Linux Learning Summary (37): LAMP, forbidding PHP parsing, user_agent access control, PHP related configuration

Source: Internet
Author: User
Tags: phpinfo

I. Prohibit PHP parsing in a directory

To make a site harder to compromise, we want to stop an attacker from uploading a disguised malicious file (a PHP web shell, for example) into a writable directory and having the server execute it to steal server resources. The defence is to forbid PHP parsing in such directories, for example the upload directory.
The core configuration is:

    <Directory /data/wwwroot/www.123.com/upload>
        php_admin_flag engine off
    </Directory>

Add this block to the virtual host configuration file, check the syntax with apachectl -t, then reload with apachectl graceful.

Testing shows that a 123.php placed elsewhere is parsed normally, while the same file placed in the upload directory is returned as plain source code rather than executed.

II. User-agent access control

The user agent (UA) is a request header string that lets the server identify the client's operating system and version, CPU type, browser and version, rendering engine, browser language, browser plugins, and so on.
Before configuring user-agent restrictions, let's look at what the user agent and referer look like in the access log for a browser visit and for a curl visit. First visit with a browser:

"http://ask.apelearn.com/question/17964" is the referer; the long string Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36 is the user agent.
Now visit with curl: -e sets the referer and -A sets the user agent. Here "lvlinux" is an arbitrary string standing in for a crawler's user agent.

curl -x127.0.0.1:80 -e "http://www.baidu.com" -A "lvlinux" 123.com
curl -x127.0.0.1:80 123.com


Comparing the two access log entries: the first records the referer http://www.baidu.com and the user agent lvlinux; the second records an empty referer and the user agent curl/7.29.0.
To restrict access by user_agent, the core configuration is as follows:

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
        RewriteRule  .*  -  [F]
    </IfModule>
    NC means the match is case-insensitive, OR joins the two conditions with a logical "or", and F returns 403 Forbidden.

curl -A "123123" sets the user_agent.
Run the following three curl commands separately and compare the results:

curl -x127.0.0.1:80 123.com -I
curl -A "baidu.com" -x127.0.0.1:80 123.com -I


curl -A "sfsdf" -x127.0.0.1:80 123.com -I
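As an added example (not part of the original post), the following POSIX shell script replays the two RewriteCond patterns from the configuration above against a few constructed access-log lines in Apache's combined format. It shows which of the sample requests the rule would answer with 403, and the same functions can be pointed at a real access log to find the hits the rule is blocking. The log lines, the IP and the timestamps are made up for this example.

```shell
#!/bin/sh
# Added example: replay the page's two RewriteCond patterns against constructed
# access-log lines (combined format) and report which requests the rule forbids.

# [NC] on both conditions -> case-insensitive match (grep -i);
# [OR] between them     -> one alternation in the regex.
# The leading/trailing .* in the RewriteCond patterns add nothing to a
# substring match, so they are dropped here.
UA_BLOCK_RE='curl|baidu\.com'

# Constructed sample log: what the log looked like before the rule existed.
SAMPLE_LOG='127.0.0.1 - - [10/Jan/2018:10:00:01 +0800] "GET / HTTP/1.1" 200 12 "http://www.baidu.com" "lvlinux"
127.0.0.1 - - [10/Jan/2018:10:00:02 +0800] "GET / HTTP/1.1" 200 12 "-" "curl/7.29.0"
127.0.0.1 - - [10/Jan/2018:10:00:03 +0800] "HEAD / HTTP/1.1" 200 - "-" "baidu.com"
127.0.0.1 - - [10/Jan/2018:10:00:04 +0800] "HEAD / HTTP/1.1" 200 - "-" "sfsdf"
127.0.0.1 - - [10/Jan/2018:10:00:05 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"'

# ua_of LOG_LINE -> the User-Agent field (the last quoted field in combined format)
ua_of() {
    printf '%s\n' "$1" | sed 's/.*"\([^"]*\)"$/\1/'
}

# ua_blocked UA -> exit status 0 if the rewrite rule would return 403 for this UA
ua_blocked() {
    printf '%s\n' "$1" | grep -qiE "$UA_BLOCK_RE"
}

# blocked_requests -> prints every sample log line the rule would forbid
blocked_requests() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        if ua_blocked "$(ua_of "$line")"; then
            printf '%s\n' "$line"
        fi
    done
}

# count_blocked -> number of sample requests the rule would forbid
count_blocked() {
    blocked_requests | awk 'END { print NR }'
}

echo "Requests the User-Agent rule would answer with 403:"
blocked_requests
echo "Total: $(count_blocked) of $(printf '%s\n' "$SAMPLE_LOG" | awk 'END { print NR }')"
```

Of the five sample lines only the curl/7.29.0 and baidu.com requests match; lvlinux, sfsdf and the Chrome browser pass. Because the User-Agent header is chosen by the client, this rule only filters tools and crawlers that announce themselves honestly, which is exactly what the third curl test above (with -A "sfsdf") demonstrates; it is a nuisance filter, not a trust boundary, and the directory-level PHP restrictions in the other sections still carry the real protection.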

III. PHP related configuration

First find the PHP configuration file.
We copied php.ini into place when PHP was installed.
However, two versions of PHP are installed, so to see which php.ini the current Apache is actually using, view the phpinfo() page in the browser; the "Loaded Configuration File" line shows it directly.

Now edit that file and make the following settings.
1. Disable some functions. This is very effective at limiting what an uploaded web shell can do.
Search for disable_functions and add the following list:
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,stream_socket_server,proc_open,proc_close,phpinfo
(Note that eval is a language construct rather than a function, so listing it in disable_functions has no effect.)
After apachectl graceful, opening the phpinfo test page in the browser now shows:
Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/www.123.com/345.php on line 2
2. Turn off display of error messages on the page
Error messages expose the site's directory layout, which we do not want shown to visitors. Continue editing the configuration file:
display_errors = Off
Now accessing the test page produces no output at all.
3. Define the error log
To be able to locate PHP parsing failures later, define a separate error log for PHP.
Search for log_errors and change it to:
log_errors = On
Search for error_log and set the log file location (the directory must exist and be writable by the user Apache runs as, otherwise nothing is written):
error_log = /var/log/php/php_errors.log
Then search for error_reporting and set the level of errors to be logged, choosing from the options listed in the comments:
error_reporting = E_ALL & ~E_NOTICE
Following the comments, this format records everything except notices.
4. Define the time zone
After the log configuration, search for date.timezone and set the time zone, which prevents some warnings in the error log:
date.timezone = Asia/Shanghai
5. Define open_basedir
To limit the damage when one site is compromised, and to prevent the attacker from moving on to the other sites on the same server, we need an isolation directory per website so the loss is contained in time. There is an open_basedir setting inside php.ini, but it can only apply one restriction to all PHP sites together. For a single site, define it in the Apache virtual host configuration file, that is, add the corresponding directive inside the corresponding virtual host.
For ease of testing, we use a subdirectory onlyphp to show its effect:
php_admin_value open_basedir "/data/wwwroot/123.com/onlyphp/:/tmp/"
curl -x127.0.0.1:80 http://123.com/123.php -I

curl -x127.0.0.1:80 http://123.com/onlyphp/123.php -I

Note that this setting only restricts PHP, that is, which files a parsed PHP script may access; it does not restrict access to other files such as HTML. The example above only illustrates how open_basedir works; in practice we do not restrict a site to a subdirectory like this. Instead, each virtual host gets its own open_basedir so that the PHP of each site is isolated from the others: for www.123.com we set open_basedir to /data/wwwroot/123.com/:/tmp/, and for www.abc.com to /data/wwwroot/abc.com/:/tmp/, rather than putting site data directly under the wwwroot directory. The /tmp/ entry is included so that data can be cached and uploads such as images can be written.
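As an added example (not from the original post), the following POSIX shell script audits a php.ini for the settings changed in steps 1 to 4 above: display_errors off, log_errors on, an error_log path, a date.timezone, and a disable_functions list that covers the process-execution functions and phpinfo. Its php.ini parser ignores commented-out lines and inline comments, which is what trips up a naive grep. The two php.ini files it checks are constructed inline: one left at permissive values and one after the changes in this section.

```shell
#!/bin/sh
# Added example: audit a php.ini for the hardening settings described above.
# The two sample php.ini files below are constructed for this example.

# Functions whose presence in disable_functions is required by this audit.
# (eval is a language construct and cannot be disabled, so it is not listed.)
REQUIRED_DISABLED="exec system shell_exec passthru popen proc_open phpinfo"

# ini_get FILE KEY -> value of the last uncommented "KEY = value" line, or empty.
# Lines starting with ';' are comments; an inline ';' starts a trailing comment.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
        | tail -n 1
}

# lc STRING -> STRING in lower case (php.ini accepts On/on/1, Off/off/0)
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# has_function LIST NAME -> exit 0 if NAME appears in the comma-separated LIST
has_function() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qx "$2"
}

# audit_php_ini FILE -> prints one line per finding; prints nothing when clean
audit_php_ini() {
    f="$1"
    case "$(lc "$(ini_get "$f" display_errors)")" in
        off|0) ;;
        *) echo "display_errors is not Off: error pages leak file paths" ;;
    esac
    case "$(lc "$(ini_get "$f" log_errors)")" in
        on|1) ;;
        *) echo "log_errors is not On: PHP errors are not recorded" ;;
    esac
    [ -n "$(ini_get "$f" error_log)" ] || echo "error_log path is not set"
    [ -n "$(ini_get "$f" 'date\.timezone')" ] || echo "date.timezone is not set"
    dis=$(ini_get "$f" disable_functions)
    for fn in $REQUIRED_DISABLED; do
        has_function "$dis" "$fn" || echo "disable_functions does not list $fn"
    done
}

# count_findings FILE -> number of findings audit_php_ini reports for FILE
count_findings() {
    audit_php_ini "$1" | awk 'END { print NR }'
}

WEAK_INI=$(mktemp)
HARD_INI=$(mktemp)
trap 'rm -f "$WEAK_INI" "$HARD_INI"' EXIT

cat > "$WEAK_INI" <<'EOF'
; constructed example: a php.ini left at permissive values
[PHP]
display_errors = On
log_errors = Off
disable_functions =
EOF

cat > "$HARD_INI" <<'EOF'
; constructed example: a php.ini after the changes in this section
[PHP]
;display_errors = On
display_errors = Off
log_errors = On
error_log = /var/log/php/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
date.timezone = Asia/Shanghai
disable_functions = popen,passthru,exec,system,shell_exec,proc_open,proc_close,phpinfo ; keep in sync with the list above
EOF

for f in "$WEAK_INI" "$HARD_INI"; do
    echo "== $f: $(count_findings "$f") finding(s)"
    audit_php_ini "$f"
done
```

Run it against the real file instead of the samples with `audit_php_ini /path/to/php.ini`; the path to check is the "Loaded Configuration File" from phpinfo(), since with two PHP versions installed the other php.ini is the one Apache is not reading.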
