Disabling PHP parsing in a directory, restricting user_agent, PHP's configuration file, and PHP's dynamic extension modules

Source: Internet
Author: User

1. Disable PHP parsing in a directory (users can upload files or images to some directories, and a malicious user may upload other kinds of files):
Edit: /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

Add:

<Directory /var/www/222/upload>
    php_admin_flag engine off
</Directory>

Create the directory: mkdir -p /var/www/222/upload
Write a PHP file: echo "<?php phpinfo(); ?>" > /var/www/222/upload/index.php
Check syntax: /usr/local/apache2.4/bin/apachectl -t


Restart Apache, then access the file to test:

Other files in the upload directory can still be accessed without any problem:

The main purpose of disabling PHP parsing in the file upload directory, or prohibiting access to it, is to prevent malicious users from uploading Trojans. (Note: PHP files must not be placed in a directory that stores static files.)

2. Restrict user_agent (the user agent can be understood as the identity of the browser; if you encounter a CC attack, you can block the attacker's user agent)

Edit: /usr/local/apache2.4/conf/extra/httpd-vhosts.conf and add:

<IfModule mod_rewrite.c>
    RewriteEngine on
    # NC ignores case; OR means "or", joining this condition to the next one
    RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
    # F means Forbidden
    RewriteRule .* - [F]
</IfModule>

Check the configuration file, restart, and test access:

View the access log:

In this way, malicious attacks can be prevented to some extent.

curl options used in the test: -I shows only the status information, -A specifies the User-Agent, and -x specifies the target IP:port directly (so no hosts entry is needed).
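
As an added example (not part of the original article), the following shell functions reproduce the two RewriteCond patterns with grep and compare their verdict with the status code recorded in the access log. The log lines are constructed sample data, and ua_blocked and check_log are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not from the original article. Log lines are constructed
# sample data in Apache "combined" format; helper names are hypothetical.
SAMPLE_LOG='192.0.2.10 - - [01/Jan/2024:10:00:00 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [01/Jan/2024:10:00:01 +0800] "HEAD / HTTP/1.1" 403 - "-" "curl/7.29.0"
192.0.2.12 - - [01/Jan/2024:10:00:02 +0800] "GET / HTTP/1.1" 403 199 "-" "CURL-like client"
192.0.2.13 - - [01/Jan/2024:10:00:03 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; +http://www.baidu.com/search/spider.html)"
192.0.2.14 - - [01/Jan/2024:10:00:04 +0800] "GET / HTTP/1.1" 200 512 "-" "Wget/1.14 (linux-gnu)"'

# Exit status 0 if the rule's two conditions match this User-Agent.
# grep -i mirrors [NC]; the two -e patterns mirror the [OR] chain.
# ".*curl.*" is unanchored, so it is equivalent to plain "curl"; the dot in
# "baidu.com" is unescaped in the rule and therefore matches any character.
ua_blocked() {
    printf '%s\n' "$1" | grep -Eiq -e 'curl' -e 'baidu.com'
}

# Read log lines on stdin and print one verdict per request:
#   OK        no conflict between the rule and the logged status
#   MISMATCH  the User-Agent matches the rule but the status is not 403
#             (for example, the request was served by another virtual host)
check_log() {
    while IFS= read -r line; do
        ua=$(printf '%s\n' "$line" | awk -F'"' '{ print $6 }')
        status=$(printf '%s\n' "$line" | awk -F'"' '{ split($3, f, " "); print f[1] }')
        if ua_blocked "$ua" && [ "$status" != "403" ]; then
            printf 'MISMATCH %s %s\n' "$status" "$ua"
        else
            printf 'OK %s %s\n' "$status" "$ua"
        fi
    done
}

printf '%s\n' "$SAMPLE_LOG" | check_log
```

On a real server, feed the virtual host's own access log to check_log instead of SAMPLE_LOG.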

3. PHP's configuration file: its location can be viewed via PHP's phpinfo() function; it is, of course, in the directory that was specified at installation time.

Locate the path and then make the configuration changes:

Set the time zone: date.timezone
Change it to: date.timezone = Asia/Shanghai or: date.timezone = Asia/Chongqing

Then, disable some functions:
disable_functions =
Change it to: disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close

Access the page:

To keep this from being shown, set: display_errors
Change it to: display_errors = Off


Restart Apache: /usr/local/apache2.4/bin/apachectl graceful
Then visit again:

Set up the error log in the php.ini file: the page now shows no sign of any problem (the cause cannot be found), so you have to check the log.

Turn on the error log: log_errors = On

Set the path to the error log: error_log = /tmp/php_errors.log

Set the error log level: error_reporting = E_ALL & ~E_DEPRECATED

Then restart and access the page.

View the log:

It is important to note that the relevant user must have access rights to the directory where the log is stored.
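
The php.ini settings from this section can be checked in one pass. The following is an added example, not part of the original article: SAMPLE_INI is constructed sample data, ini_value and audit_ini are hypothetical helper names, and the required functions are a subset of the disable_functions list above.

```sh
#!/bin/sh
# Added example, not from the original article. SAMPLE_INI is constructed
# sample data; ini_value and audit_ini are hypothetical helper names.
SAMPLE_INI='[PHP]
display_errors = On
disable_functions =
disable_functions = exec,system,shell_exec,passthru,popen,proc_open
display_errors = Off
log_errors = On
error_log = /tmp/php_errors.log
;error_log = syslog
error_reporting = E_ALL & ~E_DEPRECATED'

# ini_value NAME < php.ini : print the effective value of a directive.
# ";" comment lines are skipped and the last assignment wins.
ini_value() {
    awk -v key="$1" '
        /^[ \t]*;/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)
            if (name == key) { found = 1; last = val }
        }
        END { if (found) print last }'
}

# audit_ini < php.ini : print one FAIL line per setting that differs from
# this section; the exit status is 1 if anything failed.
audit_ini() {
    ini=$(cat); rc=0
    de=$(printf '%s\n' "$ini" | ini_value display_errors | tr 'A-Z' 'a-z')
    le=$(printf '%s\n' "$ini" | ini_value log_errors | tr 'A-Z' 'a-z')
    el=$(printf '%s\n' "$ini" | ini_value error_log)
    df=$(printf '%s\n' "$ini" | ini_value disable_functions | tr -d ' ')
    case $de in off|0|false|no) ;; *) echo "FAIL display_errors=$de"; rc=1 ;; esac
    case $le in on|1|true|yes) ;; *) echo "FAIL log_errors=$le"; rc=1 ;; esac
    [ -n "$el" ] || { echo "FAIL error_log is not set"; rc=1; }
    for fn in exec system shell_exec passthru popen proc_open; do
        case ",$df," in *",$fn,"*) ;; *) echo "FAIL $fn missing from disable_functions"; rc=1 ;; esac
    done
    return $rc
}

printf '%s\n' "$SAMPLE_INI" | audit_ini && echo "php.ini matches this section"
```

To audit the real file, run audit_ini with the php.ini path reported by phpinfo() as its standard input.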

To restrict PHP file activity to the site's own directory, set open_basedir = dir_name: (for example, if the site is compromised, the intruder may try to reach further, but is confined to this directory)


But set this way, every site is limited to the dir_name directory, so it is of little use.
So change only the virtual host configuration file instead: /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
Add:
php_admin_value open_basedir "/var/www/222/:/tmp/" (prevents an intruder from expanding further after a compromise)

Check the configuration, restart, and visit:

Then change it to the correct setting:

The access restriction for this directory is now set.
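
Both vhost settings from this article (the php_admin_flag engine off block in section 1 and the open_basedir line above) can be confirmed by reading the configuration file. This is an added example, not part of the original article: SAMPLE_VHOST is constructed, its static directory is hypothetical, and engine_report and open_basedir_of are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not from the original article. SAMPLE_VHOST is constructed
# and modelled on the vhost edited above; the "static" directory and the
# helper names are hypothetical.
SAMPLE_VHOST='<VirtualHost *:80>
    DocumentRoot "/var/www/222"
    php_admin_value open_basedir "/var/www/222/:/tmp/"
    <Directory /var/www/222/upload>
        php_admin_flag engine off
    </Directory>
    <Directory "/var/www/222/static">
        Require all granted
    </Directory>
</VirtualHost>'

# engine_report < vhost.conf : print "<path> engine=off|on" for every
# <Directory> block. Directive names are compared case-insensitively.
engine_report() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<directory[ \t]/ {
            path = $0
            sub(/^[ \t]*<[A-Za-z]+[ \t]+"?/, "", path)
            sub(/"?[ \t]*>[ \t]*$/, "", path)
            state = "on"; inside = 1; next
        }
        inside && line ~ /^[ \t]*php_admin_flag[ \t]+engine[ \t]+off[ \t]*$/ { state = "off" }
        inside && line ~ /^[ \t]*<\/directory>/ { print path, "engine=" state; inside = 0 }
    '
}

# open_basedir_of < vhost.conf : print the colon-separated path list set
# with php_admin_value, or nothing if the vhost does not set it.
open_basedir_of() {
    awk 'tolower($1) == "php_admin_value" && tolower($2) == "open_basedir" {
             v = $3; gsub(/"/, "", v); print v }'
}

printf '%s\n' "$SAMPLE_VHOST" | engine_report
printf 'open_basedir: %s\n' "$(printf '%s\n' "$SAMPLE_VHOST" | open_basedir_of)"
```

A directory reported as engine=on still parses PHP, so it is one where uploaded or static files need the attention described in section 1.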

4. PHP dynamic extension modules:

For example, add the phpredis module:
Download phpredis: wget -c https://codeload.github.com/phpredis/phpredis/zip/develop
Rename: mv develop phpredis-develop.zip
Decompress: unzip phpredis-develop.zip
Enter the directory: cd phpredis-develop/
Run: /usr/local/php56/bin/phpize (run it inside this directory; its purpose is to generate the configure file)
Configure: ./configure --with-php-config=/usr/local/php56/bin/php-config
Compile and install: make && make install
Edit: vim /usr/local/php56/etc/php.ini
Add: extension=redis.so
View: /usr/local/php56/bin/php -m | grep redis

If redis appears in the output, the module loaded successfully.

For other modules: if the module is included in the PHP source package, you can run the same installation steps in its directory under ext.
