Apache (httpd) configuration: hotlink protection and access control

Source: Internet
Author: User

I. Configuring hotlink protection

Hotlink protection restricts third-party sites from referencing images, data and other files on this server: the resources can only be fetched when the request comes from a page on this site. This also effectively reduces the load on the server's resources.

What is Referer?

Referer is a field in the HTTP request header. When the browser sends a request to the server, it includes the Referer, which tells the server which page the request was linked from; the server can then use that information when handling the request.
For example: if page http://aaa.com/a.html on site A contains a link to page http://bbb.com/b.html on site B, then the Referer that site B receives is http://aaa.com/a.html

Step 1: Modify the virtual host configuration file
[[email protected] ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
    <Directory /data/wwwroot/123test>
#       Whitelist linuxtest.com; picked up by the Allow rule below
        SetEnvIfNoCase Referer "http://linuxtest.com" local_ref
#       Whitelist a specific IP; picked up by the Allow rule below
        SetEnvIfNoCase Referer "http://120.78.56.104/" local_ref
#       Whitelist the empty Referer (the address was visited directly); picked up by the Allow rule below
        SetEnvIfNoCase Referer "^$" local_ref
#       Apply access control to txt, doc and the other listed file types
        <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
#           Allow the whitelisted referers, deny everything else
#           Order Allow,Deny: Allow rules are evaluated first, and any request that matches no Allow rule is denied
            Order Allow,Deny
#           The whitelist is every request for which local_ref was set
            Allow from env=local_ref
        </FilesMatch>
    </Directory>
[[email protected] ~]# /usr/local/apache2/bin/apachectl -t
Syntax OK
[[email protected] ~]# /usr/local/apache2/bin/apachectl graceful

II. Access control (Directory)

Restrict access to certain directories so that only specific IP addresses can reach them

Step 1: Modify the virtual host configuration file
[[email protected] ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf  # add the following
    <Directory /data/wwwroot/123test/admin/>
        Order deny,allow
#       Sets the evaluation order of Deny and Allow
        Deny from all
        Allow from 127.0.0.1
#       Only local access is allowed
    </Directory>
[[email protected] ~]# /usr/local/apache2/bin/apachectl -t
Syntax OK
[[email protected] ~]# /usr/local/apache2/bin/apachectl graceful

Step 2: Test whether it takes effect
[[email protected] ~]# curl -x 127.0.0.1:80 -e "http://linuxtest.com" linuxtest.com/admin/admintest.php -I
HTTP/1.1 200 OK
Date: Tue, 06 Mar 2018 09:40:48 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 06 Mar 2018 09:40:48 GMT
Content-Type: text/html; charset=UTF-8
# Source IP 127.0.0.1: access succeeds
[[email protected] ~]# curl -x 192.168.204.128.1:80 -e "http://linuxtest.com" linuxtest.com/admin/admintest.php -I
curl: (5) Could not resolve proxy: 192.168.204.128.1; 未知的名称或服务
[[email protected] ~]# curl -x 192.168.204.128:80 -e "http://linuxtest.com" linuxtest.com/admin/admintest.php -I
HTTP/1.1 403 Forbidden
Date: Tue, 06 Mar 2018 09:41:41 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
# Any other source IP is blocked

III. Access control (FilesMatch)

Restricting access to specified files

Step 1: Modify the configuration file
[[email protected] ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf    # add the following
<Directory /data/wwwroot/123test>
#   Restrict access to the file admin.php
    <FilesMatch  "admin.php(.*)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>
[[email protected] ~]# /usr/local/apache2/bin/apachectl -t
Syntax OK
[[email protected] ~]# /usr/local/apache2/bin/apachectl graceful

Step 2: Test
[[email protected] ~]# curl -x 127.0.0.1:80 http://linuxtest.com/admin/admintest.php?123 -I
HTTP/1.1 404 Not Found
Date: Tue, 21 Nov 2017 15:12:34 GMT
Server: Apache/2.4.28 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
# Note: the request came from an allowed IP; because the file does not exist, the status code is 404
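
The three configurations above use the Apache 2.2 Order/Allow/Deny directives, which the Apache 2.4 servers shown in the test output accept only through mod_access_compat. The following is an added example, not part of the original article, of the same rules in 2.4's Require syntax with the Referer and file-name patterns tightened. The anchored regular expressions, the https alternative and the optional-port group are assumptions about which referers the whitelist is meant to cover.

```apache
# Added example (not from the original article): Apache 2.4 syntax.
# Needs mod_setenvif, mod_authz_core and mod_authz_host.

<Directory /data/wwwroot/123test>
    # Hotlink protection.
    # The unanchored pattern "http://linuxtest.com" also matches a Referer
    # such as http://linuxtest.com.other.example/ or any URL that merely
    # contains the string. Anchor the start, escape the dots and end the
    # host at ":port", "/" or end of string.
    SetEnvIfNoCase Referer "^https?://linuxtest\.com(:[0-9]+)?(/|$)" local_ref
    SetEnvIfNoCase Referer "^https?://120\.78\.56\.104(:[0-9]+)?(/|$)" local_ref
    # Empty or absent Referer (the address was visited directly).
    SetEnvIfNoCase Referer "^$" local_ref

    # Referer is supplied by the client (curl -e sets it), so this rule
    # limits casual hotlinking; it does not authenticate anyone.
    <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
        # Replaces: Order Allow,Deny / Allow from env=local_ref
        Require env local_ref
    </FilesMatch>

    # FilesMatch tests the file name only, never the query string, so the
    # trailing "(.*)" is unnecessary. Escaping the dot and anchoring both
    # ends limits the rule to the file admin.php itself.
    <FilesMatch "^admin\.php$">
        # Replaces: Order deny,allow / Deny from all / Allow from 127.0.0.1
        Require ip 127.0.0.1
    </FilesMatch>
</Directory>

<Directory /data/wwwroot/123test/admin/>
    # Replaces: Order deny,allow / Deny from all / Allow from 127.0.0.1
    Require ip 127.0.0.1
</Directory>
```

After editing, the same `apachectl -t` and `apachectl graceful` steps apply, and the curl tests from Step 2 can be repeated to confirm the 200 and 403 results.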
