Lamp Environment-limited PHP parsing, useragent, PHP-related configuration, Apache-related configuration

11.28 limit a directory to prevent PHP parsing

This section should be used to optimize settings for static file directories or writable directories, and to prevent malicious attacks by restricting resolution/access to improve security.

To edit a virtual host configuration file:

[Email protected] 111.com]# vim/usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory/data/wwwroot/111.com/upload>
Php_admin_flag engine off
</Directory>
Create the appropriate directory:

[Email protected] 111.com]# mkdir upload
......
[[email protected] 111.com]# ls upload/
123.php abc.jpg Baidu.png
Test:

[Email protected] 111.com]# curl-x192.168.8.131:80 ' http://111.com/upload/123.php '
<?php
echo "welcom to 123file";
?>

[Email protected] 111.com]# curl-x192.168.8.131:80 ' http://111.com/upload/baidu.png '-I
http/1.1 OK
Date:thu, 04:47:16 GMT
server:apache/2.4.27 (Unix) php/5.6.30
Last-modified:thu, 04:25:26 GMT
ETag: "e7a-555d1c5172a6c"
Accept-ranges:bytes
content-length:3706
Content-type:image/png

Description: The source code is displayed directly when accessing the 123.php file, that is, PHP parsing is not possible, and accessing other types of files is not a problem.

Add PHP Access Restrictions

Add parameter "< FilesMatch (.) \. php (. ) > ":

[Email protected] 111.com]# vim/usr/local/apache2.4/conf/extra/httpd-vhosts.conf

<Directory /data/wwwroot/111.com/upload>    php_admin_flag engine off    <FilesMatch (.*)\.php(.*)>    Order Allow,Deny    Deny from all    

Note: If only set prohibit PHP parsing, user access to PHP files will show the source code, add this parameter can prevent users to see the server PHP source, further improve security.

Test:

[Email protected] 111.com]# curl-x127.0.0.1:80 111.com/upload/123.php-i
http/1.1 403 Forbidden
Date:thu, 04:28:49 GMT
server:apache/2.4.27 (Unix) php/5.6.30
content-type:text/html; Charset=iso-8859-1

[Email protected] 111.com]# curl-x127.0.0.1:80 111.com/upload/baidu.png-i
http/1.1 OK
Date:thu, 04:29:25 GMT
server:apache/2.4.27 (Unix) php/5.6.30
Last-modified:thu, 04:25:26 GMT
ETag: "e7a-555d1c5172a6c"
Accept-ranges:bytes
content-length:3706
Content-type:image/png
Description: The status code of Access 123.php at this time is 403, that is, inaccessible!

11.29 Limit User_agent

User_agent (user agent): refers to the browser (search engine) information including hardware platform, system software, application software and user preferences.

Requirements background:
Sometimes the website is attacked by CC, the principle is: The attacker uses the proxy server (meat machine) to generate a legitimate request to the victim host to achieve DDoS and camouflage. One feature of CC attacks is that their useragent are consistent, so they can be blocked by limiting the attacker's useragent approach.

To edit a virtual host configuration file:

[Email protected] 111.com]# vim/usr/local/apache2.4/conf/extra/httpd-vhosts.conf
......
<ifmodule mod_rewrite.c>
Rewriteengine on
Rewritecond%{http_user_agent}. Curl. [Nc,or]
Rewritecond%{http_user_agent}. baidu.com. [NC]
Rewriterule. *-[F]
</IfModule>
......
Description: NC means ignore case, or option indicates or (without any option table and) joins next condition, F=forbidden forbidden.

