目录

一、限定某个目录禁止解析php
二、限制user_agent
三、php相关配置

一、限定某个目录禁止解析php

php中有一些危险的函数，网站入侵者可以在网站上传恶意的php木马进而获取服务器的最高权限，这是非常危险的。

应对方法是设置上传文件目录禁止解析php文件，上传的php木马文件不会被解析，这样入侵者无法进一步获取到更高的权限。

• 禁止解析PHP

[root@minglinux-01 ~] vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
···
 <Directory /usr/local/apache2.4/htdocs/ming1/upload>
        php_admin_flag engine off   //禁止解析PHP
        <FilesMatch（.*）\.php(.*)>    //禁止访问（.*）\.php(.*)
        Order allow,deny
        Deny from all
        <FilesMatch>
    </Directory>
···

• 测试

[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 ~] mkdir /usr/local/apache2.4/htdocs/upload
[root@minglinux-01 ~] cp /usr/local/apache2.4/htdocs/1.php /usr/local/apache2.4/htdocs/ming1/upload/1.php
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] curl -x127.0.0.1:80 'http://www.ming1.com/upload/1.php' -I
HTTP/1.1 403 Forbidden
Date: Mon, 19 Nov 2018 15:03:33 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-

• 注释掉<FilesMatch>，仅禁止PHP解析

[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] curl -x127.0.0.1:80 'http://www.ming1.com/upload/1.php' -I
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 15:05:08 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Last-Modified: Mon, 19 Nov 2018 15:02:40 GMT
ETag: "24-57b05cee94b4e"
Accept-Ranges: bytes
Content-Length: 36
Cache-Control: max-age=0
Expires: Mon, 19 Nov 2018 15:05:08 GMT
Content-Type: application/x-httpd-php

[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] curl -x127.0.0.1:80 'http://www.ming1.com/upload/1.php'
<?php
    echo "hello world \n";
?>

可以看到1.php可以被访问但无法正常解析，返回了源代码。

二、限制user_agent

• user_agent为浏览器标识，针对user_agent可以用来限制一些访问，比如可以限制一些不太友好的搜索引擎“爬虫”和cc攻击。“爬虫”抓取数据类似于用户用浏览器访问网站，当“爬虫”太多或者访问太频繁，就会浪费服务器资源。cc攻击是指用很多用户的电脑同时访问同一个站点，当访问量或者频率达到一定层次，服务器就会无法承受这些访问而不能正常工作。

• 这些恶意请求的user_agent相同或者相似，那我们就可以通过限制 user_agent发挥防攻击的作用。限制user_agent后，对方在访问时会收到状态码403，这样对方对服务器资源不会造成太大影响，仅仅是对方发送来了一个请求，带宽消耗也不会太大。

• 针对user_agent来做访问控制

[root@minglinux-01 ~] vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
···
<IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
        RewriteRule .* - [F]
    </IfModule>
···

方括号中的OR表示“或者”，NC表示“不区分大小写”，F相当于Forbidden。当user_agent匹配curl或者baidu.com时，都会触发下面的规则。

• 测试

[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 ~] curl -x127.0.0.1:80 www.ming1.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Date: Tue, 20 Nov 2018 13:15:50 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1

• 查看日志

[root@minglinux-01 ~] tail -n2 /usr/local/apache2.4/logs/www.ming1.com-access_20181120.log 
127.0.0.1 - - [20/Nov/2018:21:15:50 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.162.1 - - [20/Nov/2018:21:19:29 +0800] "GET /upload/1.php HTTP/1.1" 200 36 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"

• curl的-A选项指定user_agent

[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/upload/1.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 13:32:27 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Last-Modified: Mon, 19 Nov 2018 15:02:40 GMT
ETag: "24-57b05cee94b4e"
Accept-Ranges: bytes
Content-Length: 36
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 13:32:27 GMT
Content-Type: application/x-httpd-php
[root@minglinux-01 ~] curl -e "http://ming2.com" -A "ming" -x127.0.0.1:80 www.ming1.com/upload/1.php -I
[root@minglinux-01 ~] tail -n2 /usr/local/apache2.4/logs/www.ming1.com-access_20181120.log 
127.0.0.1 - - [20/Nov/2018:21:32:27 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 200 - "-" "ming"
127.0.0.1 - - [20/Nov/2018:21:35:15 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 200 - "http://ming2.com" "ming"

三、php相关配置

• 查看PHP配置文件位置
• 通过浏览器查看
  在网站目录下新建phpinfo的页面，然后通过浏览器访问。

[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/index.php 

<?php
phpinfo();

image.png

• PHP常用配置

1. disable_functions禁用函数

[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
···            //找到disable_function行，在后面写入禁用函数
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
···

2. date.timezone定义时区
   不定义有时会有警告信息，编辑php.ini，找到date.timezone设置如下：

[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
···
date.timezone = Asia/Shanghai   //定义所在时区为上海
···

3. display_errors错误显示

···
display_errors = Off //off表示关闭，不在浏览器显示错误。
···
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php     //没有任何输出
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 14:54:35 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 14:54:35 GMT
Content-Type: text/html; charset=UTF-8

