LAMP架构 (Ⅲ )
十五 、配置防盗链
防盗链,通俗讲就是不让别人盗用你网站上的资源,这个资源指的是图片、视频、歌曲、文档等,在这之前需要理解一下referer的概念,如果你通过A网站的一个页面http://a.com/a.html里面的链接去访问B网站的一个页面http://b.com/b.html,那么这个B网站页面的referer就是http://a.com/a.html。也就是说,一个referer就是一个网址。
打开虚拟主机配置文件,按以下内容配置虚拟主机;
[root@ying01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf //编辑虚拟主机配置文件
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.example.com 2111.com.cn
<Directory /data/wwwroot/111.com>
SetEnvIfNoCase Referer "http://111.com" local_ref // 定义允许访问链接的referer
SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref //把空referer设为白名单,即直接访问的地址
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
Order Allow,Deny //白名单地址allow,其他deny
Allow from env=local_ref // 白名单为local_ref对应的地址
</FilesMatch>
</Directory>
ErrorLog "logs/111.com-error_log"
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
改完配置,还是需要检测语法,以及重启httpd
[root@ying01 ~]# /usr/local/apache2.4/bin/apachectl -t //更改配置后,需要检查配置语法
Syntax OK
[root@ying01 ~]# /usr/local/apache2.4/bin/apachectl graceful //重启httpd
现在用111.com/1.jpg 测试这个配置内容;
[root@ying01 ~]# ls /data/wwwroot/111.com/
123.php 1.jpg index.php
[root@ying01 111.com]# curl -x192.168.112.136:80 -I 111.com/1.jpg //直接访问,状态200,相当于空refer
HTTP/1.1 200 OK
Date: Sat, 30 Jun 2018 10:18:47 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Last-Modified: Tue, 26 Jun 2018 08:19:48 GMT
ETag: "8967-56f8729511100"
Accept-Ranges: bytes
Content-Length: 35175
Content-Type: image/jpeg
[root@ying01 111.com]# curl -e "http://www.qq.com/1.jpg" -x192.168.112.136:80 -I 111.com/1.jpg
HTTP/1.1 403 Forbidden //定义refer为qq,此为禁止refer
Date: Sat, 30 Jun 2018 10:19:22 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@ying01 111.com]# curl -e "http://111.com/1.jpg" -x192.168.112.136:80 -I 111.com/1.jpg
HTTP/1.1 200 OK //定义refer为111.com,可以访问
Date: Sat, 30 Jun 2018 10:19:59 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Last-Modified: Tue, 26 Jun 2018 08:19:48 GMT
ETag: "8967-56f8729511100"
Accept-Ranges: bytes
Content-Length: 35175
Content-Type: image/jpeg
[root@ying01 111.com]# curl -e "http://ask.apelearn.com/lkkh.gif" -x192.168.112.136:80 -I 111.com/1.jpg
HTTP/1.1 200 OK //定义refer为ask.apelearn.com,可以访问
Date: Sun, 01 Jul 2018 01:04:12 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Last-Modified: Tue, 26 Jun 2018 08:19:48 GMT
ETag: "8967-56f8729511100"
Accept-Ranges: bytes
Content-Length: 35175
Content-Type: image/jpeg
总结:
- 当需要访问111.com/1.jpg这个图片的时候:
- 直接访问访问图片;
因为已经定义为空refer: **SetEnvIfNoCase Referer "^$" local_ref **
- 通过制定的refer来访问;
已经定义111.com引用者: SetEnvIfNoCase Referer "http://111.com" local_ref
已经定义ask.apelearn.com引用者: SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
- 但是这个只是针对以下几种格式的内容:
FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
比如:我们来访问111.com/index.php,那么可以任意被引用;
[root@ying01 111.com]# curl -e "http://www.baidu.com" -x192.168.112.136:80 -I 111.com/index.php HTTP/1.1 200 OK //用百度,也可以访问index.php Date: Sun, 01 Jul 2018 01:14:23 GMT Server: Apache/2.4.33 (Unix) PHP/7.1.6 X-Powered-By: PHP/7.1.6 Content-Type: text/html; charset=UTF-8 [root@ying01 111.com]# curl -e "http://www.126.com" -x192.168.112.136:80 -I 111.com/index.php HTTP/1.1 200 OK //用126,也可以访问index.php,所以这个refer,可以任意指定 Date: Sun, 01 Jul 2018 01:16:12 GMT Server: Apache/2.4.33 (Unix) PHP/7.1.6 X-Powered-By: PHP/7.1.6 Content-Type: text/html; charset=UTF-8
十六 、访问控制
对于一些比较重要的网站内容,除了可以使用用户认证限制访问之外,还可以通过其他一些方法做到限制,比如限制IP,也可以限制user_agent。限制IP指的是限制访问网址的来源IP,而限制user_agent,通常用来限制恶意或者不正常的请求.
