Configure anti-theft chain and access control

11 once a week (December 25)
11.25 configure anti-theft chain
11.26 access control Directory
11.27 access control FilesMatch
extend
Several methods of limiting ip
http://ask.apelearn.com/question/6519

apache custom header
http://ask.apelearn.com/question/830

apache's keepalive and keepalivetimeout
http://ask.apelearn.com/question/556

Configure anti-theft chain
• realize the function of anti-theft chain by limiting the referer. If the referer is local, it can be accessed. If not, 403
Add the following to the configuration file

<Directory /data/wwwroot/www.123.com>
        SetEnvIfNoCase Referer "http://www.123.com" local_ref
        SetEnvIfNoCase Referer "http://123.com" local_ref
        SetEnvIfNoCase Referer "^$" local_ref
        <filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">
            Order Allow,Deny
            Allow from env=local_ref
        </filesmatch>
    </Directory>
• curl -e "http://www.aminglinux.com/123.html" customreferer
curl -e "http://www.baidu.com/123.txt" -x127.0.0.1:80 123.com/15.png -I
curl -e "http://123.com/123.txt" -x127.0.0.1:80 123.com/15.png -I

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/abc.com"
    ServerName abc.com
    ServerAlias www.abc.com www.111.com
    ErrorLog "logs/abc.com-error_log"
    CustomLog "logs/abc.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/123.com"
    ServerName 123.com
    ServerAlias www.123.com 1123.com.cn
#Configure anti stealing chain
 <Directory /data/wwwroot/123.com>
        SetEnvIfNoCase Referer "http://www.123.com" local_ref
        SetEnvIfNoCase Referer "http://123.com" local_ref
       # SetEnvIfNoCase Referer "^$" local_ref  
        <filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
          Order Allow,Deny
          Allow from env=local_ref
        </filesmatch>
  </Directory>

    <IfModule mod_expires.c>
     ExpiresActive on
     ExpiresByType image/gif  "access plus 1 days"
     ExpiresByType image/jpeg "access plus 24 hours"
     ExpiresByType image/png "access plus 24 hours" 
     ExpiresByType text/css "now plus 2 hour" 
     ExpiresByType application/x-javascript "now plus 2 hours" 
     ExpiresByType application/javascript "now plus 2 hours" 
     ExpiresByType application/x-shockwave-flash "now plus 2 hours" 
     ExpiresDefault "now plus 0 min" 
    </IfModule> 
    ErrorLog "logs/123.com-error_log" 
    SetEnvIf Request_URI ".*\.gif$" img 
    SetEnvIf Request_URI ".*\.jpg$" img 
    SetEnvIf Request_URI ".*\.png$" img 
    SetEnvIf Request_URI ".*\.bmp$" img 
    SetEnvIf Request_URI ".*\.swf$" img 
    SetEnvIf Request_URI ".*\.js$" img 
    SetEnvIf Request_URI ".*\.css$" img 
    CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/123.com-access_%Y%m%d.log 86400"  combined env=!img 

</VirtualHost> 

Access control Directory
• set a directory that can only be accessed through a white list, or deny an ip access. Core profile content

vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
  <Directory /data/wwwroot/www.123.com/admin/>
        Order deny,allow  #Sort, here is reject first before being allowed. Which is executed first? deny is executed first allReexecution Allow 
        Deny from all #Reject all
        Allow from 127.0.0.1  #Allow native
    </Directory>

• 403 curl test status codes

403 in the admin directory

Access control FilesMatch
Directory is the control directory. FilesMatch is to control a link (matching the page and the following parameters)
• core profile content

<Directory /data/wwwroot/123.com>
    <FilesMatch  "admin.php(.*)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>

Tags: curl Apache Javascript vim

Posted on Sun, 03 May 2020 02:57:07 -0400 by schoenung