LAMP review
Virtual hosts
[root@axiang-03 apache2.4]# vim conf/httpd.conf
[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/aaa.com"
ServerName aaa.com
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/bbb.com"
ServerName bbb.com
ServerAlias www.bbb.com www.222.com 222.com
ErrorLog "logs/bbb.com-error_log"
CustomLog "logs/bbb.com-access_log" common
</VirtualHost>
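After editing the hosts file on Windows 7, the sites can be opened in a browser.
Apache user authentication
User authentication for a whole directory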
[root@axiang-03 ~]# cd /usr/local/apache2.4/
[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/ccc.com"
ServerName ccc.com
<Directory /data/wwwroot/ccc.com>
AllowOverride AuthConfig
AuthName "ccc.com user auth"
AuthType Basic
AuthUserFile /data/.htpasswd
require valid-user
</Directory>
</VirtualHost>
[root@axiang-03 apache2.4]# bin/htpasswd -cm /data/.htpasswd axiang
New password:
Re-type new password:
Adding password for user axiang
[root@axiang-03 apache2.4]# bin/htpasswd -m /data/.htpasswd admin
New password:
Re-type new password:
Adding password for user admin
[root@axiang-03 apache2.4]# bin/apachectl -t
AH00112: Warning: DocumentRoot [/data/wwwroot/ccc.com] does not exist
Syntax OK
[root@axiang-03 apache2.4]# mkdir /data/wwwroot/ccc.com
[root@axiang-03 apache2.4]# vim !$/index.php
vim /data/wwwroot/ccc.com/index.php
[root@axiang-03 apache2.4]# bin/apachectl -t
Syntax OK
[root@axiang-03 apache2.4]# bin/apachectl graceful
User authentication for a single page
[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/ccc.com"
ServerName ccc.com
#<Directory /data/wwwroot/ccc.com>
<FilesMatch admin.php>
AllowOverride AuthConfig
AuthName "ccc.com user auth"
AuthType Basic
AuthUserFile /data/.htpasswd
require valid-user
</FilesMatch>
#</Directory>
</VirtualHost>
[root@axiang-03 apache2.4]# bin/apachectl -t
Syntax OK
[root@axiang-03 apache2.4]# bin/apachectl graceful
[root@axiang-03 apache2.4]# vim /data/wwwroot/ccc.com/admin.php
Domain redirect
[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/bbb.com"
ServerName bbb.com
ServerAlias www.bbb.com www.222.com 222.com
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} !^bbb.com$
RewriteRule ^/(.*)$ http://bbb.com/$1 [R=301,L]
</IfModule>
ErrorLog "logs/bbb.com-error_log"
CustomLog "logs/bbb.com-access_log" common
</VirtualHost>
[root@axiang-03 apache2.4]# vim conf/httpd.conf
[root@axiang-03 apache2.4]# bin/apachectl -t
Syntax OK
[root@axiang-03 apache2.4]# bin/apachectl graceful
[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 -I 222.com
HTTP/1.1 301 Moved Permanently
Apache access log
[root@axiang-03 apache2.4]# vim conf/httpd.conf
[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf
[root@axiang-03 apache2.4]# bin/apachectl -t
Syntax OK
[root@axiang-03 apache2.4]# bin/apachectl graceful
[root@axiang-03 apache2.4]# curl -x127.0.0.1:80 -I bbb.com
HTTP/1.1 200 OK
Date: Tue, 08 Aug 2017 13:57:20 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8
[root@axiang-03 apache2.4]# tail -2 logs/bbb.com-access_log
192.168.83.139 - - [08/Aug/2017:21:46:16 +0800] "HEAD HTTP://222.com/ HTTP/1.1" 301 -
127.0.0.1 - - [08/Aug/2017:21:57:20 +0800] "HEAD HTTP://bbb.com/ HTTP/1.1" 200 - "-" "curl/7.29.0"
Excluding static files from the access log
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/ddd.com"
ServerName ddd.com
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "logs/ddd.com-access_log" combined env=!img
</VirtualHost>
Access log rotation
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/ddd.com-access_%Y%m%d.log 86400" combined env=!img
Expiry time for static elements
[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf
<IfModule mod_expires.c>
ExpiresActive on
ExpiresByType image/gif "access plus 1 days"
ExpiresByType image/jpeg "access plus 24 hours"
ExpiresByType image/png "access plus 24 hours"
ExpiresByType text/css "now plus 2 hour"
ExpiresByType application/x-javascript "now plus 2 hours"
ExpiresByType application/javascript "now plus 2 hours"
ExpiresByType application/x-shockwave-flash "now plus 2 hours"
ExpiresDefault "now plus 0 min"
</IfModule>
[root@axiang-03 apache2.4]# vim conf/httpd.conf
[root@axiang-03 apache2.4]# vim conf/httpd.conf
[root@axiang-03 apache2.4]# bin/apachectl -t
[root@axiang-03 apache2.4]# cd /data/wwwroot/ddd.com/
[root@axiang-03 ddd.com]# rz
[root@axiang-03 ddd.com]# curl -x127.0.0.1:80 ddd.com/baidu.png -I
Configuring hotlink protection
<Directory /data/wwwroot/ddd.com>
SetEnvIfNoCase Referer "http://ddd.com" local_ref
SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
# Allow the referers defined above; deny every other source
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</Directory>
[root@axiang-03 apache2.4]# curl -x127.0.0.1:80 ddd.com/baidu.png -I
HTTP/1.1 200 OK
[root@axiang-03 apache2.4]# curl -e "http://www.qq.com" -x127.0.0.1:80 ddd.com/baidu.png -I
HTTP/1.1 403 Forbidden
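The Referer patterns in the hotlink rules above are regular expressions that SetEnvIfNoCase searches for, case-insensitively, anywhere in the header value. The following is an added example, not part of the original notes: it uses Python's `re` module as a stand-in for Apache's regex engine and evaluates the patterns against constructed Referer values, next to an anchored variant. The anchored patterns and the sample values are assumptions made for illustration.

```python
import re

# Patterns exactly as written in the notes' SetEnvIfNoCase lines.
PAGE_PATTERNS = [r"http://ddd.com", r"http://ask.apelearn.com", r"^$"]

# Assumed tightened variant (not from the notes): escape the dots and
# require the host name to end at "/" or at the end of the string.
ANCHORED_PATTERNS = [
    r"^http://ddd\.com(/|$)",
    r"^http://ask\.apelearn\.com(/|$)",
    r"^$",
]

def sets_local_ref(referer, patterns):
    """Return True if any pattern would set local_ref for this Referer.

    SetEnvIfNoCase does an unanchored, case-insensitive regex search;
    a missing Referer header is compared as the empty string.
    """
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)

# Constructed sample Referer values.
SAMPLES = [
    "",                                      # no Referer (curl without -e)
    "http://ddd.com/index.php",              # the site itself
    "http://www.qq.com",                     # the foreign referer tested above
    "http://ddd.com.example.net/page",       # foreign host that begins with ddd.com
    "http://example.net/?u=http://ddd.com",  # pattern appears inside the query
    "http://dddXcom/",                       # "." in the pattern matches any char
]

def compare(samples=SAMPLES):
    """Return (referer, allowed_by_page_rules, allowed_by_anchored_rules)."""
    return [
        (r, sets_local_ref(r, PAGE_PATTERNS), sets_local_ref(r, ANCHORED_PATTERNS))
        for r in samples
    ]

if __name__ == "__main__":
    for referer, page, anchored in compare():
        print(f"{referer!r:42} page={page!s:5} anchored={anchored}")
```

The last three samples are accepted by the patterns as written and rejected by the anchored ones; the empty Referer is accepted by both, which matches the 200 returned to curl without `-e`.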
Access control with Directory
[root@axiang-03 apache2.4]# cd -
/data/wwwroot/ddd.com
[root@axiang-03 ddd.com]# mkdir admin
[root@axiang-03 ddd.com]# vim admin/info.php
[root@axiang-03 ddd.com]# cd -
/usr/local/apache2.4
[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/ddd.com/admin/>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
[root@axiang-03 apache2.4]# bin/apachectl -t
Syntax OK
[root@axiang-03 apache2.4]# bin/apachectl graceful
[root@axiang-03 apache2.4]# curl -x127.0.0.1:80 ddd.com/admin/info.php -I
HTTP/1.1 200 OK
[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 ddd.com/admin/info.php -I
HTTP/1.1 403 Forbidden
Access control with FilesMatch
[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/ddd.com"
ServerName ddd.com
<Directory /data/wwwroot/ddd.com/admin/>
<FilesMatch (.*)files.php(.*)>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>
</Directory>
</VirtualHost>
[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 ddd.com/admin/info.php -I
HTTP/1.1 200 OK
[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 ddd.com/admin/files.php -I
HTTP/1.1 403 Forbidden
[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 ddd.com/admin/aefiles.phpeon -I
HTTP/1.1 403 Forbidden
Disabling PHP parsing for a specific directory
[root@axiang-03 apache2.4]# vim conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/aaa.com"
ServerName aaa.com
<Directory /data/wwwroot/aaa.com/uplode/>
php_admin_flag engine off
</Directory>
</VirtualHost>
[1]+ 已停止 vim conf/extra/httpd-vhosts.conf
[root@axiang-03 apache2.4]# mkdir /data/wwwroot/aaa.com/uplode/
[root@axiang-03 apache2.4]# vim !$1.php
vim /data/wwwroot/aaa.com/uplode/1.php
[root@axiang-03 apache2.4]# bin/apachectl -t
Syntax OK
[root@axiang-03 apache2.4]# bin/apachectl graceful
[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 aaa.com/uplode/1.php
<? echo "this is uploda php"; ?>
- Core setting:
php_admin_flag engine off
- Some browsers will download the file directly.
Restricting user_agent
[root@axiang-03 apache2.4]# fg
vim conf/extra/httpd-vhosts.conf
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]
</IfModule>
[1]+ 已停止 vim conf/extra/httpd-vhosts.conf
[root@axiang-03 apache2.4]# bin/apachectl -t
Syntax OK
[root@axiang-03 apache2.4]# bin/apachectl graceful
[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 aaa.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
</body></html>
[root@axiang-03 apache2.4]# curl -x192.168.83.139:80 aaa.com -I
HTTP/1.1 403 Forbidden
Date: Wed, 09 Aug 2017 01:44:45 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
[root@axiang-03 apache2.4]# curl -A "123" -x192.168.83.139:80 aaa.com -I
HTTP/1.1 200 OK
PHP-related configuration
[root@axiang-03 apache2.4]# tree /data/wwwroot/
/data/wwwroot/
├── aaa.com
│ ├── index.html
│ └── uplode
│ └── 1.php
├── bbb.com
│ └── index.php
├── ccc.com
│ ├── admin.php
│ └── index.php
└── ddd.com
├── 1.jpg
├── admin
│ ├── files.php
│ └── info.php
├── baidu.png
└── index.php
[root@axiang-03 apache2.4]# /usr/local/php/bin/php -i | grep -i "loaded config"
Loaded Configuration File => /usr/local/php/etc/php.ini
PHP Warning: Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting...
[root@axiang-03 apache2.4]# cd /usr/local/php/
[root@axiang-03 php]# vim etc/php.ini
Turn off the warning
Disable unsafe functions
disable_functions =eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
Adjust the logging parameters
log_errors = On
Enables the error log
error_log = /tmp/php_errors.log
Defines the log path
display_errors = Off
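Does not output errors to the browser
error_reporting = E_ALL ; this logs everything
Defines the error level. Notices generally do not need to be logged; the format for changing this is shown above.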
[root@axiang-03 php]# cd -
/usr/local/apache2.4
[root@axiang-03 apache2.4]# vim /data/wwwroot/ccc.com/index.php
[root@axiang-03 apache2.4]# bin/apachectl -t
Syntax OK
[root@axiang-03 apache2.4]# bin/apachectl graceful
[root@axiang-03 apache2.4]# cat /tmp/php_errors.log
[09-Aug-2017 10:30:58 Asia/Chongqing] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/ddd.com/admin/info.php on line 1
[09-Aug-2017 10:42:40 Asia/Chongqing] PHP Parse error: syntax error, unexpected 'aefa' (T_STRING) in /data/wwwroot/ccc.com/index.php on line 3
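- With phpinfo disabled here, a curl request still returns 200; if error_reporting does not log Notices, no message is reported either.
- When Apache disables PHP parsing, PHP does not report an error.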
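A small audit of the php.ini settings configured in this section, as an added example that is not part of the original notes. The sample file is constructed from the values above with the `disable_functions` list shortened; the function names `parse_ini` and `audit` and the set of checks are assumptions of this example.

```python
from collections import Counter

# Constructed php.ini fragment: the values from the notes, with the
# disable_functions list shortened (eval and the duplicates are kept).
SAMPLE_INI = """\
disable_functions =eval,assert,popen,passthru,exec,system,passthru,shell_exec,popen,phpinfo
log_errors = On
error_log = /tmp/php_errors.log
display_errors = Off
error_reporting = E_ALL ; log everything
"""

# Language constructs are not functions, so disable_functions cannot block them.
LANGUAGE_CONSTRUCTS = {"eval", "include", "require", "echo", "print"}
OFF_VALUES = {"off", "0", "false", "no"}
ON_VALUES = {"on", "1", "true", "yes"}

def parse_ini(text):
    """Parse 'key = value' lines; skip blanks, [sections] and ';' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(text):
    """Return findings for the error-handling and disable_functions settings."""
    s = parse_ini(text)
    findings = []
    if s.get("display_errors", "").lower() not in OFF_VALUES:
        findings.append("display_errors is not Off")
    if s.get("log_errors", "").lower() not in ON_VALUES:
        findings.append("log_errors is not On")
    if not s.get("error_log"):
        findings.append("error_log is not set")
    names = [n.strip().lower() for n in s.get("disable_functions", "").split(",") if n.strip()]
    if not names:
        findings.append("disable_functions is empty")
    for name in sorted(set(names) & LANGUAGE_CONSTRUCTS):
        findings.append(f"{name} is a language construct; disable_functions has no effect on it")
    dupes = sorted(n for n, c in Counter(names).items() if c > 1)
    if dupes:
        findings.append("duplicate entries: " + ", ".join(dupes))
    return findings
```

Run against the sample, the audit reports that `eval` cannot be disabled this way and that `passthru` and `popen` are listed twice.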
Setting a base directory to isolate different sites
php_admin_value open_basedir "/data/wwwroot/xxx.com:/tmp/"
- Setting open_basedir in php.ini makes the other virtual hosts inaccessible (status code 500).