这样配置后网页上不会显示任何错误信息，curl也不返回错误，那我们无法获取和分析错误信息了，所以我们需要配置一下 error_log错误日志。

4. error_log错误日志

log_errors = On   //开启错误日志

error_log = /tmp/php_errors.log  //设定错误日志路径

error_reporting = E_ALL //设定错误日志的级别

错误日志的级别，E_ALL为所有类型的日志，不管是提醒还是警告都会记录。在开发环境下面设置为E_ALL，可以方便程序员排查问题，但也会造成日志记录很多无意义的内容。

• 测试

[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 15:13:56 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 15:13:56 GMT
Content-Type: text/html; charset=UTF-8
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php
[root@minglinux-01 ~] ls -l /tmp/php_errors.log 
-rw-r--r-- 1 daemon daemon 157 11月 20 23:13 /tmp/php_errors.log
[root@minglinux-01 ~] cat !$
cat /tmp/php_errors.log
[20-Nov-2018 23:13:56 Asia/Shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2

由于配置了display_errors = Off，所以curl命令返回状态码200，浏览器访问也没有报错信息，但错误日志显示了phpinfo函数是被禁用了，访问没有成功。

若以上配置都完成但始终无法在设定路径生成错误日志文件时，应该去检查生成文件的目录的权限信息（daemon是否对该目录有写权限），或者手动创建php_errors.log，生成后再修改文件属主为daemon，权限改为777。

• 再模拟一个错误

[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/2.php
//随便写一些东西
<?php
echo 1abc;
wqraw f
[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/2.php 
[root@minglinux-01 ~] 
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Tue, 20 Nov 2018 15:31:20 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Connection: close
Content-Type: text/html; charset=UTF-8

[root@minglinux-01 ~] !cat
cat /tmp/php_errors.log
[20-Nov-2018 23:13:56 Asia/Shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2
[20-Nov-2018 23:21:37 Asia/Shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2
[20-Nov-2018 23:22:01 Asia/Shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2
[20-Nov-2018 23:31:16 Asia/Shanghai] PHP Parse error:  syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2
[20-Nov-2018 23:31:20 Asia/Shanghai] PHP Parse error:  syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2

可以看到错误日志和前面的不一样了

5. open_basedir安全选项

open_basedir的作用是可以在一台服务器上将网站的目录间隔离，入侵者就算黑了其中一个目录但无法继续黑其他网站或目录。

• 在php.ini中设置open_basedir

[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
···
open_basedir = /usr/local/apache2.4/htdocs/ming:/tmp  //限制PHP只能在ming和tmp两个目录下活动
···

• 测试

[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/2.php
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Tue, 20 Nov 2018 15:54:02 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Connection: close
Content-Type: text/html; charset=UTF-8

[root@minglinux-01 ~] tail -n5 /tmp/php_errors.log
[20-Nov-2018 23:31:20 Asia/Shanghai] PHP Parse error:  syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2
[20-Nov-2018 23:54:02 Asia/Shanghai] PHP Parse error:  syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2
[20-Nov-2018 23:57:52 Asia/Shanghai] PHP Warning:  Unknown: open_basedir restriction in effect. File(/usr/local/apache2.4/htdocs/ming1/2.php) is not within the allowed path(s): (/usr/local/apache2.4/htdocs/ming:/tmp) in Unknown on line 0
[20-Nov-2018 23:57:52 Asia/Shanghai] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[20-Nov-2018 23:57:52 Asia/Shanghai] PHP Fatal error:  Unknown: Failed opening required '/usr/local/apache2.4/htdocs/ming1/2.php' (include_path='.:/usr/local/php/lib/php') in Unknown on line 0

错误日志显示由于ming1目录不属于允许访问目录，所以被限制访问了。

• open_basedir的ming目录改为ming1

[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
open_basedir = /usr/local/apache2.4/htdocs/ming1:/tmp
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 16:03:46 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 16:03:46 GMT
Content-Type: text/html; charset=UTF-8

修改后可以正常访问了。

• 如果服务器上跑的站点比较多，那在php.ini中设置就不合适了，因为在php.ini中只能定义一次，也就是说所有站点都一起定义限定的目录，那这样似乎起不到隔离多个站点的目的。我们可以给单个虚拟主机设置open_basedir。如下所示：

···
php_admin_value open_basedir "/usr/local/apache2.4/htdocs/ming1:/tmp"
···

我们可以给任意虚拟主机设置open_basedir，只需要在虚拟主机相应的区域加上以上代码即可。

在open_basedir中允许tmp是因为站点的临时文件会写在/tmp目录下，如果tmp目录禁止了可能会导致上传不了图片的问题。

扩展

apache开启压缩 http://ask.apelearn.com/question/5528
apache2.2到2.4配置文件变更 http://ask.apelearn.com/question/7292
apache options参数 http://ask.apelearn.com/question/1051
apache禁止trace或track防止xss http://ask.apelearn.com/question/1045
apache 配置https 支持ssl http://ask.apelearn.com/question/1029