Detection:

[Email protected] 111.com]# curl-x192.168.8.131:80 ' http://111.com/123.php '-I
http/1.1 403 Forbidden
Date:thu, 06:59:14 GMT
server:apache/2.4.27 (Unix) php/5.6.30
content-type:text/html; Charset=iso-8859-1

[Email protected] 111.com]# curl-a "Aminglinux aminglinux"-x192.168.8.131:80 ' http://111.com/123.php '-I
http/1.1 OK
Date:thu, 07:01:01 GMT
server:apache/2.4.27 (Unix) php/5.6.30
x-powered-by:php/5.6.30
content-type:text/html; Charset=utf-8
[Email protected] 111.com]# curl-a "Aminglinux aminglinux"-x192.168.8.131:80 ' http://111.com/123.php '
Welcom to 123file
Description: curl-a specifies useragent.

11.30 PHP Related Configuration

To view the PHP configuration file:

/usr/local/php/bin/php-i|grep-i "Loaded configuration file"
PHP parameters

Set time zone
Date.timezone
Some feature options:
"Eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown, Escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog, Readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo "
The above feature options can be limited by "disable_function" to improve the security of the site:

disable_function=
Log related
Display_errors=on/off: Set whether the cause of the error is displayed, it is important to note that the error log must be set, the save path, and the error log level to be set to OFF (to prevent users from seeing), or the cause of the error cannot be found.

Log_errors=on/off Open/Close error log

"error_log=/tmp/" sets the save path for the error log. If the log cannot be produced after the path is defined, you need to check the directory where the log file is located for write (w) permissions

"Errorreporting =" Sets the error log level with the following levels: E all, ~e NOTICE, ~e STRICT, ~eDEPRECATED (can be freely combined). Production environment use: E all & ~e_ notice is available.

Official Note:

E_all (Show all errors, warnings and notices including coding standards.)
E_all & ~e_notice (Show all errors, except for notices)
E_all & ~e_notice & ~e_strict (Show all errors, except for notices and coding standards warnings.)
e_compile_error| e_recoverable_error| e_error| E_core_error (Show only errors)
Safety parameter "Open_basedir"
Open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes more sense if used in a per-directory
; or per-virtualhost Web server configuration file.
If the Open_basedir option is set, all operations on the file will be restricted to the specified directory and its subdirectories.
It is important to set this directive in each directory or virtual host Web server configuration file.
Description: The contents of the php.ini file are configured for all virtual hosts.

Problem: One server runs more than one virtual host, so setting this option under this file is not appropriate. So, how do you set this configuration?

Method: The configuration file for each virtual host is set up separately.

[Email protected] 111.com]# vim/usr/local/apache2.4/conf/extra/httpd-vhosts.conf
Php_admin_value Open_basedir "/data/wwwroot/111.com:/tmp/"
Description: "Php_admin_value" can define parameters in the php.ini. Use this method in each virtual host to set the relevant "Open_basedir" Can!
The "/tmp/" directory is opened here to allow temporary files to be written correctly.

Extended:

Apache Open Compression function

Compression here is not the image of the site compression, but for ordinary static files, such as HTML, JS, CSS and other elements of compression, through compression to save bandwidth resources.

Configuration

Check if local Apache supports the compression feature
/usr/local/apache2/bin/apachectl-l
See if there is a "mod_deflate" module here, and if not, continue to view:

ls/usr/local/apache2/modules/
Here to see there is no "mod_deflate.so" This file, if there is no, that means your Apache does not support compression, need to recompile, or expand the form of installation, or recompile Apache, need to compile, add "-- Enable-deflate=shared ".
After adding complete deflate This module begins to configure:

To edit the Apache configuration file httpd.conf:

LoadModule Deflate_module modules/mod_deflate.so

Deflatecompressionlevel 5
Addoutputfilterbytype DEFLATE text/html Text/plain text/xml
Addoutputfilter DEFLATE js CSS
Where Deflatecompressionlevel refers to the level of compression, from 1 to 9, 9 is the highest level.

apache2.2 to 2.4 configuration file changes

Access control
Apache2.2 configuration:

Order Deny,allow
Deny from all
Apache2.4 configuration:

Require all denied
Common configurations are:

Require all denied
Require all granted
Require Host xxx.com
Require IP 192.168.1 192.168.2
Require Local
Setting log record mode changes
Rewriteloglevel instruction changed to LogLevel.
eg

