Restricting a directory against parsing PHP
Forbidding PHP parsing in a directory is very useful and is used a lot when hardening a site.
For example, some directories accept uploaded files; to prevent whatever is uploaded there from being executed as PHP, we forbid PHP parsing for that directory.
Test target: prevent PHP from being parsed in the yang directory of mm.com
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
Add the following content
<Directory /data/wwwroot/mm.com/yang>
    php_admin_flag engine off
</Directory>
![](http://i2.51cto.com/images/blog/201806/02/0e26419c6e77ca3c9c32ff38d10225d9.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
Then create the yang directory under the mm.com directory and create an index.php file in it
mkdir /data/wwwroot/mm.com/yang
Creates the folder yang
vim /data/wwwroot/mm.com/yang/index.php
Creates an index.php file
In index.php, add the following:
<?php echo "帅陽陽";
Then check the configuration syntax and reload Apache
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
Test with curl
curl -x192.168.71.131:80 mm.com/yang/index.php
You can see that PHP is not parsed: the source code is output directly.
Showing the source is not very friendly, so we can deny access to these files outright instead.
Edit the virtual host configuration file
Add the following content
<Directory /data/wwwroot/mm.com/yang>
    php_admin_flag engine off
    <FilesMatch (.*)\.php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
Then check the configuration syntax and reload Apache
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
Testing now shows 403 Forbidden
curl -x192.168.71.131:80 mm.com/yang/index.php
Limit User-Agent
The User-Agent identifies the browser type; limiting it means deciding which clients are not allowed to access our website
Experimental goal: deny access when the User-Agent matches curl or baidu.com
Edit the virtual host configuration file
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
Add the following to the configuration file:
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} .*baidu.com.*
    RewriteRule .* - [F]
</IfModule>
The two RewriteCond lines are the conditions. OR is their connector, meaning the rule fires when the User-Agent matches either the first or the second condition (an OR relationship); without OR, both conditions would have to match (an AND relationship). NC means the match ignores case.
The F at the end of the RewriteRule line means forbidden.
Then check the configuration syntax and reload Apache
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
Test with curl
curl -x192.168.71.131:80 'http://kjj.com/index.php' -I
Shows 403 because the User-Agent is curl
Then we use -A to customize the User-Agent
curl -A "huangmingyang" -x192.168.71.131:80 'http://kjj.com/index.php' -I
The result is 200, so the page can be accessed normally
Common curl options: -A specifies the User-Agent, -e specifies the Referer, -x specifies the address to connect to (equivalent to skipping the hosts file), -I shows only the response headers (status code).
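Both the FilesMatch pattern in the yang directory block and the two RewriteCond patterns are regular expressions, and it is worth seeing exactly which file names and User-Agent strings they cover. The following Python script is an added example (not code from the original post) that applies those patterns to constructed sample inputs with the same flags Apache would use on Linux.

```python
import re

# Patterns copied from the two vhost snippets above. On Linux, FilesMatch is
# case-sensitive; RewriteCond gets IGNORECASE only where the config says [NC].
FILES_MATCH = re.compile(r"(.*)\.php(.*)")
UA_CONDITIONS = [
    (re.compile(r".*curl.*", re.IGNORECASE), "OR"),  # [NC,OR]
    (re.compile(r".*baidu.com.*"), None),            # no flags: case-sensitive
]


def php_file_denied(filename):
    """True if the FilesMatch block in the yang directory would answer 403."""
    return FILES_MATCH.search(filename) is not None


def user_agent_forbidden(user_agent):
    """Emulate RewriteCond chaining: consecutive conditions carrying [OR]
    form one group that passes if any of them matches; groups are ANDed."""
    groups, current = [], []
    for regex, flag in UA_CONDITIONS:
        current.append(regex.search(user_agent) is not None)
        if flag != "OR":            # a condition without [OR] closes the group
            groups.append(any(current))
            current = []
    if current:                     # trailing [OR] with nothing after it
        groups.append(any(current))
    return all(groups)


if __name__ == "__main__":
    # Constructed sample file names: note the double extension is caught,
    # while .phtml and upper-case .PHP are not matched by this pattern.
    for name in ["index.php", "avatar.php.jpg", "avatar.jpg", "page.phtml", "INDEX.PHP"]:
        print(f"{name:15} -> {'403' if php_file_denied(name) else 'served'}")
    # Constructed User-Agent strings: "CURL" is caught thanks to [NC], "BAIDU.COM"
    # is not because the second condition has no [NC], and the unescaped '.'
    # in baidu.com matches any character, so "baiduXcom" is blocked too.
    samples = ["curl/7.29.0", "CURL/8.4.0", "huangmingyang",
               "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)",
               "Mozilla/5.0 BAIDU.COM", "baiduXcom"]
    for ua in samples:
        print(f"{ua[:40]:40} -> {'403' if user_agent_forbidden(ua) else '200'}")
```

Order and Deny are Apache 2.2-style directives that 2.4 only accepts when mod_access_compat is loaded; Require all denied is the native 2.4 form. The User-Agent header is supplied by the client, as the -A test above shows, so this rule only screens clients that identify themselves honestly.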
PHP Related Configuration
View the PHP configuration file
Create an index.php in the web site root directory
vim /data/wwwroot/mm.com/index.php
Add the following content
<?php phpinfo();
Then visit the web site in the browser
We can see PHP's configuration information
You can see that the PHP configuration file is stored at /usr/local/php/etc/php.ini
If (none) is shown in the Loaded Configuration File column, no configuration file has been loaded
If you need to enable a configuration file, copy the template configuration file, which is usually shipped inside the source package, by executing:
cp php.ini-development /usr/local/php/etc/php.ini
After copying the configuration file, reload Apache and then refresh the page.
Editing the configuration file
vim /usr/local/php/etc/php.ini
Enable disable_functions to disable some dangerous functions and improve the security of the server
Search for the keyword disable_functions and find the following line:
disable_functions=
Append the following after the = sign:
eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_clos
Define date.timezone (the time zone)
Search for the keyword date.timezone and find that line;
set its value to the following to define the time zone as Shanghai:
Asia/Shanghai
Defining the error log
Search for the keyword display_errors and find the segment shown in the picture
Change On to Off.
After the change, error information is no longer output to the browser, which avoids exposing directory paths.
Since the error information is now invisible, we also need to configure the error log so that errors can still be tracked down
Search for the keyword error_log and find the line shown in the picture; there you define the path where the error log is stored
Define the error logging level
Search for the keyword error_rep (error_reporting), find the line marked in red in the diagram, and change the level to E_ALL, which means all warnings are logged
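The php.ini changes above (disable_functions, display_errors, error_log, error_reporting, date.timezone) are easy to get partly wrong, for instance by editing a line that is still commented out. The following Python script is an added example, not part of the original post: it parses a constructed php.ini fragment and reports which of those hardening steps are not met. The DANGEROUS set is a subset of the page's disable_functions list, chosen here for brevity.

```python
# Constructed php.ini fragment for the demo; not a file taken from the page.
SAMPLE_INI = """\
[PHP]
engine = On
disable_functions = eval,assert,popen,system   ; only a few of the page's list
display_errors = On
;error_log = /var/log/php_errors.log           ; still commented out, so unset
error_reporting = E_ALL & ~E_DEPRECATED
date.timezone =
"""

# Subset of the functions the page appends to disable_functions.
DANGEROUS = {"eval", "assert", "popen", "passthru", "exec", "system",
             "shell_exec", "proc_open", "dl", "pfsockopen"}


def parse_php_ini(text):
    """Minimal php.ini parser: ';' starts a comment, [sections] are skipped,
    keys are case-sensitive (as in PHP), quotes around values are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def audit_php_ini(text):
    """Return the hardening steps described above that this php.ini does not meet."""
    s = parse_php_ini(text)
    findings = []
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",")}
    missing = sorted(DANGEROUS - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ",".join(missing))
    # PHP's built-in default is display_errors=1, so an absent key counts as On.
    if s.get("display_errors", "1").lower() not in ("off", "0"):
        findings.append("display_errors is on: error text reaches the browser")
    if not s.get("error_log"):
        findings.append("error_log is unset: errors are not written to a file")
    if s.get("error_reporting") != "E_ALL":
        findings.append("error_reporting is not E_ALL")
    if not s.get("date.timezone"):
        findings.append("date.timezone is empty")
    return findings


if __name__ == "__main__":
    for finding in audit_php_ini(SAMPLE_INI):
        print("-", finding)
```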
open_basedir
Restricts the files that PHP can open to the specified directory tree, including the file itself. This directive is not affected by safe mode being on or off.
When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. If the file is outside the specified directory tree, PHP refuses to open it. All symbolic links are resolved, so the restriction cannot be circumvented with a symbolic link.
The special value . indicates that the working directory of the script is used as the base directory. This is a bit risky, because the working directory of the script can easily be changed with chdir().
In the httpd.conf file, open_basedir can be turned off, like any other configuration option, with "php_admin_value open_basedir none" (for example, in some virtual hosts).
As an Apache module, the open_basedir path of a parent directory is automatically inherited.
The limit specified with open_basedir is actually a prefix, not a directory name. This means "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. If you want to restrict access to only the specified directory, end the path name with a slash, for example "open_basedir = /dir/incl/".
Restrict the files users can act on to one directory by setting open_basedir separately for each site
- Edit the virtual host configuration file
vim /usr/local/httpd2.4/conf/extra/httpd-vhosts.conf
- Add the following content to the configuration file:
php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
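To make the prefix rule and the symlink resolution described above concrete, here is an added Python emulation of the open_basedir check (this is not PHP's own code; it is modelled on the behaviour the text describes: paths are resolved before comparison, and a base entry that ends in a slash keeps that slash, so it matches only that directory and its contents). The temporary directory tree is constructed by the script itself.

```python
import os
import shutil
import tempfile


def open_basedir_allows(open_basedir, path):
    """Emulate PHP's open_basedir check: the resolved path must start with
    one of the ':'-separated entries, compared as a plain string prefix."""
    resolved = os.path.realpath(path)          # symlinks and '..' resolved
    for entry in filter(None, open_basedir.split(":")):
        base = os.path.realpath(entry)
        if entry.endswith("/") and not base.endswith("/"):
            base += "/"                        # keep the trailing slash
        if resolved.startswith(base):
            return True
        if base.endswith("/") and resolved == base.rstrip("/"):
            return True                        # the base directory itself
    return False


def symlink_escape_allowed():
    """Build web/link -> ../secret/key.txt in a temporary tree and report
    whether open_basedir=web/ would let the script open it (it should not)."""
    root = tempfile.mkdtemp()
    web, secret = os.path.join(root, "web"), os.path.join(root, "secret")
    os.mkdir(web)
    os.mkdir(secret)
    target = os.path.join(secret, "key.txt")
    with open(target, "w") as fh:
        fh.write("constructed secret\n")
    link = os.path.join(web, "link")
    os.symlink(target, link)
    try:
        return open_basedir_allows(web + "/", link)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Constructed paths: without the trailing slash the entry is only a prefix.
    print(open_basedir_allows("/dir/incl", "/dir/include/x.php"))   # True
    print(open_basedir_allows("/dir/incl/", "/dir/include/x.php"))  # False
    print(open_basedir_allows("/dir/incl/", "/dir/incl/../etc/pw"))  # False
    print(open_basedir_allows("/data/wwwroot/111.com:/tmp/", "/tmp/sess_1"))  # True
    print(symlink_escape_allowed())                                  # False
```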