Apache:限制并发数,定制index目录,让图片有防止盗链功能
时间:2007-09-03
来源:互联网
Apache:限制并发数,定制index目录,让图片有防止盗链功能 Apache 安装、配置
使用 mod_limitipconn.c 来限制 apache 的并发数 >>
定制 Apache index 目录 >>
让apache上的图片有防止盗链的功能 >>
安装 Apache 2.0.48 (查看Install手册)
考虑到以后要 rewite_url 来使 google 更加容易收录网站,特地添加了 mod_rewrite 。
同时为了限制流量,特别加了 mod_limitpcnn.c 补丁 , 所以多了一个 --enable-forward 选项。
建议安装完毕以后不要删除安装目录,以便以后升级时使用。
记得升级前关闭 apache2.0
编译过程:
#./configure --enable-so --enable-speling --enable-rewrite --with-ssl=/usr/local/ssl --enable-forward
# make
# make install
这个例子里面是编译了 mod_so,mod_speling 和 openssl 支持。同样有另外几种写法:#./configure --enable-so --enable-speling --enable-rewrite --with-ssl=/usr/local/ssl --enable-forward
# make
# make install
或者#./configure --enable-modules=”so speling”
--enable-MODULE[=shared] 编译并包含模块 MODULE. MODULE 是文档中去掉”_module ”的模块名。要将一个模块编译成为 DSO, 需要加 -shared 选项 , 即 --enable-mods-shared 。(查看 MODULE 手册)
注意 :"如果希望核心能够装载 DSO,而不实际编译任何动态模块,则要明确指定 --enable-modules=so 或者 --enable-so" (查看 DSO 手册),所以前面的顺序不能交换顺序。 查看所有apache 的 configure 参数
安装完毕后可以用以下命令来查看启动了那些模块
# apachectl -l
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_include.c
mod_log_config.c
mod_env.c
mod_setenvif.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_negotiation.c
mod_dir.c mod_imap.c
mod_actions.c
mod_speling.c
mod_userdir.c
mod_alias.c
mod_rewrite.c
mod_so.c
接着,将启动程序放入开机程序中去。 如果要启动 ssl 加密网页,则必须通过手动启动 apache2.0 (参见 ssl 部分)
# echo "/usr/local/apache2/bin/apachectl start" >> /etc/rc.d/rc.local
参考:
If you want your server to continue running after a system reboot , you should add a call to apachectl to your system startup files (typically rc.local or a file in an rc.N directory). This will start Apache as root. Before doing this ensure that your server is properly configured for security and access restrictions.
在 profile 里面添加以上的语句来设置路径,使得在 bash 下更容易控制 apachectl, 省去了输入路径的麻烦。
# vi /etc/profile
PATH=" $PATH:usr/local/apache2/bin:”
配置 apache2.0
# vi /usr/local/apache2/conf/httpd.conf
配置文件请看文件 httpd.conf (设置文档目录为/home/dalouis/public_html)
#chmod 755 - R /home/dalouis/
设置目录的可读性为 drwxr-xr-x(755), 否则会出现 "Forbidden You don't have permission to access / on this server."
一些关于安全性的配置:
考虑到 cgi-bin 的安全性问题,我们暂时将 cgi-bin 去掉。将所有 httpd.conf 中的所有关于 cgi-bin 的行加上 "#".
Xiyang 的配置
我用的: mod_limitipconn, mod_expires, mod_gzip, mod_php4, mod_so, mod_access, mod_alias, mod_userdir, mod_dir, mod_autoindex, mod_status, mod_mime, mod_log_config, http_core
关于超时的问题
在我编写好所有的产品查看页面的时候,经常会出现因为超时,或者流量过大 ,apache 停止工作的问题,原因有二,一是代码的不科学性,二是 apache 的设置问题。
以下是对设置的一点改动:
# KeepAlive: Whether or not to allow persistent connections(more than
# one request per connection). Set to "Off" to deactivate.
# KeepAlive Off
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
# MaxKeepAliveRequests 0
# KeepAliveTimeout: Number of seconds to wait for the next request
# from the same client on the same connection.
# KeepAliveTimeout 0
# 记录访问者的 HTTP-REFERER 和 AGENT, 有助于统计来者是通过什么搜索引擎找到我们的网站的。 或者在原有的CustomLog行,将参数由 common 改成 combined
# If you would like to have agent and referer logfiles,
# uncomment the following directives.
CustomLog logs/referer_log referer
CustomLog logs/agent_log agent
CustomLog logs/www.domain.com-access_log combined
使用 mod_limitipconn.c 来限制 apache 的并发数
Package: http://dominia.org/djao/limit/
安装使用说明: http://dominia.org/djao/limitipconn2-README
这里的安装建议使用动态 DSO 并 patch apache2.0, 以使得 apache2.0 可以认识在代理后方的 IP 。但是要 重新编译 apache2.0, 以下是介绍。
## Instructions for building DSO with proxy tracking:
# tar xzvf httpd-2.0.39.tar.gz
# tar xzvf mod_limitipconn-0.22.tar.gz
# cd httpd-2.0.39
# patch -p1 < ../mod_limitipconn-0.22/apachesrc.diff
# ./buildconf
# ./configure --enable-so --enable-speling --enable-rewrite --with-ssl=/usr/local/ssl --enable-forward
# make
# make install
# cd ../mod_limitipconn-0.22
# PATH=/usr/local/apache2/bin:$PATH
# make install
安装过程
# lynx http://dominia.org/djao/limit/mod_limitipconn-0.22.tar.gz
# tar -zxvf mod_limitipconn-0.22.tar.gz
# cd httpd-2.0.48
# patch -p1 < ../mod_limitipconn-0.22/apachesrc.diff
patching file configure.in
Hunk #1 succeeded at 373 (offset 55 lines).
patching file include/scoreboard.h
patching file modules/generators/mod_status.c
Hunk #1 succeeded at 746 (offset -1 lines).
patching file server/scoreboard.c
# ./configure --enable-so --enable-speling --enable-rewrite --with-ssl=/usr/local/ssl --enable-forward
# make
# make install
# cd ../mod_limitipconn-0.22
# PATH=/usr/local/apache2/bin:$PATH
# make install
----------------------------------------------------------------------
Libraries have been installed in:
/usr/local/apache2/modules
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/local/apache2/modules/mod_limitipconn.so
[activating module `limitipconn' in /usr/local/apache2/conf/httpd.conf]
检查 httpd.conf 文件,发现增加了一下一行
LoadModule limitipconn_module modules/mod_limitipconn.so
同时需要设置以下参数在 httpd.conf 中 , 也可以在单个虚拟服务器中。
ExtendedStatus On
# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so
MaxConnPerIP 3
# exempting images from the connection limit is often a good
# idea if your web page has lots of inline images, since these
# pages often generate a flurry of concurrent image requests
# NoIPLimit image/*
# In this case, all MIME types other than audio/mpeg and video*
# are exempt from the limit check
# OnlyIPLimit audio/mpeg video
注意: LoadModule limitipconn_module modules/mod_limitipconn.so 必须放在虚拟服务器之前!否则不能启动。
定制 Apache index 目录
在 Apache 中设置目录 有 Options Indexes 属性的时候,可以索引文件夹内容,但是如果要定制显示的内容,就必须添加以下几行到各个服务器的设置中去。(可以是全局,也可以是虚拟服务器或者目录) MODULE: mod_autoindex
ReadmeName /README.shtml
HeaderName /HEADER.shtml
IndexOptions +SuppressHTMLPreamble FancyIndexing VersionSort FoldersFirst NameWidth=* (Optoional)
但是,我在按照步骤,添加以上设置、设置文件夹可被索引属性、制作页首和页尾上传后,仍旧发现不能显示。最终发现,由于我安装了 PHP, 为了使得 PHP 代码可以被嵌入 .html 和 .htm 文档中,我将 httpd.conf 中的一条属性设置为:
AddType application/x-httpd-php .php .html .htm
这使得 apache 不能识别原本设置的 README.html 和 HEADER.html,以下这点是从apache的文档中找到类似的解说.
参考
Filename must resolve to a document with a major content type of text/* ( e.g. , text/html , text/plain , etc.). This means that filename may refer to a CGI script if the script's actual file type (as opposed to its output) is marked as text/html such as with a directive like:
AddType text/html .cgi
Content negotiation will be performed if Options MultiViews is in effect. If filename resolves to a static text/html document (not a CGI script) and either one of the options Includes or IncludesNOEXEC is enabled, the file will be processed for server-side includes (see the mod_include documentation).