LogLevel warn Rewrite:warn
Namevirtualhost is removed

Module Group:

Website compression, in addition to using the Mod_ deflate,apache2.4 modfilter.
With SSL credentials, you need Mod_socache _SHMCB in addition to using mod ssl,apache2.4
Apache parameters (Options)

Directives control which server features will be used in a particular directory. The Options property has a very special feature: If you do not use "+" or "-" to increase or decrease a function, then all functions of the previously defined options will be canceled until you specify some functionality for it. So the options property is not relevant in the overall settings and the virtual host settings, and does not work with each other because they are overloaded within a specific range. If you want to use the options settings in the overall settings in the virtual host, do not specify the Options property in the virtual host settings. If you want to add or decrease functionality, use the "+" or "-" notation. The Options directive controls which server features will be used in a particular directory. The option can be set to None, in which case no extra features will be enabled. or set to one or more of the following options:

All:
This is the default setting for all features except MultiViews.
EXECCGI: Allow CGI scripts to be executed
FollowSymLinks:
The server uses symbolic connections in this directory.
Note: Even though the server uses symbolic connections, it does not change the pathname used to match the configuration segment. If this configuration is in a configuration segment, this setting is ignored.
Includes: Allow server-side containment.
IncludesNOEXEC:
Allow server-side containment, but disable the #exec command and the #exec CGI (Common Gateway Interface, which is the server-side interface used to initialize software services. ）。 However, you can still use the # include virtual CGI script from the Scriptaliase directory.
CGI (Common Gateway Interface) Universal Gateway Interface, it is a program, running on the server, providing the interface with the client HTML page, the popular CGI is like a bridge, the Web page and the Web server to connect the execution program, It passes the instruction that the HTML receives to the server, then returns the result of the server execution to the HTML page, the CGI can implement the processing table, the database query, sends the e-mail and so on many operations, the most common CGI program is the counter. CGI makes a Web page not static, but interactive.

Indexes:
If a URL mapped to a directory is requested, and there is no directoryindex (for example: index.html) In this directory, the server returns a formatted list of directories.

MultiViews: A multi-attention graph that allows content negotiation.

SymLinksIfOwnerMatch:
The server uses a symbolic connection only if it has the same user ID as its destination directory or file owner.
Note: If this configuration appears in the configuration segment, this option is ignored. In general, if a directory is set to the options multiple times, the most special one will be fully accepted, and the settings of each option are not fused to each other. However, this option will be merged if all of the options are applied with a + or-symbol prior to the option command. All options preceded by a + sign will force the override of the current optional setting, and all previous options with the-number will force the removal from the current optional settings.

Eg: if there are no + and-symbols:

Options Indexes FollowSymLinks

Options includes
Only includes is set to the/web/docs/spec directory. However, if the second options directive uses the + and-symbols:

Options Indexes FollowSymLinks

Options +includes-indexes
Then there will be FollowSymLinks and includes set to the/web/docs/spec directory.

Apache prohibits trace or track against XSS attacks

Trace and track are the HTTP methods used to debug Web server connections. A cross-site scripting vulnerability exists in a server that supports this approach, often referred to as XST when describing various browser defects. An attacker could exploit this vulnerability to spoof legitimate users and obtain their private information.

Disable trace: Use the rewrite feature

Rewriteengine on
Rewritecondi%{request_method} ^trace
Rewriterule. *-[F]
Or you can configure the appropriate parameters directly in Apache configuration file.

Traceenable off
Apache Configuration HTTPS Support SSL

?? The SSL (secure Sockets Layer Secure Socket) protocol, and its successor, TLS (Transport Layer Security) protocol, is a security protocol that provides security and data integrity for network communications. TLS and SSL encrypt the network connection at the transport layer, which ensures the security of network data transmission, and uses data encryption technology to ensure that the data will not be intercepted and tapped during the network transmission. The SSL protocol has become a global standard, and all major browsers and Web server programs support the SSL protocol, which can be activated by installing an SSL certificate.
?? An SSL certificate is a server digital certificate that adheres to the SSL protocol, is issued by a trusted certificate authority (CA), authenticates the server, and is deployed on the server with both Web site authentication and encrypted transport dual functionality.

