配置防盗链、访问控制

十一周一次课（12月25日）
11.25 配置防盗链
11.26 访问控制Directory
11.27 访问控制FilesMatch
扩展
几种限制ip的方法
http://ask.apelearn.com/question/6519

apache 自定义header
http://ask.apelearn.com/question/830

apache的keepalive和keepalivetimeout
http://ask.apelearn.com/question/556

配置防盗链
• 通过限制referer来实现防盗链的功能，如果referer是本站就能访问，如果不是就403
• 配置文件增加如下内容

<Directory /data/wwwroot/www.123.com>
        SetEnvIfNoCase Referer "http://www.123.com" local_ref
        SetEnvIfNoCase Referer "http://123.com" local_ref
        SetEnvIfNoCase Referer "^$" local_ref
        <filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">
            Order Allow,Deny
            Allow from env=local_ref
        </filesmatch>
    </Directory>
• curl -e "http://www.aminglinux.com/123.html" 自定义referer
curl -e "http://www.baidu.com/123.txt" -x127.0.0.1:80 123.com/15.png -I
curl -e "http://123.com/123.txt" -x127.0.0.1:80 123.com/15.png -I

    DocumentRoot "/data/wwwroot/abc.com"
    ServerName abc.com
    ServerAlias www.abc.com www.111.com
    ErrorLog "logs/abc.com-error_log"
    CustomLog "logs/abc.com-access_log" common



    DocumentRoot "/data/wwwroot/123.com"
    ServerName 123.com
    ServerAlias www.123.com 1123.com.cn
#配置反盗链
 
        SetEnvIfNoCase Referer "http://www.123.com" local_ref
        SetEnvIfNoCase Referer "http://123.com" local_ref
       # SetEnvIfNoCase Referer "^$" local_ref  
        
          Order Allow,Deny
          Allow from env=local_ref
        
  

    
     ExpiresActive on
     ExpiresByType image/gif  "access plus 1 days"
     ExpiresByType image/jpeg "access plus 24 hours"
     ExpiresByType image/png "access plus 24 hours" 
     ExpiresByType text/css "now plus 2 hour" 
     ExpiresByType application/x-javascript "now plus 2 hours" 
     ExpiresByType application/javascript "now plus 2 hours" 
     ExpiresByType application/x-shockwave-flash "now plus 2 hours" 
     ExpiresDefault "now plus 0 min" 
     
    ErrorLog "logs/123.com-error_log" 
    SetEnvIf Request_URI ".*\.gif$" img 
    SetEnvIf Request_URI ".*\.jpg$" img 
    SetEnvIf Request_URI ".*\.png$" img 
    SetEnvIf Request_URI ".*\.bmp$" img 
    SetEnvIf Request_URI ".*\.swf$" img 
    SetEnvIf Request_URI ".*\.js$" img 
    SetEnvIf Request_URI ".*\.css$" img 
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/123.com-access_%Y%m%d.log 86400"  combined env=!img 

 

---

访问控制Directory
• 设置一个目录只能通过白名单访问，或者拒绝某个ip访问。核心配置文件内容

vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
  
        Order deny,allow  #排序，这里是先拒绝在被允许。哪个在前面就先执行哪个，deny在前面就先执行Deny from all再执行Allow 
        Deny from all #拒绝所有
        Allow from 127.0.0.1  #允许本机
    

• curl测试状态码为403则

admin目录下的都是403

访问控制FilesMatch
Directory是控制目录。FilesMatch是控制一个链接（匹配页面和后面所带的参数）
•核心配置文件内容

    
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1