
PHP configuration: disabling PHP parsing in a directory, restricting user_agent

1. Disabling PHP parsing for a specific directory.

A site written in PHP usually has directories that exist so that users can upload files. If an attacker manages to upload a PHP webshell into one of them, and the site executes PHP, the attacker ends up with control of the server. To rule that out, any directory that accepts uploads must be configured so that PHP code placed in it is never parsed. Edit the configuration file (the vhost's <Directory> block for the upload directory; the path below follows the site root /data/wwwroot/www.123.com that appears later in the post, and the FilesMatch pattern is assumed to be any file name ending in .php):

<Directory /data/wwwroot/www.123.com/upload>
    php_admin_flag engine off
    # FilesMatch refuses requests for .php files so that their source is never served
    <FilesMatch \.php$>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

The Order/Deny pair is Apache 2.2 syntax; on Apache 2.4 it only works while mod_access_compat is loaded, and the native 2.4 form is "Require all denied".

Reload the configuration, then verify:

# mkdir upload //create the upload directory under the document root of www.123.com
# ls
123.jpg 123.php 123.txt admin index.html upload
# cp 123.php upload/ //copy 123.php into the upload directory
# curl -x127.0.0.1:80 www.123.com/upload/123.php -I //requesting 123.php now returns 403
HTTP/1.1 403 Forbidden
Date: Sat, 02 Jun 2018 22:21:09 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1

Remove the FilesMatch block from the configuration and test again:

# curl -x127.0.0.1:80 www.123.com/upload/123.php
<?php
echo 123.php;
?>

curl now returns the file's source code verbatim, showing that 123.php is no longer executed as PHP. This is what engine off does on its own: the script does not run, but its source is served to anyone who asks for it, which is why the FilesMatch block is kept as well.
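As an added example (not code from the original post), a small Python audit that reads a vhost configuration and checks that the upload directory carries both halves of the protection, engine off and a FilesMatch deny. The sample configuration, the upload path /data/wwwroot/www.123.com/upload and the .php pattern are constructed assumptions based on the post's layout.

```python
import re

# Constructed sample vhost config (not the post's file): the <Directory> and
# <FilesMatch> wrappers around its directives, upload path assumed from the post.
SAMPLE_CONF = r"""
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/www.123.com"
    ServerName www.123.com
    <Directory /data/wwwroot/www.123.com/upload>
        php_admin_flag engine off
        <FilesMatch \.php$>
            Order allow,deny
            Deny from all
        </FilesMatch>
    </Directory>
</VirtualHost>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^\s">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
FM_RE = re.compile(r'<FilesMatch\s+"?([^>"]+?)"?\s*>(.*?)</FilesMatch>', re.S | re.I)
ENGINE_OFF_RE = re.compile(r"^\s*php_admin_flag\s+engine\s+off\s*$", re.M | re.I)
# The 2.2-style "Deny from all" needs mod_access_compat on Apache 2.4, whose
# native form is "Require all denied"; the audit accepts either spelling.
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.M | re.I)


def audit_upload_dir(conf, upload_dir):
    """Report which of the two protections the <Directory> block for
    upload_dir carries (assumes <Directory> blocks are not nested)."""
    upload_dir = upload_dir.rstrip("/")
    result = {"directory_block": False, "engine_off": False, "php_denied": False}
    for path, body in DIR_RE.findall(conf):
        if path.rstrip("/") != upload_dir:
            continue
        result["directory_block"] = True
        # engine off stops execution, but alone it makes Apache serve the source
        result["engine_off"] = bool(ENGINE_OFF_RE.search(body))
        for pattern, block in FM_RE.findall(body):
            if "php" in pattern.lower() and DENY_RE.search(block):
                result["php_denied"] = True  # .php requests get 403 instead
    return result


def is_hardened(conf, upload_dir):
    """True only when execution is off AND requests for .php files are refused."""
    r = audit_upload_dir(conf, upload_dir)
    return r["engine_off"] and r["php_denied"]
```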

2. Restricting user_agent.

user_agent can be thought of as the browser's identifier. A request made with curl carries the user_agent curl/7.29.0; one made from Firefox carries Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0.

Edit the configuration file:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]

This uses the rewrite module. %{HTTP_USER_AGENT} is the built-in variable holding the user_agent; in the example above, a user_agent matching either curl or baidu.com triggers the rule below. In the brackets, OR means "or", NC means "no case" (case-insensitive), and F stands for Forbidden.

Verify:

# curl -x127.0.0.1:80 www.123.com/123.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 03 Jun 2018 06:57:41 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1

# curl -A "123123" -x127.0.0.1:80 www.123.com/123.php -I
HTTP/1.1 200 OK
Date: Sun, 03 Jun 2018 06:57:51 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Cache-Control: max-age=0
Expires: Sun, 03 Jun 2018 06:57:51 GMT
Content-Type: text/html; charset=UTF-8

curl -A sets the user_agent. The first request carries curl's default user_agent curl/7.29.0, so the status is 403; the second carries the custom value "123123", which matches none of the conditions, so the status is 200.
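An added Python model (not the post's code) of how mod_rewrite evaluates the RewriteCond chain above, so the effect of [NC] and [OR] can be checked against sample user_agent strings; the Baiduspider string is a constructed example and the function names are chosen here, not taken from Apache.

```python
import re

SAMPLE_CONF = """
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)(?:\s+\[([A-Z,]+)\])?")


def parse_conditions(conf):
    """Collect (regex, flags) from the RewriteCond lines that test HTTP_USER_AGENT."""
    conds = []
    for line in conf.splitlines():
        m = COND_RE.match(line)
        if m:
            flags = set(m.group(2).split(",")) if m.group(2) else set()
            conds.append((m.group(1), flags))
    return conds


def conditions_match(conds, user_agent):
    """Evaluate the chain the way mod_rewrite does: consecutive conditions are
    ANDed, except that one carrying [OR] is ORed with the condition after it."""
    group_hit = False
    for regex, flags in conds:
        re_flags = re.IGNORECASE if "NC" in flags else 0  # NC: ignore case
        group_hit = group_hit or re.search(regex, user_agent, re_flags) is not None
        if "OR" in flags:
            continue  # still inside an OR group; look at the next condition
        if not group_hit:
            return False  # an AND group failed, so the RewriteRule never fires
        group_hit = False
    return True


def status_for(conf, user_agent):
    """Status the [F] rule yields for a request carrying this user_agent."""
    return 403 if conditions_match(parse_conditions(conf), user_agent) else 200


# Post's curl/Firefox/"123123" strings plus a constructed Baiduspider one; values = expected status.
SAMPLE_UAS = {
    "curl/7.29.0": 403,
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0": 200,
    "123123": 200,
    "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)": 403,
}
```

Dropping the [OR] flag from the first condition turns the chain into an AND, so a plain curl user_agent is then allowed through; the model reproduces that too.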

3. PHP configuration.

Although PHP runs as an httpd module, it also has its own configuration file. Locate it with the following command:

# /usr/local/php/bin/php -i |grep -i "loaded configuration file"
PHP Warning: Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in Unknown on line
Loaded Configuration File => /usr/local/php/etc/php.ini

(1) php.ini is PHP's configuration file. The warning on the first line says the system's timezone is not configured: edit php.ini, find date.timezone and set it to Asia/shanghai, and the warning no longer appears.

# /usr/local/php/bin/php -i |grep -i "loaded configuration file"
Loaded Configuration File => /usr/local/php/etc/php.ini

(2) PHP's disable_functions. PHP has many built-in functions, and some of them, exec for example, invoke Linux system commands directly, which is very dangerous to leave enabled. For security, functions that carry such risk should be disabled: open /usr/local/php/etc/php.ini with vim, search for disable_functions and add the following:

disable_functions=eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,stream_socket_server,proc_open,proc_close

Note that eval is a language construct rather than a function, so listing it in disable_functions has no effect. After disabling these functions, restart the httpd service for the change to take effect.

(3) Configuring error_log. PHP's log matters: it is the main tool for troubleshooting. Edit the PHP error-log settings, changing these items:

log_errors = On
error_log = /var/log/php/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
display_errors = Off

log_errors can be On or Off; On makes PHP write an error log. error_log sets the path of the log file. error_reporting sets the log level: E_ALL records every type of message, notices and warnings alike; & means "and" and ~ means "exclude", so E_ALL & ~E_NOTICE records everything except notices. With display_errors On, errors are printed straight into the browser, which is a poor experience for visitors and also exposes sensitive information such as the site's file paths, so it must be set to Off. After editing php.ini, the following steps are still needed:

# mkdir /var/log/php
# chmod 777 /var/log/php/ //the directory holding the PHP error log must exist and be writable
# /usr/local/apache2/bin/apachectl graceful
# cat /var/log/php/php_errors.log
[03-Jun-2018 14:44:02 Asia/shanghai] PHP Parse error: syntax error, unexpected 'php' (T_STRING), expecting ',' or ';' in /data/wwwroot/www.123.com/123.php on line 2

chmod 777 is the quick route; handing the directory to the user httpd runs as, with a mode that is not world-writable, gives PHP the same ability to write without letting every local account into the log. Remove the trailing ; from 123.php, look at the error log, and the mistake can be identified.

(4) Configuring open_basedir. open_basedir confines the site to specified directories: even if the site is compromised, the attacker can only act inside those directories and cannot reach the rest of the filesystem. If the server hosts a single site, open_basedir can be set directly in php.ini; if it hosts several sites, setting it in php.ini is not appropriate.

Open the configuration file (vim /usr/local/php/etc/php.ini) and set open_basedir:

open_basedir = /tmp:/data/wwwroot/www.123.com

open_basedir accepts several directories separated by colons. PHP is now restricted to the two directories /tmp and /data/wwwroot/www.123.com.

Setting open_basedir for a single virtual host:

vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
php_admin_value open_basedir "/data/wwwroot/www.123.com/:/tmp/"

The directive that does the work is php_admin_value, placed inside that site's <VirtualHost> block: it can set any php.ini parameter for the host, error_log and the like included.
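An added Python check (not the post's code) that reads a php.ini and reports on the four settings this section changes, including the point that eval cannot be disabled this way because it is a language construct. The php.ini excerpt is constructed from the values above, and the set of functions it insists on is a selection from the post's list.

```python
# Constructed php.ini excerpt (not the post's file) holding the values the post
# sets; the disable_functions list is shortened from the post's full list.
SAMPLE_INI = """
[Date]
date.timezone = Asia/shanghai
[PHP]
disable_functions = eval,assert,popen,passthru,exec,system,shell_exec,proc_open
log_errors = On
error_log = /var/log/php/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
display_errors = Off
open_basedir = /tmp:/data/wwwroot/www.123.com
"""

# Entries from the post's list that hand a string straight to the shell.
MUST_DISABLE = {"exec", "system", "shell_exec", "passthru", "popen", "proc_open"}


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return findings for the four settings the post discusses."""
    s = parse_ini(text)
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    findings = []
    if not s.get("date.timezone"):
        findings.append("date.timezone unset: PHP warns on every run and falls back to UTC")
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("command-execution functions still enabled: " + ", ".join(missing))
    if "eval" in disabled:  # eval is a language construct, so the entry is ignored
        findings.append("eval listed in disable_functions has no effect; it is not a function")
    if s.get("display_errors", "1").lower() not in ("off", "0"):  # compiled default is on
        findings.append("display_errors is on: error text and file paths reach the browser")
    if s.get("log_errors", "").lower() not in ("on", "1"):
        findings.append("log_errors is not On: errors are not written to error_log")
    if not s.get("open_basedir"):
        findings.append("open_basedir unset: PHP can read any path the httpd user can")
    return findings
```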

Source: 智云一二三科技

Article title: PHP configuration: disabling PHP parsing in a directory, restricting user_agent

Article URL: https://www.zhihuclub.com/76946.shtml

About the author: 智云科技
