

[root@1 admin]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@1 admin]# /usr/local/apache2.4/bin/apachectl graceful

Test:
[root@1 admin]# curl -x127.0.0.1:80 111.com/admin/index.php
121212

Access from a different IP:
[root@1 admin]# curl -x192.168.8.131:80 111.com/admin/index.php -I
HTTP/1.1 403 Forbidden
Date: Wed, 02 Aug 2017 08:48:49 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1

#Error 403: only the specified IP, 127.0.0.1, can access this directory.

Description: this section restricts access to a specific directory to the specified IP address.

11.27 Access Control FilesMatch

Use the FilesMatch directive:

[root@1 admin]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
……
    <Directory /data/wwwroot/111.com>
        <FilesMatch "admin\.php(.*)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        </FilesMatch>
    </Directory>
……

[root@1 admin]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@1 admin]# /usr/local/apache2.4/bin/apachectl graceful


[root@1 admin]# curl -x127.0.0.1:80 111.com/admin.php -I
HTTP/1.1 404 Not Found
Date: Wed, 02 Aug 2017 09:24:22 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1

#The requested file does not exist, hence the 404 (the access rule is evaluated before the file lookup, so 127.0.0.1 is not rejected with 403).

Description: this section applies permissions to specific requests, matched by file name rather than by directory.
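The Order, Allow and Deny directives used in 11.25, 11.26 and 11.27 are easy to misorder. The following Python is an added illustration, not Apache's code: it emulates the evaluation rules documented for mod_access_compat, replays the page's three rule sets, and shows one common misordering. It assumes only the rule forms the page uses (all, env=NAME, single IPs) plus CIDR blocks; hostnames and partial addresses are not handled.

```python
import ipaddress

def _matches(rule, client_ip, env):
    """One 'Allow from' / 'Deny from' argument: 'all', 'env=NAME', a single IP or a
    CIDR block (assumption: the subset of mod_access_compat syntax this page uses)."""
    if rule == "all":
        return True
    if rule.startswith("env="):
        return rule[4:] in env
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)

def decide(order, allow, deny, client_ip, env=()):
    """Emulate Order/Allow/Deny evaluation as documented for mod_access_compat.
    Order Allow,Deny: default deny; allowed only if some Allow matches AND no Deny matches.
    Order Deny,Allow: default allow; denied only if some Deny matches AND no Allow matches."""
    allowed = any(_matches(r, client_ip, env) for r in allow)
    denied = any(_matches(r, client_ip, env) for r in deny)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError("unknown Order: " + order)

# 11.26 / 11.27: Order deny,allow / Deny from all / Allow from 127.0.0.1
def admin_dir(client_ip):
    return decide("deny,allow", ["127.0.0.1"], ["all"], client_ip)

# 11.25: Order Allow,Deny / Allow from env=local_ref, with no Deny line at all
def hotlink_rule(has_local_ref, client_ip="192.168.8.131"):
    return decide("Allow,Deny", ["env=local_ref"], [],
                  client_ip, env={"local_ref"} if has_local_ref else set())

# Pitfall: the same Deny/Allow lines under the other Order deny EVERYONE, 127.0.0.1
# included, because with Order Allow,Deny a matching Deny always overrides a matching Allow.
def admin_dir_wrong_order(client_ip):
    return decide("Allow,Deny", ["127.0.0.1"], ["all"], client_ip)

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.8.131"):
        print(ip, "admin/:", admin_dir(ip), "| misordered:", admin_dir_wrong_order(ip))
    print("hotlink with local_ref:", hotlink_rule(True), "| without:", hotlink_rule(False))
```

On Apache 2.4 these directives are provided by mod_access_compat; the native 2.4 equivalent of the admin/ rule is a single `Require ip 127.0.0.1` inside the same section.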

Extension:

Several ways to restrict access in Apache

  • Disable access to certain files/directories

    Add a Files section for control; for example, to disallow access to files with the .inc extension and so protect PHP class-library files:

    <Files ~ "\.inc$">
    Order Allow,Deny
    Deny from all
    </Files>
    
  • Disallow access to certain specified directories

    You can use <DirectoryMatch> for regular-expression matching:

    <DirectoryMatch "^/var/www/(.+/)*[0-9]{3}">
    Order Allow,Deny
    Deny from all
    </DirectoryMatch>

    You can also use a plain <Directory> section with the directory's full path.

  • Deny by file-name pattern, for example to deny all access to images:

    <FilesMatch "\.(?i:gif|jpe?g|png)$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>
    
  • Deny access by URL path (relative to the site root):

    <Location /dir/>
    Order Allow,Deny
    Deny from all
    </Location>
    

Apache: setting a custom header

  1. Before setting custom headers, check whether your httpd (Apache) has mod_headers loaded:

     [root@1 ~]# /usr/local/apache2/bin/apachectl -M

     If it is not listed, it must be loaded in the configuration (a LoadModule line for mod_headers).

  2. Set the header. Add the following directive to the Apache configuration file:

     Header add MyHeader "Hello"

Apache's KeepAlive and KeepAliveTimeout

  In Apache's httpd.conf, KeepAlive means keeping the connection alive, similar to MySQL's persistent connections. In other words, if KeepAlive is set to On, requests from the same client do not need to open a new connection each time, which avoids creating a connection per request and the extra load that puts on the server.

  The time a KeepAlive connection stays alive is of course bounded by KeepAliveTimeout. If the gap between the second request and the first exceeds KeepAliveTimeout, the first connection is closed and a second connection is created.

  So under normal circumstances a site with many images should set KeepAlive to On. How many seconds KeepAliveTimeout should be set to, however, is worth discussing.

  If KeepAliveTimeout is too short, say 1 second, Apache will frequently establish new connections, which of course consumes a lot of resources; conversely, if it is too long, say 300 seconds, Apache will hold many idle connections that tie up server resources, which is not good either.

  Therefore the right value of KeepAliveTimeout depends on the site's traffic and the server's configuration.

  In fact this is somewhat similar to MySQL's mechanism: KeepAlive corresponds to mysql_connect versus mysql_pconnect, and KeepAliveTimeout corresponds to wait_timeout.

Origin http://43.154.161.224:23101/article/api/json?id=325472004&siteId=291194637