11.28 Restricting a directory from parsing PHP
Core configuration file contents:
<Directory /data/wwwroot/www.123.com/upload>
    php_admin_flag engine off
</Directory>
With this in place, a curl test returns the PHP source code directly; the file is not parsed.
curl -x127.0.0.1:80 'http://123.com/upload/123.php'
11.29 Restricting by user_agent
The user_agent can be understood as the browser identifier.
Core configuration file contents:
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
    RewriteRule .* - [F]
</IfModule>
curl -A "123123" specifies the user_agent.
# curl -x127.0.0.1:80 'http://123.com'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>403 Forbidden</title>
<p>You don't have permission to access /
on this server.<br />
</p>
</body>
# curl -x127.0.0.1:80 'http://123.com/upload/123.php'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>403 Forbidden</title>
<p>You don't have permission to access /upload/123.php
on this server.<br />
</p>
</body>
11.30/11.31 PHP-related configuration
To find the PHP configuration file in use:
/usr/local/php/bin/php -i | grep -i "Loaded Configuration File"
PHP parameters
Set the time zone:
date.timezone
Some functions that can be restricted:
eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
The functions above can be restricted with "disable_functions" to improve the security of the site:
disable_functions=
Log-related settings
display_errors=On/Off: controls whether the cause of an error is displayed on the page. Set it to Off so that users cannot see error details. When it is Off, the error log, its save path and the error log level must all be configured, otherwise the cause of an error cannot be found.
log_errors=On/Off: turns the error log on or off.
"error_log=/tmp/" sets the save path for the error log. If no log is produced after the path is defined, check that the directory containing the log file has write (w) permission.
"error_reporting=" sets the error log level. The levels include E_ALL, ~E_NOTICE, ~E_STRICT and ~E_DEPRECATED, and they can be combined freely. In a production environment, E_ALL & ~E_NOTICE can be used.
Official notes:
E_ALL (Show all errors, warnings and notices including coding standards.)
E_ALL & ~E_NOTICE (Show all errors, except for notices)
E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.)
E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
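The following Python check is an added example, not part of the original page: it audits php.ini text against the function-restriction and logging settings described above. The baseline function set, the sample php.ini fragment and the names parse_ini and audit_php_ini are assumptions made for illustration.

```python
# Baseline: a subset of the page's function list (an assumption for this example).
# eval is left out because it is a language construct, so disable_functions
# has no effect on it.
RISKY = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open", "phpinfo"}

def parse_ini(text):
    """Return {directive: value} from php.ini text; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[":      # skip blanks, comments, section headers
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit_php_ini(text):
    """List deviations from the production settings described in the text."""
    s, findings = parse_ini(text), []
    if s.get("display_errors", "").lower() not in ("off", "0", "false", "no"):
        findings.append("display_errors should be Off")
    if s.get("log_errors", "").lower() not in ("on", "1", "true", "yes"):
        findings.append("log_errors should be On")
    if not s.get("error_log"):
        findings.append("error_log path is not set")
    if "disable_function" in s:              # singular form is not a PHP directive
        findings.append("disable_function is a misspelling; the directive is disable_functions")
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",")}
    missing = sorted(RISKY - disabled)
    if missing:
        findings.append("not disabled: " + ",".join(missing))
    return findings

# Constructed sample input (not taken from a real server).
SAMPLE_INI = """\
; constructed php.ini fragment
display_errors = On
log_errors = On
error_log = /tmp/php_errors.log
disable_function = exec,system
disable_functions = exec,system,phpinfo
"""

if __name__ == "__main__":
    for finding in audit_php_ini(SAMPLE_INI):
        print("php.ini:", finding)
```

A directive that is absent is reported rather than assumed to have a safe default, so run the check against the file reported by the "Loaded Configuration File" command above.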
Security parameter "open_basedir"
; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes more sense if used in a per-directory
; or per-virtualhost Web server configuration file.
If the open_basedir option is set, all file operations are restricted to the specified directory and its subdirectories.
The directive makes the most sense when it is set in a per-directory or per-virtual-host web server configuration file.
Description: the settings in the php.ini file apply to all virtual hosts.
Problem: when one server runs more than one virtual host, setting this option in php.ini is not appropriate. So how should it be configured?
Method: set it separately in the configuration of each virtual host.
# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
php_admin_value open_basedir "/data/wwwroot/123.com:/tmp/"
Description: "php_admin_value" can define parameters that would otherwise be set in php.ini. Use it in each virtual host to set that host's own "open_basedir".
The "/tmp/" directory is included here so that temporary files can be written correctly.