16.1 访问控制Directory
在虚拟主机配置文件里面,按下面内容配置;
[root@ying01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
以下为配置内容:
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.example.com 2111.com.cn
<Directory /data/wwwroot/111.com/admin> //增加admin目录
Order deny,allow //按先拒绝,再允许执行
Deny from all //拒绝所有
Allow from 127.0.0.1 //允许ip
</Directory>
ErrorLog "logs/111.com-error_log"
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
测试前的准备工作
[root@ying01 111.com]# ls
123.php 1.jpg 1.txt ceshi.png index.php
[root@ying01 111.com]# mkdir admin //在111.com下创建admin目录
[root@ying01 111.com]# touch admin/index.php //在admin下创建index.php文件
[root@ying01 111.com]# echo "qeqe2222" >> admin/index.php
[root@ying01 111.com]# cat !$
cat admin/index.php
qeqe2222
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl graceful //httpd重启
在允许IP 127.0.0.1下,访问admin目录
[root@ying01 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php -I //可以正常访问
HTTP/1.1 200 OK
Date: Sun, 01 Jul 2018 01:56:52 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
[root@ying01 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php //能够输出
qeqe2222
[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/admin/asdsf -I
HTTP/1.1 404 Not Found //404代表允许访问,此页面没有
Date: Sun, 01 Jul 2018 02:05:08 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
用ifconfig,查看本机有3个IP;
[root@ying01 111.com]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.112.136 netmask 255.255.255.0 broadcast 192.168.112.255
inet6 fe80::16dc:89c:b761:e115 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:87:3f:91 txqueuelen 1000 (Ethernet)
RX packets 8986 bytes 758369 (740.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4496 bytes 555923 (542.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.112.158 netmask 255.255.255.0 broadcast 192.168.112.255
ether 00:0c:29:87:3f:91 txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0 //已经定义allow
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 516 bytes 44492 (43.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 516 bytes 44492 (43.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
那么使用除127.0.0.1这个IP外,其他IP测试情况;
[root@ying01 111.com]# curl -x192.168.112.158:80 111.com/admin/index -I
HTTP/1.1 403 Forbidden //此IP下禁止访问
Date: Sun, 01 Jul 2018 03:10:05 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@ying01 111.com]# curl -x192.168.112.136:80 111.com/admin/index -I
HTTP/1.1 403 Forbidden //此IP下禁止访问
Date: Sun, 01 Jul 2018 03:10:19 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
16.2 访问控制FilesMatch
编辑虚拟主机配置文件,进行FilesMatch配置;既要匹配文件,又要限制IP;
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.example.com 2111.com.cn
<Directory /data/wwwroot/111.com> //在111.com目录下
<Filesmatch admin.php(.*)> //文件匹配admin.php后面跟任意的字符
Order deny,allow
Deny from all
Allow from 127.0.0.1 //只允许127.0.0.1访问
</Filesmatch>
</Directory>
ErrorLog "logs/111.com-error_log"
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
在满足admin.php 下,不同IP下,进行访问测试;
[root@ying01 111.com]# curl -x192.168.112.136:80 http://111.com/admin.phpsaaaaaaaaaaaa -I //满足admin.php