我将上述 PHP 的 Type 的最终 .html 和 .htm 去掉以后,就可以正常显示了。于是想办法新添加一个种后缀名为 README 和 HEADER 专用:
AddType text/html .shtml
然后修改 README.html 和 HEADER.html 为 README.shtml 和 HEADER.shtml 即可。要注意的是,因为我要列出的目录都为 open source, 所以有很多名字为“ README ”的文件。因此,要将其中的一条配置做小小的修改。(就是隐藏某些文件的配置)
IndexIgnore .??* *~ *# HEADER.* README.* RCS CVS *,v *,t
参考文档:
http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#headername
http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#indexoptions
让apache上的图片有防止盗链的功能
参考文档:
Preventing Image 'Theft' By: Ken Coar
Preventing hot linking of images by JavaScript Kit
SetEnvIfNoCase 和 SetEnvIf 的说明文档
http://httpd.apache.org/docs-2.0/mod/mod_setenvif.html#setenvif
httpd.conf 的修改处
######## Preventing Image 'Theft' ########
SetEnvIfNoCase Referer “^http://(.)+/\.fjhr\.com/” local_ref=1
SetEnvIfNoCase Referer “^http://(.)+/\.hzmjp\.com/” local_ref=1
SetEnvIfNoCase Referer “^http://(.)+/\.dalouis\.com/” local_ref=1
SetEnvIfNoCase Referer “^http://(.)+/\.necktie\.gov\.cn/” local_ref=1
SetEnvIfNoCase Referer “^http://(.)+/\.necktie\.net\.cn/” local_ref=1
SetEnvIfNoCase Referer “-” local_ref=1
######## Allow the LOGO image Theft ##########
SetEnvIf Request_URI “/images/logo(.)+” local_ref=0
Order Allow,Deny
Allow from env=local_ref
使用 mod_limitipconn.c 来限制 apache 的并发数 >>
定制 Apache index 目录 >>
让apache上的图片有防止盗链的功能 >>
安装 Apache 2.0.48 (查看Install手册)
考虑到以后要 rewite_url 来使 google 更加容易收录网站,特地添加了 mod_rewrite 。
同时为了限制流量,特别加了 mod_limitpcnn.c 补丁 , 所以多了一个 --enable-forward 选项。
建议安装完毕以后不要删除安装目录,以便以后升级时使用。
记得升级前关闭 apache2.0
编译过程:
#./configure --enable-so --enable-speling --enable-rewrite --with-ssl=/usr/local/ssl --enable-forward
# make
# make install
这个例子里面是编译了 mod_so,mod_speling 和 openssl 支持。同样有另外几种写法:#./configure --enable-so --enable-speling --enable-rewrite --with-ssl=/usr/local/ssl --enable-forward
# make
# make install
或者#./configure --enable-modules=”so speling”
--enable-MODULE[=shared] 编译并包含模块 MODULE. MODULE 是文档中去掉”_module ”的模块名。要将一个模块编译成为 DSO, 需要加 -shared 选项 , 即 --enable-mods-shared 。(查看 MODULE 手册)
注意 :"如果希望核心能够装载 DSO,而不实际编译任何动态模块,则要明确指定 --enable-modules=so 或者 --enable-so" (查看 DSO 手册),所以前面的顺序不能交换顺序。 查看所有apache 的 configure 参数
安装完毕后可以用以下命令来查看启动了那些模块
# apachectl -l
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_include.c
mod_log_config.c
mod_env.c
mod_setenvif.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_negotiation.c
mod_dir.c mod_imap.c
mod_actions.c
mod_speling.c
mod_userdir.c
mod_alias.c
mod_rewrite.c
mod_so.c
接着,将启动程序放入开机程序中去。 如果要启动 ssl 加密网页,则必须通过手动启动 apache2.0 (参见 ssl 部分)
# echo "/usr/local/apache2/bin/apachectl start" >> /etc/rc.d/rc.local
参考:
If you want your server to continue running after a system reboot , you should add a call to apachectl to your system startup files (typically rc.local or a file in an rc.N directory). This will start Apache as root. Before doing this ensure that your server is properly configured for security and access restrictions.