Installing OpenSSL
Apache2.0 recommended to install version 0.9, I have tried 2.0.59 to openssl-1.0 compilation does not pass. Download openssl:http://www.openssl.org/source/
TAR-ZXF openssl-0.9.8k.tar.gz
#解压安装包
CD openssl-0.9.8k
#进入已经解压的安装包
./configure
#配置安装. Recommended default configuration
Make && make install
#编译及安装
OpenSSL will be installed to/usr/local/ssl by default.

Let Apache support SSL
When compiling, you specify SSL support.
Static
--enable-ssl=static--with-ssl=/usr/local/ssl
Dynamic
--enable-ssl=shared--with-ssl=/usr/local/ssl
The second method generates the Mod_ssl.so module in the module/directory, and Static does not, but the second method also needs to be added to the httpd.conf:

LoadModule ssl_module modules/mod_ssl.so
Generate certificate
Create private key
Before you create a certificate request, you need to first generate the server certificate private key file.
Cd/usr/local/ssl/bin
#进入openssl安装目录
OpenSSL genrsa-out server.key 2048
#运行openssl命令, Generates a 2048-bit long private key Server.key file.
#如果您需要对server. Key to add a protection password, use the-des3 extension command. Encrypted format private keys are not supported in Windows environments, and when you use an encrypted private key in a Linux environment, you will need to enter that private key password each time you restart Apache.
# (example: OpenSSL genrsa-des3-out server.key 2048)

CP server.key/usr/local/apache/conf/ssl.key/
Generate a certificate request (CSR) file
OpenSSL Req-new-key server.key-out CERTREQ.CSR
Country Name://ISO Standard code for your country, China CN
State or Province Name://Your unit is located in the province/municipality
Locality Name://city/district where your organization is located
Organization Name://Your organization/organization/company's legal names
Organizational unit Name://Department
Common Name://Common name, for example: www.itrus.com.cn. This must exactly match the domain name that you applied when you accessed the server that provided the SSL service.
Email Address://Your e-mail addresses, do not enter, direct enter skip
"Extra" attributes//The following information does not have to be entered, enter skip until the command is completed.
Back up the private key and submit a certificate request
Please submit the certificate request file CERTREQ.CSR to Tianwei integrity, and backup save certificate private key file Server.key, wait for the certificate to be issued. The server certificate key pair must be paired, and the loss of the private key file will cause the certificate to be unavailable.
Install the certificate
Obtain the server Certificate Intermediate CA Certificate
To secure server certificate client compatibility, the server certificate requires the installation of two intermediate CA certificates (different brand certificates, possibly one intermediate certificate), and the intermediate CA certificate from the message:

Paste the two intermediate CA certificate contents (including "-----Begin CERTIFICATE-----" and "-----End CERTIFICATE-----") from begin to end in the certificate issuance message into a text editor such as Notepad, The middle is separated by a carriage return line break. Modify the file name extension to save as a conf/ssl.crt/intermediatebundle.crt file (if you have only one intermediate certificate, you only need to save and install one intermediate certificate).

Obtaining an EV server certificate
Paste the server certificate contents (including "-----Begin CERTIFICATE-----" and "-----End CERTIFICATE-----") from begin to end in the certificate issuance message into a text editor such as Notepad, Save as SSL.CRT/SERVER.CRT file.

Configure Apache2.0

To edit the configuration file httpd.conf, add the following:

Listen 443
Namevirtualhost *:443

DocumentRoot "/data/web/www"ServerName aaa.com:443ErrorLog "logs/error.log"CustomLog "logs/access.log" combined    SSLEngine on    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key    SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/intermediatebundle.crt

Lamp Environment-limited PHP parsing, useragent, PHP-related configuration, Apache-related configuration