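[Weekly Discussion Topic]--Issue 3--Apache Security Authentication
A few supplementary comments:
1. First, by default Apache already protects files whose names begin with .ht, unless your Apache version is too old.
You can see this section in Apache's default configuration: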
#
# The following lines prevent .htaccess files from being viewed by
# Web clients. Since .htaccess files often contain authorization
# information, access is disallowed for security reasons. Comment
# these lines out if you want Web visitors to see the contents of
# .htaccess files. If you change the AccessFileName directive above,
# be sure to make the corresponding changes here.
#
# Also, folks tend to use names such as .htpasswd for password
# files, so this will protect those as well.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
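You could say Apache did think of this security issue, so you may as well save all your password files under names beginning with .ht, for example .htpasswd; then by default the file cannot be retrieved.
2. Also, for user authentication you don't need to use All; you can set just AuthConfig.
3. Could someone explain how to use MySQL or another database to authenticate for Apache? I think this is fairly novel, heh.
4. Could someone explain how to prevent file hotlinking? There are guides online on how to set it up, but I have never succeeded. I don't know whether the guides online are all wrong or whether I made a mistake myself.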
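An added example, not part of the original post: a small Python check of point 1. It reads a configuration, collects the <Files ~ "..."> blocks that deny all access, and lists every AuthUserFile whose file name none of them covers. The sample configuration, its paths and the function names are constructed for illustration; the check ignores FilesMatch sections, included files, and whether the password file sits under the document root at all.

```python
import re

# Constructed sample; the first block mirrors the default section quoted above.
SAMPLE_CONF = r'''
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
<Directory "/var/www/html/private">
    AuthType Basic
    AuthUserFile /var/www/html/private/.htpasswd
    Require valid-user
</Directory>
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthUserFile /var/www/html/admin/passwords.txt
    Require valid-user
</Directory>
'''

FILES_BLOCK = re.compile(r'<Files\s+~\s+"([^"]+)"\s*>(.*?)</Files>', re.S | re.I)
AUTH_FILE = re.compile(r'^\s*AuthUserFile\s+"?([^"\s]+)"?', re.M | re.I)
# Apache 2.2 style ("Deny from all") and 2.4 style ("Require all denied").
DENY_ALL = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$',
                      re.M | re.I)


def denied_patterns(conf):
    """Compiled regexes of <Files ~ "..."> blocks that deny all access."""
    return [re.compile(pattern)
            for pattern, body in FILES_BLOCK.findall(conf)
            if DENY_ALL.search(body)]


def unprotected_password_files(conf):
    """AuthUserFile paths whose file name no deny-all <Files> regex matches."""
    patterns = denied_patterns(conf)
    return [path for path in AUTH_FILE.findall(conf)
            if not any(p.search(path.rsplit("/", 1)[-1]) for p in patterns)]


if __name__ == "__main__":
    for path in unprotected_password_files(SAMPLE_CONF):
        print("not covered by a deny-all <Files> block:", path)
```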