在 profile 里面添加以上的语句来设置路径,使得在 bash 下更容易控制 apachectl, 省去了输入路径的麻烦。
# vi /etc/profile
PATH=" $PATH:usr/local/apache2/bin:”
配置 apache2.0
# vi /usr/local/apache2/conf/httpd.conf
配置文件请看文件 httpd.conf (设置文档目录为/home/dalouis/public_html)
#chmod 755 - R /home/dalouis/
设置目录的可读性为 drwxr-xr-x(755), 否则会出现 "Forbidden You don't have permission to access / on this server."
一些关于安全性的配置:
考虑到 cgi-bin 的安全性问题,我们暂时将 cgi-bin 去掉。将所有 httpd.conf 中的所有关于 cgi-bin 的行加上 "#".
Xiyang 的配置
我用的: mod_limitipconn, mod_expires, mod_gzip, mod_php4, mod_so, mod_access, mod_alias, mod_userdir, mod_dir, mod_autoindex, mod_status, mod_mime, mod_log_config, http_core
关于超时的问题
在我编写好所有的产品查看页面的时候,经常会出现因为超时,或者流量过大 ,apache 停止工作的问题,原因有二,一是代码的不科学性,二是 apache 的设置问题。
以下是对设置的一点改动:
# KeepAlive: Whether or not to allow persistent connections(more than
# one request per connection). Set to "Off" to deactivate.
# KeepAlive Off
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
# MaxKeepAliveRequests 0
# KeepAliveTimeout: Number of seconds to wait for the next request
# from the same client on the same connection.
# KeepAliveTimeout 0
# 记录访问者的 HTTP-REFERER 和 AGENT, 有助于统计来者是通过什么搜索引擎找到我们的网站的。 或者在原有的CustomLog行,将参数由 common 改成 combined
# If you would like to have agent and referer logfiles,
# uncomment the following directives.
CustomLog logs/referer_log referer
CustomLog logs/agent_log agent
CustomLog logs/www.domain.com-access_log combined
使用 mod_limitipconn.c 来限制 apache 的并发数
Package: http://dominia.org/djao/limit/
安装使用说明: http://dominia.org/djao/limitipconn2-README
这里的安装建议使用动态 DSO 并 patch apache2.0, 以使得 apache2.0 可以认识在代理后方的 IP 。但是要 重新编译 apache2.0, 以下是介绍。
## Instructions for building DSO with proxy tracking:
# tar xzvf httpd-2.0.39.tar.gz
# tar xzvf mod_limitipconn-0.22.tar.gz
# cd httpd-2.0.39
# patch -p1 < ../mod_limitipconn-0.22/apachesrc.diff
# ./buildconf
# ./configure --enable-so --enable-speling --enable-rewrite --with-ssl=/usr/local/ssl --enable-forward
# make
# make install
# cd ../mod_limitipconn-0.22
# PATH=/usr/local/apache2/bin:$PATH
# make install
安装过程
# lynx http://dominia.org/djao/limit/mod_limitipconn-0.22.tar.gz
# tar -zxvf mod_limitipconn-0.22.tar.gz
# cd httpd-2.0.48
# patch -p1 < ../mod_limitipconn-0.22/apachesrc.diff
patching file configure.in
Hunk #1 succeeded at 373 (offset 55 lines).
patching file include/scoreboard.h
patching file modules/generators/mod_status.c
Hunk #1 succeeded at 746 (offset -1 lines).
