
Apache: restricting PHP parsing per directory, blocking by User-Agent, and PHP configuration

Restricting PHP parsing per directory in Apache

  • Before the change, upload/index.php is executed as PHP:
# curl -x192.168.77.139:80 'www.test.com/upload/index.php'
This is upload diretory
  • Configuration: in /usr/local/apache2.4/conf/extra/httpd-vhosts.conf, add the following inside the matching <VirtualHost> block, then reload. php_admin_flag is a mod_php directive (this server runs PHP as an Apache module, as the Server header later on this page shows); it has no effect when PHP runs under php-fpm, and unlike php_flag it cannot be overridden from .htaccess or ini_set().
<Directory /usr/local/apache2.4/test-webroot/upload>
    php_admin_flag engine off
</Directory>
# /usr/local/apache2.4/bin/apachectl graceful
  • Test: PHP is no longer executed, but the file is served as-is, so its source code is disclosed:
# curl -x192.168.77.139:80 'www.test.com/upload/index.php'
<?php
echo "This is upload diretory\n";
?>
  • Turning the engine off stops execution but still leaks source (configuration, credentials, or anything else sitting in a .php file under that directory), so also deny access to those files with FilesMatch. Configuration:
<Directory /usr/local/apache2.4/test-webroot/upload>
    <FilesMatch (.*).php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
    Two notes on this block. Order and Deny are Apache 2.2 directives; on 2.4 they only work because mod_access_compat is loaded, and the native form is Require all denied. The pattern (.*).php(.*) works but is loose: the unescaped dot matches any character, and it only covers "php", so if your AddHandler/AddType lines also map .phtml, .php5 or similar to PHP, those extensions must be included as well.
  • Reload and test: the request now gets 403 instead of the source:
# /usr/local/apache2.4/bin/apachectl graceful
# curl -x192.168.77.139:80 'www.test.com/upload/index.php'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/index.php
on this server.<br />
</p>
</body></html>
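As an added example (not from the original post), here is the same upload directory locked down in one block using Apache 2.4's native Require syntax. The directory path is the one used above; the extension list and the Options/AllowOverride lines are my additions and should be adjusted to whatever AddHandler/AddType lines map to PHP on your server.

```apache
# Added example, not from the original post: one <Directory> block that
# combines "engine off" and "deny the files" for an upload tree.
<Directory "/usr/local/apache2.4/test-webroot/upload">
    # mod_php only: stop the PHP engine so nothing here is executed
    php_admin_flag engine off

    # No listing, no CGI, no SSI, and no .htaccess from inside the upload
    # tree (an attacker who can upload files could otherwise drop a
    # .htaccess that re-enables PHP with php_flag or AddHandler)
    Options -Indexes -ExecCGI -Includes
    AllowOverride None

    # Refuse any PHP-like extension anywhere in the name, case-insensitively,
    # so shell.php, shell.PHP, shell.php.jpg and shell.phtml all get 403.
    # The dot is escaped and the match is anchored on the extension.
    # Assumed list: extend it to match your AddHandler/AddType lines.
    <FilesMatch "(?i)\.(php[0-9]?|phtml|phar|phps)(\.|$)">
        Require all denied
    </FilesMatch>
</Directory>
```

Require is evaluated before any handler runs, so this block also works when PHP is served by php-fpm, where php_admin_flag is ignored. After a reload, check it with the same curl calls as above, and additionally with a name like shell.php.jpg, which naive extension filters often let through.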

Blocking requests by User-Agent

  • User-Agent is the request header in which the client (browser, crawler, curl, ...) identifies itself. It is set entirely by the client, so blocking on it stops careless scanners and known crawlers, never a deliberate attacker, who simply sends a different string (the -A test at the end of this section shows exactly that).
  • This needs mod_rewrite: in httpd.conf, remove the leading # from the LoadModule rewrite_module line.
  • Before the change, both a plain curl request and one with a custom User-Agent get 200:
# curl -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:32:20 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:32:20 GMT
Content-Type: text/html; charset=UTF-8
# curl -A myagent -x127.0.0.1:80 "www.qq.com/index.php" -I    # -A sets the User-Agent
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:32:35 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:32:35 GMT
Content-Type: text/html; charset=UTF-8
  • Configuration: add the following to the matching <VirtualHost> in /usr/local/apache2.4/conf/extra/httpd-vhosts.conf, then reload. Flags: NC (no case) makes the match case-insensitive; OR joins this condition with the next one as an alternative (without OR, consecutive RewriteConds are ANDed); F (forbidden) makes the rule answer 403. The "-" target leaves the URL unchanged. RewriteCond patterns are unanchored substring matches, so the surrounding .* is redundant, and the unescaped dot in baidu.com matches any character; curl and baidu\.com would be equivalent and tighter.
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
    RewriteRule  .*  -  [F]
</IfModule>
  • Reload and test: curl's default User-Agent (curl/x.y.z) is now refused, while any other value passes straight through:
# curl -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 403 Forbidden
Date: Wed, 21 Nov 2018 01:39:00 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1
# curl -A myagent -x127.0.0.1:80 "www.qq.com/index.php" -I
HTTP/1.1 200 OK
Date: Wed, 21 Nov 2018 01:39:04 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Wed, 21 Nov 2018 01:39:04 GMT
Content-Type: text/html; charset=UTF-8
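An added example (not from the original post) of the same rule written the way a practitioner would deploy it: escaped dots, an extra condition for an empty User-Agent (many scanners send none), and an exemption for one internal address so that your own curl-based health check is not cut off. The 10.0.0.5 address and the agent list are assumptions. It remains a nuisance filter: anyone who reads this page can pass it with -A.

```apache
# Added example, not from the original post.
<IfModule mod_rewrite.c>
    RewriteEngine on
    # Conditions are ANDed unless flagged [OR], so this reads as:
    #   NOT monitoring host  AND  (empty UA OR tool UA OR baidu UA)
    # 10.0.0.5 is an assumed internal monitoring address.
    RewriteCond %{REMOTE_ADDR} !^10\.0\.0\.5$
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{HTTP_USER_AGENT} (curl|wget|python-requests|sqlmap) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} baidu\.com [NC]
    # Matched: answer 403 for every path. [F] implies [L] on 2.4.
    RewriteRule ^ - [F]
</IfModule>
```

Check it with curl (403), curl -A 'Mozilla/5.0' (200), and curl -A '' (403); the last one is the case the original two-line rule does not cover.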

PHP configuration

  • Finding the loaded php.ini
    Method 1: /usr/local/php/bin/php -i | grep -i "loaded configuration file". This is not authoritative: it reports the file loaded by the CLI SAPI, and the Apache module (or php-fpm) can load a different one.
    Method 2: put a file containing <?php phpinfo(); ?> in the web root and open it in a browser; the "Loaded Configuration File" row shows what the web SAPI actually uses. Remove the file afterwards, since phpinfo() discloses paths, versions and settings to anyone who finds it.

  • Running /usr/local/php/bin/php -i | grep -i "loaded configuration file" prints a timezone warning; fix it in php.ini:

# /usr/local/php/bin/php -i | grep -i "loaded configuration file"
PHP Warning:  Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in Unknown on line 0
Loaded Configuration File => /usr/local/php/etc/php.ini
# in /usr/local/php/etc/php.ini, find date.timezone and set it to
date.timezone = Asia/Shanghai
#
# Reload Apache (mod_php reads php.ini only at startup; the CLI re-reads it on every run) and check again: the warning is gone
# /usr/local/apache2.4/bin/apachectl graceful
# /usr/local/php/bin/php -i | grep -i "loaded configuration file"
Loaded Configuration File => /usr/local/php/etc/php.ini
  • disable_functions. PHP has many built-in functions, and some are dangerous to leave available to web code: the command-execution family (exec, system, passthru, shell_exec, popen, proc_open) above all, and phpinfo(), which discloses server details. Disabling them in php.ini removes them from every SAPI that loads that file, which limits what an attacker gains from a file-inclusion or upload bug. Two caveats on the list below: eval is a language construct, not a function, so listing it has no effect; and escapeshellarg/escapeshellcmd are the sanitisers that safe code relies on, so disabling them breaks legitimate callers without removing any capability. Review the list against what the application actually needs.
# vim /usr/local/php/etc/php.ini  // search for disable_functions and set it to
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,stream_socket_server,proc_open,proc_close
  • Configuring error_log
# in /usr/local/php/etc/php.ini, search for log_errors and set
log_errors = On
# then search for error_log and set
error_log = /var/log/php/php_errors.log
# then search for error_reporting and set
error_reporting = E_ALL & ~E_NOTICE
# then search for display_errors and set
display_errors = Off
    log_errors = On is what makes PHP write errors to a log at all.
    error_log sets the log file. The directory must exist and be writable by the user Apache runs as (the User directive in httpd.conf); if the file cannot be opened, PHP falls back to Apache's own error_log instead.
    error_reporting selects which levels are logged. E_ALL records everything, notices included, which is convenient in development but fills the log with noise in production. & means "and", ~ means "except", so E_ALL & ~E_NOTICE is everything except notices.
    display_errors = On prints errors into the HTTP response. That is poor for users and, more importantly, discloses file paths, SQL fragments and other internals to anyone who can trigger an error, so it must be Off on any reachable server; with log_errors on, nothing is lost.
  • open_basedir: confine each site to its own directory tree
    For the default site, set it in /usr/local/php/etc/php.ini: open_basedir = /tmp/:/usr/local/apache2.4/test-webroot/
    For a virtual host, set it in that host's configuration: php_admin_value open_basedir "/data/wwwroot/www.123.com/:/tmp/"
    PHP then refuses to open any file outside the listed paths, which blunts path-traversal and local-file-inclusion bugs (../../etc/passwd). Each entry is a prefix match, so always end it with a slash: /data/wwwroot/www.123.com without the slash also permits /data/wwwroot/www.123.com-old. Use php_admin_value rather than php_value so that a .htaccess or ini_set() inside the site cannot widen it.

Note that /tmp is listed because the site needs somewhere for temporary files, for example uploads in progress (upload_tmp_dir) and session files. It is shared by every site on the host, so one compromised vhost can read another's session files there; a per-site temporary directory is stricter.
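As an added example (not from the original post), the error_log and open_basedir settings from this section applied to one virtual host with php_admin_value/php_admin_flag (mod_php), so that neither .htaccess nor ini_set() in the site's code can relax them. The hostname, paths and log file name are assumptions.

```apache
# Added example, not from the original post.
<VirtualHost *:80>
    ServerName www.123.com
    DocumentRoot "/data/wwwroot/www.123.com"

    # Confine file access to the site tree plus a private tmp directory
    # (assumed path; it must exist and be writable by Apache's User).
    # Trailing slashes matter: entries are prefix matches without them.
    php_admin_value open_basedir      "/data/wwwroot/www.123.com/:/data/tmp/www.123.com/"
    php_admin_value upload_tmp_dir    "/data/tmp/www.123.com/"
    php_admin_value session.save_path "/data/tmp/www.123.com/"

    # Log, never display. The log directory must be writable by Apache's
    # User and must not be under DocumentRoot, or the log becomes downloadable.
    php_admin_flag  log_errors      On
    php_admin_flag  display_errors  Off
    php_admin_value error_log       "/var/log/php/www.123.com_errors.log"
    # httpd.conf does not evaluate PHP constants, so E_ALL & ~E_NOTICE
    # must be given numerically: 32767 & ~8 = 32759 (PHP 5.4 and later).
    php_admin_value error_reporting 32759

    # disable_functions cannot go here: PHP only honours it in php.ini.
</VirtualHost>
```

After a reload, confirm the values from a phpinfo() page served by this vhost (the "Local Value" column), then delete that page.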