防盗链配置
- 通过限制referer来实现防盗链的功能
- 配置前,使用curl -e 指定referer
[root@test-a test-webroot]# curl -e "http://www.test.com/1.html" -x127.0.0.1:80 "www.test.com/1.jpg" -I
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 22:18:28 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Last-Modified: Mon, 19 Nov 2018 00:30:17 GMT
ETag: "0-57af99f141942"
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Tue, 20 Nov 2018 22:18:28 GMT
Content-Type: image/jpeg
[root@test-a test-webroot]# curl -e "http://www.qq.com/1.html" -x127.0.0.1:80 "www.qq.com/1.jpg" -I
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 22:19:35 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Last-Modified: Mon, 19 Nov 2018 00:30:17 GMT
ETag: "0-57af99f141942"
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Tue, 20 Nov 2018 22:19:35 GMT
Content-Type: image/jpeg
- 配置,/usr/local/apache2.4/conf/extra/httpd-vhosts.conf对应的虚拟网站增加如下内容,SetEnvIfNoCase Referer增加的是白名单
<Directory "/usr/local/apache2.4/test-webroot">
SetEnvIfNoCase Referer "http://www.test.com" local_ref
SetEnvIfNoCase Referer "http://test.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">
Order Allow,Deny
Allow from env=local_ref
</filesmatch>
</Directory>
[root@test-a test-webroot]# /usr/local/apache2.4/bin/apachectl graceful
[root@test-a test-webroot]# curl -e "http://www.test.com/1.html" -x127.0.0.1:80 "www.test.com/1.jpg" -I
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 22:26:15 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Last-Modified: Mon, 19 Nov 2018 00:30:17 GMT
ETag: "0-57af99f141942"
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Tue, 20 Nov 2018 22:26:15 GMT
Content-Type: image/jpeg
[root@test-a test-webroot]# curl -e "http://www.qq.com/1.html" -x127.0.0.1:80 "www.qq.com/1.jpg" -I # 403错误
HTTP/1.1 403 Forbidden
Date: Mon, 19 Nov 2018 22:26:17 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1
Directory访问控制
[root@test-a ~]# curl -x127.0.0.1:80 www.test.com/admin/index.php
This is admin/index.php
[root@test-a ~]# curl -x192.168.77.139:80 www.test.com/admin/index.php
This is admin/index.php
- 配置, /usr/local/apache2.4/conf/extra/httpd-vhosts.conf对应的虚拟网站增加如下内容
Directory /usr/local/apache2.4/test-webroot/admin>
Order deny,allow
Deny from all
Allow from 127.0.0.1 # 只允许本机的127.0.0.1访问
</Directory>
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@test-a ~]# curl -x127.0.0.1:80 www.test.com/admin/index.php
This is admin/index.php
[root@test-a ~]# curl -x192.168.77.139:80 www.test.com/admin/index.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /admin/index.php
on this server.<br />
</p>
</body></html>
FilesMatch访问控制
[root@test-a ~]# curl -x192.168.77.139:80 www.test.com
It works!
[root@test-a ~]# curl -x127.0.0.1:80 www.test.com
It works!
- 配置,/usr/local/apache2.4/conf/extra/httpd-vhosts.conf对应的虚拟网站增加如下内容
<Directory /usr/local/apache2.4/test-webroot/>
<FilesMatch index.html(.*)>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>
</Directory>
[root@test-a ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@test-a ~]# curl -x192.168.77.139:80 www.test.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
</body></html>
[root@test-a ~]# curl -x127.0.0.1:80 www.test.com
It works!
[root@test-a ~]# curl -x127.0.0.1:80 'www.test.com/index.html?a=123'
It works!
[root@test-a ~]# curl -x192.168.77.139:80 'www.test.com/index.html?a=123'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.html
on this server.<br />
</p>
</body></html>