HTTP/1.1 403 Forbidden //因为只允许IP:127.0.0.1访问
Date: Sun, 01 Jul 2018 14:55:48 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@ying01 111.com]# curl -x192.168.112.136:80 'http://111.com/admin.php#aaaaaaaaaaaa' -I //满足admin.php
HTTP/1.1 403 Forbidden //因为只允许IP:127.0.0.1访问
Date: Sun, 01 Jul 2018 15:00:45 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@ying01 111.com]# curl -x127.0.0.1:80 'http://111.com/admin.php#aaaaaaaaaaaa' -I //加上单引号,是因为有特殊符号#
HTTP/1.1 404 Not Found //能够连接,但是无此页面
Date: Sun, 01 Jul 2018 15:01:10 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/admin.phpsaaaaaaaaaaaa -I
HTTP/1.1 404 Not Found //能够连接,但是无此页面
Date: Sun, 01 Jul 2018 15:02:51 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
试验结果:只有127.0.0.1能够访问 admin.php(.*)的网页。其余IP,无此权限;
16.3 限定某个目录禁止解析php
有这样一种情况,有些站点和论坛是允许上传图片到服务器,他们上传一些php或者js到服务器,然后被我们执行加载,从而对数据造成威胁。 为了避免这种事情的发生,我们需要限制上传类型。
编辑虚拟主机配置文件,进行以下配置;
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.example.com 2111.com.cn
<Directory /data/wwwroot/111.com/upload> //在111.com定义upload目录
php_admin_flag engine off //禁止php解析,所有访问都报403错误
<FilesMatch (.*)\.php(.*)> // .php 前后匹配任意字符
Order deny,allow //按禁止,允许执行
Deny from all //禁止全部
</Filesmatch>
</Directory>
ErrorLog "logs/111.com-error_log"
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
创建目录,并把123.php复制到upload,并重启配置;做好测试准备工作;
[root@ying01 111.com]# mkdir upload
[root@ying01 111.com]# ls
123.php 1.jpg 1.txt admin ceshi.png index.php upload
[root@ying01 111.com]# cp 123.php upload/
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
进行测试,发现禁止解析php,也不能输出源代码;
[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/upload/123.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 01 Jul 2018 15:45:24 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/upload/123.php //禁止访问,也不能输出源代码
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/123.php
on this server.<br />
</p>
</body></html>
再进行配置,把FilesMatch部分不执行,加上#号
[root@ying01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.example.com 2111.com.cn
<Directory /data/wwwroot/111.com/upload> //在111.com定义upload目录
php_admin_flag engine off //禁止php解析,所有访问都报403错误
#<FilesMatch (.*)\.php(.*)> // .php 前后匹配任意字符
# Order deny,allow //按禁止,允许执行
# Deny from all //禁止全部
#</Filesmatch>
</Directory>
ErrorLog "logs/111.com-error_log"
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
此时重启配置后,进行测试;结果不能解析php,只能输出源代码;
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/upload/123.php //不能够解析PHP,只是输出源代码
<?php
echo "123.php";
总结:因此为了安全,我们必须让其根本不能访问php(匹配.php),不给其解析机会;
16.4 限制user_agent
User Agent中文名为用户代理,简称 UA,它是一个特殊字符串头,使得服务器能够识别客户使用的操作系统及版本、CPU 类型、浏览器及版本、浏览器渲染引擎、浏览器语言、浏览器插件等。
当用crul访问的时候,user_agent的值为“curl/7.29.0”;因此我们可以用其,来做实验;
第一步:把下面内容定义为虚拟主机的的配置文件
[root@ying01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.example.com 2111.com.cn
<IfModule mod_rewrite.c>
RewriteEngine on //
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR] //匹配curl,不区分大小写,或者
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]
</IfModule>
ErrorLog "logs/111.com-error_log"
