Apache restricts a directory from parsing PHP, Apache prohibits specifying user_agent, PHP-related configuration

One: Apache restricts a directory against parsing PHP

A directory is forbidden to parse PHP, this is very useful, we do the site security, this use a lot of, such as
Some directories can upload files, in order to avoid uploading files have xxx, so we prohibit this directory under the Access solution
Analysis of PHP.
<Directory/data/www/data>
Php_admin_flag engine off
<filesmatch "(. *) PHP" >
Order Deny,allow
Deny from all
</filesmatch>
</Directory>
Description: Php_admin_flag engine off this statement is to prohibit parsing of PHP control statements, but only to match the
Not enough, because this configuration after the user can still access the PHP file, but not resolved, but can download, with
It is not appropriate to download PHP files, so it is necessary to prohibit it.

II: Apache prohibits designation of User_agent

The configuration is as follows:
<ifmodule mod_rewrite.c>
Rewriteengine on
Rewritecond%{http_user_agent} ^firefox/4.0 [Nc,or]
Rewritecond%{http_user_agent} ^Tomato bot/1.0 [NC]
Rewriterule. -[F]
</IfModule>
Also use the rewrite module to implement the restriction specified user_agent, in this case, Rewriterule. -[F] can be
To directly prohibit access, Rewritecond with User_agent to match,Firefox/4.0 said, as long as User_agent
Contains firefox/4.0 that are eligible, which represents any character, NC means case-insensitive, or indicates either,
Connect to the next condition. If I want to limit Baidu's search engine now, can add one such rule:
Rewritecond%{http_user_agent} ^baiduspider/2.0 [NC]
Rewriterule. -[F]
Now that there is or or, is there and what? You just don't write or you mean it.

1. When the last rule is added to or, it should be the result of all the conditions, for example, it thinks all user_agent are eligible, so all accesses are 403.
2. If you do not add or, then all rules are "and", in this case user_agent contains chrome and contains 360 to calculate the match.

Three: PHP related configuration

In front, we have copied a php.ini file to the/usr/local/php/etc/directory below, which is what we have
Know where the php.ini path is, but sometimes we don't know where the php.ini is, and we need to pass
Order to find out where.
#/usr/local/php/bin/php-i |head
Look at that line loaded Configuration File--/usr/local/php/etc/php.ini. If this is none, then
The description is not loaded into the specific php.ini. After finding the php.ini, open it with vim, and find a lot of lines to begin with;
, this symbol is used as an annotation symbol in php.ini, meaning that lines that begin with are not functional. and
The configurations commonly used in php.ini are as follows:

(1) Configuration disable_function
Disable_functions =
Eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chg
Rp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsock
Open,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,p
Roc_close
Description, there are a lot of functions in PHP, some of these functions are not xxx full, so it is necessary to put it
We ban v 0 off. Like Exec,shell_exec, the Linux shell command is executed in PHP code, which is dangerous to be banned.

(2) Configure Error_log
If you are a PHP developer, I believe you will often encounter debugging code situation, as an operator I
should learn simple PHP error troubleshooting skills, in fact, PHP errors and other services under Linux are the same, encounter
to view the error log after the error, according to the error message to determine the cause of the errors. How do you see the error message in PHP? When the
encounters an error, our visit to the website usually shows a white page, nothing, and a status code of 500. In the first case,
to directly display the error message in the browser, configure the method is to find Display_error=on in php.ini, restart
Apache service, refresh the Web page, found no longer white page, but a specific error. This allows us to
debug the PHP code according to the error. This situation is suitable for temporary debugging, but this situation is not suitable for long-term configuration, because all errors
will be displayed in the browser, if the PHP programmer accidentally write a wrong piece of code, and no test directly uploaded to the service
, then our users will directly see these errors, this is not appropriate. So in the second case,
output the error message to a log file, configured as follows:
#vim/usr/local/php/etc/php.ini Add or change the
Display_error=off
Log_ Errors=on
Error_log=/usr/local/php/logs/error.log
Description: The file does not exist at the beginning, in order to avoid permission problems can not automatically generate the file, we can first
create the file, and modify the permissions for 777
Error_reporting = E_all | E_strict
Description: First of all, the error will not be displayed in the browser, the second open the error log switch, and then specify the error log
path, and finally the level of the definition error log. After the configuration is complete, remember to restart the Apache service before it takes effect.

PHP error log level error_report
; E_all all errors and warnings (except e_strict)
; E_error a fatal error. Execution of the script is paused.
; E_recoverable_error most of the fatal errors.
; E_warning a non-fatal run-time error, just a warning, the execution of the script does not stop.
; E_parse compile-time parsing errors, parsing errors should only be generated by the parser.
; E_notice the reminders that are generated when the script runs (often some bugs in the script we write, such as a variable that is not defined), will not cause the task to break.
; The reminder message generated when the E_strict script runs contains some suggestions that PHP throws to let us modify.
; E_core_error fatal error
occurred after PHP startup; E_core_warning a non-fatal error that occurs after PHP is started, which is the warning message
; E_compile_error PHP Compile-time fatal error
; E_compile_warning the warning message generated when PHP was compiled
; E_user_error user-generated error
; E_user_warning user-generated warning
; E_user_notice user-generated reminders

(3) Configuration Open_basedir
There is this open_basedir concept in PHP, which means that the user who executes PHP is limited to the specified
Path, so that security is achieved by narrowing down the permissions. As a website, in fact we just need to let PHP
User access to the site's code, there is no need for it to access other directories. So how do you configure it?
#vim/usr/local/php/etc/php.ini Join or change
Open_basedir =/dir1/:/dir2
Description:/dir1 and/DIR2 for the two directories that we allow PHP to access, as well as multiple, directories
Inter-use: delimited. Once restricted, if PHP tries to access files in directories other than/dir1 and/DIR2, it will report
Wrong. Error similar to, warning:file_exists () [function.file-exists]: Open_basedir restriction in effect.
File (.. /123.php) is not within the allowed path (s):

In addition to defining Open_basedir in php.ini, we can actually define it in Apache's configuration file,
Because there may be more than one Apache under the site, we want to target different sites to limit the different open_basedir, configure
As follows.
#vim httpd.conf or virtual host configuration file, join
Php_admin_value Open_basedir "/dir1/:/dir2/"

PHP.ini detailed http://legolas.blog.51cto.com/2682485/493917

Apache restricts a directory from parsing PHP, Apache prohibits specifying user_agent, PHP-related configuration