Many PHP sites run on Apache hosts, where the per-directory configuration file is .htaccess and carries a large number of server-side settings. The counterpart on Windows hosts running IIS is Web.config.
This article maps the common .htaccess directives to their IIS Web.config equivalents.
Configuration parameter examples
The examples below show a complete .htaccess file and the corresponding Web.config.
.HTACCESS file
- #
- # Apache/PHP/Application settings:
- #
- # Protect files and directories from prying eyes.
- <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$">
- Order allow,deny
- </FilesMatch>
- # Don't show directory listings for URLs which map to a directory.
- Options -Indexes
- # Follow symbolic links in this directory.
- Options +FollowSymLinks
- # Make Application handle any 404 errors.
- ErrorDocument 404 /index.php
- # Force simple error message for requests for non-existent favicon.ico.
- <Files favicon.ico>
- ErrorDocument 404 "The requested file favicon.ico was not found.
- </Files>
- # Set the default handler.
- DirectoryIndex index.php
- # Override PHP settings. More in sites/default/settings.php
- # but the following cannot be changed at runtime.
- # PHP 4, Apache 1.
- <IfModule mod_php4.c>
- php_value magic_quotes_gpc 0
- php_value register_globals 0
- php_value session.auto_start 0
- php_value mbstring.http_input pass
- php_value mbstring.http_output pass
- php_value mbstring.encoding_translation 0
- </IfModule>
- # PHP 4, Apache 2.
- <IfModule sapi_apache2.c>
- php_value magic_quotes_gpc 0
- php_value register_globals 0
- php_value session.auto_start 0
- php_value mbstring.http_input pass
- php_value mbstring.http_output pass
- php_value mbstring.encoding_translation 0
- </IfModule>
- # PHP 5, Apache 1 and 2.
- <IfModule mod_php5.c>
- php_value magic_quotes_gpc 0
- php_value register_globals 0
- php_value session.auto_start 0
- php_value mbstring.http_input pass
- php_value mbstring.http_output pass
- php_value mbstring.encoding_translation 0
- </IfModule>
- # Requires mod_expires to be enabled.
- <IfModule mod_expires.c>
- # Enable expirations.
- ExpiresActive On
- # Cache all files for 2 weeks after access (A).
- ExpiresDefault A1209600
- # Do not cache dynamically generated pages.
- ExpiresByType text/html A1
- </IfModule>
- # Various rewrite rules.
- <IfModule mod_rewrite.c>
- RewriteEngine on
- # If your site can be accessed both with and without the 'www.' prefix, you
- # can use one of the following settings to redirect users to your preferred
- # URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
- #
- # To redirect all users to access the site WITH the 'www.' prefix,
- # (http://example.com/... will be redirected to http://www.example.com/...)
- # adapt and uncomment the following:
- # RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
- # RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
- #
- # To redirect all users to access the site WITHOUT the 'www.' prefix,
- # (http://www.example.com/... will be redirected to http://example.com/...)
- # uncomment and adapt the following:
- # RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
- # RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]
- # Modify the RewriteBase if you are using Application in a subdirectory or in a
- # VirtualDocumentRoot and the rewrite rules are not working properly.
- # For example if your site is at http://example.com/application uncomment and
- # modify the following line:
- # RewriteBase /application
- #
- # If your site is running in a VirtualDocumentRoot at http://example.com/,
- # uncomment the following line:
- # RewriteBase /
- # Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
- RewriteCond %{REQUEST_FILENAME} !-f
- RewriteCond %{REQUEST_FILENAME} !-d
- RewriteCond %{REQUEST_URI} !=/favicon.ico
- RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
- </IfModule>
- # $Id: .htaccess,v 1.90.2.1 2008/07/08 09:33:14 goba Exp $
Reproduction of this article is prohibited. For reproduction in any form, contact the author (时光在路上 www.timezls.com). 时光在路上 reserves all rights.
WEB.CONFIG file configuration example
- <?xml version="1.0" encoding="UTF-8"?>
- <configuration>
- <configSections>
- <sectionGroup name="system.webServer">
- <sectionGroup name="rewrite">
- <section name="rewriteMaps" overrideModeDefault="Allow" />
- <section name="rules" overrideModeDefault="Allow" />
- </sectionGroup>
- </sectionGroup>
- </configSections>
- <system.webServer>
- <security>
- <!-- This section should be uncommented after
- installation to secure the installation. -->
- <!--
- <requestFiltering>
- <denyUrlSequences>
- <add sequence="engine" />
- <add sequence="inc" />
- <add sequence="info" />
- <add sequence="module" />
- <add sequence="profile" />
- <add sequence="po" />
- <add sequence="sh" />
- <add sequence="theme" />
- <add sequence=".tpl" />
- <add sequence="Root" />
- <add sequence="Tag" />
- <add sequence="Template" />
- <add sequence="Repository" />
- <add sequence="code-style" />
- </denyUrlSequences>
- <fileExtensions>
- <add fileExtension=".sql" allowed="false" />
- <add fileExtension=".pl" allowed="false" />
- </fileExtensions>
- </requestFiltering>
- -->
- </security>
- <!-- Don't show directory listings for URLs which map to a directory. -->
- <directoryBrowse enabled="false" />
- <caching>
- <profiles>
- <add extension=".php" policy="DisableCache" kernelCachePolicy="DisableCache" />
- <add extension=".html" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="14:00:00:00" />
- </profiles>
- </caching>
- <rewrite>
- <rules>
- <rule name="block favicon" stopProcessing="true">
- <match url="favicon\.ico" />
- <!-- Only answer with the custom 404 when no favicon.ico file exists. -->
- <conditions>
- <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
- </conditions>
- <action type="CustomResponse" statusCode="404" subStatusCode="1"
- statusReason="The requested file favicon.ico was not found"
- statusDescription="The requested file favicon.ico was not found" />
- </rule>
- <rule name="Imported Rule 1" stopProcessing="true">
- <match url="^(.*)$" ignoreCase="false" />
- <conditions>
- <add input="{HTTP_HOST}" pattern="^example\.com$" />
- </conditions>
- <action type="Redirect" redirectType="Permanent" url="http://www.example.com/{R:1}" />
- </rule>
- <rule name="Imported Rule 2" stopProcessing="true">
- <match url="^(.*)$" ignoreCase="false" />
- <conditions>
- <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
- <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
- <add input="{URL}" pattern="^/favicon\.ico$" ignoreCase="false" negate="true" />
- </conditions>
- <action type="Rewrite" url="index.php?q={R:1}" appendQueryString="true" />
- </rule>
- </rules>
- </rewrite>
- <defaultDocument>
- <files>
- <remove value="index.php" />
- <add value="index.php" />
- </files>
- </defaultDocument>
- <!-- HTTP Errors section should only be enabled if the "Error Pages"
- feature has been delegated as "Read/Write" at the Web Server level.
- <httpErrors>
- <remove statusCode="404" subStatusCode="-1" />
- <error statusCode="404" prefixLanguageFilePath="" path="/index.php" responseMode="ExecuteURL" />
- </httpErrors>
- -->
- </system.webServer>
- </configuration>
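Once a Web.config like the one above is in place, it pays to check it for the settings the rest of this page warns about. The following audit script is an added example written for this page, not code from the original article or from IIS. It parses a constructed Web.config (modelled on the example above, but with Request Filtering enabled, the regex-style tpl(\.php entry kept, directory browsing left on and PHP output cached) and reports: directory browsing enabled, a missing requestFiltering element (which is what a commented-out section looks like to an XML parser), denyUrlSequences entries that contain regular-expression syntax or are very short bare substrings, and output-caching profiles applied to script extensions. The finding keys and severities are this script's own.

```python
"""Audit a Web.config for the weak settings discussed on this page.

Added example, not code from the original page or from IIS tooling. The
sample document below is constructed for the demonstration; it mirrors the
full Web.config example, but with Request Filtering enabled, the regex-style
"tpl(\\.php" entry kept, directory browsing left on and PHP output cached.
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="inc" />
          <add sequence="sh" />
          <add sequence="tpl(\\.php" />
          <add sequence="Repository" />
        </denyUrlSequences>
        <fileExtensions>
          <add fileExtension=".sql" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <directoryBrowse enabled="true" />
    <caching>
      <profiles>
        <add extension=".php" policy="CacheForTimePeriod" kernelCachePolicy="DontCache" duration="00:00:30" />
        <add extension=".html" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="14:00:00:00" />
      </profiles>
    </caching>
  </system.webServer>
</configuration>
"""

# Characters that only make sense in a regular expression; a denyUrlSequences
# entry containing one of them is matched literally and will never fire.
REGEX_METACHARS = set("()[]{}|\\^$*+?")
# Extensions handled by a script engine; output-caching them risks serving one
# user's personalised response to another.
DYNAMIC_EXTENSIONS = {".php", ".asp", ".aspx", ".cgi", ".pl"}


def audit_web_config(xml_text):
    """Return a list of (key, severity, message) findings; empty if clean."""
    findings = []
    ws = ET.fromstring(xml_text).find("system.webServer")
    if ws is None:
        return [("no-webserver-section", "info", "no <system.webServer> element; server defaults apply")]

    browse = ws.find("directoryBrowse")
    if browse is not None and browse.get("enabled", "false").lower() == "true":
        findings.append(("directory-browsing", "high",
                         "directoryBrowse enabled: directories without a default document list their files"))

    rf = ws.find("security/requestFiltering")
    if rf is None:
        # ElementTree drops XML comments, so a commented-out section shows up as missing.
        findings.append(("no-request-filtering", "high",
                         "no <requestFiltering> element (still commented out?): .inc/.module/.sql files are served as-is"))
    else:
        for add in rf.findall("denyUrlSequences/add"):
            seq = add.get("sequence", "")
            if REGEX_METACHARS & set(seq):
                findings.append(("dead-deny-sequence", "medium",
                                 f"denyUrlSequences entry {seq!r} contains regex syntax but is matched literally; it never fires"))
            elif len(seq) < 4 and not seq.startswith("."):
                findings.append(("broad-deny-sequence", "medium",
                                 f"denyUrlSequences entry {seq!r} is a short bare substring and also blocks unrelated URLs"))

    for profile in ws.findall("caching/profiles/add"):
        ext = profile.get("extension", "").lower()
        if ext in DYNAMIC_EXTENSIONS and profile.get("policy") != "DisableCache":
            findings.append(("dynamic-output-cache", "medium",
                             f"output caching policy {profile.get('policy')!r} applied to {ext}; dynamic responses may be shared between users"))
    return findings


if __name__ == "__main__":
    for key, severity, message in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {key}: {message}")
```

Run against a real Web.config by reading the file into audit_web_config. On the constructed sample it reports five findings: directory browsing, the dead tpl(\.php entry, the two short entries inc and sh, and the cached .php profile.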
Denying access to files
In .htaccess, the FilesMatch directive denies access to whole classes of files. Note that Order allow,deny with no Allow line denies everything under the Apache 2.2 access model; on Apache 2.4 with mod_authz_core the equivalent is Require all denied:
- <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$">
- Order allow,deny
- </FilesMatch>
In IIS, the Request Filtering module, configured through Web.config, restricts which files a browser may request. Two caveats: denyUrlSequences entries are literal substrings of the requested URL, not regular expressions, so a regex fragment such as tpl(\.php never matches anything, while short entries such as sh, po, inc or info also block legitimate URLs like /shop/ or /posts/. Blocking by extension is more precise with fileExtensions:
- <security>
- <requestFiltering>
- <denyUrlSequences>
- <add sequence="engine" />
- <add sequence="inc" />
- <add sequence="info" />
- <add sequence="install" />
- <add sequence="module" />
- <add sequence="profile" />
- <add sequence="po" />
- <add sequence="sh" />
- <add sequence="theme" />
- <!-- Sequences are literal substrings, not regular expressions; ".tpl" also covers ".tpl.php". -->
- <add sequence=".tpl" />
- <add sequence="Root" />
- <add sequence="Tag" />
- <add sequence="Template" />
- <add sequence="Repository" />
- <add sequence="code-style" />
- </denyUrlSequences>
- <fileExtensions>
- <add fileExtension=".sql" allowed="false" />
- <add fileExtension=".pl" allowed="false" />
- </fileExtensions>
- </requestFiltering>
- </security>
Alternatively, the URL Rewrite module can deny access to such files and return a 403. Its advantage is that the match accepts a regular expression. One difference from Apache: FilesMatch is applied to the file name only, whereas <match url> is evaluated against the URL path relative to the site root (without the leading slash), so the anchored ^(...)$ alternatives below only match files that sit directly in the root; /CVS/Entries, for example, is not caught:
- <rule name="Protect files and directories from prying eyes" stopProcessing="true">
- <match url="\.(engine|inc|info|install|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$" />
- <action type="CustomResponse" statusCode="403" subStatusCode="0"
- statusReason="Forbidden"
- statusDescription="Access is forbidden." />
- </rule>
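To see how the three mechanisms above differ on concrete requests, here is an added example (not code from the original page) that models Apache's FilesMatch, the IIS URL Rewrite rule and IIS Request Filtering in Python, using the patterns from this section and a constructed list of URLs. It assumes Request Filtering compares sequences case-insensitively and that the rewrite rule keeps URL Rewrite's default ignoreCase="true".

```python
"""Compare the three file-blocking mechanisms discussed above on the same URLs.

Added example (not from the original page): Apache FilesMatch, the IIS URL
Rewrite rule and IIS Request Filtering are modelled with plain Python string
and regex operations; the sample URLs are constructed for illustration.
"""
import posixpath
import re

# .htaccess FilesMatch from the section above. Apache applies it to the
# file name (the last path segment) only, case-sensitively.
APACHE_FILESMATCH = re.compile(
    r"\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$"
    r"|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"
)

# URL Rewrite rule from the section above. <match url> sees the URL path
# relative to the site root, without a leading slash, so the ^...$ branch
# only matches files that sit directly in the root. ignoreCase defaults to true.
IIS_REWRITE_MATCH = re.compile(
    r"\.(engine|inc|info|install|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$"
    r"|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$",
    re.IGNORECASE,
)

# Request Filtering entries from the section above. denyUrlSequences are
# literal substrings of the URL, not regular expressions, so "tpl(\.php"
# is a dead entry. Modelled as case-insensitive (assumption).
IIS_DENY_SEQUENCES = [
    "engine", "inc", "info", "install", "module", "profile", "po", "sh",
    "theme", r"tpl(\.php", "Root", "Tag", "Template", "Repository", "code-style",
]
IIS_DENIED_EXTENSIONS = [".sql", ".pl"]


def apache_denies(path):
    """FilesMatch is tested against the base name of the requested file."""
    return APACHE_FILESMATCH.search(posixpath.basename(path)) is not None


def iis_rewrite_denies(path):
    """<match url> is tested against the path without its leading slash."""
    return IIS_REWRITE_MATCH.search(path.lstrip("/")) is not None


def iis_request_filtering_denies(path, sequences=IIS_DENY_SEQUENCES,
                                 extensions=IIS_DENIED_EXTENSIONS):
    """denyUrlSequences: substring test on the whole URL; fileExtensions: extension test."""
    lowered = path.lower()
    if any(seq.lower() in lowered for seq in sequences):
        return True
    return posixpath.splitext(lowered)[1] in extensions


def compare(urls):
    """Return {url: (apache, iis_rewrite, iis_request_filtering)} for each URL."""
    return {u: (apache_denies(u), iis_rewrite_denies(u), iis_request_filtering_denies(u))
            for u in urls}


# Constructed sample requests: the first five should be blocked, the rest
# are legitimate application traffic.
SAMPLE_URLS = [
    "/includes/bootstrap.inc",
    "/modules/node/node.module",
    "/sites/default/page.tpl.php",
    "/CVS/Entries",
    "/backup/dump.sql",
    "/index.php",
    "/shop/",
    "/dashboard.php",
    "/info/index.php",
    "/posts/2008/07/hello.html",
]

if __name__ == "__main__":
    print(f"{'url':32} apache  rewrite  reqfilter")
    for url, (a, r, f) in compare(SAMPLE_URLS).items():
        print(f"{url:32} {a!s:7} {r!s:8} {f!s}")
```

Running it shows Request Filtering blocking /shop/, /dashboard.php, /info/index.php and /posts/... because of the bare sh, info and po entries, missing /sites/default/page.tpl.php because tpl(\.php is matched literally, and the rewrite rule's ^...$ branch never seeing /CVS/Entries. Calling iis_request_filtering_denies with sequences=[".tpl"] shows the corrected entry catching the template file.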
Default document
In .htaccess, DirectoryIndex sets the default document: the index file the server loads when the requested URL maps to a directory rather than to a specific file.
- # Set the default handler.
- DirectoryIndex index.php
On Windows hosts running IIS, the default document should be configured at a higher level than the individual site. For PHP, the handler mapping is usually defined at the web server level, and the default document should be defined at that same level rather than only locally in the site. Make sure Web.config contains the following:
- <defaultDocument>
- <files>
- <remove value="index.php" />
- <add value="index.php" />
- </files>
- </defaultDocument>
URL rewriting
IIS supports URL rewriting through the URL Rewrite module (installed as an extension), which redefines how URL requests are handled. The most common use is "pseudo-static" URLs: clean URLs that hide the script name and query string.
Many PHP applications ship their URL rewriting in .htaccess; those rules tell Apache's mod_rewrite when and how to respond to a URL. The corresponding IIS settings on Windows hosts look like the following.
For example, .htaccess contains:
- RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
- RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
- RewriteCond %{REQUEST_FILENAME} !-f
- RewriteCond %{REQUEST_FILENAME} !-d
- RewriteCond %{REQUEST_URI} !=/favicon.ico
- RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
With the IIS URL Rewrite module the equivalent is below. Two points to check: in the full .htaccess listing earlier on this page the www redirect is commented out (you pick one direction), whereas the imported rule is active, so adjust the host pattern or remove the rule; and keep the redirect target a literal hostname as shown, because {HTTP_HOST} is attacker-controlled and redirecting to it would turn the rule into an open redirect.
- <rewrite>
- <rules>
- <rule name="Imported Rule 1" stopProcessing="true">
- <match url="^(.*)$" ignoreCase="false" />
- <conditions>
- <add input="{HTTP_HOST}" pattern="^example\.com$" />
- </conditions>
- <action type="Redirect" redirectType="Permanent" url="http://www.example.com/{R:1}" />
- </rule>
- <rule name="Imported Rule 2" stopProcessing="true">
- <match url="^(.*)$" ignoreCase="false" />
- <conditions>
- <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
- <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
- <add input="{URL}" pattern="^/favicon\.ico$" ignoreCase="false" negate="true" />
- </conditions>
- <action type="Rewrite" url="index.php?q={R:1}" appendQueryString="true" />
- </rule>
- </rules>
- </rewrite>
Error page handling
The ErrorDocument directive in .htaccess tells the web server which page to serve when a request results in a 404 "File Not Found" error:
- # Make Application handle any 404 errors.
- ErrorDocument 404 /index.php
In IIS the equivalent is the httpErrors element. The Error Pages feature is not delegated to site-level Web.config by default, so the section ships commented out. Only uncomment it after "Error Pages" has been delegated as Read/Write at the web server level; otherwise the locked section makes IIS reject the whole Web.config with a 500.19 configuration error:
- <!-- HTTP Errors section should only be enabled if the "Error Pages"
- feature has been delegated as "Read/Write" at the Web Server level.
- <httpErrors>
- <remove statusCode="404" subStatusCode="-1" />
- <error statusCode="404" prefixLanguageFilePath="" path="/index.php" responseMode="ExecuteURL" />
- </httpErrors>
- -->
Directory browsing
Many server configurations let users see a listing of the files in a directory that has no default document. Denying clients that listing is another basic hardening step: a listing hands out file names (backups, include files, version-control metadata) that an attacker would otherwise have to guess. In .htaccess:
- # Don't show directory listings for URLs which map to a directory.
- Options -Indexes
In IIS the same is done with the directoryBrowse element in Web.config:
- <directoryBrowse enabled="false" />
Cache lifetime
Caching directives make sure static files are cached for a fixed period while dynamically generated content is not. In .htaccess this is done with the ExpiresDefault and ExpiresByType directives of mod_expires:
- # Requires mod_expires to be enabled.
- <IfModule mod_expires.c>
- # Enable expirations.
- ExpiresActive On
- # Cache all files for 2 weeks after access (A).
- ExpiresDefault A1209600
- # Do not cache dynamically generated pages.
- ExpiresByType text/html A1
- </IfModule>
In Web.config, IIS controls this through the Output Caching module and the caching element. For example, you can cache .html output for 14 days and disable caching for .php files. This is not an exact equivalent of mod_expires: the Expires directives set Expires and Cache-Control response headers that govern browser and proxy caches, whereas caching/profiles governs IIS's own server-side output cache (user mode and kernel mode). Browser-side caching of static content in IIS is configured separately with the clientCache element under staticContent. Keeping .php on DisableCache matters for security as well as freshness, since output-caching dynamic responses can serve one user's personalised page to another:
- <caching>
- <profiles>
- <add extension=".php" policy="DisableCache" kernelCachePolicy="DisableCache" />
- <add extension=".html" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="14:00:00:00" />
- </profiles>
- </caching>