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/111.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
第二步:直接用curl访问111.com目录下的123.php
[root@ying01 111.com]# curl -x127.0.0.1:80 http://111.com/123.php -I
HTTP/1.1 403 Forbidden //禁止访问
Date: Sun, 01 Jul 2018 16:42:05 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
第三步:用curl -A指定user_agent的值
[root@ying01 111.com]# curl -A "123456" -x127.0.0.1:80 http://111.com/123.php -I //指定user_agent为123456
HTTP/1.1 200 OK //可以访问
Date: Sun, 01 Jul 2018 16:44:13 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
[root@ying01 111.com]# curl -A "ying ying" -x127.0.0.1:80 http://111.com/123.php -I //指定user_agent为ying ying
HTTP/1.1 200 OK //可以访问
Date: Sun, 01 Jul 2018 16:45:19 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
第四步:调用访问日志;可以看出user_agent为"curl/7.29.0" ,也有"123456"和"ying ying"
[root@ying01 111.com]# tail -3 /usr/local/apache2.4/logs/111.com-access_20180702.log
127.0.0.1 - - [02/Jul/2018:00:42:05 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [02/Jul/2018:00:44:13 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "123456"
127.0.0.1 - - [02/Jul/2018:00:45:19 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "ying ying"
总结:user_agent为"curl/7.29.0" 匹配配置文件,因此禁止访问;而用curl -A指定user_agent的值,则状态码为200;
十七、PHP配置
17.1 php的配置文件
试验准备工作;在111.com下,编辑index.php内容
[root@ying01 ~]# cd /data/wwwroot/111.com
[root@ying01 111.com]# ls
123.php 1.jpg 1.txt admin ceshi.png index.php upload
[root@ying01 111.com]# vim index.php
<?php
phpinfo();
此时我们在浏览器上访问index.php, 发现** Loaded Configuration File**没有加载
此时把php.ini-development文件,复制到/usr/local/php7/etc/php.ini
[root@ying01 111.com]# /usr/local/php7/bin/php -i | grep -i 'loaded configuration file'
Loaded Configuration File =>
[root@ying01 111.com]# cd /usr/local/src/php-7.1.6/
[root@ying01 php-7.1.6]# cp php.ini-development /usr/local/php7/etc/php.ini
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
重新加载后,再用浏览器上访问index.php,此时** Loaded Configuration File**已经加载
17.2 危险函数的禁用
编辑/usr/local/php7/etc/php.ini配置文件
[root@ying01 php-7.1.6]# vim /usr/local/php7/etc/php.ini
以下为php.ini文件内容,搜索 disable_functions
disable_functions =eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,
system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,
proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,
readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
这些函数都是比较危险的,为了安全,一般要把他们禁用;
eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
此时我已经把phpinfo,也禁用了;此时无法打开;
虽然不能访问了,但是它却在页面上显示错误信息; 为了不让其显示
[root@ying01 php-7.1.6]# vim /usr/local/php7/etc/php.ini
display_errors = off //把on改为off
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
此时再次在浏览器,刷新,结果成为一个空页面;
17.3 设置php的错误日志
虽然免除了危险,但是对于我们管理员来说,这个页面,不友好,无法判断此页面;此时需要设置错误日志;
再次打开php.ini配置文件
[root@ying01 php-7.1.6]# vim /usr/local/php7/etc/php.ini
log_errors = On //需要执行,且为on
error_log = /tmp/php_errors.log //定义错误日志目录
- 设置error_reporting 错误级别
; Common Values:
; E_ALL (Show all errors, warnings and notices including coding standards.)
; E_ALL & ~E_NOTICE (Show all errors, except for notices)
; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.)
; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
; Development Value: E_ALL
; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; http://php.net/error-reporting
error_reporting = E_ALL //默认为E_ALL,选择
选择生产环境的级别
error_reporting = E_ALL & ~E_NOTICE //在生产环境中,最常用的就是这个!有时候出现notice并不是出错
加载,重启配置
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/index.php //继续访问,肯定没有输出
[root@ying01 php-7.1.6]# ls /tmp/php_errors.log //但是此时有我们设置的错误日志出现
/tmp/php_errors.log
查看看这个错误日志的权限,发现为daemon;说明跟httpd配置文件相关
[root@ying01 php-7.1.6]# ls -l /tmp/php_errors.log
-rw-r--r-- 1 daemon daemon 1350 7月 2 11:02 /tmp/php_errors.log
[root@ying01 php-7.1.6]# ps aux |grep httpd
root 1471 0.0 0.7 258948 13608 ? Ss 09:40 0:00 /usr/local/apache2.4/bin/httpd -k start
daemon 2602 0.0 0.6 545776 12344 ? Sl 10:56 0:00 /usr/local/apache2.4/bin/httpd -k start
daemon 2603 0.0 1.9 1220144 36752 ? Sl 10:56 0:00 /usr/local/apache2.4/bin/httpd -k start
daemon 2604 0.0 0.8 744496 16400 ? Sl 10:56 0:00 /usr/local/apache2.4/bin/httpd -k start
daemon 2707 0.0 0.8 613424 16748 ? Sl 10:57 0:00 /usr/local/apache2.4/bin/httpd -k start
root 2817 0.0 0.0 112724 984 pts/0 S+ 11:06 0:00 grep --color=auto httpd
[root@ying01 php-7.1.6]#
查看php错误日志
[root@ying01 php-7.1.6]# cat /tmp/php_errors.log
[02-Jul-2018 03:02:12 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[root@ying01 php-7.1.6]#
[root@ying01 php-7.1.6]# vim /data/wwwroot/111.com/2.php //新建2.php
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php //空页面
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php -I //出现500状态码
HTTP/1.0 500 Internal Server Error
Date: Mon, 02 Jul 2018 03:12:56 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
[root@ying01 php-7.1.6]# cat /tmp/php_errors.log //查看错误日志
[02-Jul-2018 02:57:11 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[02-Jul-2018 03:02:12 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[02-Jul-2018 03:12:42 UTC] PHP Parse error: syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[02-Jul-2018 03:12:56 UTC] PHP Parse error: syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
17.4 open_basedir配置
如果有一台服务器跑了很多个站点,其中就有一个站的程序写的很烂,漏洞百出,被***所劫持,只要一台被劫持,其它的服务器也就很快被搞定。为了防止这样的事情发生,如何搞定呢?
- 在php配置文件中设置open_basedi
在php配置文件中,把111.com故意写成1111.com
[root@ying01 php-7.1.6]# vim /usr/local/php/etc/php.ini
open_basedir = /data/wwwroot/1111.com:/tmp
重启配置,测试
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.0 500 Internal Server Error //出现500状态码
Date: Mon, 02 Jul 2018 03:33:14 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
查看错误日志:php_errors.log
[root@ying01 php-7.1.6]# tail -3 /tmp/php_errors.log
[02-Jul-2018 03:12:42 UTC] PHP Parse error: syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[02-Jul-2018 03:12:56 UTC] PHP Parse error: syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[02-Jul-2018 03:33:14 UTC] PHP Parse error: syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
在php配置文件中,把错误的目录1111.com改为111.com
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Mon, 02 Jul 2018 03:35:22 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
- 针对不同的虚拟主机限定不同的open_basedir
按下图设置vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
重启配置后,可以访问成功;
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@ying01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.1 200 OK
Date: Mon, 02 Jul 2018 04:06:09 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
[root@ying01 php-7.1.6]# curl -A "Q" -x127.0.0.1:80 http://111.com/2.php
123[root@ying01 php-7.1.6]#
十八、 PHP扩展模块安装
18.1 下载模块包安装
下载源码包
[root@ying01 ~]# cd /usr/local/src/
[root@ying01 src]# wget https://codeload.github.com/phpredis/phpredis/zip/develop
改名,解压包
[root@ying01 src]# mv develop phpredis-develop.zip //更改名称
[root@ying01 src]# unzip phpredis-develop.zip //解压
使其生成configure 文件
[root@ying01 src]# cd phpredis-develop/
[root@ying01 phpredis-develop]#
[root@ying01 phpredis-develop]# /usr/local/php7/bin/phpize
Configuring for:
PHP Api Version: 20160303
Zend Module Api No: 20160303
Zend Extension Api No: 320160303
Cannot find autoconf. Please check your autoconf installation and the
$PHP_AUTOCONF environment variable. Then, rerun this script.
