<Directory /data/wwwroot/www.123.com/upload>
php_admin_flag engine off
</Directory>
[root@hf-01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
把代码放入到配置文件中
<Directory /data/wwwroot/111.com/upload>
##把upload目录下所有的php禁止解析
php_admin_flag engine off //禁止解析php
<FilesMatch (.*)\.php(.*)> //现在这里所有访问php都会是403
##这里的 . 用 \ 转义(脱义),使它只匹配字面上的点号
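Order allow,deny //如果不加这段 deny,关闭解析后 .php 文件会被当作普通文本直接返回源代码,源码里的敏感信息也会随之泄露;Order/Deny 是 2.2 的写法,在 2.4 中依赖 mod_access_compat,2.4 的原生写法是 Require all denied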
Deny from all
</FilesMatch>
</Directory>
然后保存退出
[root@hf-01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@hf-01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@hf-01 111.com]#
[root@hf-01 111.com]# mkdir upload
[root@hf-01 111.com]# ls
123.php admin index.php QQ111.jpg upload
[root@hf-01 111.com]# cp 123.php upload/
[root@hf-01 111.com]#
[root@hf-01 111.com]# curl -x127.0.0.1:80 '111.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Tue, 26 Dec 2017 16:09:43 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@hf-01 111.com]#
[root@hf-01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/111.com/upload>
##把upload目录下所有的php禁止解析
php_admin_flag engine off
#<FilesMatch (.*)\.php(.*)>
##这里的 .用\脱义
#Order allow,deny
#Deny from all
#</FilesMatch>
</Directory>
然后保存退出
[root@hf-01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@hf-01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@hf-01 111.com]#
[root@hf-01 111.com]# !curl
curl -x127.0.0.1:80 '111.com/upload/123.php'
<?php
echo "123.php";
[root@hf-01 111.com]#
<Directory /data/wwwroot/111.com/upload>
##把upload目录下所有的php禁止解析
php_admin_flag engine off
<FilesMatch (.*)\.php(.*)>
##这里的 .用\脱义
Order allow,deny
Deny from all
</FilesMatch>
</Directory>
[root@hf-01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@hf-01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@hf-01 111.com]#
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]
</IfModule>
[root@hf-01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR] //条件:User-Agent 中含 curl;NC 表示不区分大小写,OR 表示与下一条条件是"或"的关系
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC] //条件:User-Agent 中含 baidu.com;这里的 . 没有转义,会匹配任意字符
RewriteRule .* - [F]
</IfModule>
[root@hf-01 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@hf-01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@hf-01 111.com]#
[root@hf-01 111.com]# curl -x127.0.0.1:80 '111.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Tue, 26 Dec 2017 20:52:15 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
[root@hf-01 111.com]# curl -x127.0.0.1:80 '111.com/123.php' -I
HTTP/1.1 403 Forbidden
Date: Tue, 26 Dec 2017 20:53:30 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
[root@hf-01 111.com]#
[root@hf-01 logs]# tail -5 /usr/local/apache2.4/logs/123.com-access_20171227.log
192.168.74.1 - - [27/Dec/2017:04:32:09 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.221 Safari/537.36 SE 2.X MetaSr 1.0"
192.168.74.1 - - [27/Dec/2017:04:32:10 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.221 Safari/537.36 SE 2.X MetaSr 1.0"
192.168.74.1 - - [27/Dec/2017:04:32:17 +0800] "GET /upload/123.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.221 Safari/537.36 SE 2.X MetaSr 1.0"
127.0.0.1 - - [27/Dec/2017:04:52:15 +0800] "HEAD HTTP://111.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:04:53:30 +0800] "HEAD HTTP://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
[root@hf-01 logs]#
用 -A 指定一个不在限制列表中的 user_agent 去访问,会看到状态码为200,可以正常访问。这也说明 User-Agent 完全由客户端控制,这条规则只能挡住不做伪装的爬虫和工具,不能当作访问控制手段。
[root@hf-01 111.com]# curl -A "hanfeng hanfeng" -x127.0.0.1:80 '111.com/123.php' -I
HTTP/1.1 200 OK
Date: Tue, 26 Dec 2017 21:17:47 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8
[root@hf-01 111.com]# curl -A "hanfeng hanfeng" -x127.0.0.1:80 '111.com/123.php'
123.php[root@hf-01 111.com]#
[root@hf-01 111.com]#
[root@hf-01 111.com]# !tail
tail -5 /usr/local/apache2.4/logs/123.com-access_20171227.log
192.168.74.1 - - [27/Dec/2017:04:32:17 +0800] "GET /upload/123.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.221 Safari/537.36 SE 2.X MetaSr 1.0"
127.0.0.1 - - [27/Dec/2017:04:52:15 +0800] "HEAD HTTP://111.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:04:53:30 +0800] "HEAD HTTP://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:05:17:47 +0800] "HEAD HTTP://111.com/123.php HTTP/1.1" 200 - "-" "hanfeng hanfeng"
127.0.0.1 - - [27/Dec/2017:05:19:40 +0800] "GET HTTP://111.com/123.php HTTP/1.1" 200 7 "-" "hanfeng hanfeng"
[root@hf-01 111.com]#
[root@hf-01 111.com]# ls
11.png 123.php admin index.php inedx.php upload
[root@hf-01 111.com]# vi index.php
[root@hf-01 111.com]# cd /usr/local/src/php-5.6.30/
[root@hf-01 php-5.6.30]# cp php.ini-development /usr/local/php/etc/php.ini
[root@hf-01 php-5.6.30]# /usr/local/apache2.4/bin/apachectl graceful
[root@hf-01 php-5.6.30]#
这时用浏览器访问 index.php(其中调用了 phpinfo()),可以在输出页面中看到已加载的 php.ini 配置文件路径
[root@hf-01 php-5.6.30]# vim /usr/local/php/etc/php.ini
搜索 /disable
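在disable_functions =后禁掉一些危险的函数(该指令只能在 php.ini 中设置;eval 是语言结构而不是函数,写在这里并不能禁用它;escapeshellarg、escapeshellcmd 是用来转义 shell 参数的函数,禁用前要确认站点代码没有依赖它们;下面的列表里有几项重复,重复项不影响效果)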
disable_functions =eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
然后保存
[root@hf-01 php-5.6.30]# /usr/local/apache2.4/bin/apachectl graceful
[root@hf-01 php-5.6.30]#
[root@hf-01 php-5.6.30]# vim /usr/local/php/etc/php.ini
搜索/timezone
在date.timezone定义时区
需要删除 ; 分号
date.timezone = Asia/shanghai
搜索/display
需要删除 ; 分号
将display_errors = On更改为display_errors = Off
然后保存退出
[root@hf-01 php-5.6.30]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@hf-01 php-5.6.30]# /usr/local/apache2.4/bin/apachectl graceful
[root@hf-01 php-5.6.30]#
搜索/log_errors,将错误日志功能打开
log_errors = On
搜索/error_log,将错误日志文件定义到tmp目录下
需要删除 ; 分号
error_log = /tmp/php_errors.log
然后保存退出
[root@hf-01 php-5.6.30]# curl -A "a" -x127.0.0.1:80 http://111.com/index.php
[root@hf-01 php-5.6.30]# ls /tmp/
mysql.sock php_errors.log
查看php_errors.log文件,会看到属主属组是daemon,因为该文件是由以 daemon 身份运行的 httpd 子进程创建的
[root@hf-01 php-5.6.30]# ls -l /tmp/php_errors.log
-rw-r--r-- 1 daemon daemon 135 12月 27 07:30 /tmp/php_errors.log
[root@hf-01 php-5.6.30]#
[root@hf-01 php-5.6.30]# ps aux |grep httpd
root 2539 0.0 1.2 258304 12708 ? Ss 04:26 0:01 /usr/local/apache2.4/bin/httpd -k graceful
daemon 3685 0.0 0.9 545132 9580 ? Sl 07:30 0:00 /usr/local/apache2.4/bin/httpd -k graceful
daemon 3686 0.0 0.9 545132 9580 ? Sl 07:30 0:00 /usr/local/apache2.4/bin/httpd -k graceful
daemon 3687 0.0 1.2 610668 12388 ? Sl 07:30 0:00 /usr/local/apache2.4/bin/httpd -k graceful
root 3776 0.0 0.0 112676 984 pts/0 R+ 07:33 0:00 grep --color=auto httpd
[root@hf-01 php-5.6.30]#
[root@hf-01 php-5.6.30]# grep error_log /usr/local/php/etc/php.ini
; server-specific log, STDERR, or a location specified by the error_log
; Set maximum length of log_errors. In error_log information about the source is
error_log = /tmp/php_errors.log
;error_log = syslog
; OPcache error_log file name. Empty string assumes "stderr".
;opcache.error_log=
[root@hf-01 php-5.6.30]#
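- 可以先创建好/tmp/php_errors.log文件,然后赋予chmod 777权限,保证 httpd(daemon 用户)能写入。注意 777 会让系统上任何用户都能读写这个日志,/tmp 又是所有用户可写的目录;生产环境更稳妥的做法是把日志放到专用目录,属主设为 daemon,权限收紧到 640。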
[root@hf-01 php-5.6.30]# cat /tmp/php_errors.log //会告诉你因为安全的原因,这个函数已经被禁掉了
[26-Dec-2017 23:30:19 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[root@hf-01 php-5.6.30]#
[root@hf-01 php-5.6.30]# vim /usr/local/php/etc/php.ini
搜索/open_basedir,并删除行首的 ; 号(php.ini 里的 open_basedir 对这台服务器上所有站点生效;要按站点分别限制,需要在虚拟主机配置里用 php_admin_value 设置)
open_basedir = /data/wwwroot/111.com:/tmp
然后保存退出
[root@hf-01 php-5.6.30]# curl -A "a" -x127.0.0.1:80 http://111.com/index.php -I
HTTP/1.1 200 OK
Date: Wed, 27 Dec 2017 00:04:36 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8
[root@hf-01 php-5.6.30]#
[root@hf-01 php-7.1.6]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
然后保存退出
[root@hf-01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@hf-01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@hf-01 php-7.1.6]#
[root@hf-01 php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/index.php
111.com[root@hf-01 php-7.1.6]#