11.25 Configuring anti-leech
Edit the virtual host configuration file:
[root@1 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.example.com
<Directory /data/wwwroot/111.com>
SetEnvIfNoCase Referer "http://111.com" local_ref
SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
# Define the Referer whitelist
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
Order Allow,Deny
Allow from env=local_ref
# Rule: allow requests whose Referer set the local_ref variable, deny all other access.
</FilesMatch>
</Directory>
ErrorLog "logs/111.com-error_log"
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
#CustomLog "logs/111.com-access_log" combined env=!img
</VirtualHost>
Check the configuration for syntax errors and reload gracefully:
[root@1 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@1 ~]# /usr/local/apache2.4/bin/apachectl graceful
Note: if "^$" (an empty Referer, i.e. a request that sends no Referer header) is not added to the Referer whitelist, direct access to the protected files will be denied.
Test with curl, using -e to set the Referer header:
[root@1 ~]# curl -e "http://ask.apelearn.com/" -x192.168.8.131:80 111.com/baidu.png -I
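To see what the whitelist above actually admits, here is an added Python model (not part of the original notes) of the SetEnvIfNoCase and FilesMatch logic: SetEnvIfNoCase does an unanchored, case-insensitive regex search on the header value, so the page's pattern "http://111.com" also matches any Referer that merely begins with that text. The anchored pattern variant and the request cases are constructed for this example.

```python
import re

# Referer whitelist exactly as written in the vhost above.
PAGE_PATTERNS = [r"http://111.com", r"http://ask.apelearn.com", r"^$"]

# Anchored, dot-escaped variant (constructed here, not from the page):
# it only matches the whole host, followed by "/" or end of string.
ANCHORED_PATTERNS = [
    r"^https?://(www\.)?111\.com(/|$)",
    r"^https?://ask\.apelearn\.com(/|$)",
    r"^$",
]

# <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)"> from the vhost.
PROTECTED = re.compile(r"\.(txt|doc|mp3|zip|rar|jpg|gif|png)")


def local_ref(referer, patterns):
    """SetEnvIfNoCase semantics: case-insensitive, unanchored regex search;
    the variable is set as soon as any pattern matches."""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)


def allowed(path, referer, patterns=PAGE_PATTERNS):
    """True when the request is served. Files outside FilesMatch are always
    served; inside it, "Order Allow,Deny" with only "Allow from env=local_ref"
    means deny unless local_ref was set."""
    if not PROTECTED.search(path):
        return True
    return local_ref(referer, patterns)


# Constructed requests: (path, Referer header value; "" = header absent).
CASES = [
    ("/baidu.png", "http://ask.apelearn.com/"),          # the curl test above
    ("/baidu.png", ""),                                  # direct access, no Referer
    ("/baidu.png", "HTTP://111.COM/index.html"),         # case-insensitive match
    ("/baidu.png", "http://other.example/page"),         # hotlink from elsewhere
    ("/baidu.png", "http://111.com.not-ours.example/"),  # only looks like our host
    ("/index.php", "http://other.example/page"),         # not a protected file type
]

if __name__ == "__main__":
    for path, ref in CASES:
        print(f"{path:12} Referer={ref!r:38} page={allowed(path, ref)} "
              f"anchored={allowed(path, ref, ANCHORED_PATTERNS)}")
```

The fifth case is the one to watch: the page's unanchored pattern sets local_ref for it, the anchored one does not; removing "^$" from either list denies the second case, which is the situation the note above describes.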
11.26 Access control by directory
Edit the virtual host configuration file and add the following parameters:
[root@1 admin]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
……
<Directory /data/wwwroot/111.com/admin/>
Order deny,allow
Deny from all
Allow from 127.0.0.1
# Only allow the IP 127.0.0.1 to access the contents of the /data/wwwroot/111.com/admin/ directory
</Directory>
……
[root@1 admin]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@1 admin]# /usr/local/apache2.4/bin/apachectl graceful
Test:
[root@1 admin]# curl -x127.0.0.1:80 111.com/admin/index.php
121212
Access from a different IP:
[root@1 admin]# curl -x192.168.8.131:80 111.com/admin/index.php -I
HTTP/1.1 403 Forbidden
Date: Wed, 02 Aug 2017 08:48:49 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
# Error 403! That is, only the specified IP 127.0.0.1 can access this directory.
Description: this section shows how to restrict access to a specified directory to specified IP addresses.
11.27 Access control with FilesMatch
Use the FilesMatch directive:
[root@1 admin]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
……
<Directory /data/wwwroot/111.com>
<FilesMatch admin.php(.*)>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>
</Directory>
……
[root@1 admin]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@1 admin]# /usr/local/apache2.4/bin/apachectl graceful
[root@1 admin]# curl -x127.0.0.1:80 111.com/admin.php -I
HTTP/1.1 404 Not Found
Date: Wed, 02 Aug 2017 09:24:22 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
# The requested file does not exist, so the response is 404!
Description: this section applies access restrictions to requests that match a file pattern.
Extension:
Several ways to restrict access in Apache
- Deny access to certain files/directories
Add a Files block to control access, for example to deny access to files with the .inc extension and protect a PHP class library:
<Files ~ "\.inc$">
Order Allow,Deny
Deny from all
</Files>
- Deny access to certain specified directories
You can use <DirectoryMatch> (or <Directory ~ "...">) for regular-expression matching:
<Directory ~ "^/var/www/(.+/)*[0-9]{3}">
Order Allow,Deny
Deny from all
</Directory>
You can also use the directory's absolute path.
- Deny by file pattern, for example to block all access to images:
<FilesMatch "\.(?i:gif|jpe?g|png)$">
Order Allow,Deny
Deny from all
</FilesMatch>
- Deny access by URL path:
<Location /dir/>
Order Allow,Deny
Deny from all
</Location>
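Added example (not from the notes) modelling how mod_access_compat evaluates the Order/Allow/Deny blocks in 11.26, 11.27 and the extension list above: with Order deny,allow a matching Allow overrides a matching Deny and unmatched clients are permitted; with Order allow,deny a client must match an Allow and no Deny, and unmatched clients are rejected. The client addresses and the "swapped" variant are constructed for this example.

```python
import ipaddress


def host_matches(rule, client_ip):
    """One 'Allow from' / 'Deny from' argument: 'all' or an IP / CIDR."""
    if rule == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)


def decide(order, allow, deny, client_ip):
    """Return True if the client is granted access under mod_access_compat rules."""
    allowed = any(host_matches(r, client_ip) for r in allow)
    denied = any(host_matches(r, client_ip) for r in deny)
    if order.lower() == "deny,allow":
        # Deny is evaluated first, but a matching Allow overrides it;
        # a client matching neither list is permitted.
        return allowed or not denied
    if order.lower() == "allow,deny":
        # At least one Allow must match and no Deny may match;
        # a client matching neither list is rejected.
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")


# The /admin/ block from 11.26 (the FilesMatch block in 11.27 is identical).
ADMIN = dict(order="deny,allow", allow=["127.0.0.1"], deny=["all"])
# Same three lines with the Order swapped: "Deny from all" now wins for everyone.
ADMIN_SWAPPED = dict(order="allow,deny", allow=["127.0.0.1"], deny=["all"])
# <Files ~ "\.inc$"> from the extension list: no Allow at all, nobody gets in.
INC_FILES = dict(order="allow,deny", allow=[], deny=["all"])

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.8.131"):   # the two curl tests in 11.26
        print(ip,
              "admin:", decide(client_ip=ip, **ADMIN),
              "swapped:", decide(client_ip=ip, **ADMIN_SWAPPED),
              "inc:", decide(client_ip=ip, **INC_FILES))
```

On Apache 2.4 (the version shown in the Server header above) Order/Allow/Deny are provided by mod_access_compat; the native 2.4 form of the /admin/ block is "Require ip 127.0.0.1" from mod_authz_host.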
Setting a custom header in Apache
1. Before setting custom headers, check whether your httpd (Apache) has mod_headers loaded:
[root@1 ~]# /usr/local/apache2/bin/apachectl -M
If it is not loaded, enable it in the configuration.
2. Set the header
Add the following directive to the Apache configuration file:
Header add MyHeader "Hello"
Apache's KeepAlive and KeepAliveTimeout
In Apache's httpd.conf, KeepAlive means keeping the connection alive, similar to a persistent connection in MySQL. In other words, if KeepAlive is set to On, subsequent requests from the same client do not need to open a new connection, which avoids creating a new connection for every request and adding load to the server.
The time a KeepAlive connection stays open is of course limited by KeepAliveTimeout. If the gap between the second request and the first exceeds KeepAliveTimeout, the first connection is closed and a second connection is created.
Therefore, under normal circumstances, websites with many images should set KeepAlive to On. How many seconds KeepAliveTimeout should be set to, however, is a question worth discussing.
If KeepAliveTimeout is set too short, for example 1 second, Apache will frequently establish new connections, which of course consumes a lot of resources; conversely, if KeepAliveTimeout is set too long, for example 300 seconds, Apache will hold many idle connections that occupy server resources, which is not a good thing either.
Therefore, the right value for KeepAliveTimeout depends on the traffic of the website and the configuration of the server.
In fact, this is somewhat similar to MySQL's mechanism: KeepAlive corresponds to mysql_connect versus mysql_pconnect, and KeepAliveTimeout corresponds to wait_timeout.