Security directives in .htaccess must not be overlooked

How to write an .htaccess file sounds like an old topic, yet many people still cannot write its directives in a way that is both correct and secure!
.htaccess gives us a high degree of flexibility and at the same time carries considerable risk; it is a classic double-edged sword. This is not only true on Bluehost shared hosting: any shared host that lets you use .htaccess carries the same risk. This morning, after adjusting my own site, I was browsing a blog and was surprised to find that some of its important directories were unprotected and could be listed in full. In other words, its .htaccess did not contain the following directive:
   # !!!
   Options -indexes
As a result, the important files and backup files in those directories were completely exposed on the web; whether through carelessness or unfamiliarity is unknown. This article therefore stresses that "Options -indexes" is an important security directive that belongs in every .htaccess file, unless a particular directory is deliberately meant for a special purpose, such as a download service that presents a file index. Two practical notes: Apache compares Options values case-insensitively, so -indexes and -Indexes are equivalent, and the directive only disables the listing that mod_autoindex generates. Files whose names are known or guessable (backup.sql, settings.php~) can still be downloaded directly, so such files must be removed from the web root or explicitly denied, as the "Protect files and directories" block of the Drupal template below does. Also, .htaccess can only set Options where the server's AllowOverride includes Options (or All); if it does not, Apache answers every request in that directory with a 500 Internal Server Error rather than silently ignoring the line. A quick check: request a directory URL that has no index file (for example /backup/) and confirm you receive 403 Forbidden rather than a page titled "Index of /backup". Related .htaccess articles:
bluehost .htaccess
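As an added example (not code from the original article), here is a small Python auditor for the check just described: it recognises an Apache mod_autoindex listing page, extracts the entries it exposes, and flags the backup and dump files among them. The two response bodies are constructed to mirror what Apache returns before and after `Options -Indexes`, and the list of sensitive suffixes is an assumption chosen for the example; to audit a real site, pass it the body fetched for each directory URL.

```python
"""Detect Apache directory listings (mod_autoindex pages) and flag exposed
backup files in them.

Added example, not code from the original article. It works offline on
constructed sample responses; to audit a live site, feed it the body
returned for each directory URL (e.g. from urllib.request) instead.
"""
import re
from html.parser import HTMLParser

# Suffixes the article worries about: dumps, backups, archives, editor copies.
# This list is an assumption made for the example, not an Apache or Drupal list.
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".bak", ".old", ".orig", ".zip",
                      ".tar", ".tar.gz", ".tgz", ".7z", "~", ".swp", ".log")

# mod_autoindex titles its generated page "Index of /path".
_TITLE_RE = re.compile(r"<title>\s*Index of (?P<dir>[^<]*?)\s*</title>", re.I)


class _ListingLinks(HTMLParser):
    """Collect href targets from the listing body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_autoindex(body: str):
    """Return the listed directory path if body looks like an autoindex page, else None."""
    m = _TITLE_RE.search(body)
    return m.group("dir") if m else None


def listed_entries(body: str):
    """Return file/subdirectory names from an autoindex page.

    Sorting links (?C=N;O=D ...), the parent-directory link and absolute
    links are skipped: only relative entries are real directory contents.
    """
    p = _ListingLinks()
    p.feed(body)
    return [h for h in p.hrefs
            if not (h.startswith("?") or h.startswith("/") or "://" in h)]


def sensitive_entries(entries):
    """Subset of entries whose name ends with one of SENSITIVE_SUFFIXES."""
    return [e for e in entries if e.lower().endswith(SENSITIVE_SUFFIXES)]


def audit(body: str):
    """Summarise one directory response: (is_listing, directory, sensitive files)."""
    directory = is_autoindex(body)
    if directory is None:
        return (False, None, [])
    return (True, directory, sensitive_entries(listed_entries(body)))


# Constructed sample: the shape of the page mod_autoindex returns for an
# unprotected /backup/ directory (file names are made up for the example).
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="site-2007-10-05.sql">site-2007-10-05.sql</a></td><td>2007-10-05 09:12</td></tr>
<tr><td><a href="settings.php~">settings.php~</a></td><td>2007-10-04 22:40</td></tr>
<tr><td><a href="readme.txt">readme.txt</a></td><td>2007-10-04 22:40</td></tr>
<tr><td><a href="old/">old/</a></td><td>2007-09-30 18:01</td></tr>
</table></body></html>
"""

# Constructed sample: the same request after `Options -Indexes` (Apache's 403 page).
SAMPLE_FORBIDDEN = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>403 Forbidden</title></head>
<body><h1>Forbidden</h1><p>You don't have permission to access /backup/ on this server.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, body in (("unprotected", SAMPLE_LISTING), ("protected", SAMPLE_FORBIDDEN)):
        listing, directory, exposed = audit(body)
        print(f"{label}: listing={listing} dir={directory} exposed={exposed}")
```

Run against a live site, `audit()` returns `(True, "/backup", [...])` for a directory that still lists, and `(False, None, [])` once `Options -Indexes` is in place and Apache answers 403. A listing with no flagged files is still a finding: the directory names alone tell an attacker where to look.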
Below is Drupal's default .htaccess file for reference; it is rigorous and well organized and can serve as a template. Note that it is the 2007 version (see the $Id line at the end): Order allow,deny is Apache 2.2 access-control syntax (Apache 2.4 uses Require all denied unless mod_access_compat is loaded), and the php_value lines only take effect under mod_php and refer to settings such as register_globals and magic_quotes_gpc that were removed in PHP 5.4.
#
# Apache/PHP/Drupal settings:
#

# Protect files and directories from prying eyes.
# FilesMatch tests the basename of the requested file against the regular
# expression; "Order allow,deny" with no Allow line then denies every match.
<FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$">
  Order allow,deny
</FilesMatch>

# Don't show directory listings for URLs which map to a directory.
Options -Indexes

# Follow symbolic links in this directory.
Options +FollowSymLinks

# Customized error messages.
ErrorDocument 404 /index.php

# Set the default handler.
DirectoryIndex index.php

# Override PHP settings. More in sites/default/settings.php
# but the following cannot be changed at runtime.

# PHP 4, Apache 1.
<IfModule mod_php4.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_value mbstring.encoding_translation   0
</IfModule>

# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_value mbstring.encoding_translation   0
</IfModule>

# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_value mbstring.encoding_translation   0
</IfModule>

# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
  # Enable expirations.
  ExpiresActive On

  # Cache all files for 2 weeks after access (A).
  ExpiresDefault A1209600

  # Do not cache dynamically generated pages.
  ExpiresByType text/html A1
</IfModule>

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on

  # If your site can be accessed both with and without the 'www.' prefix, you
  # can use one of the following settings to redirect users to your preferred
  # URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
  #
  # To redirect all users to access the site WITH the 'www.' prefix,
  # (http://example.com/... will be redirected to http://www.example.com/...)
  # adapt and uncomment the following:
  # RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
  # RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
  #
  # To redirect all users to access the site WITHOUT the 'www.' prefix,
  # (http://www.example.com/... will be redirected to http://example.com/...)
  # uncomment and adapt the following:
  # RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
  # RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

  # Modify the RewriteBase if you are using Drupal in a subdirectory or in a
  # VirtualDocumentRoot and the rewrite rules are not working properly.
  # For example if your site is at http://example.com/drupal uncomment and
  # modify the following line:
  # RewriteBase /drupal
  #
  # If your site is running in a VirtualDocumentRoot at http://example.com/,
  # uncomment the following line:
  # RewriteBase /

  # Rewrite URLs of the form 'index.php?q=x'.
  # Only paths that are neither an existing file (-f) nor an existing
  # directory (-d) are handed to index.php; real files are served as-is.
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
</IfModule>

# $Id: .htaccess,v 1.90 2007/10/05 14:43:23 dries Exp $
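The following Python check is an added example, not Drupal code. It reproduces what the "Protect files and directories" block above does: Apache applies the FilesMatch regular expression (Drupal 6's pattern, quoted in the code) to the basename of the requested file with an unanchored search, and the block's bare Order allow,deny then denies any match. The sample file names are constructed; they show that the pattern covers Drupal's own source files and SQL dumps but not the editor backups and compressed archives the article found exposed.

```python
"""Show which file names the Drupal .htaccess <FilesMatch> block denies and
which common leftovers slip past it.

Added example, not Drupal code. Apache evaluates a FilesMatch expression
against the basename of the requested file with search semantics (a match
anywhere in the name), which is what is_denied() reproduces. SAMPLE_FILES
is a constructed list for the example.
"""
import posixpath
import re

# The expression from Drupal 6's "Protect files and directories from prying eyes" block.
DRUPAL_FILESMATCH = (
    r"\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$"
    r"|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"
)


def is_denied(path: str, pattern: str = DRUPAL_FILESMATCH) -> bool:
    """True if a FilesMatch with `pattern` would match this path's basename."""
    name = posixpath.basename(path)
    return re.search(pattern, name) is not None


def coverage(paths, pattern: str = DRUPAL_FILESMATCH):
    """Split paths into (denied, allowed) according to the pattern, keeping order."""
    denied, allowed = [], []
    for p in paths:
        (denied if is_denied(p, pattern) else allowed).append(p)
    return denied, allowed


# Constructed sample of files that commonly end up in a Drupal web root.
SAMPLE_FILES = [
    "includes/bootstrap.inc",          # denied: .inc
    "sites/default/settings.php",      # allowed: executed by PHP, not served raw
    "sites/default/settings.php~",     # allowed: editor backup, served as plain text
    "sites/default/settings.php.bak",  # allowed: likewise
    "backup/site.sql",                 # denied: .*sql
    "backup/site.sql.gz",              # allowed: name ends in .gz, not sql
    "backup/site.tar.gz",              # allowed
    "scripts/dump.sh",                 # denied: .sh
    "modules/node/node.module",        # denied: .module
    "CVS/Entries",                     # denied: ^Entries.*
    "CVS/Entries.Log",                 # denied: ^Entries.*
]

if __name__ == "__main__":
    denied, allowed = coverage(SAMPLE_FILES)
    print("denied by FilesMatch:")
    for p in denied:
        print("  ", p)
    print("still downloadable if the name is known:")
    for p in allowed:
        print("  ", p)
```

The takeaway is that the Drupal block protects source files and raw SQL dumps, while settings.php~, settings.php.bak and compressed dumps are exactly the leftovers a directory listing would reveal and a direct request would then download. Keep such files out of the web root, or extend the pattern with those suffixes; and on Apache 2.4 without mod_access_compat replace Order allow,deny with Require all denied, otherwise the block is a configuration error.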




Author: wwww.bluehost-cn.com
Originally published at: Bluehost之家
Article link: bluehost-htaccess-security-settings

When reposting, please credit the author and the original source with a link and keep this notice.