Apache-2.2
如何防止 Apache2 嘗試將文件作為腳本執行?
所以基本上,我完全按照這個關於 iptraf 監控和 rrdtool的指南進行操作。我
/usr/lib/cgi-bin/
像往常一樣將它用於 cgi 腳本。然後,當我從瀏覽器訪問它時,它製作的圖像似乎被破壞了。出於調試目的,我暫時將權限設置為 777。我認為 Apache2 正在嘗試將 png 文件作為腳本執行。我該如何防止呢?下面是我的配置文件。提前致謝!哦。我以root身份執行。
#tail /var/log/apache2/error.log [Sun Mar 01 06:13:05 2015] [error] [client 192.168.0.241] Premature end of script headers: tcp_services-25-6hr.png, referer: http://192.168.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:13:05 2015] [error] [client 192.168.0.241] Premature end of script headers: tcp_services-80-6hr.png, referer: http://192.168.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:13:05 2015] [error] [client 192.168.0.241] Premature end of script headers: tcp_services-22-6hr.png, referer: http://192.168.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:13:49 2015] [error] [client 192.168.0.241] (8)Exec format error: exec of '/usr/lib/cgi-bin/tcp_services-80-6hr.png' failed, referer: http://192.168 .0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:13:49 2015] [error] [client 192.168.0.241] Premature end of script headers: tcp_services-80-6hr.png, referer: http://192.168.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:13:49 2015] [error] [client 192.168.0.241] (8)Exec format error: exec of '/usr/lib/cgi-bin/tcp_services-119-6hr.png' failed, referer: http://192.16 8.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:13:49 2015] [error] [client 192.168.0.241] Premature end of script headers: tcp_services-119-6hr.png, referer: http://192.168.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:13:49 2015] [error] [client 192.168.0.241] (8)Exec format error: exec of '/usr/lib/cgi-bin/tcp_services-25-6hr.png' failed, referer: http://192.168 .0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:13:49 2015] [error] [client 192.168.0.241] Premature end of script headers: tcp_services-25-6hr.png, referer: http://192.168.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:14:04 2015] [error] [client 192.168.0.241] (8)Exec format error: exec of '/usr/lib/cgi-bin/tcp_services-22-6hr.png' failed, referer: http://192.168 .0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:14:04 2015] [error] [client 192.168.0.241] Premature end of script headers: tcp_services-22-6hr.png, referer: http://192.168.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:14:04 2015] [error] [client 192.168.0.241] (8)Exec format error: exec of '/usr/lib/cgi-bin/tcp_services-80-6hr.png' failed, referer: http://192.168 .0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:14:04 2015] [error] [client 192.168.0.241] (8)Exec format error: exec of '/usr/lib/cgi-bin/tcp_services-443-6hr.png' failed, referer: http://192.16 8.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:14:04 2015] [error] [client 192.168.0.241] (8)Exec format error: exec of '/usr/lib/cgi-bin/tcp_services-25-6hr.png' failed, referer: http://192.168 .0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:14:04 2015] [error] [client 192.168.0.241] Premature end of script headers: tcp_services-80-6hr.png, referer: http://192.168.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:14:04 2015] [error] [client 192.168.0.241] Premature end of script headers: tcp_services-443-6hr.png, referer: http://192.168.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:14:04 2015] [error] [client 192.168.0.241] Premature end of script headers: tcp_services-25-6hr.png, referer: http://192.168.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:14:04 2015] [error] [client 192.168.0.241] (8)Exec format error: exec of '/usr/lib/cgi-bin/tcp_services-119-6hr.png' failed, referer: http://192.16 8.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:14:04 2015] [error] [client 192.168.0.241] Premature end of script headers: tcp_services-119-6hr.png, referer: http://192.168.0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:14:12 2015] [error] [client 192.168.0.241] (8)Exec format error: exec of '/usr/lib/cgi-bin/tcp_services-22-6hr.png' failed, referer: http://192.168 .0.1/cgi-bin/tcp.cgi [Sun Mar 01 06:14:12 2015] [error] [client 192.168.0.241] Premature end of script headers: tcp_services-22-6hr.png, referer: http://192.168.0.1/cgi-bin/tcp.cgi
這是啟用站點的配置。
#cat /etc/apache2/sites-enabled/001-exynis <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www <Directory /> Options +ExecCGI FollowSymLinks AllowOverride None </Directory> <Directory /var/www/> Options +ExecCGI Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> <Directory /var/www/tcpmon/> Options +ExecCGI Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
這是我的 apache2.conf 文件。我在底部添加了AddHandler和ScriptAlias 。
#cat /etc/apache2/apache2.conf # This is the main Apache server configuration file. It contains the # configuration directives that give the server its instructions. # See http://httpd.apache.org/docs/2.2/ for detailed information about # the directives and /usr/share/doc/apache2-common/README.Debian.gz about # Debian specific hints. # It is split into several files forming the configuration hierarchy outlined # below, all located in the /etc/apache2/ directory: # # /etc/apache2/ # |-- apache2.conf # | `-- ports.conf # |-- mods-enabled # | |-- *.load # | `-- *.conf # |-- conf.d # | `-- * # `-- sites-enabled # `-- * # # # * apache2.conf is the main configuration file (this file). It puts the pieces # together by including all remaining configuration files when starting up the # web server. # Global configuration # # # ServerRoot: The top of the directory tree under which the server's # configuration, error, and log files are kept. # # NOTE! If you intend to place this on an NFS (or otherwise network) # mounted filesystem then please read the LockFile documentation (available # at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>); # you will save yourself a lot of trouble. # # Do NOT add a slash at the end of the directory path. # #ServerRoot "/etc/apache2" # # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. # LockFile ${APACHE_LOCK_DIR}/accept.lock # # PidFile: The file in which the server should record its process # identification number when it starts. # This needs to be set in /etc/apache2/envvars # PidFile ${APACHE_PID_FILE} # # Timeout: The number of seconds before receives and sends time out. # Timeout 300 # # KeepAlive: Whether or not to allow persistent connections (more than # one request per connection). Set to "Off" to deactivate. # KeepAlive On # # MaxKeepAliveRequests: The maximum number of requests to allow # during a persistent connection. Set to 0 to allow an unlimited amount. # We recommend you leave this number high, for maximum performance. # MaxKeepAliveRequests 100 # # KeepAliveTimeout: Number of seconds to wait for the next request from the # same client on the same connection. # KeepAliveTimeout 5 ## ## Server-Pool Size Regulation (MPM specific) ## # prefork MPM # StartServers: number of server processes to start # MinSpareServers: minimum number of server processes which are kept spare # MaxSpareServers: maximum number of server processes which are kept spare # MaxClients: maximum number of server processes allowed to start # MaxRequestsPerChild: maximum number of requests a server process serves <IfModule mpm_prefork_module> StartServers 5 MinSpareServers 5 MaxSpareServers 10 MaxClients 150 MaxRequestsPerChild 0 </IfModule> # worker MPM # StartServers: initial number of server processes to start # MinSpareThreads: minimum number of worker threads which are kept spare # MaxSpareThreads: maximum number of worker threads which are kept spare # ThreadLimit: ThreadsPerChild can be changed to this maximum value during a # graceful restart. ThreadLimit can only be changed by stopping # and starting Apache. # ThreadsPerChild: constant number of worker threads in each server process # MaxClients: maximum number of simultaneous client connections # MaxRequestsPerChild: maximum number of requests a server process serves <IfModule mpm_worker_module> StartServers 2 MinSpareThreads 25 MaxSpareThreads 75 ThreadLimit 64 ThreadsPerChild 25 MaxClients 150 MaxRequestsPerChild 0 </IfModule> # event MPM # StartServers: initial number of server processes to start # MinSpareThreads: minimum number of worker threads which are kept spare # MaxSpareThreads: maximum number of worker threads which are kept spare # ThreadsPerChild: constant number of worker threads in each server process # MaxClients: maximum number of simultaneous client connections # MaxRequestsPerChild: maximum number of requests a server process serves <IfModule mpm_event_module> StartServers 2 MinSpareThreads 25 MaxSpareThreads 75 ThreadLimit 64 ThreadsPerChild 25 MaxClients 150 MaxRequestsPerChild 0 </IfModule> # These need to be set in /etc/apache2/envvars User ${APACHE_RUN_USER} Group ${APACHE_RUN_GROUP} # # AccessFileName: The name of the file to look for in each directory # for additional configuration directives. See also the AllowOverride # directive. # AccessFileName .htaccess # # The following lines prevent .htaccess and .htpasswd files from being # viewed by Web clients. # <Files ~ "^\.ht"> Order allow,deny Deny from all Satisfy all </Files> # # DefaultType is the default MIME type the server will use for a document # if it cannot otherwise determine one, such as from filename extensions. # If your server contains mostly text or HTML documents, "text/plain" is # a good value. If most of your content is binary, such as applications # or images, you may want to use "application/octet-stream" instead to # keep browsers from trying to display binary files as though they are # text. # # It is also possible to omit any default MIME type and let the # client's browser guess an appropriate action instead. Typically the # browser will decide based on the file's extension then. In cases # where no good assumption can be made, letting the default MIME type # unset is suggested instead of forcing the browser to accept # incorrect metadata. # DefaultType None # # HostnameLookups: Log the names of clients or just their IP addresses # e.g., www.apache.org (on) or 204.62.129.132 (off). # The default is off because it'd be overall better for the net if people # had to knowingly turn this feature on, since enabling it means that # each client request will result in AT LEAST one lookup request to the # nameserver. # HostnameLookups Off # ErrorLog: The location of the error log file. # If you do not specify an ErrorLog directive within a <VirtualHost> # container, error messages relating to that virtual host will be # logged here. If you *do* define an error logfile for a <VirtualHost> # container, that host's errors will be logged there and not here. # ErrorLog ${APACHE_LOG_DIR}/error.log # # LogLevel: Control the number of messages logged to the error_log. # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. # LogLevel warn # Include module configuration: Include mods-enabled/*.load Include mods-enabled/*.conf # Include list of ports to listen on and which to use for name based vhosts Include ports.conf # # The following directives define some format nicknames for use with # a CustomLog directive (see below). # If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i # LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %O" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent # Include of directories ignores editors' and dpkg's backup files, # see the comments above for details. # Include generic snippets of statements Include conf.d/ # Include the virtual host configurations: Include sites-enabled/ ServerName myserver AddHandler cgi-script .rcgi .cgi ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ AddType image/png .png AddType image/gif .gif
將您的圖片移出
/usr/lib//cgi-bin/
文件夾並將它們放在/var/www/
相應更新路徑中的某個位置。每次您嘗試訪問
cgi-bin
路徑中的任何文件時,都期望通過執行該文件來生成內容。
我們通過 NAS-CIFS 共享為我們的一個微不足道的網站提供服務,因此 unix 模式都是由 crock 組成的。一切都是模式可執行的,不能用
chmod
.我發現我的問題是
ScriptAlias
告訴 Apache 執行所有內容,甚至是圖像。我認為去<Directory ...> -ExecCGI...
-subimg
-directory 可能是個好主意,但沒有奏效。我通過將圖像從 bin-dir(現在它們是姐妹)下移出並添加單獨的
Alias
(沒有腳本!)和<Directory...>
.