Week 11, Lesson 1 (March 6)
-----------------------------------------------------------------------------
11.25 Configuring hotlink protection
Users have uploaded many images to our site, and some of them then put links to those images on their own sites, where the images load directly. That saves bandwidth on their site.
(1) Edit the virtual host configuration file: define a whitelist of referers and the protected file types, so that only whitelisted referers get access
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
    <Directory /data/wwwroot/111.com>
        SetEnvIfNoCase Referer "http://111.com" local_ref
        # Whitelisted site
        SetEnvIfNoCase Referer "http://aaa.com" local_ref
        # A request that was not reached through a link has an empty Referer; an empty Referer is allowed
        SetEnvIfNoCase Referer "^$" local_ref
        # File types covered by hotlink protection
        <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">
            # Order: allow first, then deny
            Order Allow,Deny
            Allow from env=local_ref
        </FilesMatch>
    </Directory>
(2) Check the syntax and reload
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
(3) Test
curl -x127.0.0.1:80 -I 111.com/xshell.png
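The decision logic of the rule above, modelled in Python as an added example (not part of the original notes and not Apache's own code): it runs the page's Referer and FilesMatch patterns over constructed requests and compares the result with an anchored variant. The anchored patterns, the extra png extension and the sample requests are assumptions made for illustration.

```python
import re

# Referer patterns exactly as on the page. SetEnvIfNoCase performs a
# case-insensitive, unanchored regex search on the header value.
PAGE_REFERERS = [r"http://111.com", r"http://aaa.com", r"^$"]
# Assumed hardened form: anchored, dots escaped, host ends at "/" or end of string.
ANCHORED_REFERERS = [r"^http://111\.com(/|$)", r"^http://aaa\.com(/|$)", r"^$"]

PAGE_FILES = r"\.(txt|doc|mp3|zip|rar|jpg|gif)"
ANCHORED_FILES = r"\.(txt|doc|mp3|zip|rar|jpg|gif|png)$"  # assumption: png added


def status(path, referer, referer_patterns, files_pattern):
    """Return the HTTP status the hotlink rule would produce for one request."""
    filename = path.rsplit("/", 1)[-1]
    # <FilesMatch> is tested against the file name only.
    if not re.search(files_pattern, filename):
        return 200  # the rule does not apply to this file at all
    # local_ref is set when any pattern matches the Referer header.
    local_ref = any(re.search(p, referer, re.I) for p in referer_patterns)
    # Order Allow,Deny with only "Allow from env=local_ref": default is deny.
    return 200 if local_ref else 403


# Constructed sample requests: (path, Referer value; "" means header absent)
SAMPLES = [
    ("/logo.jpg", "http://111.com/index.html"),
    ("/logo.jpg", ""),
    ("/logo.jpg", "http://other.example/page.html"),
    ("/logo.jpg", "http://other.example/?from=http://111.com"),
    ("/xshell.png", "http://other.example/page.html"),
]


def evaluate(referer_patterns, files_pattern):
    """Apply one rule set to every constructed sample request."""
    return [status(p, r, referer_patterns, files_pattern) for p, r in SAMPLES]


if __name__ == "__main__":
    page = evaluate(PAGE_REFERERS, PAGE_FILES)
    anchored = evaluate(ANCHORED_REFERERS, ANCHORED_FILES)
    for (p, r), a, b in zip(SAMPLES, page, anchored):
        print(f"{p:12} Referer={r!r:45} page={a} anchored={b}")
```

On a live server the same requests can be reproduced with curl's -e option, which sets the Referer header.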
-----------------------------------------------------------------------------
11.26 Access control - Directory
(1) Edit the virtual host configuration file and add the following, so that only internal users can access the directory and everyone else is denied
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/111.com/admin/>
    # Order: deny first, then allow
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
(2) Check the syntax and reload
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
(3) Test
curl -x127.0.0.1:80 -I 111.com/admin/index.php
curl -x192.168.188.128:80 -I 111.com/admin/index.php
-----------------------------------------------------------------------------
11.27 Access control - FilesMatch
(1) Edit the virtual host configuration file and add the following
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/111.com>
    <FilesMatch "admin.php(.*)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>
(2) Check the syntax and reload
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
(3) Test
mkdir admin
cp index.php admin/
curl -x127.0.0.1:80 -I 111.com/admin/index.php
curl -x192.168.188.128:80 -I '111.com/admin.php?sadfaskgnaglnaiogiw'
-----------------------------------------------------------------------------
11.28 Disabling PHP parsing for a specific directory
(1) Edit the virtual host configuration file and add the following, so that the upload directory does not parse PHP
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
# The upload directory does not parse PHP
<Directory /data/wwwroot/111.com/upload>
    php_admin_flag engine off
</Directory>
(2) Check the syntax and reload
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
(3) Test
mkdir upload
cp 123.php upload/
curl -x127.0.0.1:80 'http://111.com/upload/123.php'
-----------------------------------------------------------------------------
11.29 Restricting by user_agent
(1) Edit the virtual host configuration file and add the following
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
        RewriteRule .* - [F]
    </IfModule>
(2) Check the syntax and reload
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
(3)