86. Apache (httpd) configuration: hotlink protection (anti-leech) and access control

Source: Internet
Author: User

I. Configuring hotlink protection (anti-leech)

Hotlink protection checks the Referer of each request to stop third-party sites from embedding the images, downloads and other files hosted on this server. A file can then only be fetched from pages of the site itself, which also stops other sites from consuming this server's bandwidth.
What is Referer?

Referer is a field in the HTTP request header. When a browser requests a resource it sends a Referer that tells the server which page the request was made from, and the server can inspect that value before it answers.
For example: if page http://aaa.com/a.html on site A links to page http://bbb.com/b.html on site B, the request that site B receives for b.html carries Referer: http://aaa.com/a.html.

Step 1: Modify the virtual host configuration file

    [[email protected] ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
    <Directory /data/wwwroot/123test>
        # Whitelist linuxtest.com; matched by the Allow rule below
        SetEnvIfNoCase Referer "http://linuxtest.com" local_ref
        # Whitelist a specific IP address as well
        SetEnvIfNoCase Referer "http://120.78.56.104/" local_ref
        # Whitelist an empty Referer, i.e. the URL being opened directly
        SetEnvIfNoCase Referer "^$" local_ref
        # Apply access control to txt, doc and the other listed file types
        <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
            # Whitelisted addresses are allowed, everything else is denied.
            # Order Allow,Deny: Allow rules are evaluated first, then Deny;
            # a request that matches neither is denied.
            Order Allow,Deny
            # The whitelist is whatever set the local_ref variable
            Allow from env=local_ref
        </FilesMatch>
    </Directory>
    [[email protected] ~]# /usr/local/apache2/bin/apachectl -t
    Syntax OK
    [[email protected] ~]# /usr/local/apache2/bin/apachectl graceful
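As an added example (not code from the original article), the following Python mirrors how SetEnvIfNoCase evaluates its pattern, as a case-insensitive regular expression matched anywhere in the header value, using the whitelist from the configuration above, and puts an anchored version beside it; the hardened patterns assume www.linuxtest.com and https are also the site's own, and the Referer values are constructed.

```python
import re

# Patterns as written in the page's configuration (with the "http:http://" typo in the
# IP entry corrected to a single scheme). SetEnvIfNoCase treats each one as a
# case-insensitive regular expression that may match anywhere in the header value.
PAGE_WHITELIST = ["http://linuxtest.com", "http://120.78.56.104/", "^$"]

# Hardened alternative (assumption: www.linuxtest.com and https are ours too):
# anchored at the start, dots escaped, host must be followed by "/" or end of value.
HARDENED_WHITELIST = [
    r"^https?://(www\.)?linuxtest\.com(/|$)",
    r"^http://120\.78\.56\.104(/|$)",
    "^$",
]

def local_ref_set(referer, patterns):
    """True when any pattern matches the Referer the way SetEnvIfNoCase would."""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)

def file_served(referer, patterns=PAGE_WHITELIST):
    """Mirror of the FilesMatch block: Order Allow,Deny with only
    'Allow from env=local_ref', so a request is served only when local_ref is set."""
    return local_ref_set(referer, patterns)

# Constructed Referer values: two legitimate ones, a direct access (empty Referer),
# and two values from other hosts that merely contain the whitelisted string.
CASES = [
    "http://linuxtest.com/a.html",
    "HTTP://LINUXTEST.COM/a.html",
    "",
    "http://linuxtest.com.other.example/page.html",
    "http://other.example/?next=http://linuxtest.com",
]

def compare(cases=CASES):
    """Return [(referer, served_by_page_config, served_by_hardened_config), ...]."""
    return [(r, file_served(r), file_served(r, HARDENED_WHITELIST)) for r in cases]

if __name__ == "__main__":
    for referer, page, hardened in compare():
        print(f"{referer!r:52} page={page!s:5} hardened={hardened}")
```

Referer is supplied by the client and is absent from many direct or scripted requests (which the "^$" rule lets through), so this control deters casual hotlinking rather than enforcing access.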
II. Access control (Directory)

Restrict access to certain directories so that only specific IP addresses are allowed.

Step 1: Modify the virtual host configuration file

    [[email protected] ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
    // add the following
    <Directory /data/wwwroot/123test/admin/>
        # sets the precedence of Deny and Allow
        Order deny,allow
        Deny from all
        # only allow local access
        Allow from 127.0.0.1
    </Directory>
    [[email protected] ~]# /usr/local/apache2/bin/apachectl -t
    Syntax OK
    [[email protected] ~]# /usr/local/apache2/bin/apachectl graceful

Step 2: Test that it is in effect

    [[email protected] ~]# curl -x 127.0.0.1:80 -e http://linuxtest.com linuxtest.com/admin/admintest.php -I
    HTTP/1.1 200 OK
    Date: Tue, Mar 2018 09:40:48 GMT
    Server: Apache/2.4.29 (Unix) PHP/5.6.30
    X-Powered-By: PHP/5.6.30
    Cache-Control: max-age=0
    Expires: Tue, Mar 2018 09:40:48 GMT
    Content-Type: text/html; charset=utf-8
    // source IP 127.0.0.1: access successful
    [[email protected] ~]# curl -x 192.168.204.128.1:80 -e "http://linuxtest.com" linuxtest.com/admin/admintest.php -I
    curl: (5) Could not resolve proxy: 192.168.204.128.1; Unknown name or service
    [[email protected] ~]# curl -x 192.168.204.128:80 -e "http://linuxtest.com" linuxtest.com/admin/admintest.php -I
    HTTP/1.1 403 Forbidden
    Date: Tue, Mar 2018 09:41:41 GMT
    Server: Apache/2.4.29 (Unix) PHP/5.6.30
    Content-Type: text/html; charset=iso-8859-1
    // a source IP that is not whitelisted is blocked

Going through the proxy at 127.0.0.1:80 makes the request arrive from the loopback address, while 192.168.204.128:80 makes it arrive from the LAN address, which is why only the first request is allowed.
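The Order / Allow / Deny evaluation used in sections I and II, as an added example (not code from the article): a small model of the documented semantics of these legacy directives, applied to the two rule sets on this page. It only models the argument forms the page uses (all, env=NAME, an IP or CIDR); the client addresses are constructed.

```python
import ipaddress

def _matches(spec, client_ip, env):
    """One argument of Allow from / Deny from: 'all', 'env=NAME', or an IP / CIDR."""
    if spec == "all":
        return True
    if spec.startswith("env="):
        return spec[4:] in env
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def access_allowed(order, allow, deny, client_ip, env=frozenset()):
    """order: 'Allow,Deny' or 'Deny,Allow' as written in httpd.conf (case-insensitive).
    allow / deny: the arguments of every Allow from / Deny from line in the block."""
    order = order.lower().replace(" ", "")
    allow_hit = any(_matches(s, client_ip, env) for s in allow)
    deny_hit = any(_matches(s, client_ip, env) for s in deny)
    if order == "allow,deny":
        # Allow lines first, Deny lines override; a request matching neither is denied.
        return allow_hit and not deny_hit
    if order == "deny,allow":
        # Deny lines first, Allow lines override; a request matching neither is permitted.
        return allow_hit or not deny_hit
    raise ValueError("Order must be Allow,Deny or Deny,Allow")

# Section II of the page: Order deny,allow / Deny from all / Allow from 127.0.0.1
def admin_dir_allowed(client_ip):
    return access_allowed("deny,allow", ["127.0.0.1"], ["all"], client_ip)

# Section I of the page: Order Allow,Deny / Allow from env=local_ref, with no Deny line
def hotlink_allowed(client_ip, env):
    return access_allowed("Allow,Deny", ["env=local_ref"], [], client_ip, env)

if __name__ == "__main__":
    print(admin_dir_allowed("127.0.0.1"), admin_dir_allowed("192.168.204.128"))  # True False
    print(hotlink_allowed("10.0.0.5", {"local_ref"}), hotlink_allowed("10.0.0.5", set()))  # True False
    # The same single Allow line under the opposite Order: an unmatched request falls through as permitted.
    print(access_allowed("Deny,Allow", ["env=local_ref"], [], "10.0.0.5"))  # True
```

On Apache 2.4 these directives are provided by mod_access_compat; the native equivalents are Require ip 127.0.0.1 and Require env local_ref.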
III. Access control (FilesMatch)

Restrict access to specific files.

Step 1: Modify the configuration file

    [[email protected] ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
    // add the following
    <Directory /data/wwwroot/123test>
        # restrict access to the file admin.php
        <FilesMatch "admin.php(.*)">
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </FilesMatch>
    </Directory>
    [[email protected] ~]# /usr/local/apache2/bin/apachectl -t
    Syntax OK
    [[email protected] ~]# /usr/local/apache2/bin/apachectl graceful

Step 2: Test

    [[email protected] ~]# curl -x 127.0.0.1:80 http://linuxtest.com/admin/admintest.php?123 -I
    HTTP/1.1 404 Not Found
    Date: Tue, 21 Nov 2017 15:12:34 GMT
    Server: Apache/2.4.28 (Unix) PHP/5.6.30
    Content-Type: text/html; charset=iso-8859-1
    // Note: the request comes from an allowed IP, and the file does not exist, so a 404 status code is returned
IV. Access control (User-Agent)

User-Agent is the identification string of the browser (or search-engine crawler); it describes the hardware platform, operating system, application software and user preferences. Websites are sometimes hit by CC attacks (Challenge Collapsar, a form of HTTP flood): the attacker uses proxy servers or compromised hosts ("zombies") to send requests that look legitimate to the victim, causing denial of service while disguising the source. One characteristic of a CC attack is that its requests share the same User-Agent, so it can be blocked by restricting that User-Agent.

Step 1: Modify the configuration file

    [[email protected] 123test]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
        RewriteRule .* - [F]
        # NC: ignore case; OR: combine with the next condition using OR
        # (without it, consecutive conditions are ANDed); F: forbidden (403)
    </IfModule>
    [[email protected] 123test]# /usr/local/apache2/bin/apachectl -t
    Syntax OK
    [[email protected] 123test]# /usr/local/apache2/bin/apachectl graceful

Step 2: Test

    [[email protected] 123test]# curl -x 192.168.204.128:80 linuxtest.com/ -I
    HTTP/1.1 403 Forbidden
    Date: Wed, Mar 2018 07:01:54 GMT
    Server: Apache/2.4.29 (Unix) PHP/5.6.30
    Content-Type: text/html; charset=iso-8859-1
    [[email protected] 123test]# curl -A "www.baidu.com" -x 192.168.204.128:80 linuxtest.com/ -I
    HTTP/1.1 403 Forbidden
    Date: Wed, Mar 2018 07:02:20 GMT
    Server: Apache/2.4.29 (Unix) PHP/5.6.30
    Content-Type: text/html; charset=iso-8859-1
    // -A sets the User-Agent
    [[email protected] 123test]# curl -A "www" -x 192.168.204.128:80 linuxtest.com/ -I
    HTTP/1.1 200 OK
    Date: Wed, Mar 2018 07:02:29 GMT
    Server: Apache/2.4.29 (Unix) PHP/5.6.30
    X-Powered-By: PHP/5.6.30
    Cache-Control: max-age=0
    Expires: Wed, Mar 2018 07:02:29 GMT
    Content-Type: text/html; charset=utf-8

The first request (curl's default User-Agent) matches the first condition and the second request matches the second condition, so both receive status code 403; the third matches neither and is served.
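Before adding a RewriteCond like the one above, a defender would want evidence that one User-Agent really dominates the traffic. As an added example (not code from the article), this Python checks Apache combined-format access log lines for User-Agents that are sent by several distinct clients and account for most requests; the log lines are constructed for the illustration.

```python
import re
from collections import Counter, defaultdict

# Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

# Constructed sample: several clients hammering the site with one identical
# User-Agent, plus ordinary browser traffic.
SAMPLE_LOG = """\
192.168.204.128 - - [14/Mar/2018:07:01:54 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.29.0"
192.168.204.129 - - [14/Mar/2018:07:01:54 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.29.0"
192.168.204.130 - - [14/Mar/2018:07:01:55 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.29.0"
192.168.204.128 - - [14/Mar/2018:07:01:55 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.29.0"
192.168.204.129 - - [14/Mar/2018:07:01:56 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.29.0"
192.168.204.130 - - [14/Mar/2018:07:01:56 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.29.0"
10.0.0.7 - - [14/Mar/2018:07:01:57 +0000] "GET /a.html HTTP/1.1" 200 2048 "http://linuxtest.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0"
10.0.0.8 - - [14/Mar/2018:07:01:58 +0000] "GET /b.html HTTP/1.1" 200 1024 "http://linuxtest.com/a.html" "Mozilla/5.0 (Windows NT 10.0) Chrome/64.0"
"""

def user_agent_profile(log_text):
    """Map each User-Agent to (request count, number of distinct client IPs)."""
    hits = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ua = m.groups()
        hits[ua] += 1
        clients[ua].add(ip)
    return {ua: (n, len(clients[ua])) for ua, n in hits.items()}

def dominant_user_agents(log_text, min_share=0.5, min_clients=2):
    """User-Agents sent by at least min_clients distinct clients that make up at least
    min_share of all requests: the 'consistent User-Agent' trait described above."""
    profile = user_agent_profile(log_text)
    total = sum(n for n, _ in profile.values())
    return sorted(
        (ua, n, c) for ua, (n, c) in profile.items()
        if total and n / total >= min_share and c >= min_clients
    )

if __name__ == "__main__":
    for ua, n, c in dominant_user_agents(SAMPLE_LOG):
        print(f"{ua}: {n} requests from {c} clients")
```

A blanket rule against a User-Agent such as curl also blocks legitimate scripted clients and monitoring, and the header is freely chosen by the client, so treat this as a short-term measure rather than a permanent control.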
