使用 mod_rewrite 隐藏所有 PHP 扩展(包括子目录)
我正在尝试使用 mod_rewrite 隐藏网站 URL 末尾的 php 扩展名。该网站具有以下内容:
/index.php
/news.php
/about/index.php
/about/contact.php
我希望以下内容能够工作:
http://domain.com/news
http://domain.com/about
http://domain.com/about/contact
现在我正在使用以下重写,但它不适用于子目录
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ $1.php
TIA。
I am trying to hide the php extension at the end of a url for a site using mod_rewrite. The site has the following content:
/index.php
/news.php
/about/index.php
/about/contact.php
I would like the following to work:
http://domain.com/news
http://domain.com/about
http://domain.com/about/contact
Right now I am using the following rewrite, but it isn't working for sub-directories
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ $1.php
TIA.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
序言
首先,这篇文章是为了回答所提出的问题。为了您的利益,以及为了其他任何认为“混淆安全”毫无意义的人的利益,我还包括了一些更多的安全考虑因素(如果这是真的,就没有必要混淆密码......)我为所有人感到难过对于那些抨击这个问题的人,甚至对于你的雇主来说,我建议你花更多的时间来学习如何保护网站的安全。 OWASP 网站是一个很好的资源 (https://www.owasp.org)。
对于那些对此有疑问或想了解更多有关安全性的人,请参阅下面的安全注意事项。
解决方案
我发现的最佳解决方案是让您的服务器端技术特定文件看起来不存在。例如,当黑客在 .php 文件上被重定向,并在 .jsp 文件上被重定向到 404 时,显然您正在使用 PHP。您需要做的是使对 .php 的请求与对 .jsp、.cfn 等的请求看起来相同。
这可以通过使用站点欢迎文件和目录轻松完成。例如:
您需要将站点目录设置为:
另外,在您的 apache 配置文件(或 .htaccess)中,您为您的网站设置了DirectoryIndex:
完成设置后,可以通过以下方式访问其中每一个(这些也可以使用尾部斜杠):
现在已完成,您可以确定这件事的全部要点驱魔:隐藏您正在使用 PHP 的事实。您只需隐藏您正在使用 PHP 的事实,这只需通过使 index.php 的行为与您网站上的 index.cfm、index.py、index.jsp 等相同即可完成:返回 404 因为他们不存在...
重写块看起来像这样:
显然,这可以使用其他服务器端技术来完成,例如 ColdFusion、Python、Java、ASP.NET(天堂禁止您使用 Apache2 而不是 IIS ;))等...
其他注意事项
显然,安全站点使用具有多个方面的全面方法。请不要认为这篇文章是说,为了保护您的网站,您所需要做的就是混淆您正在使用的技术。显然,隐藏您正在使用的技术并不能解决该技术中的安全问题。这篇文章只是声称它是一个添加到集合中的好工具。您将需要在应用程序/解决方案的每一层应用其他安全层,以获得真正安全的站点。
诚然,混淆技术并不能愚弄最优秀的黑客和机器人。最好保持“如果可以访问,就可以被黑客攻击。期间”的心态。唯一真正安全的解决方案是切断服务器的电线。黑客和开发者之间的战斗是一场永无休止的战斗。这也是一场战斗。你可以把它比作孙子的《孙子兵法》。一个运行良好的网站在安全性方面对您不利。
重点是——黑客可以利用任何信息来利用你,他/她会的。因此,像了解用于呈现页面的服务器端技术一样重要的事情对黑客来说非常有用,他们可以利用特定技术中的弱点。这意味着隐藏扩展程序具有非常有效的目的,可以让黑客不断猜测。黑客不能只关注一种技术,而是必须猜测正在使用哪种技术,然后才能利用任何技术特定的弱点。底线:黑客知道的越少越好。
响应标头
许多服务器端技术都会有与其关联的特定标头响应信息,例如标识会话 ID 的 cookie(如 Java 中的 JSESSIONID)。混淆文件扩展名后,您需要考虑将用于会话的标头变量和其他参数重命名为您的应用程序特有的名称。如果不清理响应标头,隐藏您正在使用的扩展程序是毫无意义的。
XSS 和 SQL 注入
对于数据库驱动的应用程序来说,更大的威胁是跨站脚本 (XSS),甚至更糟糕的是 SQL 注入。如果您想保护您的网站 - 我也会花一些时间研究这些问题的解决方案。还要研究网络级资源注入(例如欺骗 DNS 条目以使站点看起来像是在您的域中)。
享受并祝你好运!
