HTTPD anti-hotlinking

Source: Internet
Author: User

Configuring anti-hotlinking

Why configure anti-hotlinking

If the server is billed by traffic and other sites embed your images or other files by copying their links, every view of those pages fetches the file from your server: the traffic and bandwidth are yours, and under per-volume billing you pay every month for traffic that your own site never generated. Anti-hotlinking is configured against this kind of resource theft, so that a file link copied to a page outside the site no longer opens or displays normally.

To implement it you first need to understand how hotlinking is detected, which starts with the HTTP protocol. HTTP has a request header called Referer, which carries, as a URL, the page from which the current page or file was linked. Through Referer the web server can see the source page of an access and, for a resource file, trace the page on which it is displayed. Once the source can be traced it can be handled by technical means: when the Referer is detected not to belong to the site, the request is blocked or answered with a designated page instead. Keep in mind that Referer is supplied by the client, is optional (browsers omit it for direct visits and under some referrer policies), and can be set to any value by a script or by curl, so this is a measure against casual bandwidth theft, not an access control.

Anti-hotlinking configuration

# less extra/httpd-vhosts.conf
<Directory /usr/local/httpd/docs/123.com>
    SetEnvIfNoCase Referer "http://123.com"  local_ref
    SetEnvIfNoCase Referer "http://abcd.com" local_ref
    SetEnvIfNoCase Referer "^$"              local_ref
    <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
        Order Allow,Deny
        Allow from env=local_ref
    </FilesMatch>
</Directory>

Each SetEnvIfNoCase line sets the environment variable local_ref when the Referer header matches its regular expression, ignoring case; "^$" matches a missing or empty Referer, so direct visits and browsers that send no Referer still work. Inside the FilesMatch block, Order Allow,Deny with a single Allow from env=local_ref refuses every request for the listed file types unless that variable was set. Two caveats: the patterns are searched, not anchored, so "http://123.com" also matches a Referer such as http://123.com.example.net/ (anchor and escape the patterns if that matters), and as written they do not cover https:// or www. Referers from the site itself. On httpd 2.4 (the version used here is 2.4.33) Order/Allow/Deny are provided by mod_access_compat; the native 2.4 form of the allow line is Require env local_ref.
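To see how the three SetEnvIfNoCase lines and the env-gated Allow actually decide a request, here is an added Python simulation; it is not code from the page or from httpd. It applies the page's patterns the way mod_setenvif does, as a case-insensitive, unanchored search over the Referer with a missing header treated as an empty string, and compares them with an anchored, escaped alternative (STRICT_PATTERNS, my assumption). The sample requests and the hostnames other.example and 123.com.evil.example are constructed for the demonstration.

```python
import re

# Constructed to mirror the page's <Directory> block: the three SetEnvIfNoCase
# patterns and the FilesMatch extension list. Apache applies SetEnvIf patterns
# as a search (no implicit anchors); SetEnvIfNoCase makes it case-insensitive.
PAGE_PATTERNS = [r"http://123.com", r"http://abcd.com", r"^$"]

# Assumed tighter alternative (not from the page): anchored at the start, dots
# escaped, https and www accepted, host followed by "/" or end of string.
STRICT_PATTERNS = [r"^https?://(www\.)?(123|abcd)\.com(/|$)", r"^$"]

# The page's FilesMatch regex, applied to the file name only.
PROTECTED = re.compile(r"\.(txt|doc|mp3|zip|rar|jpg|gif|png)", re.IGNORECASE)


def local_ref_set(referer, patterns):
    """True if any SetEnvIfNoCase pattern matches the Referer.

    mod_setenvif tests an absent header as the empty string, which is what
    makes the "^$" pattern admit requests that carry no Referer at all.
    """
    value = referer if referer is not None else ""
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)


def status(path, referer, patterns=PAGE_PATTERNS):
    """Status the <FilesMatch> block yields: 200 if served, 403 if refused."""
    filename = path.rsplit("/", 1)[-1]
    if not PROTECTED.search(filename):
        return 200  # not a protected type; the Allow/Deny block is not involved
    # "Order Allow,Deny" with only "Allow from env=local_ref": the request is
    # served only when the variable was set by a matching pattern.
    return 200 if local_ref_set(referer, patterns) else 403


# Constructed sample requests: (path, Referer header, or None when absent).
SAMPLE_REQUESTS = [
    ("/girl.png", "http://123.com/index.php"),               # own site: allowed
    ("/girl.png", None),                                     # no Referer: admitted by "^$"
    ("/girl.png", "https://www.123.com/"),                   # own site over https/www: page patterns miss it
    ("/girl.png", "http://other.example/gallery"),           # foreign page: blocked
    ("/girl.png", "http://123.com.evil.example/"),           # unanchored pattern: slips through
    ("/girl.png", "http://evil.example/?u=http://123.com"),  # match anywhere: slips through
    ("/index.php", "http://other.example/"),                 # not a protected type
]


def evaluate(patterns=PAGE_PATTERNS):
    """Map each sample request to the status it would get under `patterns`."""
    return {req: status(req[0], req[1], patterns) for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, code in evaluate().items():
        strict = status(req[0], req[1], STRICT_PATTERNS)
        print(f"page={code} strict={strict}  {req[0]}  Referer={req[1]!r}")
```

Running it shows the two failure modes worth knowing about: the unanchored patterns let a hotlinker through simply by putting http://123.com somewhere in the Referer, while the site's own pages served over https or under www. are refused because the literal "http://123.com" does not occur in their Referer.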

Check that the main httpd.conf loads the modules this configuration needs: mod_setenvif for SetEnvIf and, on httpd 2.4, mod_access_compat for Order/Allow/Deny. mod_rewrite is only required if the Referer check is implemented with RewriteCond instead. If a LoadModule line is commented out, uncomment it.

# vim httpd.conf
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule access_compat_module modules/mod_access_compat.so

Check the configuration syntax, then reload httpd gracefully so the virtual host picks up the change without dropping open connections

# /usr/local/httpd/bin/apachectl -t
Syntax OK
# /usr/local/httpd/bin/apachectl graceful

Test the anti-hotlinking rule with curl, using a PNG image as the example. -x127.0.0.1:80 uses the local httpd as a proxy, so the request carries Host: 123.com; -I sends a HEAD request and prints only the response headers.

# curl -x127.0.0.1:80 123.com/girl.png -I
HTTP/1.1 403 Forbidden
Date: Mon, 30 Jul 2018 09:23:23 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.37
Content-Type: text/html; charset=iso-8859-1

The request was not accepted as coming from a page of the site, so instead of the image the server answered 403 Forbidden. Test the cases the rules are meant to distinguish explicitly: curl's -e option sets the Referer, so -e http://123.com/ should return 200 and -e http://other.example/ should return 403, and as written the "^$" rule admits a request that carries no Referer at all (curl sends none unless given -e). Because anyone can set Referer with -e, a 200 from an allowed Referer proves nothing about who the client is.

Access control by directory

Access control can restrict who reaches the back-end administration pages, for example by client IP address, so that only designated addresses may access the admin directory. Unlike the Referer check this is a real access control, because the client address comes from the TCP connection rather than from a client-supplied header; it is only as trustworthy as the network path, though, since behind a reverse proxy or load balancer every client appears to come from the proxy's address.

Only 127.0.0.1 is allowed to access the content under /usr/local/httpd/docs/123.com/admin/; no other host may access anything in that directory. Order deny,allow: the Deny directives are evaluated first, then the Allow directives, so everything is refused first and some clients are admitted afterwards; a client matching both, or neither, is allowed. Deny from all: refuse every client. Allow from: admit the listed addresses.

<Directory /usr/local/httpd/docs/123.com/admin/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>

The order matters: with Order allow,deny and the same two directives, a client matching both is denied, so 127.0.0.1 would be locked out as well. On httpd 2.4 the native equivalent of this block is Require ip 127.0.0.1.

Verifying the access control restriction

# cd /usr/local/httpd/docs/123.com/
# ls
girl.png  index.php
# mkdir admin
# echo "1234556677" > admin/1.html
# curl -x127.0.0.1:80 123.com/admin/1.html
1234556677
# curl -x192.168.1.223:80 www.123.com/admin/1.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

The first request goes over the loopback interface, so httpd sees the client address 127.0.0.1 and serves the file. The second connects to the server's LAN address 192.168.1.223, so the client address is 192.168.1.223 and the response is the HTML of the 403 Forbidden error page (only its first line is shown).
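As an added example, not taken from the page or from httpd, the following Python function reproduces the decision rule of Apache's 2.2-style host access control so that the effect of Order can be checked without a server: the page's admin block is evaluated for the two client addresses used in the test above, then again with the order reversed, which also locks out 127.0.0.1. The CIDR support and the 192.168.1.0/24 sample are my additions.

```python
import ipaddress


def _covers(spec, client_ip):
    """Does one 'Allow from' / 'Deny from' argument cover client_ip?

    Models "all", a single address and a CIDR network. Apache also accepts
    partial addresses and host names, which are not modelled here (assumption).
    """
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)


def access_allowed(order, deny, allow, client_ip):
    """Apache 2.2-style (mod_access_compat) Order/Deny/Allow evaluation.

    order: "deny,allow" or "allow,deny"
    deny / allow: the arguments of the Deny from / Allow from directives
    """
    denied = any(_covers(s, client_ip) for s in deny)
    allowed = any(_covers(s, client_ip) for s in allow)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        # Deny is evaluated first, Allow second: a client matching both is
        # allowed, and a client matching neither is allowed as well.
        return allowed or not denied
    if order == "allow,deny":
        # Allow first, Deny second: a client matching both is denied, and a
        # client matching neither is denied as well.
        return allowed and not denied
    raise ValueError(f"unsupported Order: {order}")


# The page's admin block: Order deny,allow / Deny from all / Allow from 127.0.0.1
PAGE_ADMIN = {"order": "deny,allow", "deny": ["all"], "allow": ["127.0.0.1"]}

# The same directives with the order reversed (constructed to show the lockout).
REVERSED = {"order": "allow,deny", "deny": ["all"], "allow": ["127.0.0.1"]}

# Constructed: the same whitelist extended to the LAN with a CIDR network.
LAN_ADMIN = {"order": "deny,allow", "deny": ["all"], "allow": ["127.0.0.1", "192.168.1.0/24"]}


def verdicts(rules, clients=("127.0.0.1", "192.168.1.223")):
    """HTTP status each client address would get: 200 if allowed, 403 if refused."""
    return {ip: (200 if access_allowed(client_ip=ip, **rules) else 403) for ip in clients}


if __name__ == "__main__":
    print("page config   :", verdicts(PAGE_ADMIN))  # {'127.0.0.1': 200, '192.168.1.223': 403}
    print("order reversed:", verdicts(REVERSED))    # {'127.0.0.1': 403, '192.168.1.223': 403}
    print("lan whitelist :", verdicts(LAN_ADMIN))   # {'127.0.0.1': 200, '192.168.1.223': 200}
```

The reversed case is the classic mistake: Order allow,deny with Deny from all denies everyone, whatever the Allow line says, because a client matching both directives is denied under that order. With no Deny line at all, Order allow,deny plus a single Allow from works as a whitelist too, since clients matching neither directive are denied.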
Access control with FilesMatch

FilesMatch applies access control by file name rather than by directory. Here only the loopback address may fetch the matched page; the stated goal is that the restricted page cannot be reached from another host by typing a modified address, with extra characters appended, into the browser. Note what FilesMatch actually tests: the regular expression is matched against the name of the file being served, not against the URL, and the query string (everything after "?") is not part of the file name. So 1.html?while is restricted because the file is 1.html, and the trailing (.*) in the pattern adds nothing; at the same time the unanchored pattern with an unescaped dot also matches file names such as x1.html or 1xhtml, so anchor and escape it if only that one file is meant.

<Directory /usr/local/httpd/docs/123.com>
    <FilesMatch 1.html(.*)>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>

Verify: from 192.168.1.223 the restricted page is refused whether or not anything is appended to its address, from 127.0.0.1 it is served, and an unrestricted page such as index.php can still be requested with extra characters (a query string) from any host. View the page content:

# curl -x127.0.0.1:80 www.123.com/admin/1.html?while
1234556677
# curl -x192.168.1.223:80 www.123.com/admin/1.html?while
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
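The following added Python example, which is not code from the page or from httpd, shows what FilesMatch is actually comparing: the regular expression runs against the file name, so the query string is removed first and only the last path component is kept. The page's pattern is set beside an anchored, escaped alternative (STRICT_RULE, my assumption) over a few constructed URLs, using the two client addresses from the page's test.

```python
import re
from urllib.parse import urlsplit

ADMIN_CLIENT = "127.0.0.1"               # the only address the page's block allows
LAN_CLIENT = "192.168.1.223"             # the LAN address used in the page's test

PAGE_RULE = re.compile(r"1.html(.*)")    # the page's <FilesMatch 1.html(.*)>
STRICT_RULE = re.compile(r"^1\.html$")   # assumed tighter alternative: exact file name


def filename_of(url):
    """The file name FilesMatch sees: last path component, query string dropped."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def filesmatch_applies(url, rule):
    """FilesMatch is a regex search over the file name, not over the whole URL."""
    return rule.search(filename_of(url)) is not None


def status(url, client_ip, rule=PAGE_RULE):
    """200 if served, 403 if the Deny from all / Allow from 127.0.0.1 block refuses."""
    if filesmatch_applies(url, rule) and client_ip != ADMIN_CLIENT:
        return 403
    return 200


# Constructed sample URLs.
SAMPLE_URLS = [
    "http://www.123.com/admin/1.html",        # restricted page
    "http://www.123.com/admin/1.html?while",  # query string is not part of the file name
    "http://www.123.com/admin/x1.html",       # the unanchored page pattern also catches this
    "http://www.123.com/admin/1xhtml",        # the unescaped "." in the page pattern is a wildcard
    "http://www.123.com/index.php?while",     # unrestricted page: query string is fine
]


def compare(client_ip=LAN_CLIENT):
    """Status per URL as (page pattern, strict pattern) for one client address."""
    return {u: (status(u, client_ip, PAGE_RULE), status(u, client_ip, STRICT_RULE))
            for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (page, strict) in compare().items():
        print(f"page={page} strict={strict}  {url}")
```

From the LAN address both patterns refuse 1.html with or without ?while, which is the behaviour the page observed; the difference is that the page's pattern also locks x1.html and 1xhtml, files it was never meant to cover, while the anchored pattern restricts exactly the one file.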
