Apache Access Control
Whitelisting client IPs
Access control can restrict a resource to an IP whitelist, so that only a given network range or specific addresses are allowed in.
What exactly to restrict depends on the situation: the control can cover a whole project directory or a single project file.
Configuring access control with Directory
1. Add the access control
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf   # add a Directory block to the virtual host
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <Directory /usr/local/apache2.4/docs/www.111.com/admin/>
        # Apache 2.2-style rules; on 2.4 they only work with mod_access_compat loaded.
        # httpd does not accept trailing comments, so notes must sit on their own lines.
        # Evaluate Deny first, then Allow, so a later Allow overrides the Deny
        Order deny,allow
        # refuse everyone ...
        Deny from all
        # ... except the local host
        Allow from 127.0.0.1
    </Directory>
    ErrorLog "logs/www.111.com-error_log"
    CustomLog "logs/www.111.com-access_log" combined
</VirtualHost>
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
2. Create the admin directory
cd /usr/local/apache2.4/docs/www.111.com/
mkdir admin
vim admin/admin.php
<?php
echo "www.111.com --admin.php";
?>
3. Verify
Because the restriction only covers www.111.com/admin/, everything else is still reachable. (Passing the server as a proxy with -x lets curl send the request for www.111.com to 192.168.200.10 without needing DNS, so the right virtual host is selected.)
[root@antong ~]# curl -x192.168.200.10:80 www.111.com/images/img.jpg -I
HTTP/1.1 200 OK
Date: Wed, 11 Aug 2021 04:31:55 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.30
Last-Modified: Wed, 04 Aug 2021 18:02:13 GMT
ETag: "ede7-5c8bf9a161340"
Accept-Ranges: bytes
Content-Length: 60903
Content-Type: image/jpeg
Requesting www.111.com/admin/ through the server's IP is refused with a 403:
[root@antong ~]# curl -x192.168.200.10:80 www.111.com/admin/admin.php -I
HTTP/1.1 403 Forbidden
Date: Wed, 11 Aug 2021 04:32:42 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
Requesting it from the local address succeeds with a 200:
[root@antong ~]# curl -x127.0.0.1:80 www.111.com/admin/admin.php -I
HTTP/1.1 200 OK
Date: Wed, 11 Aug 2021 04:36:21 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8
Configuring access control with FilesMatch
1. Add a FilesMatch block to the configuration file
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf   # add FilesMatch inside the Directory block
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <Directory /usr/local/apache2.4/docs/www.111.com/admin/>
        # Quoted and anchored regex: any file name beginning with admin.php
        # (admin.php, admin.php.bak, admin.phpasd ...). The escaped dot keeps
        # "." from matching an arbitrary character.
        <FilesMatch "^admin\.php">
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </FilesMatch>
    </Directory>
    ErrorLog "logs/www.111.com-error_log"
    CustomLog "logs/www.111.com-access_log" combined
</VirtualHost>
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
2. Check the result with curl
Requesting 123.php via the IP address succeeds, because only admin.php* is restricted:
[root@antong ~]# curl -x192.168.200.10:80 www.111.com/admin/123.php -I
HTTP/1.1 200 OK
Date: Wed, 11 Aug 2021 05:01:31 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8
Requesting admin.php via the IP address is refused, because the rule covers every file whose name begins with admin.php:
[root@antong ~]# curl -x192.168.200.10:80 www.111.com/admin/admin.php -I
HTTP/1.1 403 Forbidden
Date: Wed, 11 Aug 2021 05:03:28 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
[root@antong ~]# curl -x192.168.200.10:80 www.111.com/admin/admin.phpasd -I
HTTP/1.1 403 Forbidden
(Even though no such file exists, the answer is still 403: the access check runs before Apache looks for the file, so a 403/404 difference never leaks which admin.php* names exist.)
Date: Wed, 11 Aug 2021 05:04:49 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
Requesting it from the local address succeeds:
[root@antong ~]# curl -x127.0.0.1:80 www.111.com/admin/admin.php -I
HTTP/1.1 200 OK
Date: Wed, 11 Aug 2021 05:07:12 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8
[root@antong ~]# curl -x127.0.0.1:80 www.111.com/admin/admin.phpsdasd -I
HTTP/1.1 404 Not Found
(From the allowed address the request passes the access check, so a name that does not exist gets a 404 instead of a 403.)
Date: Wed, 11 Aug 2021 05:07:18 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
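Both the Directory and the FilesMatch rules above use the Apache 2.2 Order/Deny/Allow syntax, which Apache 2.4 only honours when mod_access_compat is loaded. Below is the same pair of controls in 2.4's native Require syntax, as an added example (not config from the original page). It keeps the page's paths, treats 192.168.200.0/24 as the admin network (the page only names the server's own address, 192.168.200.10), and assumes 10.0.0.0/8 as the reverse-proxy range in the optional mod_remoteip part.

```apache
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
    ServerName www.111.com
    ServerAlias 111.com

    # Optional: behind a reverse proxy or load balancer the peer address is the
    # proxy's, so "Require ip" would whitelist the proxy, not the client.
    # mod_remoteip substitutes the address from X-Forwarded-For, but only for
    # hops listed as internal proxies (10.0.0.0/8 is an assumed value).
    <IfModule mod_remoteip.c>
        RemoteIPHeader X-Forwarded-For
        RemoteIPInternalProxy 10.0.0.0/8
    </IfModule>

    <Directory "/usr/local/apache2.4/docs/www.111.com/admin/">
        # Whole directory: loopback (v4 and v6) or the assumed admin subnet.
        # "Require ip" takes single addresses and CIDR prefixes; the lines inside
        # RequireAny are OR-ed, and a client matching none of them gets a 403.
        <RequireAny>
            Require ip 127.0.0.1 ::1
            Require ip 192.168.200.0/24
        </RequireAny>

        # Tighter rule for one file pattern. With the default AuthMerging Off the
        # Require in this more specific section replaces the directory's, so
        # admin.php* is loopback-only while the rest of admin/ stays open to the
        # subnet. Quote and anchor the regex: an unquoted, unanchored
        # admin.php(.*) would also match x-admin.php and treat "." as any char.
        <FilesMatch "^admin\.php">
            Require ip 127.0.0.1 ::1
        </FilesMatch>
    </Directory>

    ErrorLog "logs/www.111.com-error_log"
    CustomLog "logs/www.111.com-access_log" combined
</VirtualHost>
```

Run `apachectl -t` and `apachectl graceful` as in the page, then repeat the page's checks with the status code alone, e.g. `curl -s -o /dev/null -w '%{http_code}\n' -x192.168.200.10:80 www.111.com/admin/admin.php` (expect 403 from any address outside the list and 200 from 127.0.0.1, with images/img.jpg returning 200 from anywhere). `apachectl -M | grep access_compat` tells you whether the old Order/Deny/Allow lines are even being honoured on this build; mixing both syntaxes in one section is a common source of "it works on one server but not the other".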
Configuring access control to disable PHP parsing
1. Configuration file
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf   # add a Directory block for the upload directory
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <Directory /usr/local/apache2.4/docs/www.111.com/upload/>
        # mod_php only: switch the PHP engine off for this directory.
        # php_admin_* settings cannot be overridden from .htaccess or ini_set().
        php_admin_flag engine off
    </Directory>
    ErrorLog "logs/www.111.com-error_log"
    CustomLog "logs/www.111.com-access_log" combined
</VirtualHost>
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
2. Verify
With the engine off the file is no longer executed; Apache serves the PHP source as plain text, which is exactly what curl receives:
[root@antong ~]# curl -x192.168.200.10:80 www.111.com/upload/123.php
<?php
echo "www.111.com --admin.php";
?>
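Turning the engine off keeps uploaded scripts from running, but, as the curl output above shows, their source is now served as text, and the directive only exists under mod_php (it does nothing when PHP runs through php-fpm). The following hardened upload directory is an added example (not config from the original page): it keeps the page's `php_admin_flag engine off`, refuses requests for script-like names outright regardless of SAPI, and stops an uploaded .htaccess from undoing either. The extension list and the `Options` set are assumptions to adapt to the server; with this in place the page's request for upload/123.php returns 403 rather than the source.

```apache
<VirtualHost *:80>
    ServerName www.111.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"

    <Directory "/usr/local/apache2.4/docs/www.111.com/upload/">
        # mod_php only: stop the PHP engine here. Has no effect when PHP runs
        # through php-fpm (mod_proxy_fcgi), where the handler mapping decides.
        php_admin_flag engine off

        # With the engine off Apache would serve uploaded .php files as plain
        # text, i.e. disclose their source. Refuse script-like names instead,
        # whichever SAPI is in use. The extension list is an assumption; cover
        # every extension this server maps to an interpreter.
        <FilesMatch "\.(php|phtml|php[3-8]|phar|cgi|pl|py|sh)$">
            Require all denied
            # belt and braces: drop any inherited SetHandler "proxy:fcgi://..."
            # mapping so nothing in this directory is ever handed to PHP
            SetHandler None
        </FilesMatch>

        # An uploaded .htaccess must not be able to re-enable anything, and the
        # directory should neither list itself, run CGI, nor follow symlinks
        # that an attacker may have planted to reach files outside it.
        AllowOverride None
        Options -Indexes -ExecCGI -FollowSymLinks
    </Directory>

    ErrorLog "logs/www.111.com-error_log"
    CustomLog "logs/www.111.com-access_log" combined
</VirtualHost>
```

Check the result the same way the page does: `curl -x192.168.200.10:80 www.111.com/upload/123.php -I` should now return 403 from any address, while a non-script upload such as an image in the same directory still returns 200.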
Access control by user_agent
The User-Agent is the identification string a client sends with each request. When a site is flooded with malicious requests from many sources at once (a CC attack, i.e. an HTTP flood) it can collapse under the load. Filtering on User-Agent lets you turn away scanners, scrapers and tools you do not want to serve, so capacity stays available for real users. Treat it as a coarse filter rather than a security boundary: the header is chosen by the client and can be set to anything, as the curl -A test at the end of this section shows.
Configuring user_agent access control
Restrict user agents according to your own needs.
1. Modify the configuration file
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf   # add a mod_rewrite block to the virtual host
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"
    ServerName www.111.com
    ServerAlias 111.com
    <IfModule mod_rewrite.c>
        # enable the rewrite engine for this virtual host
        RewriteEngine on
        # conditions: NC = case-insensitive match, OR = either condition is enough
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
        # rule: F = answer 403 Forbidden (implies L, so no further rules run)
        RewriteRule .* - [F]
    </IfModule>
    ErrorLog "logs/www.111.com-error_log"
    CustomLog "logs/www.111.com-access_log" combined
</VirtualHost>
/usr/local/apache2.4/bin/apachectl -t
/usr/local/apache2.4/bin/apachectl graceful
2. Test
Because curl is blocked, the request fails with a 403:
[root@antong ~]# curl -x192.168.200.10:80 www.111.com/upload/123.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/123.php
on this server.<br />
</p>
</body></html>
A normal desktop browser can still access the page.
curl's -A option replaces the User-Agent string, which is enough to get through:
[root@antong ~]# curl -A "Antong" -x192.168.200.10:80 www.111.com/upload/123.php -I
HTTP/1.1 200 OK
Date: Wed, 11 Aug 2021 11:24:21 GMT
Server: Apache/2.4.33 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8
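The mod_rewrite block above works, but the patterns are unanchored and the dot in baidu.com matches any character, and the rejects land in the normal access log where they are hard to tell apart. An alternative for the same filter using mod_setenvif plus the 2.4 Require syntax, as an added example (not config from the original page): the pattern list, the health-checker name and the log file names are assumptions to adapt.

```apache
<VirtualHost *:80>
    ServerName www.111.com
    DocumentRoot "/usr/local/apache2.4/docs/www.111.com"

    # Tag unwanted clients. NoCase = case-insensitive; escape the dot so
    # "baidu\.com" does not also match "baiduXcom". The tool list is illustrative.
    SetEnvIfNoCase User-Agent "curl|python-requests|baidu\.com" bad_ua
    # a User-Agent header that is present but empty is tagged as well
    SetEnvIfNoCase User-Agent "^$" bad_ua
    # Exception processed after the tags: un-tag the (assumed) health checker.
    SetEnvIfNoCase User-Agent "^MyHealthCheck/" !bad_ua

    # Grant everyone, then subtract the tagged clients. "Require not env" only
    # makes sense inside RequireAll, where a match vetoes the grant with a 403.
    <Location "/">
        <RequireAll>
            Require all granted
            Require not env bad_ua
        </RequireAll>
    </Location>

    # Keep the rejects visible in their own log so you can see what the filter
    # actually catches, and keep the main access log clean.
    ErrorLog "logs/www.111.com-error_log"
    CustomLog "logs/www.111.com-blocked_log" combined env=bad_ua
    CustomLog "logs/www.111.com-access_log" combined env=!bad_ua
</VirtualHost>
```

Test it the same way as the rewrite version: plain `curl` gets 403, `curl -A "Mozilla/5.0"` gets 200, and `curl -A "MyHealthCheck/1.0"` gets 200 even though it would otherwise look like a tool. Because the decision is still based on a client-supplied header, pair this with the IP-based controls earlier on the page for anything that actually needs protecting.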