提示缺少autoconf包
[root@ying01 phpredis-develop]# yum install -y autoconf
将继续执行生成configure文件
[root@ying01 phpredis-develop]# /usr/local/php7/bin/phpize
Configuring for:
PHP Api Version: 20160303
Zend Module Api No: 20160303
Zend Extension Api No: 320160303
[root@ying01 phpredis-develop]# ls configure
configure
配置、编译,安装
[root@ying01 phpredis-develop]# ./configure --with-php-config=/usr/local/php7/bin/php-config
[root@ying01 phpredis-develop]# make
[root@ying01 phpredis-develop]# make install
查看扩展模块存放目录
[root@ying01 phpredis-develop]# /usr/local/php7/bin/php -i |grep extension_dir
extension_dir => /usr/local/php7/lib/php/extensions/no-debug-zts-20160303 => /usr/local/ph
sqlite3.extension_dir => no value => no value
目录为空,此时在php.ini加载一条扩展语句
[root@ying01 phpredis-develop]# vim /usr/local/php7/etc/php.ini
此时查看存放扩展模块的目录,发现有刚才配置的 redis.so模块
[root@ying01 phpredis-develop]# /usr/local/php7/bin/php -m |grep redis
redis
[root@ying01 zip]# ls /usr/local/php7/lib/php/extensions/no-debug-zts-20160303/
opcache.so redis.so
18.2 编译自带的PHP源码包
php7的源码包中,有很多自带的源码包。我们不需要再次下载,直接编译即可!
在php-7.1.6/etc目录下有很多目录;
root@ying01 phpredis-develop]# cd /usr/local/src/php-7.1.6/
[root@ying01 php-7.1.6]# cd ext/
[root@ying01 ext]# ls
bcmath ext_skel interbase opcache pdo_sqlite skeleton tokenizer
bz2 ext_skel_win32.php intl openssl pgsql snmp wddx
calendar fileinfo json pcntl phar soap xml
com_dotnet filter ldap pcre posix sockets xmlreader
ctype ftp libxml pdo pspell spl xmlrpc
curl gd mbstring pdo_dblib readline sqlite3 xmlwriter
date gettext mcrypt pdo_firebird recode standard xsl
dba gmp mysqli pdo_mysql reflection sysvmsg zip
dom hash mysqlnd pdo_oci session sysvsem zlib
enchant iconv oci8 pdo_odbc shmop sysvshm
exif imap odbc pdo_pgsql simp
现在编译一个模块 zip
[root@ying01 phpredis-develop]# cd /usr/local/src/php-7.1.6/
[root@ying01 php-7.1.6]# cd ext/ //里面有zip模块
[root@ying01 ext]# ls
bcmath ext_skel interbase opcache pdo_sqlite skeleton tokenizer
bz2 ext_skel_win32.php intl openssl pgsql snmp wddx
calendar fileinfo json pcntl phar soap xml
com_dotnet filter ldap pcre posix sockets xmlreader
ctype ftp libxml pdo pspell spl xmlrpc
curl gd mbstring pdo_dblib readline sqlite3 xmlwriter
date gettext mcrypt pdo_firebird recode standard xsl
dba gmp mysqli pdo_mysql reflection sysvmsg zip
dom hash mysqlnd pdo_oci session sysvsem zlib
enchant iconv oci8 pdo_odbc shmop sysvshm
exif imap odbc pdo_pgsql simplexml tidy
[root@ying01 ext]# /usr/local/php7/bin/php -m |grep zip //在php加载模块中,查找zip
[root@ying01 ext]# cd zip/
[root@ying01 zip]# ls
config.m4 CREDITS lib php_zip.c tests zip_stream.c
config.w32 examples LICENSE_libzip php_zip.h TODO
[root@ying01 zip]# /usr/local/php7/bin/phpize
Configuring for:
PHP Api Version: 20160303
Zend Module Api No: 20160303
Zend Extension Api No: 320160303
配置、编译,安装
[root@ying01 zip]# ./configure --with-php-config=/usr/local/php7/bin/php-config
[root@ying01 zip]# make
[root@ying01 zip]# make install
查看目录,此时发现zip.so模块
Installing shared extensions: /usr/local/php7/lib/php/extensions/no-debug-zts-20160303/
[root@ying01 zip]# ls /usr/local/php7/lib/php/extensions/no-debug-zts-20160303/
opcache.so redis.so zip.so
扫一扫
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
