简体繁体 English

在数据库中阻止.htaccess或PHP中的IP地址？

[英]Block IP addresses in .htaccess or in PHP from database?

原文 2013-04-30 15:18:16 0 3 php/ mysql/ blocking/ web-crawler

I am building a bot-trap / crawler-trap to my website: 我正在为我的网站构建一个bot-trap / crawler-trap：

There is a hidden link somewhere on the page, which normal users do not see, but a robot sees. 页面上有一个隐藏的链接，普通用户看不到，但机器人看到了。 The link is also indicated in robots.txt , so Google will not fall into the trap. 该链接也在robots.txt ，因此Google不会陷入陷阱。 When a bot opens the hidden page, the IP automatically gets red-flagged in MySQL . 当机器人打开隐藏页面时，IP会自动在MySQL被标记为红色。

My question is: 我的问题是：

When a new IP gets flagged, which way is better to block that: Regenerate the .htaccess file, with the new IP added to it, so the webserver itself is going to do the blocking. 当新IP被标记时，哪种方式更好地阻止：重新生成.htaccess文件，并添加新IP，因此Web服务器本身将进行阻止。
Do not mess with .htaccess , rather look up the IP table from MySQL every time someone loads the page, and then decide in PHP what to do with the user. 不要乱用.htaccess ，而是在每次有人加载页面时从MySQL查找IP表，然后在PHP决定如何处理用户。

3 个解决方案

I would definitely go with option 2. The only reason being that I would be very uncomfortable that I have a .htaccess file being played with at random intervals in the website all the time. 我绝对会选择选项2.唯一的原因是我会非常不舒服，因为我一直在网站上随机播放.htaccess文件。 It is a nagging feeling like having a gun on my forehead all the time. 这种唠叨的感觉就像在我的额头上一直盯着枪。

If it is db driven the worst that can happen in a screw up is that some black listed IP got access still. 如果它是数据库驱动的，最糟糕的情况可能发生在搞砸了，一些黑名单的IP仍然可以访问。 With htaccess if there is a screwup, not only does every user's experience get messed up, secure data can be compromised as well.. 有了htaccess，如果有一个搞砸了，不仅每个用户的体验都搞砸了，安全数据也会受到影响。

Instead of messing around with Apache httpd configuration, which if your script gets wrong for whatever reason would crash your web stack, what about integrating with a system like fail2ban ? 而不是搞乱Apache httpd配置，如果你的脚本由于某种原因出错会导致你的web堆栈崩溃，那么与fail2ban这样的系统集成呢？

Blocking using a banning tool would be far more effective. 使用禁止工具阻止会更有效。

Which way is better? 哪种方式更好？ That highly depends on what you're able to do. 这在很大程度上取决于你能做什么。 The rules of thumb are: 经验法则是：

Do not use .htaccess files - configure your server directly. 不要使用.htaccess文件 - 直接配置您的服务器。
Connect Apache with your Mysql directly for authz. 将Apache与您的Mysql直接连接以进行authz。
Block incomming traffic in the TCP/IP layer (Iptables) 阻止TCP / IP层中的流量（Iptables）

Everything else is just crawling which you can do, but you should rest assured that you do it because you can't do it right. 其他所有东西都只是爬行，你可以做，但你应该放心，因为你不能做到这一点。 So do not care too much unless you strive for the best. 所以除非你努力做到最好，否则不要太在意。