Sensible delegation of privileges is an effective way to improve management efficiency. By configuring Apache as described in this lesson and granting targeted permissions, both the administration and the security of Apache are improved.

11.25 Configuring hotlink protection

Edit the virtual host configuration file:
```
[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
```
Add the following:
```
SetEnvIfNoCase Referer "http://111.com" local_ref
SetEnvIfNoCase Referer "http://aaa.com" local_ref
#SetEnvIfNoCase Referer "^$" local_ref
# define the Referer whitelist
Order Allow,Deny
Allow from env=local_ref
# define the rule: allow only requests whose Referer set the variable local_ref, deny all other access
```
Save with `:wq`, then check the syntax and reload:
```
[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 ~]# ls /data/wwwroot/111.com/
123.php  index.php  photo1.jpg
```
Now let's test by opening photo1.jpg in the browser.
As the screenshot above shows, opening photo1.jpg directly in the browser does not work.

Put the link into a forum post.

Opening it from there is also Forbidden. To stop it being Forbidden, add the forum's site to the whitelist: simply copy its URL.

Note: if "^$" (empty Referer) is not added to the Referer whitelist, direct access to the specified content will be denied.

The curl command: `curl -e` sets the Referer header.
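To see what the SetEnvIfNoCase lines and the `Allow from env=local_ref` rule actually decide, here is an added Python model of the check (my example, not part of the original notes and not Apache's own code). It applies the page's two patterns the way SetEnvIfNoCase does (a regular expression, matched case-insensitively and unanchored), shows the effect of leaving the `^$` line commented out, and contrasts the page's patterns with anchored ones (my suggestion, not from the notes): because `.` and the missing `^` make `http://111.com` a loose regex, it also matches a Referer such as `http://111.com.example.test/`. The sample Referer values are constructed.

```python
import re

# Patterns exactly as in the notes' httpd-vhosts.conf, interpreted as
# SetEnvIfNoCase does: a regex matched case-insensitively anywhere in the value.
PAGE_PATTERNS = [r"http://111.com", r"http://aaa.com"]

# Anchored alternative (my suggestion, not from the notes): only the named
# hosts, optionally with www., over http or https, followed by "/" or end.
ANCHORED_PATTERNS = [
    r"^https?://(www\.)?111\.com(/|$)",
    r"^https?://(www\.)?aaa\.com(/|$)",
]


def sets_local_ref(referer, patterns, allow_empty=False):
    """True when the request would get the env variable local_ref set.

    referer     -- value of the Referer request header, None if absent
    allow_empty -- True when the '^$' line is uncommented in the whitelist
    """
    if not referer:
        # SetEnvIfNoCase Referer "^$" local_ref matches an absent or empty header
        return allow_empty
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)


def hotlink_status(referer, patterns=PAGE_PATTERNS, allow_empty=False):
    """Order Allow,Deny + Allow from env=local_ref: only requests that set
    local_ref are served (200); everything else gets 403 Forbidden."""
    return 200 if sets_local_ref(referer, patterns, allow_empty) else 403


# Constructed sample requests: (Referer header value, description)
SAMPLE_REQUESTS = [
    ("http://111.com/post.html", "own site, as in the notes"),
    ("http://AAA.com/thread/1", "whitelisted site, different case"),
    ("http://bbs.example.test/thread/1", "forum not on the whitelist"),
    (None, "URL typed directly: no Referer header"),
    ("http://111.com.example.test/", "lookalike host, only rejected when anchored"),
]


def run_samples(patterns=PAGE_PATTERNS, allow_empty=False):
    """Return {referer: status} for the constructed sample requests."""
    return {ref: hotlink_status(ref, patterns, allow_empty) for ref, _ in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for ref, desc in SAMPLE_REQUESTS:
        loose = hotlink_status(ref)
        strict = hotlink_status(ref, ANCHORED_PATTERNS, allow_empty=True)
        print(f"{str(ref):36} {desc:44} page:{loose}  anchored+^$:{strict}")
```

Two things worth keeping in mind when reading the output: browsers send no Referer on direct navigation or from a bookmark, and a Referrer-Policy on the linking page can strip it, so a whitelist without `^$` also turns away legitimate direct visitors; and since the Referer header is supplied by the client, this kind of rule is a deterrent against casual hotlinking rather than an access control.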
11.26 Access control: Directory

Edit the virtual host configuration file:
```
[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
```
Add the following:
```
Order deny,allow
Deny from all
Allow from 127.0.0.1
# only allow the IP 127.0.0.1 to access the contents of the directory /data/wwwroot/111.com/admin/
```
Save with `:wq`, then create the test directory and file:
```
[root@cham002 ~]# ls /data/wwwroot/
111.com  abc.com
[root@cham002 ~]# cd /data/wwwroot/
[root@cham002 wwwroot]# cd 111.com/
[root@cham002 111.com]# ls
123.php  index.php  photo1.jpg
[root@cham002 111.com]# mkdir admin
[root@cham002 111.com]# ls
123.php  admin  index.php  photo1.jpg
[root@cham002 111.com]# touch admin/index.php
[root@cham002 111.com]# ls admin
index.php
[root@cham002 111.com]# echo "1212121" > admin/index.php
[root@cham002 111.com]# cat !$
cat admin/index.php
1212121
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php
[root@cham002 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php
1212121
[root@cham002 111.com]# curl -x192.168.230.150:80 111.com/admin/index.php
1212121
```
The test failed: checking httpd-vhosts.conf showed that the Directory path had not been changed. Fix it so the rule applies to the admin directory:
```
[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
```
```
<Directory /data/wwwroot/111.com/admin/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
```
```
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 111.com]# curl -x127.0.0.1:80 111.com/admin/index.php -I
HTTP/1.1 200 OK
Date: Mon, 25 Dec 2017 12:50:49 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@cham002 111.com]# curl -x192.168.230.136:80 111.com/admin/index.php -I
^C
[root@cham002 111.com]# curl -x192.168.230.150:80 111.com/admin/index.php -I
HTTP/1.1 403 Forbidden
Date: Mon, 25 Dec 2017 12:51:09 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
```
**Note:** this section sets which IP addresses may access a given directory.

11.27 Access control: FilesMatch

```
[root@cham002 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
```
Use the FilesMatch parameter, with the same access rule inside it:
```
Order deny,allow
Deny from all
Allow from 127.0.0.1
```
Check the syntax, reload, and test:
```
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 111.com]# curl -x192.168.230.150:80 http://111.com/admin/adfsfds -I
HTTP/1.1 404 Not Found
Date: Mon, 25 Dec 2017 14:03:52 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@cham002 111.com]# curl -x192.168.230.150:80 'http://111.com/admin.php?adfsfds' -I
HTTP/1.1 403 Forbidden
Date: Mon, 25 Dec 2017 14:04:40 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/admin.php?adfsfds' -I
HTTP/1.1 404 Not Found
Date: Mon, 25 Dec 2017 14:05:04 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
```
The requested file does not exist, hence the 404. From 192.168.230.150 the request for admin.php is rejected with 403 before the file is even looked up; from 127.0.0.1 it is allowed through and then fails with 404.
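As an added illustration (mine, not from the notes and not Apache's own code), this Python model evaluates the `Order deny,allow` / `Deny from all` / `Allow from 127.0.0.1` decision the way mod_access_compat documents it, for both the `<Directory>` case of 11.26 and the `<FilesMatch>` case of 11.27, and reproduces the status codes the curl tests above returned. The FilesMatch regex `admin\.php` is an assumption (the notes do not show it); the client addresses and paths are the ones from the notes, the `exists` flags are constructed. Apache checks access before it checks whether the file exists, which is why a rejected client gets 403 even for a missing file while an allowed client gets 404.

```python
import ipaddress
import re


def host_matches(client_ip, rules):
    """True when client_ip matches any Allow/Deny argument: 'all', an IP, or a CIDR."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.lower() == "all":
            return True
        if ip in ipaddress.ip_network(rule, strict=False):
            return True
    return False


def host_allowed(client_ip, order, deny, allow):
    """Apply the mod_access_compat Order semantics.

    deny,allow: default allow; a Deny match rejects unless an Allow also matches.
    allow,deny: default deny; some Allow must match and no Deny may match.
    """
    denied = host_matches(client_ip, deny)
    allowed = host_matches(client_ip, allow)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unknown Order {order!r}")


# Access rules as (scope, pattern, order, deny, allow).
# "directory":  applies to every request path under the directory (section 11.26)
# "filesmatch": applies when the regex matches the requested file name (section 11.27)
DIRECTORY_RULES = [
    ("directory", "/admin/", "deny,allow", ["all"], ["127.0.0.1"]),
]
FILESMATCH_RULES = [
    # the regex actually used in the notes is not shown; admin\.php is my assumption
    ("filesmatch", r"admin\.php", "deny,allow", ["all"], ["127.0.0.1"]),
]


def request_status(client_ip, path, exists, rules):
    """Return the HTTP status Apache would send for a request from client_ip.

    path   -- request path without the query string, e.g. /admin.php
    exists -- whether the file is present under the document root
    Access control is evaluated first (403), file existence afterwards (404).
    """
    filename = path.rsplit("/", 1)[-1]
    for scope, pattern, order, deny, allow in rules:
        if scope == "directory":
            applies = path.startswith(pattern)
        else:
            applies = re.search(pattern, filename) is not None
        if applies and not host_allowed(client_ip, order, deny, allow):
            return 403
    return 200 if exists else 404


if __name__ == "__main__":
    # Constructed requests mirroring the curl -x tests in the notes.
    checks = [
        ("127.0.0.1", "/admin/index.php", True, DIRECTORY_RULES),
        ("192.168.230.150", "/admin/index.php", True, DIRECTORY_RULES),
        ("192.168.230.150", "/admin/adfsfds", False, FILESMATCH_RULES),
        ("192.168.230.150", "/admin.php", False, FILESMATCH_RULES),
        ("127.0.0.1", "/admin.php", False, FILESMATCH_RULES),
    ]
    for ip, path, exists, rules in checks:
        print(f"{ip:16} {path:18} -> {request_status(ip, path, exists, rules)}")
```

Two practical points: on Apache 2.4 the `Order`/`Deny`/`Allow` directives are provided by mod_access_compat, and the native form of the same rule is `Require ip 127.0.0.1` from mod_authz_host; and the address these rules see is the TCP peer, so behind a reverse proxy or load balancer every request appears to come from the proxy unless mod_remoteip is configured to trust its forwarded-for header.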