Adding user accounts for authentication

    touch /data/.htpasswd
    [iyunv@user10 data]# htpasswd -c /data/.htpasswd user1    # add the first account
    [iyunv@user10 data]# htpasswd /data/.htpasswd user2       # add the second account
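Edit /usr/local/apache2/conf/extra/httpd-vhosts.conf

    <VirtualHost *:80>
        # <VirtualHost *:80>
        # Default virtual host: an extra vhost for host names this server does not
        # define, pointing at an empty directory/file, so that requests using a
        # host name the server has not defined are restricted.
        DocumentRoot "/tmp/111/"
    </VirtualHost>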

    # Directories the site's PHP code may use (set this in either Apache or PHP, one of the two)
    php_admin_value open_basedir "/usr/local/apache2/htdocs/:/tmp/"

    <VirtualHost *:80>
        DocumentRoot "/usr/local/apache2/htdocs/"
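
        <Directory /usr/local/apache2/htdocs/>
            # Directory listing disabled; +FollowSymLinks allows viewing the directory
            # Options FollowSymLinks
            # Apache access control; these control statements were copied from the main configuration file
            AllowOverride None
            # Order in which the rules are evaluated
            Order allow,deny
            Allow from all
            # Block access from a specific IP
            Deny from ip
        </Directory>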
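
        <FilesMatch "(.*)admin(.*)">
            # Only the listed IPs can reach admin.php; everyone else is refused
            Order deny,allow
            Deny from all
            Allow from ip1 ip2
            # AllowOverride AuthConfig is left commented out here: AllowOverride is only valid in <Directory> sections
            # Double verification
            AuthName "abc"
            AuthType Basic
            # Apache user authentication
            AuthUserFile /data/.htpasswd1
            Require valid-user
        </FilesMatch>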

        # Apache: do not log requests for the listed file types
        SetEnvIf Request_URI ".*\.gif$" image-request
        SetEnvIf Request_URI ".*\.jpg$" image-request
        SetEnvIf Request_URI ".*\.png$" image-request
        SetEnvIf Request_URI ".*\.bmp$" image-request
        SetEnvIf Request_URI ".*\.swp$" image-request
        SetEnvIf Request_URI ".*\.js$" image-request
        SetEnvIf Request_URI ".*\.css$" image-request
        ErrorLog "logs/user10.com-error_log"
        # Apache log rotation
        # env=!image-request: do not log the file types tagged image-request
        CustomLog "|/usr/local/apache2/bin/rotatelogs -l /usr/local/apache2/logs/user10.com-access_%Y%m%d_log 86400" combined env=!image-request

        # Static caching
        <IfModule mod_expires.c>
            ExpiresActive on
            ExpiresByType image/gif "access plus 1 days"
            ExpiresByType image/jpeg "access plus 24 hours"
            ExpiresByType image/png "access plus 24 hours"
            ExpiresByType text/css "now plus 2 hours"
            ExpiresByType application/x-javascript "now plus 2 hours"
            ExpiresByType application/x-shockwave-flash "now plus 2 hours"
            ExpiresDefault "now plus 0 min"
        </IfModule>
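
        # Apache hotlink protection
        # Put this server's own domain on the whitelist
        SetEnvIfNoCase Referer "^http://.*\.user10\.com" local_ref
        # Add this site to the whitelist
        SetEnvIfNoCase Referer ".*\.user11\.com" local_ref
        # File types the restriction applies to
        <FilesMatch "\.(doc|mp3|zip|rar|jpg|gif|png|js|css|jpeg)">
            Order Allow,Deny
            # Allow requests that have local_ref set; everything else is refused
            Allow from env=local_ref
            # No "Deny from all" here: with Order Allow,Deny anything not allowed is
            # already refused, and an explicit Deny from all would also refuse
            # the whitelisted requests.
        </FilesMatch>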
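
        <Directory /usr/local/apache2/htdocs/data/>
            # Within the virtual host, stop this directory from parsing PHP by switching off the PHP engine
            php_admin_flag engine off
            # Apache: refuse PHP files, so that they cannot be downloaded either
            <FilesMatch "(.*)php">
                Order deny,allow
                Deny from all
                # Uncomment to let a specific IP download them
                #Allow from ip
            </FilesMatch>
        </Directory>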
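
        <IfModule mod_rewrite.c>
            RewriteEngine on
            # Match on the User-Agent; NC: case-insensitive
            RewriteCond %{HTTP_USER_AGENT} ^.*curl.* [NC,OR]
            # Put a # in front of a condition and that agent is no longer blocked
            RewriteCond %{HTTP_USER_AGENT} ^.*chrome* [NC,OR]
            # Blocked user agents; the strings are chosen arbitrarily, so that IE and third-party browsers can both still be used
            RewriteCond %{HTTP_USER_AGENT} ^.*aeg* [NC]
            # Refuse outright; [F] stands for Forbidden
            RewriteRule .* - [F]
            # Use rewrite to restrict a directory: forbid access to files under /tmp/
            RewriteCond %{REQUEST_URI} ^.*/tmp/.* [NC]
            RewriteRule .* - [F]
        </IfModule>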

        # Require a login for a specific directory
        <Directory /usr/local/apache2/htdocs/abc/>
            AllowOverride AuthConfig
            AuthName "abc"
            AuthType Basic
            # Apache user authentication
            AuthUserFile /data/.htpasswd1
            Require valid-user
        </Directory>

        # Require a login for a specific directory
        <Directory /usr/local/apache2/htdocs/bcd/>
            AllowOverride AuthConfig
            AuthName "abc"
            AuthType Basic
            # Apache user authentication
            AuthUserFile /data/.htpasswd
            Require valid-user
        </Directory>
    </VirtualHost>
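
The Order/Allow/Deny blocks in the virtual host above, modelled in Python as an added example (not part of the original page and not Apache's own code): it applies the Apache 2.2 mod_authz_host rules to constructed requests and also shows that an explicit `Deny from all` under `Order Allow,Deny` refuses every request. The client addresses and helper names are assumptions, and password authentication is not modelled.

```python
import re

# Referer patterns that set local_ref above (SetEnvIfNoCase: case-insensitive search).
LOCAL_REF = [r"^http://.*\.user10\.com", r".*\.user11\.com"]

def request(ip, referer=""):
    """Build a constructed request with the env vars SetEnvIfNoCase would set."""
    hit = any(re.search(p, referer, re.I) for p in LOCAL_REF)
    return {"ip": ip, "env": {"local_ref"} if hit else set()}

def matches(arg, req):
    """One 'Allow from' / 'Deny from' argument against a request."""
    if arg == "all":
        return True
    if arg.startswith("env="):
        return arg[4:] in req["env"]
    return arg == req["ip"]  # exact address only; CIDR and host names omitted

def allowed(order, allow, deny, req):
    """Host-based decision of Apache 2.2 mod_authz_host for one request."""
    a = any(matches(x, req) for x in allow)
    d = any(matches(x, req) for x in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":   # default deny; a matching Deny wins
        return a and not d
    if order == "deny,allow":   # default allow; a matching Allow wins
        return a or not d
    raise ValueError(f"unsupported Order: {order}")

# Constructed requests; the addresses are documentation ranges, not the page's.
OWN = request("192.0.2.10", "http://www.user10.com/index.php")
FOREIGN = request("192.0.2.10", "http://www.example.net/page.html")
ADMIN = request("198.51.100.7")
BANNED = request("203.0.113.9")

def demo():
    return {
        "htdocs, normal client": allowed("allow,deny", ["all"], [BANNED["ip"]], OWN),
        "htdocs, banned ip": allowed("allow,deny", ["all"], [BANNED["ip"]], BANNED),
        "admin, listed ip": allowed("deny,allow", [ADMIN["ip"]], ["all"], ADMIN),
        "admin, other ip": allowed("deny,allow", [ADMIN["ip"]], ["all"], OWN),
        "hotlink, own referer": allowed("allow,deny", ["env=local_ref"], [], OWN),
        "hotlink, foreign referer": allowed("allow,deny", ["env=local_ref"], [], FOREIGN),
        "hotlink + Deny from all": allowed("allow,deny", ["env=local_ref"], ["all"], OWN),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26} {'served' if ok else '403'}")
```

A request that carries no Referer header never gets local_ref set, so the hotlink block refuses it as well.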

Checking that the configuration is correct

    HTTP/1.1 301 Moved Permanently
    Date: Tue, 05 Jan 2016 15:51:43 GMT
    Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8b DAV/2 PHP/5.5.30
    Content-Type: text/html; charset=iso-8859-1
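
In the main configuration file /usr/local/apache2/conf/httpd.conf, find the line "Include conf/extra/httpd-vhosts.conf" and remove the comment marker in front of it; otherwise user authentication will not work.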

    vim /etc/profile.d/path.sh

    #!/bin/bash
    export PATH=$PATH:/usr/local/mysql/bin:/usr/local/apache2/bin

    apachectl -M    # list the modules Apache has loaded

    [iyunv@user10 ~]# apachectl -M
    Loaded Modules:
     core_module (static)
     mpm_prefork_module (static)
     http_module (static)
     so_module (static)
     authn_file_module (shared)
     authn_dbm_module (shared)
     authn_anon_module (shared)
     authn_dbd_module (shared)
     authn_default_module (shared)
     authz_host_module (shared)
     authz_groupfile_module (shared)
     authz_user_module (shared)
     authz_dbm_module (shared)
     authz_owner_module (shared)
     authz_default_module (shared)
     auth_basic_module (shared)
     auth_digest_module (shared)
     dbd_module (shared)
     dumpio_module (shared)
     reqtimeout_module (shared)
     ext_filter_module (shared)
     include_module (shared)
     filter_module (shared)
     substitute_module (shared)
     deflate_module (shared)
     log_config_module (shared)
     logio_module (shared)
     env_module (shared)
     expires_module (shared)
     headers_module (shared)
     ident_module (shared)
     setenvif_module (shared)
     version_module (shared)
     ssl_module (shared)
     mime_module (shared)
     dav_module (shared)
     status_module (shared)
     autoindex_module (shared)
     asis_module (shared)
     info_module (shared)
     cgi_module (shared)
     dav_fs_module (shared)
     vhost_alias_module (shared)
     negotiation_module (shared)
     dir_module (shared)
     imagemap_module (shared)
     actions_module (shared)
     speling_module (shared)
     userdir_module (shared)
     alias_module (shared)
     rewrite_module (shared)
     php5_module (shared)
    Syntax OK

    apachectl -l    # list the modules compiled into Apache; if no mode is specified, the default is prefork

    [iyunv@user10 ~]# apachectl -l
    Compiled in modules:
      core.c
      prefork.c
      http_core.c
      mod_so.c
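
    OR      or; if it is not set, the two conditions are treated as both having to hold
    (.*)    stands for the part that does not include the HOST
    /       means the domain name is left out
    301     permanent redirect
    302     temporary redirect
    L       last; processing ends here
    401     the request is not authorized; status code returned when authentication is required
    403
    404
    500     PHP error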
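
Concepts:

Apache hotlink protection: stops the site's content from being used by others. Before you click a link to the next URL, the URL currently shown in the browser is the referer.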
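
Access control: when an attack is detected, the IP can be blocked. Copy one of the templates from the main configuration file into the virtual host configuration.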

Static caching: sets how long images and CSS files stay cached. Once that time has passed (that is, after expiry), the browser deletes the cached files. When the page is opened again, the files are cached again. Files can be cached for a few hours or a few days; after that time they are requested again, but until then no request is made to the server, which saves bandwidth.

    [iyunv@user10 ~]# curl -x192.168.0.168:80 'http://www.user10.com/static/image/common/logo_88_31.gif' -I
    HTTP/1.1 200 OK
    Date: Thu, 07 Jan 2016 02:49:38 GMT
    Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8b DAV/2 PHP/5.5.30
    Last-Modified: Mon, 04 Jan 2016 14:51:47 GMT
    ETag: "d9087-9e0-52883429d86c0"
    Accept-Ranges: bytes
    Content-Length: 2528
    Cache-Control: max-age=86400
    Expires: Fri, 08 Jan 2016 02:49:38 GMT
    Content-Type: image/gif
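
User-Agent: the browser version, or a search engine's crawler.

The user that Apache runs as is daemon.

Apache hotlink protection: unless a domain is on the whitelist defined on the server, any other site that embeds this site's resources is refused access.

Apache log rotation:

    CustomLog "|/usr/local/apache2/bin/rotatelogs -l /usr/local/apache2/logs/user10.com-access_%Y%m%d_log 86400/5M" combined

    |           pipe; hands the log to the rotatelogs tool that follows
    86400/5M    in seconds, one log per day / one log per 5M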

/usr/local/apache2/conf/httpd.conf

    <IfModule log_config_module>
        #
        # The following directives define some format nicknames for use with
        # a CustomLog directive (see below).
        #
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
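
        <IfModule logio_module>
            # You need to enable mod_logio.c to use %I and %O (custom format)
            LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
        </IfModule>

    %h               source IP
    --               empty, which is why it is shown this way
    %u               user
    %t               current time
    %r               the action (request)
    %{Referer}       URL
    %{User-Agent}    information about the browser in use

The class of user agent used by a source IP can be restricted.

    curl -A "ggaweagew" -x ip:80 URL -I    # -A: imitate a user agent
    apachectl graceful                     # reload the configuration
    apachectl -S                           # show the line numbers where the virtual hosts' domain names are configured

Apache loads PHP's libphp5.so file.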
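
A parser for the combined LogFormat quoted above, added here as an example (not code from the original page): it splits each access-log line into the fields listed and counts 401/403 responses per source IP, which is one way to pick candidates for a `Deny from` rule. The sample log lines, the addresses and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# "combined" as defined in httpd.conf on this page:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # Apache writes an embedded " as \"
COMBINED = re.compile(
    r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
    + QUOTED + ' ' + QUOTED + r'$'
)
FIELDS = ("host", "ident", "user", "time", "request",
          "status", "bytes", "referer", "agent")

# Constructed sample log (documentation addresses; not taken from the page).
SAMPLE = r'''
192.0.2.10 - - [07/Jan/2016:10:49:38 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jan/2016:10:50:01 +0800] "GET /admin.php HTTP/1.1" 403 210 "-" "curl/7.19.7"
203.0.113.9 - - [07/Jan/2016:10:50:02 +0800] "GET /abc/ HTTP/1.1" 401 401 "-" "curl/7.19.7"
203.0.113.9 - user1 [07/Jan/2016:10:50:03 +0800] "GET /abc/ HTTP/1.1" 401 401 "-" "x \"quoted\" agent"
198.51.100.7 - - [07/Jan/2016:10:51:00 +0800] "GET /tmp/a.txt HTTP/1.1" 403 208 "http://www.user10.com/" "Mozilla/5.0"
truncated line
'''

def parse(line):
    """Split one combined-format line into named fields, or None if malformed."""
    m = COMBINED.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def refused_by_host(lines, threshold=3):
    """Source addresses with at least `threshold` 401/403 responses."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["status"] in ("401", "403"):
            hits[rec["host"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in refused_by_host(SAMPLE.splitlines()).items():
        print(f"{ip}: {n} refused requests")
```

Requests for the file types tagged image-request are excluded from this log by `env=!image-request`, so refusals for those files never appear in it.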

Add to startup:

    vi /etc/profile.d/path.sh

    #!/bin/bash
    export PATH=$PATH:/usr/local/mysql/bin:/usr/local/apache2/bin

    chmod 755 /etc/profile.d/path.sh