Prohibiting PHP parsing in certain directories and restricting access by client identity in PHP and httpd

Source: Internet
Author: User
Tags: php definition, php template

Prohibit a directory from parsing PHP syntax

Why a directory should not parse PHP
If a website's document root contains a directory of static files, that directory should be forbidden from parsing PHP. Such a directory usually holds uploaded pictures and similar files; if PHP is parsed there, someone could upload a file whose name ends in an image extension but whose content is actually PHP. Requesting that file in a browser would then execute the PHP, and if the file carries malicious code the attacker is very likely to end up with root privileges.
Add the following to the virtual host configuration file:

<Directory /usr/local/httpd/docs/123.com/imges>
    php_admin_flag engine off
    #<FilesMatch (.*)\.php(.*)>
    #    Order allow,deny
    #    Deny from all
    #</FilesMatch>
</Directory>

The commented-out FilesMatch block would refuse access to any file ending in .php. Here we do not want PHP pages to return 403; we only want them not to be parsed, so only the php_admin_flag directive is configured. Save the file and reload the configuration:

[[email protected] extra]# /usr/local/httpd/bin/apachectl -t
Syntax OK
[[email protected] extra]# /usr/local/httpd/bin/apachectl graceful

Restricting access by client browser identity (User-Agent)

The User-Agent is an identity string that the user's browser sends with each request; every visit to the site records it in the access log. Blocking certain client identities keeps out traffic that is of no value to the site, such as crawlers and similar tools, and analysing these log entries helps judge how safe the site's traffic is.
Add User-Agent filtering to the virtual host configuration file. NC means the match is case-insensitive, and OR joins conditions: when several User-Agent patterns are to be matched, every condition except the last must carry OR.

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
    RewriteRule .* - [F]
</IfModule>

Reload the configuration:

[[email protected] extra]# /usr/local/httpd/bin/apachectl -t
Syntax OK
[[email protected] extra]# /usr/local/httpd/bin/apachectl graceful

Test access with curl (whose User-Agent matches the first condition) and check the access log; the response is httpd's 403 page:

[[email protected] extra]# curl -x127.0.0.1:80 www.123.com
<!DOCTYPE HTML PUBLIC "-//ietf//dtd HTML 2.0//en">
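To verify the rule against real traffic before and after deploying it, the same two patterns can be run over the access log. This is an added example, not code from the original post; the log lines are constructed for the example.

```python
import re

# Constructed sample of Apache combined-format access log lines (not from the page).
SAMPLE_LOG = """\
127.0.0.1 - - [10/Aug/2018:10:00:01 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"
10.0.0.5 - - [10/Aug/2018:10:00:02 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/61.0"
10.0.0.9 - - [10/Aug/2018:10:00:03 +0800] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
10.0.0.7 - - [10/Aug/2018:10:00:04 +0800] "GET /a.php HTTP/1.1" 403 199 "-" "CURL/7.61.0"
"""

# The two patterns from the page's RewriteCond lines. RewriteCond regexes are
# unanchored (a search, not a full match) and [NC] makes them case-insensitive.
BLOCKED_UA_PATTERNS = [
    re.compile(r".*curl.*", re.IGNORECASE),
    re.compile(r".*baidu.com.*", re.IGNORECASE),
]

# Combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_blocked_ua(user_agent):
    """True if the User-Agent would hit either RewriteCond (OR-joined, case-insensitive)."""
    return any(p.search(user_agent) for p in BLOCKED_UA_PATTERNS)


def blocked_requests(log_text):
    """Entries whose User-Agent matches the block list; a 200 here means the rule
    was not yet active for that request, a 403 means it fired."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry and is_blocked_ua(entry["ua"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in blocked_requests(SAMPLE_LOG):
        print(e["ip"], e["status"], e["ua"])
```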

httpd virtual host: restricting the directories a site may access
If a virtual host's directory is accessed illegitimately, this configuration stops the intruder from reaching other directories from it. Each virtual host needs its own directory defined in the httpd virtual host configuration file. /tmp is the temporary-file directory: if /tmp is excluded, an image upload cannot even write its temporary file, so pictures and other files can no longer be stored.

<VirtualHost *:80>
    DocumentRoot "/usr/local/httpd/docs/123.com"
    ServerName 123.com
    ServerAlias www.123.com
    # configuration restricting the directories this virtual host may access
    php_admin_value open_basedir "/usr/local/httpd/docs/123.com:/tmp"
</VirtualHost>
PHP Configuration

Tell httpd which php.ini to use. By default you can find out which configuration file PHP loads by writing a page that calls phpinfo() and opening it, for example:

<?php phpinfo(); ?>

On the phpinfo() page, the "Configuration File (php.ini) Path" entry shows the directory PHP searches for its configuration file, and the "Loaded Configuration File" entry shows the php.ini actually in use.

If "Loaded Configuration File" shows no path, copy the PHP template configuration file into PHP's etc directory and reload httpd so that it reloads the PHP module:

[[email protected] local]# cp src/php-7.2.8/php.ini-production /usr/local/php7/etc/php.ini
[[email protected] local]# /usr/local/httpd/bin/apachectl -t
Syntax OK
[[email protected] local]# /usr/local/httpd/bin/apachectl graceful

Configuring php.ini

[[email protected] local]# vim /usr/local/php7/etc/php.ini

Disable dangerous functions with disable_functions

disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,stream_socket_server,proc_open,proc_close

Setting the PHP time zone: date.timezone

[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = Asia/Shanghai

Error logging
log_errors turns the error log on. error_log is the log file path; that path must be writable by the httpd user (daemon), otherwise nothing is logged.
error_reporting sets the logging level; E_ALL & ~E_NOTICE (all errors except notices) is the commonly used level.

log_errors = On
error_log = /tmp/php_errors.log
error_reporting = E_ALL

PHP configuration: open_basedir, restricting PHP to a single directory
open_basedir confines PHP to the listed directory. If a virtual host's directory is accessed illegitimately, this setting prevents the intruder from escaping it to reach other directories.

open_basedir = /usr/local/httpd/docs/123.com/
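A misspelled name in disable_functions is ignored silently, so it is worth auditing the php.ini after editing. The following checker, an added example that is not part of the original post, parses a constructed php.ini excerpt and reports typos, duplicates, missing entries and whether the logging and open_basedir settings above are present; the required and known name sets are drawn from the page's own list.

```python
# Constructed php.ini excerpt mirroring the page's settings. One entry is deliberately
# misspelled ("escapeshllarg") and one is duplicated ("popen") so the audit has work to do.
SAMPLE_INI = """\
; hardening excerpt (constructed for this example)
[PHP]
disable_functions = eval,exec,system,shell_exec,escapeshllarg,proc_open,popen,popen
open_basedir = /usr/local/httpd/docs/123.com/
log_errors = On
error_log = /tmp/php_errors.log
error_reporting = E_ALL
"""

# Names a locked-down php.ini is expected to list (a subset of the page's list).
REQUIRED = {"exec", "system", "shell_exec", "passthru", "proc_open", "popen"}
# Correct spellings of the functions the page names; anything outside this set is a typo.
KNOWN = REQUIRED | {
    "assert", "escapeshellarg", "escapeshellcmd", "chroot", "scandir", "chgrp", "chown",
    "proc_get_status", "ini_alter", "ini_restore", "dl", "pfsockopen", "openlog", "syslog",
    "readlink", "symlink", "stream_socket_server", "proc_close",
}
# eval is a language construct, not a function, so disable_functions cannot disable it.
CONSTRUCTS = {"eval"}


def parse_ini(text):
    """Minimal php.ini reader: key = value pairs; ';' comments and [sections] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit(settings):
    """Check disable_functions plus the open_basedir and log_errors settings."""
    names = [n.strip() for n in settings.get("disable_functions", "").split(",") if n.strip()]
    listed = set(names)
    return {
        "missing": REQUIRED - listed,
        "unknown": listed - KNOWN - CONSTRUCTS,
        "duplicates": {n for n in names if names.count(n) > 1},
        "constructs": listed & CONSTRUCTS,
        "open_basedir_set": bool(settings.get("open_basedir")),
        "log_errors_on": settings.get("log_errors", "").lower() == "on",
    }


if __name__ == "__main__":
    for key, value in audit(parse_ini(SAMPLE_INI)).items():
        print(key, value)
```

Point parse_ini at the real file (for example /usr/local/php7/etc/php.ini) to audit a live configuration.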

A restriction in php.ini names one directory, so it serves a single virtual host. To restrict several virtual hosts, php.ini cannot do it; each site's directory must be defined in the httpd virtual host configuration file instead. /tmp is the temporary-file directory: if /tmp is excluded, an image upload cannot even write its temporary file, so pictures and other files can no longer be stored.

php_admin_value open_basedir "/usr/local/httpd/docs/123.com:/tmp"
