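Configuring hotlink protection, Directory access control, and FilesMatch access control
Configuring hotlink protection
The hotlinking my site runs into most falls into two categories: image hotlinking and file hotlinking. A very high-traffic site once hotlinked images from my site and consumed several GB of traffic in a single day. Many of the large software packages hosted on my site, tens of megabytes each, are also frequently hotlinked, which consumes a lot of my site's resources.
1. Add the following content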
[root@centos7 local]# vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.111.com www.example.com
    <Directory /data/wwwroot/111.com>
        SetEnvIfNoCase Referer "http://111.com" local_ref
        SetEnvIfNoCase Referer "http://ask.apelearn.com" local_ref
        SetEnvIfNoCase Referer "^$" local_ref
        # Define the Referer whitelist
        <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
            Order Allow,Deny
            Allow from env=local_ref
            # Rule: allow requests whose Referer set the local_ref variable and deny all other requests.
        </FilesMatch>
    </Directory>
</VirtualHost>
2. [root@centos7 local]# /usr/local/apache2.4/bin/apachectl graceful
3. -e specifies the Referer. http://ask.apelearn.com/ is now on the whitelist, so the request is allowed.
[root@centos7 local]# curl -e "http://ask.apelearn.com/" -x127.0.0.1:80 111.com/3.png -I
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2017 12:45:00 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Last-Modified: Thu, 09 Nov 2017 12:45:00 GMT
ETag: W/"a102-55d97420ac440"
Accept-Ranges: bytes
Content-Length: 41218
Cache-Control: max-age=86400
Expires: Fri, 10 Nov 2017 12:45:00 GMT
Content-Type: image/png
4. A Referer that is not on the whitelist gets a 403.
[root@centos7 local]# curl -e "http://1323.com/" -x127.0.0.1:80 111.com/3.png -I
HTTP/1.1 403 Forbidden
Date: Thu, 09 Nov 2017 12:49:29 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
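The following Python model is an added example, not part of the original post: it emulates the SetEnvIfNoCase / FilesMatch / Order Allow,Deny decision configured above so that Referer patterns can be checked before Apache is reloaded. The anchored pattern set and the sample Referer values are constructed assumptions.

```python
import re

# The three Referer patterns from the vhost above, copied as written.
PAGE_PATTERNS = [r"http://111.com", r"http://ask.apelearn.com", r"^$"]
# Assumption (not on the page): same whitelist, anchored and with dots escaped.
ANCHORED_PATTERNS = [r"^http://111\.com(/|$)",
                     r"^http://ask\.apelearn\.com(/|$)", r"^$"]
# FilesMatch regex from the page; it is matched against the file name.
PROTECTED = re.compile(r"\.(txt|doc|mp3|zip|rar|jpg|gif|png)")

def referer_allowed(referer, patterns):
    """SetEnvIfNoCase: case-insensitive, unanchored regex search.
    A missing Referer header is evaluated as the empty string."""
    return any(re.search(p, referer or "", re.IGNORECASE) for p in patterns)

def status(filename, referer, patterns=PAGE_PATTERNS):
    """Order Allow,Deny with Allow from env=local_ref: deny unless local_ref is set."""
    if not PROTECTED.search(filename):
        return 200  # FilesMatch does not apply, no restriction
    return 200 if referer_allowed(referer, patterns) else 403

def differing(referers, filename="3.png"):
    """Referers that the page's patterns and the anchored ones treat differently."""
    return [r for r in referers
            if status(filename, r, PAGE_PATTERNS)
            != status(filename, r, ANCHORED_PATTERNS)]

# Constructed sample Referer values (the first two are the curl tests above).
SAMPLES = [
    "http://ask.apelearn.com/",
    "http://1323.com/",
    "",
    "HTTP://111.COM/index.html",
    "http://1323.com/?from=http://111.com",
    "http://111.com.example.net/",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{ref!r:45} page={status('3.png', ref)} "
              f"anchored={status('3.png', ref, ANCHORED_PATTERNS)}")
    print("differ:", differing(SAMPLES))
```

The Referer header is chosen by the client, as the curl -e tests show, so this rule limits hotlinking from browsers and is not a substitute for access control.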
Directory access control
1. [root@centos7 local]# vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.111.com www.example.com
    <Directory /data/wwwroot/111.com/admin/>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        # Only the IP 127.0.0.1 may access the contents of the /data/wwwroot/111.com/admin/ directory
        # Deny everything first, then allow what Allow lists; the order matters
    </Directory>
</VirtualHost>
2. mkdir /data/wwwroot/111.com/admin/ && vi /data/wwwroot/111.com/admin/admin.html
3. [root@centos7 local]# /usr/local/apache2.4/bin/apachectl graceful
Verification:
[root@centos7 local]# curl -x127.0.0.1:80 111.com/admin/admin.html
this is admin.html
[root@centos7 local]# curl -x192.168.3.74:80 111.com/admin/admin.html -I
HTTP/1.1 403 Forbidden
Date: Thu, 09 Nov 2017 12:53:39 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
FilesMatch access control
1. [root@centos7 local]# vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.111.com www.example.com
    <Directory /data/wwwroot/111.com>
        <FilesMatch admin.html(.*)>
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </FilesMatch>
    </Directory>
</VirtualHost>
2. [root@centos7 local]# /usr/local/apache2.4/bin/apachectl graceful
3. [root@centos7 local]# curl -x127.0.0.1:80 111.com/admin.html
this file admin.html
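Further notes:
1. Deny access to certain files/directories
Add a Files section to control access, for example to deny access to files with the .inc extension and protect PHP libraries:
<Files ~ "\.inc$">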
Order Allow,Deny
Deny from all
</Files>
2. Deny access to certain specified directories (a regular expression can be used for the match):
<Directory ~ "^/var/www/(.+/)*[0-9]{3}">
Order Allow,Deny
Deny from all
</Directory>
3. Deny by file match, for example deny all access to images:
<FilesMatch "\.(?i:gif|jpe?g|png)$">
Order Allow,Deny
Deny from all
</FilesMatch>
4. Deny access by relative URL path
<Location /dir/>
Order Allow,Deny
Deny from all
</Location>
This article comes from the “探索發現新事物” blog; please be sure to keep this source reference: http://shenj.blog.51cto.com/5802843/1980632