Preamble
First off, this post is to answer the question posed. I also include some more security considerations for your benefit, and for anyone else's benefit who thinks that "security by obfuscation" is pointless (If that were true, there would be no need to obfuscate passwords...) I feel bad for all of those who bash the question, and even more, for your employers, I suggest you spend more time in learning about how to secure a site. The OWASP site is a good resource (https://www.owasp.org).
For those of you who question this, or would like to know a little more about security, please see Security Considerations below.
The Solution
The best solution that I have found is to make it appear that your server-side technology specific files don't exist. For example, when the hacker gets redirected on .php files, and 404 on .jsp files, you are obviously using PHP. What you need to do is make requests to .php look the same as requests to .jsp, .cfn etc.
This can easily be done by using your sites welcome file and directories. For example:
You will need to set your site directories up like:
Also, in your apache configuration file (or .htaccess), you went to set the DirectoryIndex for your site:
Once you have finished setting this up each of these can be accessed by (These would also work with trailing slashes):
Now that this is done, you can set up the whole point of this exorcise: hiding the fact that you are using PHP. You simply have to hide the fact that you are using PHP, this is simply done by making index.php act the same as index.cfm, index.py, index.jsp etc... would on your site: return a 404 because they don't exist...
The rewrite block would look something like:
Obviously, this can be done with other server-side technologies such as ColdFusion, Python, Java, ASP.NET (Heaven forbid you are using Apache2 instead of IIS ;) ) etc...
Other Considerations
Obviously a secure site uses a well rounded approach with many facets. Please don't take this post as saying that all you need to do to secure your site is to obfuscate what technology you are using. Clearly, hiding what technology you are using won't fix the security issues in that given technology. This post simply claims that it is a good tool to add to the set. You will need to apply other layers of security at each layer of the application/solution to have a truly secure site.
Granted, obfuscating the technology will not fool the best of hackers and bots. It is best to keep the mindset of "if it can be accessed, it can be hacked. Period.". The only truly secure solution is to cut the wires to the server. The battle between hacker and developer is a never-ending one. It is exactly that too, a battle. You could liken it a lot to Sun Tzu's "Art Of War". A well working site works against you in terms of security.
The point being - any information a hacker can use to exploit you, he/she will. Therefore, something as significant as knowing the server-side technology being used to render the pages would be of great use to hackers, they can exploit weaknesses in the specific technology. This means that hiding extensions has a very valid purpose, in keeping the hackers guessing. Instead of just focusing on one technology, the hacker has to guess which technology is being used before they can exploit any technology specific weakness. The bottom line: the less the hacker knows, the better.
Response Headers
Many server-side technologies will have specific header response information associated to them, such as the cookie that identifies the session ID (like JSESSIONID in Java). After obfuscating the file extension, you will need to look into renaming the header variables used for session and other parameters to something unique to your application. Without scrubbing the response headers, hiding what extension you are using is pointless.
XSS and SQL Injection
A bigger threat to DB driven applications is Cross-Site Scripting (XSS) and even worse, SQL Injection. If you are trying to secure your site - I would spend some time into looking into solutions for these as well. Look into network level resource injection as well (Such as spoofing DNS entries to make a site look like it is on your domain).
Enjoy and good luck!!
尝试以下解决方案:
http://www.interactivetools.com/docs/cmsbuilder/file_extensions.html
Try this solution:
http://www.interactivetools.com/docs/cmsbuilder/file_extensions.html
隐藏 php 扩展毫无用处。
这种事绝对没有任何意义。
如果您想要“人类可读”或“搜索引擎友好”的网址,我不会提供太多帮助。
在任何其他情况下,它都将毫无用处。
不要为每个页面使用单独的 PHP 脚本,而是尝试了解更多信息并实现某种内容管理系统,通过从数据库检索实际内容,仅使用一个 PHP 脚本来显示相同类型的几个页面。
hiding php extensions is useless.
there is absolutely no point in such a thing.
if you want "human-readable" or "seo-friendly" urls, i will do not much help.
in any other case it is going to be just useless.
instead of having separate PHP script for the each page, try to learn more and implement some sort of Content-Management System, using just one PHP script to display couple pages of the same kind, by retrieving the actual content from the database.
如果末尾有斜线,只需将其删除即可。这意味着复制粘贴您的规则(= 带和不带斜杠(没有找到其他方法)):
Just remove the slash at the end if it's present. This implies copy paste of your rule (= with and without the slash (didn't find another way)):