Access log: as the name says, whenever someone visits our site, some information about the request is recorded. This matters more than it looks: when the site comes under attack, the request log lets us quickly spot patterns in the attacker's IP addresses.
With the configuration from earlier, the access log is set up as follows:
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/test3.com"
ServerName www.test3.com
ServerAlias www.haha.com
#<Directory /data/wwwroot/test3.com>
# <FilesMatch 123.php>
# AllowOverride AuthConfig
# AuthName "test3.com user auth"
# AuthType Basic
# AuthUserFile /data/.htpasswd
# require valid-user
# </FilesMatch>
#</Directory>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www.test3.com$
RewriteRule ^/(.*)$ http://www.test3.com/$1 [R=301,L]
</IfModule>
ErrorLog "logs/haha.com-error_log"
CustomLog "logs/haha.com-access_log" common
</VirtualHost>
ErrorLog "logs/haha.com-error_log"
CustomLog "logs/haha.com-access_log" common
Go to the following directory to have a look:
[root@localhost ~]# ls /usr/local/apache2.4/logs/
access_log haha.com-access_log httpd.pid test1.com-error_log
error_log haha.com-error_log test1.com-access_log
Below are the entries recorded by the configuration and tests we did earlier. We can of course also change the format to show more detail:
[root@localhost ~]# cat /usr/local/apache2.4/logs/haha.com-access_log
192.168.230.128 - - [30/Jul/2017:18:44:39 +0800] "GET HTTP://www.test3.com/ HTTP/1.1" 200 24
127.0.0.1 - - [31/Jul/2017:22:03:04 +0800] "GET HTTP://www.test3.com/ HTTP/1.1" 401 381
127.0.0.1 - - [31/Jul/2017:22:09:19 +0800] "GET HTTP://www.test3.com/ HTTP/1.1" 401 381
127.0.0.1 - - [31/Jul/2017:22:11:50 +0800] "GET HTTP://www.test3.com/ HTTP/1.1" 401 381
127.0.0.1 - - [31/Jul/2017:22:22:43 +0800] "GET HTTP://www.test3.com/ HTTP/1.1" 200 24
127.0.0.1 - - [31/Jul/2017:22:23:01 +0800] "GET HTTP://www.test3.com/123.php HTTP/1.1" 401 381
127.0.0.1 - zhdy [31/Jul/2017:22:23:50 +0800] "GET HTTP://www.test3.com/123.php HTTP/1.1" 200 28
127.0.0.1 - zhdy [31/Jul/2017:23:15:07 +0800] "GET HTTP://www.test3.com/123.php HTTP/1.1" 200 28
127.0.0.1 - - [31/Jul/2017:23:16:13 +0800] "HEAD HTTP://www.haha.com/ HTTP/1.1" 301 -
127.0.0.1 - - [31/Jul/2017:23:18:17 +0800] "HEAD HTTP://www.haha.com/asd.php HTTP/1.1" 301 -
Open the main configuration file:
[root@localhost ~]# vim /usr/local/apache2.4/conf/httpd.conf
Search for /LogFormat and you will find these two lines:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
"%{Referer}i": the URL the visitor came from. For example, we often exchange friend links with other sites; if a visitor reaches your site through one of those links, you will see that link in the Referer.
"%{User-Agent}i": the user agent, i.e. what the request was made with, such as a browser or curl. If someone visits with Google Chrome, the browser's identification string is recorded by default.
Now let's switch from the simple format to the one that includes Referer and User-Agent:
ErrorLog "logs/haha.com-error_log"
CustomLog "logs/haha.com-access_log" combined
Just change the trailing common to combined!
Reload the configuration: check the syntax with -t first, then do a graceful reload.
[root@localhost ~]# cat /usr/local/apache2.4/logs/haha.com-access_log
127.0.0.1 - - [31/Jul/2017:22:23:01 +0800] "GET HTTP://www.test3.com/123.php HTTP/1.1" 401 381
127.0.0.1 - zhdy [31/Jul/2017:22:23:50 +0800] "GET HTTP://www.test3.com/123.php HTTP/1.1" 200 28
127.0.0.1 - zhdy [31/Jul/2017:23:15:07 +0800] "GET HTTP://www.test3.com/123.php HTTP/1.1" 200 28
127.0.0.1 - - [31/Jul/2017:23:16:13 +0800] "HEAD HTTP://www.haha.com/ HTTP/1.1" 301 -
127.0.0.1 - - [31/Jul/2017:23:18:17 +0800] "HEAD HTTP://www.haha.com/asd.php HTTP/1.1" 301 -
127.0.0.1 - - [31/Jul/2017:23:42:34 +0800] "HEAD HTTP://www.haha.com/asd.php HTTP/1.1" 301 - "-" "curl/7.29.0"
127.0.0.1 - - [31/Jul/2017:23:42:41 +0800] "HEAD HTTP://www.haha.com/asd.php HTTP/1.1" 301 - "-" "curl/7.29.0"
My machine's hosts file hasn't been changed, so the User-Agent doesn't show up; I'll sort it out at the office tomorrow!
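The two formats above differ only in the trailing Referer and User-Agent fields, so one parser can read both. The following Python is an added example, not code from the original post: it parses "common" and "combined" lines into fields, then does the kind of per-IP check the introduction mentions, counting 401 responses per client address. The sample log is constructed from the lines shown above; the threshold of three failures and the function names are this example's own choices.

```python
import re
from collections import Counter

# Regex for Apache's "common" LogFormat (%h %l %u %t "%r" %>s %b); the trailing
# optional group picks up the "%{Referer}i" "%{User-Agent}i" fields of "combined".
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample: lines copied from the haha.com-access_log output above,
# mixing "common" lines with one "combined" line written after the format change.
SAMPLE_LOG = """\
192.168.230.128 - - [30/Jul/2017:18:44:39 +0800] "GET HTTP://www.test3.com/ HTTP/1.1" 200 24
127.0.0.1 - - [31/Jul/2017:22:03:04 +0800] "GET HTTP://www.test3.com/ HTTP/1.1" 401 381
127.0.0.1 - - [31/Jul/2017:22:09:19 +0800] "GET HTTP://www.test3.com/ HTTP/1.1" 401 381
127.0.0.1 - - [31/Jul/2017:22:11:50 +0800] "GET HTTP://www.test3.com/ HTTP/1.1" 401 381
127.0.0.1 - - [31/Jul/2017:22:23:01 +0800] "GET HTTP://www.test3.com/123.php HTTP/1.1" 401 381
127.0.0.1 - zhdy [31/Jul/2017:22:23:50 +0800] "GET HTTP://www.test3.com/123.php HTTP/1.1" 200 28
127.0.0.1 - - [31/Jul/2017:23:16:13 +0800] "HEAD HTTP://www.haha.com/ HTTP/1.1" 301 -
127.0.0.1 - - [31/Jul/2017:23:42:34 +0800] "HEAD HTTP://www.haha.com/asd.php HTTP/1.1" 301 - "-" "curl/7.29.0"
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b prints "-" for no body
    parts = rec["request"].split()  # %r is "METHOD URI PROTOCOL"
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def auth_failures_by_ip(log_text, threshold=3):
    """Count HTTP 401 responses per client IP and return those at or above the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            counts[rec["host"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def user_agents(log_text):
    """Distinct User-Agent strings seen; "common" lines carry none and show up as None."""
    return Counter(rec["agent"] for rec in map(parse_line, log_text.splitlines()) if rec)


if __name__ == "__main__":
    print(auth_failures_by_ip(SAMPLE_LOG))
    print(user_agents(SAMPLE_LOG))
```

Because the User-Agent group is optional, lines written before the switch to combined still parse; that matters when a file mixes both formats, as the output above does.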
When a visitor hits our site, each page pulls in many static files (images, CSS, JS and so on). Whenever we want to see what a particular IP actually visited, all those extra entries make it hard to read off the pages that were requested, so we can keep those elements out of the access log.
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/haha.com"
ServerName www.haha.com
ErrorLog "logs/haha.com-error_log"
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "logs/haha.com-access_log" combined env=!img
</VirtualHost>
The lines above set the environment variable img for every request ending in gif, jpg, png, bmp, swf, js or css.
CustomLog "logs/haha.com-access_log" combined env=!img
Everything except the requests we tagged as img is recorded in this file!
Before reloading, check the access log first:
[root@localhost ~]# tail /usr/local/apache2.4/logs/haha.com-access_log
192.168.59.130 - - [29/Jul/2017:18:38:56 +0800] "GET HTTP://www.haha.com/ HTTP/1.1" 200 23
127.0.0.1 - - [01/Aug/2017:16:26:40 +0800] "HEAD HTTP://www.haha.com/ HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [01/Aug/2017:16:26:40 +0800] "HEAD HTTP://www.haha.com/ HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [01/Aug/2017:16:26:50 +0800] "HEAD HTTP://www.haha.com/asd.jpg HTTP/1.1" 404 - "-" "curl/7.29.0"
After a ==graceful== reload of the configuration, test again:
[[email protected]02 ~]# curl -x127.0.0.1:80 haha.com/asdasd.gif -I
HTTP/1.1 404 Not Found
Date: Tue, 01 Aug 2017 08:33:13 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
[[email protected]02 ~]# curl -x127.0.0.1:80 haha.com/asdasd.png -I
HTTP/1.1 404 Not Found
Date: Tue, 01 Aug 2017 08:33:18 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
[[email protected]02 ~]# tail /usr/local/apache2.4/logs/haha.com-access_log
127.0.0.1 - - [01/Aug/2017:16:32:03 +0800] "HEAD HTTP://www.haha.com/asdasd.gif HTTP/1.1" 404 - "-" "curl/7.29.0"
127.0.0.1 - - [01/Aug/2017:16:32:13 +0800] "HEAD HTTP://www.haha.com/asdasd.jpg1 HTTP/1.1" 404 - "-" "curl/7.29.0"
127.0.0.1 - - [01/Aug/2017:16:32:13 +0800] "HEAD HTTP://www.haha.com/asdasd.jpg1 HTTP/1.1" 404 - "-" "curl/7.29.0"
No need to show more; the point was just to confirm it, and the configuration works! Although the image requests themselves got a 404, the png and gif requests were not logged at all!
By default the log format is:
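The tail output above shows why the regexes are anchored with $: asdasd.jpg1 is still logged because ".jpg" is not at the end of the URI. The Python below is an added example, not part of the original post; it replays the seven SetEnvIf patterns from the vhost against constructed request targets to show which would reach the log under env=!img. It assumes Apache's documented behaviour that Request_URI is the request path without the query string and that SetEnvIf matching is case-sensitive; the function names are this example's own.

```python
import re

# The seven SetEnvIf patterns from the vhost above, verbatim. Apache's SetEnvIf regex is
# case-sensitive and is searched, not anchored at the start, so the leading ".*" is
# redundant but harmless; the trailing "$" is what does the real work.
STATIC_PATTERNS = [re.compile(p) for p in (
    r".*\.gif$", r".*\.jpg$", r".*\.png$", r".*\.bmp$",
    r".*\.swf$", r".*\.js$", r".*\.css$",
)]


def request_uri(target):
    """Mimic Apache's Request_URI: the request-line target without the query string."""
    return target.split("?", 1)[0]


def sets_img(target):
    """True when at least one SetEnvIf line would set the 'img' environment variable."""
    path = request_uri(target)
    return any(p.search(path) for p in STATIC_PATTERNS)


def would_be_logged(target):
    """CustomLog ... combined env=!img writes the line only when 'img' is NOT set."""
    return not sets_img(target)


def filtered(targets):
    """Return the subset of request targets that would reach haha.com-access_log."""
    return [t for t in targets if would_be_logged(t)]


# Constructed sample request targets, including the ones from the curl test above.
SAMPLE_TARGETS = [
    "/asdasd.gif",       # matches .gif$ -> img set -> not logged
    "/asdasd.png",       # matches .png$ -> img set -> not logged
    "/asdasd.jpg1",      # ".jpg" is not at the end -> logged, as the tail output shows
    "/logo.JPG",         # uppercase extension; the pattern is case-sensitive -> logged
    "/site.css?v=2",     # query string is stripped before matching -> not logged
    "/123.php",          # dynamic page -> logged
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t:16} logged={would_be_logged(t)}")
```

The uppercase case is the one to keep in mind: with SetEnvIf as written, a request for /logo.JPG is logged like a page view. If that is unwanted, Apache's SetEnvIfNoCase directive matches without regard to case.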
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Here %h records the visitor's IP. If there is a proxy layer in front of the web server, %h is actually the proxy machine's IP, which is not what we want.
In that case, the %{X-FORWARDED-FOR}i field records the client's real IP.
So the log format becomes:
LogFormat "%h %{X-FORWARDED-FOR}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
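The new first two columns are %h (the TCP peer, i.e. the proxy) and the X-Forwarded-For header value ("-" when the header is absent). One caveat a practitioner should build into any script that reads this field: the header is ordinary request input, so a client can send its own X-Forwarded-For and the proxy will append to it rather than replace it. The Python below is an added example, not part of the original post: it takes the two logged columns and picks the client address only when %h is one of our own proxies, walking the header from the right past our own proxy addresses. The trusted proxy ranges and the sample records are assumptions constructed for the example.

```python
import ipaddress

# Assumed addresses of our own reverse proxies; adjust to the real front-end hosts.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _is_trusted_proxy(addr_text):
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:  # hostname (HostnameLookups on) or junk: never trusted
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_host, xff_field):
    """Derive the client address from the logged %h and %{X-FORWARDED-FOR}i columns.

    The header is only believed when the TCP peer (%h) is one of our proxies, and even
    then only the rightmost address that is not itself a proxy is used: each proxy appends
    the peer it saw, so anything further left (including a value the client supplied
    itself) has not been verified by anything we control.
    """
    if xff_field in ("-", "", None) or not _is_trusted_proxy(remote_host):
        return remote_host
    hops = [h.strip() for h in xff_field.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted_proxy(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_host  # malformed hop: fall back to the peer address
    return remote_host  # every hop was one of our proxies


def client_ips(records):
    """records: iterable of (remote_host, xff_field) pairs, the log's first two columns."""
    return [client_ip(h, x) for h, x in records]


# Constructed sample pairs as they would appear under the modified LogFormat.
SAMPLE_RECORDS = [
    ("10.0.0.6", "203.0.113.7"),                 # one proxy: client is 203.0.113.7
    ("10.0.0.6", "203.0.113.7, 10.0.0.5"),       # two of our proxies chained: skip 10.0.0.5
    ("10.0.0.6", "198.51.100.1, 203.0.113.7"),   # client-supplied first hop is not believed
    ("203.0.113.9", "198.51.100.1"),             # no proxy in front: header is ignored
    ("10.0.0.6", "-"),                           # proxy did not send the header
]

if __name__ == "__main__":
    for rec, ip in zip(SAMPLE_RECORDS, client_ips(SAMPLE_RECORDS)):
        print(rec, "->", ip)
```

Logging both %h and the header, as the modified LogFormat does, is what makes this check possible after the fact: with only the header you could not tell whether it arrived through your proxy at all.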