  • 11.25 Configuring hotlink protection, 11.26 Access control with Directory, 11.27 Access control with FilesMatch

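    Configuring hotlink protection
    • Hotlink protection works by restricting the Referer: if the Referer is this site, access is allowed; otherwise the server returns 403.
    • Add the following to the configuration file: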

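    <Directory /data/wwwroot/www.123.com>
        # Set local_ref when the Referer matches this site's URL
        SetEnvIfNoCase Referer "http://www.123.com" local_ref
        SetEnvIfNoCase Referer "http://123.com" local_ref
        # Also set local_ref when the Referer is empty (direct access)
        SetEnvIfNoCase Referer "^$" local_ref
        # For these file types, allow only requests with local_ref set; others get 403.
        # Order/Allow are 2.2-style directives; Apache 2.4 provides them via mod_access_compat.
        <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif)$">
            Order Allow,Deny
            Allow from env=local_ref
        </FilesMatch>
    </Directory>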
    • curl -e "http://www.aminglinux.com/123.html" sets a custom Referer
    curl -e "http://www.baidu.com/123.txt" -x127.0.0.1:80 123.com/15.png -I
    curl -e "http://123.com/123.txt" -x127.0.0.1:80 123.com/15.png -I

     


    <VirtualHost *:80>
        DocumentRoot "/data/wwwroot/abc.com"
        ServerName abc.com
        ServerAlias www.abc.com www.111.com
        ErrorLog "logs/abc.com-error_log"
        CustomLog "logs/abc.com-access_log" common
    </VirtualHost>
    
    <VirtualHost *:80>
        DocumentRoot "/data/wwwroot/123.com"
        ServerName 123.com
        ServerAlias www.123.com 1123.com.cn
        # Hotlink protection
        <Directory /data/wwwroot/123.com>
            SetEnvIfNoCase Referer "http://www.123.com" local_ref
            SetEnvIfNoCase Referer "http://123.com" local_ref
            # Empty-Referer rule disabled here, so requests without a Referer get 403
            # SetEnvIfNoCase Referer "^$" local_ref
            <FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)$">
                Order Allow,Deny
                Allow from env=local_ref
            </FilesMatch>
        </Directory>
    
        <IfModule mod_expires.c>
         ExpiresActive on
         ExpiresByType image/gif  "access plus 1 days"
         ExpiresByType image/jpeg "access plus 24 hours"
         ExpiresByType image/png "access plus 24 hours" 
         ExpiresByType text/css "now plus 2 hour" 
         ExpiresByType application/x-javascript "now plus 2 hours" 
         ExpiresByType application/javascript "now plus 2 hours" 
         ExpiresByType application/x-shockwave-flash "now plus 2 hours" 
         ExpiresDefault "now plus 0 min" 
        </IfModule> 
        ErrorLog "logs/123.com-error_log" 
        # Tag static resources so that CustomLog (env=!img) leaves them out of the access log
        SetEnvIf Request_URI ".*\.gif$" img
        SetEnvIf Request_URI ".*\.jpg$" img
        SetEnvIf Request_URI ".*\.png$" img
        SetEnvIf Request_URI ".*\.bmp$" img
        SetEnvIf Request_URI ".*\.swf$" img
        SetEnvIf Request_URI ".*\.js$" img
        SetEnvIf Request_URI ".*\.css$" img
        CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/123.com-access_%Y%m%d.log 86400"  combined env=!img 
    
    </VirtualHost> 
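
An added example (not part of the original post): a small Python model of how the SetEnvIfNoCase Referer patterns and the FilesMatch block above decide between 200 and 403, run over constructed requests. Python's `re` stands in for Apache's regex engine, and `ANCHORED_PATTERNS` is an assumed tighter variant that is not from the page; the comparison shows that the unanchored patterns also accept any Referer that merely contains the site's URL.

```python
import re

# Referer patterns exactly as in the page's SetEnvIfNoCase lines (unanchored).
PAGE_PATTERNS = ["http://www.123.com", "http://123.com", "^$"]
# Assumed hardened variant (not from the page): scheme and host anchored, dots escaped.
ANCHORED_PATTERNS = [r"^https?://(www\.)?123\.com(:\d+)?(/|$)", "^$"]
# Extension list from the page's second FilesMatch, dot escaped and end-anchored.
PROTECTED = re.compile(r"\.(txt|doc|mp3|zip|rar|jpg|gif|png)$", re.IGNORECASE)


def local_ref(referer, patterns):
    """Model SetEnvIfNoCase: case-insensitive regex search; a missing header is ''."""
    value = referer or ""
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)


def status(filename, referer, patterns):
    """Model 'Order Allow,Deny' + 'Allow from env=local_ref' inside FilesMatch."""
    if not PROTECTED.search(filename):
        return 200  # FilesMatch does not apply, so the Referer is never checked
    return 200 if local_ref(referer, patterns) else 403


# Constructed sample requests: (file name, Referer header or None when absent).
SAMPLES = [
    ("15.png", "http://www.123.com/index.html"),
    ("15.png", "http://www.baidu.com/123.txt"),
    ("15.png", None),
    ("15.png", "http://www.123.com.example.net/page.html"),
    ("15.png", "http://example.net/?from=http://123.com"),
    ("index.html", "http://www.baidu.com/123.txt"),
]


def compare(samples=SAMPLES):
    """Return (file, referer, status with page patterns, status with anchored patterns)."""
    return [(f, r, status(f, r, PAGE_PATTERNS), status(f, r, ANCHORED_PATTERNS))
            for f, r in samples]


if __name__ == "__main__":
    for f, r, page, anchored in compare():
        print(f"{f:<11} {str(r):<42} page={page} anchored={anchored}")
```

The anchored pattern can be used as written in a `SetEnvIfNoCase Referer` line.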
    

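    Access control with Directory
    • Restrict a directory so that it can only be reached from a whitelist, or deny access from a particular IP. Core configuration: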

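    vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
        <Directory /data/wwwroot/www.123.com/admin/>
            # Ordering: deny first, then allow. Whichever is listed first is evaluated first,
            # so with deny first, "Deny from all" is applied and then the Allow line.
            Order deny,allow
            # Deny everyone
            Deny from all
            # Allow the local machine
            Allow from 127.0.0.1
        </Directory>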

    • When tested with curl, the status code is 403

    Everything under the admin directory returns 403

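    Access control with FilesMatch
    Directory controls a directory. FilesMatch controls a single link (it matches the page and the parameters that follow it).
    • Core configuration: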

    <Directory /data/wwwroot/123.com>
        # Only the local machine may request admin.php
        <FilesMatch "admin\.php(.*)">
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </FilesMatch>
    </Directory>


  • Original article: https://www.cnblogs.com/pta188/p/9116751.html