LAMP Architecture (Part 3)
Configuring hotlink protection
How hotlink protection works:
HTTP has a dedicated Referer header: a request carries the URL of the page from which the link was followed, so a server can tell whether the request was triggered from another site. The header serves two purposes: it shows which page the request came from, and for a resource file (an image, say) it identifies the page that embeds it. Every Referer-based hotlink protection rests on this one header, and therefore inherits its weakness: the client decides what to send, and browsers omit it in several situations (privacy settings, a Referrer-Policy, navigation from an HTTPS page to an HTTP resource).
What hotlink protection is for:
The "secure hotlink protection" that CDNs sell is a different mechanism from the Referer check configured below: the resource URL carries a signature, the server verifies it, and the URL is only usable from your own app, so a third party who obtains the URL cannot reuse or redistribute it.
Hotlink protection in general is a mechanism, or a technique, whose purpose is to stop the content on your site (images, files, etc.) from being accessed or downloaded by other sites through technical means. The motivation is economic: hotlinking diverts traffic from the main site, and traffic is revenue. How is it implemented? Every access generates an HTTP request, which the server parses, so the question is which part of the request can be used to stop hotlinking. The answer is the request headers: when the site receives a request it looks for a Referer header, and if one is present it checks the value against its own rules, the Referer being the address of the page that requested the image. For example:
1. Viewing an image normally in Baidu Tieba, the request header carries Referer: http://tieba.baidu.com/
2. Viewing the same image through a third-party page, the request header carries Referer: http://localhost/booledu/http/index.html
Edit the virtual host configuration: vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
    #</FilesMatch>
    #</Directory>
    <Directory /data/wwwroot/111.com>                                ## the directory to protect
        SetEnvIfNoCase Referer "http://111.com" local_ref           ## whitelist our own site
        SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref  ## whitelist the course forum
        #SetEnvIfNoCase Referer "^$" local_ref                      ## also whitelist an empty Referer
        <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">          ## the file types the rule covers
            Order Allow,Deny            ## Order sets which of Allow/Deny is evaluated first and what the default is; it is not the textual order of the rules below
            Allow from env=local_ref    ## only an Allow rule is written, no Deny; under Order Allow,Deny anything that matches no Allow is denied
        </FilesMatch>
    </Directory>
    ErrorLog "logs/111.com-error_log"
Two things to check in these patterns. SetEnvIfNoCase takes a case-insensitive regular expression and searches for it anywhere in the header, and the dots are not escaped, so "http://111.com" also matches "http://111.com.evil.example/" and "http://evil.example/?http://111.com", while it fails to match "https://111.com/" from your own site once it is served over HTTPS. Anchor the expressions, e.g. "^https?://(www\.)?111\.com(/|$)". The FilesMatch pattern is likewise unanchored at the end; add a "$" so that it matches the extension only.
Check the syntax (/usr/local/apache2.4/bin/apachectl -t) and reload the configuration (/usr/local/apache2.4/bin/apachectl graceful).
Test:
The page below was reached by following a link from the page above, so the browser sent a Referer and the image loaded. Typing http://111.com/zz.png straight into the address bar sends no Referer, and the image is not shown.
If you want http://111.com/zz.png to be viewable when typed directly into the address bar, the configuration has to change:
Edit the virtual host configuration: vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
    #SetEnvIfNoCase Referer "^$" local_ref   ## also whitelist an empty Referer
Remove the leading # from the empty-Referer line to enable it, check the syntax and reload. Be clear about what this gives up: any client that simply omits the Referer header is now served the file, so the protection is reduced to blocking browsers that embed your images in other people's pages.
Test:
Testing with curl: -e sets the Referer
    [root@host ~]# curl -e "http://111.com/123.txt" -x127.0.0.1:80 111.com/zz.png -I
    HTTP/1.1 200 OK
    Date: Sun, 01 Jul 2018 11:26:15 GMT
    Server: Apache/2.4.33 (Unix) PHP/7.1.6
    Last-Modified: Wed, 16 Aug 2017 14:02:27 GMT
    ETag: "5a8a1-556df588ec2c0"
    Accept-Ranges: bytes
    Content-Length: 370849
    Content-Type: image/png
    [root@host ~]# curl -e "http://www.qq.com/123.txt" -x127.0.0.1:80 111.com/zz.png -I
    HTTP/1.1 403 Forbidden
    Date: Sun, 01 Jul 2018 11:26:22 GMT
    Server: Apache/2.4.33 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1
The second request is rejected because its Referer matches no whitelist entry. The first request also shows the limit of the control: curl set a Referer of its own choosing and was let through, so any downloader that forges the header bypasses the check entirely. Referer checks raise the cost of casual hotlinking; they are not an access control.
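The pattern pitfall in code. This is an added example, not part of the original notes: a Python model of what the SetEnvIfNoCase lines above decide for a given Referer value, run against the two values from the curl test and a few constructed ones. The STRICT_PATTERNS, the lookalike hostnames and the compare() helper are my own; Python's re module stands in for Apache's PCRE, which for these expressions behaves the same.

```python
import re

# Patterns exactly as written in the vhost config above: SetEnvIfNoCase treats each one as a
# case-insensitive regular expression searched anywhere in the header; the dots are unescaped.
PAGE_PATTERNS = [r"http://111.com", r"http://ask.apelearn.com"]

# Anchored alternatives (my suggestion, not from the page): either scheme, host must end right
# after the domain (a "/" or end of string), dots escaped.
STRICT_PATTERNS = [r"^https?://(www\.)?111\.com(/|$)", r"^https?://ask\.apelearn\.com(/|$)"]


def referer_is_local(referer, patterns, allow_empty=False):
    """Model of 'SetEnvIfNoCase Referer <pattern> local_ref'.

    Returns True when the request would receive the local_ref variable and therefore pass
    'Allow from env=local_ref'. An absent header behaves like an empty one and only passes
    when the '^$' line is enabled (allow_empty=True).
    """
    if referer == "":
        return allow_empty
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)


def compare(referer, allow_empty=False):
    """(decision with the page's patterns, decision with the anchored patterns)."""
    return (referer_is_local(referer, PAGE_PATTERNS, allow_empty),
            referer_is_local(referer, STRICT_PATTERNS, allow_empty))


# Constructed Referer values: the two from the curl test plus cases that separate the
# unanchored patterns from the anchored ones.
CASES = {
    "http://111.com/123.txt": "own site, as in the first curl test",
    "http://www.qq.com/123.txt": "foreign site, as in the second curl test",
    "HTTP://111.COM/page.html": "case differs; NoCase lets it through either way",
    "https://111.com/page.html": "own site over HTTPS: the page's pattern rejects it",
    "http://111.com.evil.example/": "attacker-registered lookalike: the page's pattern accepts it",
    "http://evil.example/?http://111.com": "the string hidden in a query: the page's pattern accepts it",
    "": "no Referer (typed into the address bar, or a downloader that omits it)",
}

if __name__ == "__main__":
    for ref, why in CASES.items():
        page, strict = compare(ref)
        print(f"{ref!r:40} page={page!s:5} strict={strict!s:5}  {why}")
```

Run it as a script to see the table; the interesting rows are the HTTPS referer, which the page's pattern wrongly rejects, and the two attacker-controlled values, which it wrongly accepts.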
Access control with Directory (per directory)
Edit the virtual host configuration: vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
    #</Directory>
    <Directory /data/wwwroot/111.com/admin/>   ## admin is the back-end directory being locked down; the path must be absolute
        Order deny,allow       ## Deny rules are evaluated first, then Allow rules; the default is allow
        Deny from all          ## refuse every client IP
        Allow from 127.0.0.1   ## the controlled attribute is the source IP; a matching Allow overrides the Deny under Order deny,allow
    </Directory>
    <Directory /data/wwwroot/111.com>
Order, Allow and Deny are mod_access_compat directives kept for Apache 2.2 compatibility; the native Apache 2.4 form of this block is a single "Require ip 127.0.0.1" (and "Require env local_ref" for the hotlink rule). Whichever form you use, the IP being tested is the TCP peer: behind a reverse proxy or load balancer that is the proxy's address unless mod_remoteip is configured.
Check the syntax and reload the configuration
Test:
Accessing from the allowed IP works normally and returns status 200:
    [root@host ~]# curl -x127.0.0.1:80 111.com/admin/index.php -I
    HTTP/1.1 200 OK
    Date: Sun, 01 Jul 2018 11:52:51 GMT
    Server: Apache/2.4.33 (Unix) PHP/7.1.6
    X-Powered-By: PHP/7.1.6
    Content-Type: text/html; charset=UTF-8
    [root@host ~]# curl -x127.0.0.1:80 111.com/admin/index.php
    welcome!
Accessing from any other IP is refused with status 403; accessing a page that does not exist from the allowed IP gives status 404:
    [root@host ~]# curl -x192.168.106.150:80 111.com/admin/index.php -I
    HTTP/1.1 403 Forbidden
    Date: Sun, 01 Jul 2018 11:55:05 GMT
    Server: Apache/2.4.33 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1
    [root@host ~]# curl -x127.0.0.1:80 111.com/admin/djisjfisdjfk -I
    HTTP/1.1 404 Not Found
    Date: Sun, 01 Jul 2018 11:55:31 GMT
    Server: Apache/2.4.33 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1
In the log, requests to 127.0.0.1 arrive from source IP 127.0.0.1, while requests to 192.168.106.150 arrive from source IP 192.168.106.128, which is why the second was refused:
    [root@host ~]# tail /usr/local/apache2.4/logs/111.com-access_20180701.log
    127.0.0.1 - - [01/Jul/2018:19:52:51 +0800] "HEAD HTTP://111.com/admin/index.php HTTP/1.1" 200 - "-" "curl/7.29.0"
    127.0.0.1 - - [01/Jul/2018:19:53:02 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 200 9 "-" "curl/7.29.0"
    192.168.106.128 - - [01/Jul/2018:19:55:05 +0800] "HEAD HTTP://111.com/admin/index.php HTTP/1.1" 403 - "-" "curl/7.29.0"
    127.0.0.1 - - [01/Jul/2018:19:55:31 +0800] "HEAD HTTP://111.com/admin/djisjfisdjfk HTTP/1.1" 404 - "-" "curl/7.29.0"
Access control with FilesMatch (per file)
Edit the virtual host configuration: vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
    #</Directory>
    <Directory /data/wwwroot/111.com>
        <FilesMatch admin.php(.*)>   ## a regex on the file name only: the query string is never part of the match, and the trailing (.*) adds nothing
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </FilesMatch>
    </Directory>
    <Directory /data/wwwroot/111.com>
As written the dot is unescaped and the pattern is unanchored, so it also covers admin.php.bak, adminXphp and old-admin.php; "^admin\.php$" is what is usually meant.
Check the syntax and reload the configuration
Test:
    ## the directory itself is no longer restricted, so an ordinary request goes through (404 only because the file does not exist)
    [root@host ~]# curl -x192.168.106.150:80 http://111.com/admin/fjdifjdijf -I
    HTTP/1.1 404 Not Found
    Date: Sun, 01 Jul 2018 12:14:23 GMT
    Server: Apache/2.4.33 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1
    ## the restricted file returns 403 for a source IP that is not allowed
    [root@host ~]# curl -x192.168.106.150:80 http://111.com/admin.php?fjdifjd -I
    HTTP/1.1 403 Forbidden
    Date: Sun, 01 Jul 2018 12:17:26 GMT
    Server: Apache/2.4.33 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1
    ## the allowed IP gets past the restriction
    [root@host ~]# curl -x127.0.0.1:80 'http://111.com/admin.php?fjdifjd' -I    ## quote the URL when it contains ? or &, or the shell may interpret them
    HTTP/1.1 404 Not Found
    Date: Sun, 01 Jul 2018 12:17:43 GMT
    Server: Apache/2.4.33 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1
The last response is 404 because /admin.php does not actually exist in this document root. Note the order of the two checks: the 403 for the other IP came back before Apache looked for the file, so a blocked client cannot use the access control to enumerate which files are present.
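How Order, Allow and Deny combine, as an added example rather than anything from the original notes: a Python model of the mod_access_compat decision, applied to the three blocks on this page (the admin Directory, the upload FilesMatch and the hotlink FilesMatch) plus a constructed block that shows the classic deny,allow mistake. The names ADMIN_DIR, UPLOAD_PHP, HOTLINK and the two BLOCKLIST cases are mine; the evaluation rules are the ones documented for the Order directive.

```python
import ipaddress


def _rule_matches(rule, client_ip, env):
    """One 'Allow from X' / 'Deny from X' operand: all, env=var, env=!var, or an IP / CIDR block."""
    if rule == "all":
        return True
    if rule.startswith("env=!"):          # variable must be unset
        return rule[5:] not in env
    if rule.startswith("env="):           # variable must be set (e.g. local_ref from SetEnvIf)
        return rule[4:] in env
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)


def access_allowed(order, allow, deny, client_ip, env=frozenset()):
    """Decide a request the way Order/Allow/Deny do.

    order:  "deny,allow" or "allow,deny"
    allow:  operands of the Allow lines, e.g. ["127.0.0.1"] or ["env=local_ref"]
    deny:   operands of the Deny lines, e.g. ["all"]
    env:    environment variables set for the request (by SetEnvIf and friends)
    """
    allowed = any(_rule_matches(r, client_ip, env) for r in allow)
    denied = any(_rule_matches(r, client_ip, env) for r in deny)
    first = order.split(",")[0].strip().lower()
    if first == "deny":
        # Order deny,allow: default allow; Deny is applied, then a matching Allow overrides it.
        return allowed or not denied
    if first == "allow":
        # Order allow,deny: default deny; the request must match an Allow and no Deny.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order!r}")


# The blocks from this page, written as data.
ADMIN_DIR = dict(order="deny,allow", allow=["127.0.0.1"], deny=["all"])     # <Directory .../admin/>
UPLOAD_PHP = dict(order="allow,deny", allow=[], deny=["all"])               # <FilesMatch (.*)\.php(.*)> under upload
HOTLINK = dict(order="allow,deny", allow=["env=local_ref"], deny=[])        # <FilesMatch "\.(txt|...)">

# Constructed: "everyone except one address". Under deny,allow the later Allow wins and the
# Deny is dead; under allow,deny the Deny is honoured.
BAD_BLOCKLIST = dict(order="deny,allow", allow=["all"], deny=["192.168.106.128"])
GOOD_BLOCKLIST = dict(order="allow,deny", allow=["all"], deny=["192.168.106.128"])


def decide(block, client_ip, env=frozenset()):
    """Apply one configuration block to one request."""
    return access_allowed(block["order"], block["allow"], block["deny"], client_ip, env)


if __name__ == "__main__":
    print("admin from 127.0.0.1       ->", decide(ADMIN_DIR, "127.0.0.1"))
    print("admin from 192.168.106.128 ->", decide(ADMIN_DIR, "192.168.106.128"))
    print("upload/*.php from anywhere ->", decide(UPLOAD_PHP, "127.0.0.1"))
    print("hotlink, local_ref set     ->", decide(HOTLINK, "1.2.3.4", {"local_ref"}))
    print("hotlink, local_ref unset   ->", decide(HOTLINK, "1.2.3.4"))
    print("bad blocklist blocks?      ->", not decide(BAD_BLOCKLIST, "192.168.106.128"))
    print("good blocklist blocks?     ->", not decide(GOOD_BLOCKLIST, "192.168.106.128"))
```

The last two lines are the point: the same Allow and Deny lines give opposite answers depending only on Order, which is why the page stresses that Order, not the textual position of the rules, decides.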
Forbidding PHP parsing in a given directory
Edit the virtual host configuration: vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
    #</Directory>
    <Directory /data/wwwroot/111.com/upload>   ## upload holds static files, which never need to be run through PHP
        php_admin_flag engine off              ## turn the PHP engine off for this directory
    </Directory>
    <Directory /data/wwwroot/111.com>
php_admin_flag (unlike php_flag) cannot be overridden from .htaccess or ini_set(), which is what you want for a directory that accepts uploads. It is a mod_php directive; with PHP-FPM the equivalent is to keep the PHP handler from applying to that directory.
Check the syntax and reload the configuration
Test: request a .php file in the upload directory where parsing is disabled. With engine off alone, Apache no longer hands the file to mod_php and serves it as an ordinary file, so the client downloads the PHP source. The 403 captured below is the result after the FilesMatch block from the next step had been added as well:
    [root@host 111.com]# curl -x192.168.106.128:80 http://111.com/upload/123.php -I
    HTTP/1.1 403 Forbidden
    Date: Sun, 01 Jul 2018 12:56:52 GMT
    Server: Apache/2.4.33 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1
To avoid exposing the source, refuse the request outright by adding the four FilesMatch lines to the virtual host:
    #</Directory>
    <Directory /data/wwwroot/111.com/upload>   ## upload holds static files, which never need to be run through PHP
        php_admin_flag engine off              ## stops PHP execution; this line alone is enough for that
        <FilesMatch (.*)\.php(.*)>             ## these four lines ...
            Order allow,deny                   ##
            Deny from all                      ##
        </FilesMatch>                          ## ... make sure the un-parsed PHP source is not served either: a 403 instead
    </Directory>
    <Directory /data/wwwroot/111.com>
Access control by User-Agent
Edit the virtual host configuration: vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
    #</Directory>
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]   ## NC: case-insensitive; OR: this condition or the next one is enough
        RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
        RewriteRule .* - [F]                              ## "-" leaves the URL unchanged; [F] answers 403 Forbidden, an unusual but handy use of a rewrite rule
    </IfModule>
    <Directory /data/wwwroot/111.com/upload>
Check the syntax and reload the configuration
Test:
    [root@host 111.com]# curl -x192.168.106.128:80 http://111.com/123.php -I
    HTTP/1.1 403 Forbidden    ## the curl User-Agent is blocked
    Date: Sun, 01 Jul 2018 13:23:56 GMT
    Server: Apache/2.4.33 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1
    ## the -A option sets the User-Agent
    [root@host 111.com]# curl -A "zyshan zyshan" -x192.168.106.128:80 http://111.com/123.php -I
    HTTP/1.1 200 OK
    Date: Sun, 01 Jul 2018 13:25:27 GMT
    Server: Apache/2.4.33 (Unix) PHP/7.1.6
    X-Powered-By: PHP/7.1.6
    Content-Type: text/html; charset=UTF-8
Check the log:
    192.168.106.128 - - [01/Jul/2018:21:23:56 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
    192.168.106.128 - - [01/Jul/2018:21:25:27 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "zyshan zyshan"
The second request is the whole story of User-Agent filtering: the same client changed one header and was let in. Treat this as a way to shed lazy scrapers, not as access control.
curl options used here: -A sets the User-Agent; -e sets the Referer, which must start with http://; -x sends the request through the given proxy address, so the host name in the URL need not resolve (no /etc/hosts entry needed); -I sends a HEAD request and prints only the response headers.
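Detecting the bypass shown in the log above, as an added example that is not part of the original notes: a Python parser for lines in the combined log format used on this page, plus a check that flags a client which is refused with 403 and returns shortly afterwards presenting a different User-Agent. SAMPLE_LOG is constructed from the log lines in this section; the five-minute window is an assumption, and the function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the combined format of the access log above; the 403/200 pair for
# 192.168.106.128 is the curl -A bypass captured in this section.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jul/2018:19:52:51 +0800] "HEAD HTTP://111.com/admin/index.php HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [01/Jul/2018:19:53:02 +0800] "GET HTTP://111.com/admin/index.php HTTP/1.1" 200 9 "-" "curl/7.29.0"
192.168.106.128 - - [01/Jul/2018:19:55:05 +0800] "HEAD HTTP://111.com/admin/index.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [01/Jul/2018:19:55:31 +0800] "HEAD HTTP://111.com/admin/djisjfisdjfk HTTP/1.1" 404 - "-" "curl/7.29.0"
192.168.106.128 - - [01/Jul/2018:21:23:56 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.106.128 - - [01/Jul/2018:21:25:27 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "zyshan zyshan"
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def ua_rotation_after_403(lines, window_seconds=300):
    """Return (ip, blocked_ua, new_ua, new_status) for every 403 that is followed, within
    window_seconds and from the same client IP, by a request with a different User-Agent."""
    by_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            by_ip[entry["ip"]].append(entry)
    findings = []
    for ip, entries in by_ip.items():
        entries.sort(key=lambda e: e["time"])
        for i, blocked in enumerate(entries):
            if blocked["status"] != 403:
                continue
            for later in entries[i + 1:]:
                if (later["time"] - blocked["time"]).total_seconds() > window_seconds:
                    break
                if later["ua"] != blocked["ua"]:
                    findings.append((ip, blocked["ua"], later["ua"], later["status"]))
                    break
    return findings


if __name__ == "__main__":
    for ip, old_ua, new_ua, status in ua_rotation_after_403(SAMPLE_LOG.splitlines()):
        print(f"{ip}: refused as {old_ua!r}, retried as {new_ua!r} -> {status}")
```

On a real log the same parser feeds whatever alerting you have; the 403-then-new-UA pattern is cheap to compute per IP and rarely fires for legitimate browsers, which do not change User-Agent between two requests a minute apart.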
PHP-related configuration
1. How to find the php.ini that is actually in use: the reliable way is phpinfo() in a browser, which reports the "Loaded Configuration File" (php --ini on the command line shows the same for the CLI).
Copy the development template from the source directory into PHP's configuration directory and reload Apache:
    [root@host 111.com]# cd /usr/local/src/php-7.1.6/
    [root@host php-7.1.6]# cp php.ini-development /usr/local/php7/etc/php.ini
    [root@host php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
/usr/local/php7/etc/php.ini is now the configuration file this site's PHP actually reads. For an internet-facing server start from php.ini-production instead: the development template turns display_errors on, which is exactly what step 4 below has to switch off again.
2. Add a rule to php.ini: add phpinfo to the disable_functions list. A phpinfo page is easily uploaded to the server by mistake and, left there, shows an attacker the configuration file path and much else about the installation, so disabling the function removes that exposure. The same list is the place for the shell-execution functions an upload-and-run attack needs, such as exec and system.
Test: opening the page now shows a warning on the page itself (display_errors is still on).
3. Set the time zone; without it PHP sometimes emits a warning.
vim /usr/local/php7/etc/php.ini, search for date.timezone and set it to Asia/Shanghai or Asia/Chongqing.
4. With phpinfo disabled, keep the warning off the web page by setting display_errors = Off, so that errors are no longer rendered to visitors.
Test (!curl re-runs the last curl command from the shell history):
    [root@host php-7.1.6]# !curl
    curl -A "zyshan zyshan" -x192.168.106.128:80 http://111.com/123.php -I
    HTTP/1.1 200 OK
    Date: Sun, 01 Jul 2018 14:30:09 GMT
    Server: Apache/2.4.33 (Unix) PHP/7.1.6
    X-Powered-By: PHP/7.1.6
    Content-Type: text/html; charset=UTF-8
    [root@host php-7.1.6]# curl -A "zyshan zyshan" -x192.168.106.128:80 http://111.com/123.php
    123.com[root@host php-7.1.6]#
The body is just "123.com" now; the warning is gone.
5. With warnings no longer displayed, an error log is needed so that they are not lost:
vim /usr/local/php7/etc/php.ini, search for log_errors and make sure it reads log_errors = On
Set the log file path: error_log = /tmp/php_errors.log
Set the level of messages to record with error_reporting
Test:
    [root@host php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/123.php
    123.com[root@host php-7.1.6]# ls /tmp/    ## the error log has been created
    mysql.sock
    pear
    php_errors.log
    systemd-private-566fa5b368384acbba075e59e85a8c81-chronyd.service-TgHAlN
    systemd-private-566fa5b368384acbba075e59e85a8c81-vgauthd.service-BB1UWC
    systemd-private-566fa5b368384acbba075e59e85a8c81-vmtoolsd.service-XrUIEy
    [root@host php-7.1.6]# ls -l /tmp/php_errors.log
    -rw-r--r-- 1 daemon daemon 1752 7月  1 22:50 /tmp/php_errors.log    ## owner and group of the log ...
    [root@host php-7.1.6]# ps aux |grep httpd    ## ... are the user the httpd worker processes run as
    root      1922  0.0  0.7 258940 13696 ?  Ss  19:25  0:01 /usr/local/apache2.4/bin/httpd -k start
    daemon    4679  0.0  0.6 545768 12380 ?  Sl  22:50  0:00 /usr/local/apache2.4/bin/httpd -k start
    daemon    4680  0.0  0.5 545768 10356 ?  Sl  22:50  0:00 /usr/local/apache2.4/bin/httpd -k start
    daemon    4681  0.0  0.7 613416 14520 ?  Sl  22:50  0:00 /usr/local/apache2.4/bin/httpd -k start
    daemon    4765  0.0  0.7 613416 14524 ?  Sl  22:50  0:00 /usr/local/apache2.4/bin/httpd -k start
    root      4829  0.0  0.0 112720   968 pts/0  R+  22:53  0:00 grep --color=auto httpd
    [root@host php-7.1.6]# grep error_log /usr/local/php7/etc/php.ini
    ; server-specific log, STDERR, or a location specified by the error_log
    ; Set maximum length of log_errors. In error_log information about the source is
    error_log = /tmp/php_errors.log
    ;error_log = syslog
    ; OPcache error_log file name. Empty string assumes "stderr".
    ;opcache.error_log=
    [root@host php-7.1.6]#
    ## To make sure the log can be written, the file can be created in advance with suitable permissions, which avoids ownership or permission problems stopping the log from being produced:
    [root@host php-7.1.6]# touch /tmp/php_errors.log ; chmod 777 /tmp/php_errors.log^C
    [root@host php-7.1.6]# cat /tmp/php_errors.log
    [01-Jul-2018 22:50:06 Asia/chongqing] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
Here the file appeared on its own because /tmp is world-writable and the workers run as daemon. When it does not, chmod 777 is the wrong fix: create the log in a directory owned by the httpd user (chown daemon:daemon, mode 0640), and keep it out of /tmp, where any local user can read the file paths and messages it contains.
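Steps 2 to 5 collected into one php.ini fragment, as an added example rather than a copy of the author's file. The settings are the ones the steps above arrive at, with the weak values they replace shown as comments; the error_reporting level and the expose_php line are my additions (the page does not state its level, and expose_php is what removes the "X-Powered-By: PHP/7.1.6" header visible in the curl output above).

```ini
; Weak starting point (what php.ini-development gives you):
;   display_errors = On        ; warnings, file paths and other details are rendered into the page
;   disable_functions =        ; phpinfo() and the shell-execution functions are all callable
;   date.timezone =            ; unset, so date functions warn
;   expose_php = On            ; advertises the PHP version in every response

; Hardened values this section arrives at:
display_errors = Off                          ; step 4: nothing about errors reaches the visitor
log_errors = On                               ; step 5: keep them server-side instead
error_log = /tmp/php_errors.log               ; step 5: the page's path; prefer a directory owned by the httpd user
error_reporting = E_ALL & ~E_NOTICE           ; assumed level, the page does not show its value
date.timezone = Asia/Shanghai                 ; step 3
disable_functions = phpinfo,exec,system,shell_exec,passthru,popen,proc_open   ; step 2: phpinfo as on the page, the rest assumed
expose_php = Off                              ; added: drops the X-Powered-By header
```

A reload (apachectl graceful) is needed after every php.ini change with mod_php, since the file is read when the worker processes start.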
6. open_basedir directory isolation, so that a compromise of one site's files cannot be turned into read or write access to another site's
Edit the virtual host configuration: vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
Add the line php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/" to this virtual host, and the equivalent line, with its own document root, to the other virtual host.
The first path is the site's document root; /tmp is where temporary files (uploads, sessions) go and must be included too, otherwise PHP cannot write temporary files at all. Two caveats: open_basedir restricts PHP's own file functions only, not what exec() or system() can reach, which is another reason to keep those in disable_functions; and each entry is a path prefix, so "/data/wwwroot/111.com" also admits "/data/wwwroot/111.com-backup". End the entry with a slash to restrict it to that directory alone.
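The prefix rule in code, as an added example that is not PHP's own implementation: a Python model of the documented open_basedir test, applied to the value used above and to a few constructed paths. PHP additionally resolves symlinks with realpath() before comparing; this model normalises ".." components only, so that it can be run on paths that do not exist. The function name and the sample paths are mine.

```python
import os


def open_basedir_allows(path, open_basedir):
    """Model of PHP's documented open_basedir check.

    open_basedir is a colon-separated list. Each entry is compared as a path PREFIX, so
    "/tmp" also admits "/tmpfoo"; an entry ending in "/" admits only that directory and
    what lies below it. The requested path is normalised first so ".." cannot walk out.
    """
    target = os.path.normpath(path)
    for entry in open_basedir.split(":"):
        if not entry:
            continue
        if entry.endswith("/"):
            base = os.path.normpath(entry)                 # "/tmp/" -> "/tmp"
            if target == base or target.startswith(base.rstrip("/") + "/"):
                return True
        elif target.startswith(os.path.normpath(entry)):   # bare prefix, as PHP documents it
            return True
    return False


# The value from the vhost above, and the same value with the site entry terminated by "/".
PAGE_VALUE = "/data/wwwroot/111.com:/tmp/"
STRICT_VALUE = "/data/wwwroot/111.com/:/tmp/"

# Constructed paths a compromised script might try.
PROBES = [
    "/data/wwwroot/111.com/index.php",              # own site: allowed
    "/data/wwwroot/222.com/config.php",             # the other site: refused
    "/data/wwwroot/111.com/../222.com/config.php",  # traversal: normalised, then refused
    "/data/wwwroot/111.com-backup/db.sql",          # prefix pitfall: allowed by PAGE_VALUE only
    "/tmp/sess_abc123",                             # session file: allowed
    "/tmpfoo/x",                                    # refused, because the /tmp/ entry has a slash
    "/etc/passwd",                                  # refused
]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p:48} page={open_basedir_allows(p, PAGE_VALUE)!s:5} strict={open_basedir_allows(p, STRICT_VALUE)}")
```

The fourth probe is the one to remember: a backup or staging copy created next to the document root with the same name prefix is inside the page's open_basedir without anyone intending it.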
Installing PHP extension modules
If a module turns out to be missing after PHP has been compiled, build it as an extension instead of recompiling PHP.
Installing the redis module as an example:
    [root@host wwwroot]# cd /usr/local/src
    [root@host src]# wget https://codeload.github.com/phpredis/phpredis/zip/develop
    [root@host src]# mv develop phpredis-develop.zip
    [root@host src]# unzip phpredis-develop.zip
    [root@host src]# cd phpredis-develop
    [root@host phpredis-develop]# ls
    arrays.markdown     config.w32        INSTALL.markdown   mkdeb.sh            redis_array_impl.c   redis_commands.h
    cluster_library.c   COPYING           ISSUE_TEMPLATE.md  package.xml         redis_array_impl.h   redis_session.c
    cluster_library.h   crc16.h           liblzf             php_redis.h         redis.c              redis_session.h
    cluster.markdown    CREDITS           library.c          README.markdown     redis_cluster.c      rpm
    common.h            debian            library.h          redis_array.c       redis_cluster.h      serialize.list
    config.m4           debian.control    mkdeb-apache2.sh   redis_array.h       redis_commands.c     tests
    [root@host phpredis-develop]# /usr/local/php7/bin/phpize
    Configuring for:
    PHP Api Version:         20131106
    Zend Module Api No:      20131226
    Zend Extension Api No:   220131226
    Cannot find autoconf. Please check your autoconf installation and the
    $PHP_AUTOCONF environment variable. Then, rerun this script.
    [root@host phpredis-develop]# yum install -y autoconf
    [root@host phpredis-develop]# /usr/local/php7/bin/phpize   ## only now is the configure script actually generated
    Configuring for:
    PHP Api Version:         20131106
    Zend Module Api No:      20131226
    Zend Extension Api No:   220131226
Two checks before going further. First, the API numbers phpize prints must match the suffix of the extension_dir your PHP uses (20160303 for PHP 7.1, the directory make install writes to below); the 2013xxxx numbers in this capture belong to PHP 5.6, and an extension built against the wrong API will refuse to load, so make sure the phpize on your PATH belongs to the PHP you are extending. Second, this downloads the moving develop branch with no checksum or signature; on a server, fetch a tagged release and verify its hash before building.
    [root@host phpredis-develop]# ./configure --with-php-config=/usr/local/php7/bin/php-config
    [root@host phpredis-develop]# make
    [root@host phpredis-develop]# make install
    Installing shared extensions:     /usr/local/php7/lib/php/extensions/no-debug-zts-20160303/
    [root@host phpredis-develop]# ls /usr/local/php7/lib/php/extensions/no-debug-zts-20160303/
    opcache.so  redis.so
Check the directory the extensions are stored in (the path can be customised with extension_dir in php.ini):
    [root@host phpredis-develop]# /usr/local/php7/bin/php -i |grep -i extension_dir
    extension_dir => /usr/local/php7/lib/php/extensions/no-debug-zts-20160303 => /usr/local/php7/lib/php/extensions/no-debug-zts-20160303
    sqlite3.extension_dir => no value => no value
    [root@host phpredis-develop]# ls /usr/local/php7/lib/php/extensions/no-debug-zts-20160303
    opcache.so  redis.so
    [root@host phpredis-develop]# vi /usr/local/php7/etc/php.ini    ## add the line: extension = redis.so
    [root@host phpredis-develop]# /usr/local/php7/bin/php -m |grep redis
    redis
php -m confirms the CLI has loaded the module; for the web server, reload Apache (apachectl graceful) so that mod_php re-reads php.ini.
If the module's source directory already exists under /usr/local/src/php-7.1.6/ext/ in the PHP source tree, there is nothing to download: run the same three steps inside that directory
/usr/local/php7/bin/phpize
./configure --with-php-config=/usr/local/php7/bin/php-config
make && make install
Further reading:
Several ways to restrict access by IP  http://ask.apelearn.com/question/6519
Custom headers in Apache  http://ask.apelearn.com/question/830
Apache KeepAlive and KeepAliveTimeout  http://ask.apelearn.com/question/556
Enabling compression in Apache  http://ask.apelearn.com/question/5528
Configuration file changes from Apache 2.2 to 2.4  http://ask.apelearn.com/question/7292
Apache Options parameters  http://ask.apelearn.com/question/1051
Disabling TRACE/TRACK in Apache to prevent XSS  http://ask.apelearn.com/question/1045
Configuring HTTPS (SSL) in Apache  http://ask.apelearn.com/question/1029
Apache rewrite tutorial  http://coffeelet.blog.163.com/blog/static/13515745320115842755199/
  http://www.cnblogs.com/top5/archive/2009/08/12/1544098.html
Apache rewrite rules that loop forever  http://ask.apelearn.com/question/1043
PHP error log levels  http://ask.apelearn.com/question/6973
Enabling PHP short tags  http://ask.apelearn.com/question/120
php.ini explained  http://legolas.blog.51cto.com/2682485/493917
Enabling image hotlink protection under Apache
https://xiaozhou.net/enable_rewrite_module_of_apache-2012-02-15.html
The Apache Options directive explained  http://www.365mini.com/page/apache-options-directive.htm