patching file server/scoreboard.c
# ./configure --enable-so --enable-speling --enable-rewrite --with-ssl=/usr/local/ssl --enable-forward
# make
# make install
# cd ../mod_limitipconn-0.22
# PATH=/usr/local/apache2/bin:$PATH
# make install
----------------------------------------------------------------------
Libraries have been installed in:
/usr/local/apache2/modules
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/local/apache2/modules/mod_limitipconn.so
[activating module `limitipconn' in /usr/local/apache2/conf/httpd.conf]
检查 httpd.conf 文件,发现增加了一下一行
LoadModule limitipconn_module modules/mod_limitipconn.so
同时需要设置以下参数在 httpd.conf 中 , 也可以在单个虚拟服务器中。
ExtendedStatus On
# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so
MaxConnPerIP 3
# exempting images from the connection limit is often a good
# idea if your web page has lots of inline images, since these
# pages often generate a flurry of concurrent image requests
# NoIPLimit image/*
# In this case, all MIME types other than audio/mpeg and video*
# are exempt from the limit check
# OnlyIPLimit audio/mpeg video
注意: LoadModule limitipconn_module modules/mod_limitipconn.so 必须放在虚拟服务器之前!否则不能启动。
定制 Apache index 目录
在 Apache 中设置目录 有 Options Indexes 属性的时候,可以索引文件夹内容,但是如果要定制显示的内容,就必须添加以下几行到各个服务器的设置中去。(可以是全局,也可以是虚拟服务器或者目录) MODULE: mod_autoindex
ReadmeName /README.shtml
HeaderName /HEADER.shtml
IndexOptions +SuppressHTMLPreamble FancyIndexing VersionSort FoldersFirst NameWidth=* (Optoional)
但是,我在按照步骤,添加以上设置、设置文件夹可被索引属性、制作页首和页尾上传后,仍旧发现不能显示。最终发现,由于我安装了 PHP, 为了使得 PHP 代码可以被嵌入 .html 和 .htm 文档中,我将 httpd.conf 中的一条属性设置为:
AddType application/x-httpd-php .php .html .htm
这使得 apache 不能识别原本设置的 README.html 和 HEADER.html,以下这点是从apache的文档中找到类似的解说.
参考
Filename must resolve to a document with a major content type of text/* ( e.g. , text/html , text/plain , etc.). This means that filename may refer to a CGI script if the script's actual file type (as opposed to its output) is marked as text/html such as with a directive like:
AddType text/html .cgi
Content negotiation will be performed if Options MultiViews is in effect. If filename resolves to a static text/html document (not a CGI script) and either one of the options Includes or IncludesNOEXEC is enabled, the file will be processed for server-side includes (see the mod_include documentation).
我将上述 PHP 的 Type 的最终 .html 和 .htm 去掉以后,就可以正常显示了。于是想办法新添加一个种后缀名为 README 和 HEADER 专用:
AddType text/html .shtml
然后修改 README.html 和 HEADER.html 为 README.shtml 和 HEADER.shtml 即可。要注意的是,因为我要列出的目录都为 open source, 所以有很多名字为“ README ”的文件。因此,要将其中的一条配置做小小的修改。(就是隐藏某些文件的配置)
IndexIgnore .??* *~ *# HEADER.* README.* RCS CVS *,v *,t
参考文档:
http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#headername
http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#indexoptions
让apache上的图片有防止盗链的功能
参考文档:
Preventing Image 'Theft' By: Ken Coar
Preventing hot linking of images by JavaScript Kit
SetEnvIfNoCase 和 SetEnvIf 的说明文档
http://httpd.apache.org/docs-2.0/mod/mod_setenvif.html#setenvif
httpd.conf 的修改处
######## Preventing Image 'Theft' ########
SetEnvIfNoCase Referer “^http://(.)+/\.fjhr\.com/” local_ref=1
SetEnvIfNoCase Referer “^http://(.)+/\.hzmjp\.com/” local_ref=1
SetEnvIfNoCase Referer “^http://(.)+/\.dalouis\.com/” local_ref=1
SetEnvIfNoCase Referer “^http://(.)+/\.necktie\.gov\.cn/” local_ref=1
SetEnvIfNoCase Referer “^http://(.)+/\.necktie\.net\.cn/” local_ref=1
SetEnvIfNoCase Referer “-” local_ref=1
######## Allow the LOGO image Theft ##########
SetEnvIf Request_URI “/images/logo(.)+” local_ref=0
Order Allow,Deny
Allow from env=local_ref
作者: netseek 发布时间: 2007-09-03
相关阅读 更多
热门阅读
-
office 2019专业增强版最新2021版激活秘钥/序列号/激活码推荐 附激活工具
阅读:74
-
如何安装mysql8.0
阅读:31
-
Word快速设置标题样式步骤详解
阅读:28
-
20+道必知必会的Vue面试题(附答案解析)
阅读:37
-
HTML如何制作表单
阅读:22
-
百词斩可以改天数吗?当然可以,4个步骤轻松修改天数!
阅读:31
-
ET文件格式和XLS格式文件之间如何转化?
阅读:24
-
react和vue的区别及优缺点是什么
阅读:121
-
支付宝人脸识别如何关闭?
阅读:21
-
腾讯微云怎么修改照片或视频备份路径?
阅读:28
