11-2 11 LAMP复习 参数
发布时间:2019-06-25


复习LAMP

虚拟主机

[root@axiang-03 apache2.4]# vim conf/httpd.conf

[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf
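# NOTE(review): the <VirtualHost> opening/closing tags appear to have been lost
# when this page was extracted. The directives below belong to two separate
# virtual hosts and each group needs its own <VirtualHost> container.

# First virtual host. In name-based virtual hosting the first vhost listed for
# an address:port also answers requests whose Host header matches no
# ServerName/ServerAlias, so it doubles as the catch-all site.
DocumentRoot "/data/wwwroot/aaa.com"
ServerName aaa.com

# Second virtual host, reachable under four additional names and writing its
# own error and access logs (access log in the "common" format).
DocumentRoot "/data/wwwroot/bbb.com"
ServerName bbb.com
ServerAlias www.bbb.com www.222.com 222.com
ErrorLog "logs/bbb.com-error_log"
CustomLog "logs/bbb.com-access_log" common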

修改 Windows 7 的 hosts 文件,把这些域名指向服务器后,浏览器就可以访问了

Apache用户认证

全目录用户认证

[root@axiang-03 ~]# cd /usr/local/apache2.4/[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf
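# NOTE(review): the <VirtualHost> and <Directory> container tags appear to have
# been lost when this page was extracted; the auth directives are meant to sit
# inside a <Directory> block for the site root (whole-directory authentication).
DocumentRoot "/data/wwwroot/ccc.com"
ServerName ccc.com

# Let .htaccess files under this directory override authentication directives.
AllowOverride AuthConfig
# Realm text shown in the browser's login prompt.
AuthName "ccc.com user auth"
# HTTP Basic authentication: the browser sends the username and password
# base64-encoded (not encrypted) with every request. This page only shows
# plain-HTTP (port 80) requests, so the credentials would cross the network in
# clear text unless the site is served over TLS.
AuthType Basic
# Password file kept outside every DocumentRoot, so it cannot be requested over
# HTTP. The page creates it with `htpasswd -m` (MD5/apr1 hashes); the htpasswd
# shipped with Apache 2.4 also accepts -B for bcrypt.
AuthUserFile /data/.htpasswd
# Any user listed in the password file may log in.
require valid-user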
[root@axiang-03 apache2.4]# bin/htpasswd -cm /data/.htpasswd axiangNew password: Re-type new password: Adding password for user axiang[root@axiang-03 apache2.4]# bin/htpasswd -m /data/.htpasswd adminNew password: Re-type new password: Adding password for user admin[root@axiang-03 apache2.4]# bin/apachectl -tAH00112: Warning: DocumentRoot [/data/wwwroot/ccc.com] does not existSyntax OK[root@axiang-03 apache2.4]# mkdir /data/wwwroot/ccc.com[root@axiang-03 apache2.4]# vim !$/index.phpvim /data/wwwroot/ccc.com/index.php[root@axiang-03 apache2.4]# bin/apachectl -tSyntax OK[root@axiang-03 apache2.4]# bin/apachectl graceful

单页面用户认证

[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf 
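# NOTE(review): container tags were lost when this page was extracted. The two
# bare "#" lines below look like the commented-out <Directory> tags from the
# whole-directory example, and the container that limits authentication to a
# single page (the section goes on to create admin.php) is not visible here;
# presumably a <Files>/<FilesMatch> block. Confirm against the original post
# before reusing this fragment.
DocumentRoot "/data/wwwroot/ccc.com"
ServerName ccc.com
#
AllowOverride AuthConfig
AuthName "ccc.com user auth"
# Basic authentication sends base64-encoded credentials with every request;
# serve the protected page over TLS if the login must stay confidential.
AuthType Basic
AuthUserFile /data/.htpasswd
require valid-user
#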
[root@axiang-03 apache2.4]# bin/apachectl -tSyntax OK[root@axiang-03 apache2.4]# bin/apachectl graceful[root@axiang-03 apache2.4]# vim /data/wwwroot/ccc.com/admin.php

域名跳转

[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf 
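# NOTE(review): the <VirtualHost> (and any <IfModule mod_rewrite.c>) tags appear
# to have been lost when this page was extracted. The page edits conf/httpd.conf
# right after this step, presumably to load mod_rewrite; confirm.
DocumentRoot "/data/wwwroot/bbb.com"
ServerName bbb.com
ServerAlias www.bbb.com www.222.com 222.com

# Redirect every request that arrives under an alias to the canonical host.
RewriteEngine on
# Dots are escaped so the pattern matches the literal host name bbb.com only;
# an unescaped "." would match any character.
RewriteCond %{HTTP_HOST} !^bbb\.com$
# The redirect target host is hard-coded rather than taken from the request,
# so a forged Host header cannot steer visitors to another site.
RewriteRule ^/(.*)$ http://bbb.com/$1 [R=301,L]

ErrorLog "logs/bbb.com-error_log"
CustomLog "logs/bbb.com-access_log" common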
[root@axiang-03 apache2.4]# vim conf/httpd.conf

[root@axiang-03 apache2.4]# bin/apachectl -tSyntax OK[root@axiang-03 apache2.4]# bin/apachectl graceful[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 -I 222.comHTTP/1.1 301 Moved Permanently

Apache访问日志

[root@axiang-03 apache2.4]# vim conf/httpd.conf

[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf

[root@axiang-03 apache2.4]# bin/apachectl -tSyntax OK[root@axiang-03 apache2.4]# bin/apachectl graceful[root@axiang-03 apache2.4]# curl -x127.0.0.1:80 -I bbb.comHTTP/1.1 200 OKDate: Tue, 08 Aug 2017 13:57:20 GMTServer: Apache/2.4.27 (Unix) PHP/5.6.30X-Powered-By: PHP/5.6.30Content-Type: text/html; charset=UTF-8[root@axiang-03 apache2.4]# tail -2 logs/bbb.com-access_log 192.168.83.139 - - [08/Aug/2017:21:46:16 +0800] "HEAD HTTP://222.com/ HTTP/1.1" 301 -127.0.0.1 - - [08/Aug/2017:21:57:20 +0800] "HEAD HTTP://bbb.com/ HTTP/1.1" 200 - "-" "curl/7.29.0"

访问日志不记录静态文件

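# NOTE(review): the <VirtualHost> tags appear to have been lost when this page
# was extracted.
DocumentRoot "/data/wwwroot/ddd.com"
ServerName ddd.com

# Mark requests for static assets by setting the "img" environment variable
# whenever the request URI ends in one of these extensions.
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img

# Log only requests that are NOT marked "img". Requests for the extensions
# above leave no trace in the access log, which also removes them from any
# later traffic analysis or incident investigation.
CustomLog "logs/ddd.com-access_log" combined env=!img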

访问日志切割

# Pipe the access log through rotatelogs so a new file is started every
# 86400 seconds (one day); -l bases the rotation boundary on local time and the
# %Y%m%d pattern puts the date in each file name. As written, nothing here
# deletes old files, so retention and disk usage must be handled separately.
# Requests flagged with the "img" variable are still excluded from logging.
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/ddd.com-access_%Y%m%d.log 86400" combined env=!img

静态元素过期时间

[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf 
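# NOTE(review): any enclosing container (for example <IfModule mod_expires.c>)
# appears to have been lost when this page was extracted. The page edits
# conf/httpd.conf right after this step, presumably to load mod_expires; confirm.

# Turn on generation of Expires / Cache-Control max-age headers.
ExpiresActive on
# Per-MIME-type lifetimes, counted from the time of the client's request
# ("access" and "now" are the same base time in mod_expires).
ExpiresByType image/gif "access plus 1 days"
ExpiresByType image/jpeg "access plus 24 hours"
ExpiresByType image/png "access plus 24 hours"
ExpiresByType text/css "now plus 2 hour"
ExpiresByType application/x-javascript "now plus 2 hours"
ExpiresByType application/javascript "now plus 2 hours"
ExpiresByType application/x-shockwave-flash "now plus 2 hours"
# Every other content type expires immediately.
ExpiresDefault "now plus 0 min"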
[root@axiang-03 apache2.4]# vim conf/httpd.conf

[root@axiang-03 apache2.4]# vim conf/httpd.conf[root@axiang-03 apache2.4]# bin/apachectl -t[root@axiang-03 apache2.4]# cd /data/wwwroot/ddd.com/[root@axiang-03 ddd.com]# rz[root@axiang-03 ddd.com]# curl -x127.0.0.1:80 ddd.com/baidu.png -I

配置防盗链

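# NOTE(review): the enclosing <Directory>/<FilesMatch> tags appear to have been
# lost when this page was extracted; Order/Allow are only valid inside such a
# container.

# Flag requests whose Referer header matches one of the trusted sites. The
# patterns are unanchored regular expressions, so they match any Referer that
# contains the text; anchor them with ^ and escape the dots for stricter matching.
SetEnvIfNoCase Referer "http://ddd.com" local_ref
SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
# An empty Referer (address typed directly, or header stripped) is also trusted.
SetEnvIfNoCase Referer "^$" local_ref

# Allow what was flagged above; every other source is denied.
# (The original annotation was written after "//" on the Order line, which is
# not comment syntax in Apache configuration.)
# Referer is supplied by the client (the page's own test sets it with curl -e),
# so this discourages hotlinking but is not an access control for private files.
# Order/Allow come from mod_access_compat on Apache 2.4; the native 2.4 form is
# "Require env local_ref".
Order Allow,Deny
Allow from env=local_ref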
[root@axiang-03 apache2.4]# curl -x127.0.0.1:80 ddd.com/baidu.png -IHTTP/1.1 200 OK[root@axiang-03 apache2.4]# curl -e "http://www.qq.com" -x127.0.0.1:80 ddd.com/baidu.png -IHTTP/1.1 403 Forbidden

访问控制Directory

[root@axiang-03 apache2.4]# cd -/data/wwwroot/ddd.com[root@axiang-03 ddd.com]# mkdir admin[root@axiang-03 ddd.com]# vim admin/info.php[root@axiang-03 ddd.com]# cd -/usr/local/apache2.4[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf 
Order deny,allow Deny from all Allow from 127.0.0.1[root@axiang-03 apache2.4]# bin/apachectl -tSyntax OK[root@axiang-03 apache2.4]# bin/apachectl graceful[root@axiang-03 apache2.4]# curl -x127.0.0.1:80 ddd.com/admin/info.php -IHTTP/1.1 200 OK[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 ddd.com/admin/info.php -IHTTP/1.1 403 Forbidden

访问控制FilesMatch

[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf
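# NOTE(review): the <VirtualHost>, <Directory> and <FilesMatch> tags appear to
# have been lost when this page was extracted, so the file pattern this rule
# applies to is not visible. Judging by the test requests on the page
# (files.php is refused, info.php is served) it presumably matches "files.php";
# confirm against the original post.
DocumentRoot "/data/wwwroot/ddd.com"
ServerName ddd.com

# Deny everyone, then re-admit requests coming from the loopback address only.
# The decision is based on the client's source address as seen by Apache, so
# behind a reverse proxy every request may appear to come from the proxy.
# Order/Deny/Allow are provided by mod_access_compat on Apache 2.4; the native
# 2.4 form is "Require ip 127.0.0.1".
Order deny,allow
Deny from all
Allow from 127.0.0.1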
[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 ddd.com/admin/info.php -IHTTP/1.1 200 OK[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 ddd.com/admin/files.php -IHTTP/1.1 403 Forbidden[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 ddd.com/admin/aefiles.phpeon -IHTTP/1.1 403 Forbidden

限定某个目录禁止解析php

[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf 
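# NOTE(review): the <VirtualHost> and <Directory> tags appear to have been lost
# when this page was extracted. The flag is meant to apply to one directory
# only, presumably the upload directory the page creates
# (/data/wwwroot/aaa.com/uplode); confirm against the original post.
DocumentRoot "/data/wwwroot/aaa.com"
ServerName aaa.com

# Switch the PHP engine off for the enclosing directory so that uploaded files
# are never executed. php_admin_* settings cannot be overridden from .htaccess.
# With the engine off, a .php file is returned as an ordinary file, so its
# source reaches the client (the page notes that some browsers download it).
# Pair this with a rule that refuses requests for *.php in the same directory,
# so uploaded scripts are neither executed nor disclosed.
php_admin_flag engine off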
[1]+ 已停止 vim conf/extra/httpd-vhosts.conf[root@axiang-03 apache2.4]# mkdir /data/wwwroot/aaa.com/uplode/[root@axiang-03 apache2.4]# vim !$1.phpvim /data/wwwroot/aaa.com/uplode/1.php[root@axiang-03 apache2.4]# bin/apachectl -tSyntax OK[root@axiang-03 apache2.4]# bin/apachectl graceful[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 aaa.com/uplode/1.php
  • 核心配置 php_admin_flag engine off
  • 关闭解析后,服务器会把 .php 文件当作普通文件原样返回(有的浏览器会直接下载),源码因此会暴露给访问者;上传目录最好同时禁止访问 .php 文件

限制user_agent

[root@axiang-03 apache2.4]# fgvim conf/extra/httpd-vhosts.conf
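# NOTE(review): the enclosing <VirtualHost>/<IfModule mod_rewrite.c> tags appear
# to have been lost when this page was extracted.

# Refuse (403) any request whose User-Agent contains "curl" or "baidu.com",
# compared case-insensitively ([NC]); [OR] joins the two conditions.
# User-Agent is chosen by the client: the page's own test with curl -A "123"
# is served normally. Treat this as a filter for well-behaved crawlers and
# tools, not as a control that stops a determined client.
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]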
[1]+ 已停止 vim conf/extra/httpd-vhosts.conf[root@axiang-03 apache2.4]# bin/apachectl -tSyntax OK[root@axiang-03 apache2.4]# bin/apachectl graceful[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 aaa.com403 Forbidden

Forbidden

You don't have permission to access /on this server.

[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 aaa.com -IHTTP/1.1 403 ForbiddenDate: Wed, 09 Aug 2017 01:44:45 GMTServer: Apache/2.4.27 (Unix) PHP/5.6.30Content-Type: text/html; charset=iso-8859-1[root@axiang-03 apache2.4]# curl -A "123" -x192.168.83.139:80 aaa.com -IHTTP/1.1 200 OK

php相关配置

[root@axiang-03 apache2.4]# tree /data/wwwroot//data/wwwroot/├── aaa.com│   ├── index.html│   └── uplode│       └── 1.php├── bbb.com│   └── index.php├── ccc.com│   ├── admin.php│   └── index.php└── ddd.com    ├── 1.jpg    ├── admin    │   ├── files.php    │   └── info.php    ├── baidu.png    └── index.php

[root@axiang-03 apache2.4]# /usr/local/php/bin/php -i | grep -i "loaded config"Loaded Configuration File => /usr/local/php/etc/php.iniPHP Warning:  Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting...[root@axiang-03 apache2.4]# cd /usr/local/php/[root@axiang-03 php]# vim etc/php.ini

关掉告警

禁用不安全函数(disable_functions)

; Built-in PHP functions that scripts may not call. This is a global php.ini
; setting, so it applies to every virtual host served by this PHP build.
; - disable_functions only affects functions; eval is a language construct, so
;   listing it here has no effect.
; - passthru, popen, escapeshellarg and escapeshellcmd appear twice; the
;   duplicates are harmless.
; - NOTE(review): leak and popepassthru do not look like current PHP function
;   names; verify them before relying on this list.
; - NOTE(review): escapeshellarg/escapeshellcmd are escaping helpers, not
;   execution primitives; disabling them breaks code that uses them to quote
;   arguments. Confirm this is intended.
; Calling a disabled function produces a PHP warning (see the phpinfo() entry
; in the error log shown further down the page) rather than an HTTP error.
disable_functions =eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo

调整日志参数

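; The original annotations were written as bare text (and "//") after each
; value; they are turned into php.ini comments here so the lines parse.

; Enable the error log.
log_errors = On
; Path of the error log. /tmp is world-writable and the name is predictable:
; the file must be writable by the web server user, and error messages can
; contain file paths and request data. A dedicated log directory with
; restricted permissions is the safer place for it.
error_log = /tmp/php_errors.log
; Do not print errors into the page sent to the browser.
display_errors = Off
; Error level: E_ALL records everything. Notices usually do not need to be
; recorded; php.ini lists the expression formats for excluding levels.
error_reporting = E_ALL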
[root@axiang-03 php]# cd -/usr/local/apache2.4[root@axiang-03 apache2.4]# vim /data/wwwroot/ccc.com/index.php [root@axiang-03 apache2.4]# bin/apachectl -tSyntax OK[root@axiang-03 apache2.4]# bin/apachectl graceful[root@axiang-03 apache2.4]# cat /tmp/php_errors.log [09-Aug-2017 10:30:58 Asia/Chongqing] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/ddd.com/admin/info.php on line 1[09-Aug-2017 10:42:40 Asia/Chongqing] PHP Parse error:  syntax error, unexpected 'aefa' (T_STRING) in /data/wwwroot/ccc.com/index.php on line 3
  • 这里禁用 phpinfo 之后,用 curl 访问依然返回 200;error_reporting 如果不记录 Notice,也不会有提示
  • apache 禁用 php 解析时,php 不会报错

设置基础目录隔离不同网站

# Confine PHP file access for one virtual host to its own document root plus
# /tmp/ (entries are separated by ":"). xxx.com stands for the site's own
# directory, so the line is repeated per virtual host with that host's path.
# /tmp/ is shared by every site configured this way, so files PHP places there
# remain reachable from the other sites' scripts.
# NOTE(review): if sessions or upload temp files live in /tmp, a per-site
# temporary directory gives better isolation; confirm the PHP settings.
php_admin_value open_basedir "/data/wwwroot/xxx.com:/tmp/"

  • 在 php.ini 里设置 open_basedir 会对所有虚拟主机生效,导致其他虚拟主机无法访问(返回 500),所以要在各虚拟主机的配置里用 php_admin_value 分别设置

转载于:https://my.oschina.net/u/3579690/blog/1548087
