Apache hotlink protection, Directory access control, and access control with FilesMatch


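Hotlink protection configuration

  • Hotlink protection is implemented by restricting the Referer header
  • Before configuration, use curl -e to specify the Referer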
[root@test-a test-webroot]# curl -e "http://www.test.com/1.html" -x127.0.0.1:80 "www.test.com/1.jpg" -I
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 22:18:28 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Last-Modified: Mon, 19 Nov 2018 00:30:17 GMT
ETag: "0-57af99f141942"
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Tue, 20 Nov 2018 22:18:28 GMT
Content-Type: image/jpeg

[root@test-a test-webroot]# curl -e "http://www.qq.com/1.html" -x127.0.0.1:80 "www.qq.com/1.jpg" -I
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 22:19:35 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Last-Modified: Mon, 19 Nov 2018 00:30:17 GMT
ETag: "0-57af99f141942"
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Tue, 20 Nov 2018 22:19:35 GMT
Content-Type: image/jpeg
  • Configuration: in /usr/local/apache2.4/conf/extra/httpd-vhosts.conf, add the following to the corresponding virtual host. The SetEnvIfNoCase Referer lines define the allowlist

    SetEnvIfNoCase Referer "http://www.test.com" local_ref
    SetEnvIfNoCase Referer "http://test.com" local_ref
    SetEnvIfNoCase Referer "^$" local_ref  
    
        Order Allow,Deny
        Allow from env=local_ref
    

  • Reload the configuration and test
[root@test-a test-webroot]# /usr/local/apache2.4/bin/apachectl graceful
[root@test-a test-webroot]# curl -e "http://www.test.com/1.html" -x127.0.0.1:80 "www.test.com/1.jpg" -I
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 22:26:15 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Last-Modified: Mon, 19 Nov 2018 00:30:17 GMT
ETag: "0-57af99f141942"
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Tue, 20 Nov 2018 22:26:15 GMT
Content-Type: image/jpeg

[root@test-a test-webroot]# curl -e "http://www.qq.com/1.html" -x127.0.0.1:80 "www.qq.com/1.jpg" -I  # 403 error
HTTP/1.1 403 Forbidden
Date: Mon, 19 Nov 2018 22:26:17 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1

Directory access control

  • Before configuration
[root@test-a ~]# curl  -x127.0.0.1:80 www.test.com/admin/index.php
This is admin/index.php
[root@test-a ~]# curl  -x192.168.77.139:80 www.test.com/admin/index.php
This is admin/index.php
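  • Configuration: in /usr/local/apache2.4/conf/extra/httpd-vhosts.conf, add the following to the corresponding virtual host
<Directory /usr/local/apache2.4/test-webroot/admin>
    Order deny,allow
    Deny from all
    # Only allow access from the local address 127.0.0.1
    Allow from 127.0.0.1
</Directory>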

  • Reload and test
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@test-a ~]# curl  -x127.0.0.1:80 www.test.com/admin/index.php
This is admin/index.php
[root@test-a ~]# curl  -x192.168.77.139:80 www.test.com/admin/index.php


403 Forbidden

Forbidden

You don't have permission to access /admin/index.php on this server.

FilesMatch access control

  • Before configuration
[root@test-a ~]# curl  -x192.168.77.139:80 www.test.com
It works!
[root@test-a ~]# curl  -x127.0.0.1:80 www.test.com
It works!
  • Configuration: in /usr/local/apache2.4/conf/extra/httpd-vhosts.conf, add the following to the corresponding virtual host

    
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    

  • Reload the configuration and test access
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@test-a ~]# curl  -x192.168.77.139:80 www.test.com


403 Forbidden

Forbidden

You don't have permission to access / on this server.

[root@test-a ~]# curl -x127.0.0.1:80 www.test.com
It works!
[root@test-a ~]# curl -x127.0.0.1:80 'www.test.com/index.html?a=123'
It works!
[root@test-a ~]# curl -x192.168.77.139:80 'www.test.com/index.html?a=123'
403 Forbidden

Forbidden

You don't have permission to access /index.html on this server.
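
The three controls above rewritten with Apache 2.4's native Require directives, as an added example rather than the original post's configuration (the post's server reports Apache/2.4.37, where Order/Allow/Deny are handled by mod_access_compat). The DocumentRoot, the image-extension pattern and the index.html pattern are assumptions.

```apache
# Added example, not the original post's configuration.
# Assumed values: DocumentRoot, the image-extension pattern and the
# index.html pattern (the post's own patterns are not shown on the page).
<VirtualHost *:80>
    ServerName www.test.com
    ServerAlias test.com
    DocumentRoot "/usr/local/apache2.4/test-webroot"

    # Referer allowlist. The pattern is anchored at the start and at the end
    # of the host name, so local_ref is set only when the Referer begins with
    # the site's own scheme and host. An unanchored "http://www.test.com"
    # would also match a Referer that merely contains that string somewhere.
    SetEnvIfNoCase Referer "^https?://(www\.)?test\.com(/|$)" local_ref
    # An empty or absent Referer (typed URL, privacy settings) stays allowed.
    SetEnvIfNoCase Referer "^$" local_ref

    <Directory "/usr/local/apache2.4/test-webroot">
        Require all granted

        # Hotlink protection: images are served only when local_ref is set.
        <FilesMatch "\.(jpe?g|png|gif)$">
            Require env local_ref
        </FilesMatch>

        # FilesMatch access control: index.html for 127.0.0.1 only.
        <FilesMatch "^index\.html$">
            Require ip 127.0.0.1
        </FilesMatch>
    </Directory>

    # Directory access control: /admin for 127.0.0.1 only.
    <Directory "/usr/local/apache2.4/test-webroot/admin">
        Require ip 127.0.0.1
    </Directory>
</VirtualHost>
```

Check the syntax with apachectl -t before apachectl graceful, then repeat the curl -e tests from each section. The Referer header is supplied by the client, so the allowlist limits casual embedding by other sites and is not a substitute for the IP-based rules on /admin.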

Reposted from: https://my.oschina.net/u/996931/blog/2878439
