A site usually has both an admin back end and an API. Putting them under the public domain as paths, for example https://localhost/admin/ and https://localhost/api/, makes them trivial to guess and therefore easy to target. Moving the admin panel to its own hostname, for example https://getoutmyadmin.localhost or https://SweWECse2.localhost, makes it harder to stumble onto. Of course, anything exposed to the outside can still be attacked; this only reduces exposure and discourages casual attackers, instead of advertising the admin path to everyone. A separate hostname also gives the admin panel its own origin, so the public site's scripts and cookies are isolated from it (as long as the session cookie domain is not set to a shared parent domain). Keep in mind, though, that a hostname is not a secret: it appears in DNS, in Certificate Transparency logs if you issue a publicly trusted certificate for it, and in the Host header of any request that reaches the server. Every route on the admin domain still needs authentication and authorization; the separate domain is an extra layer, not the access control.
Add config/domain.php so that every domain the application uses is managed in one place.
<?php

return [
    /*
    |--------------------------------------------------------------------------
    | Domain Setting
    |--------------------------------------------------------------------------
    */
    'Web'   => env('WEB_DOMAIN', 'localhost'),
    'Api'   => env('API_DOMAIN', 'api.localhost'),
    'Admin' => env('ADMIN_DOMAIN', 'admin.localhost'),
];
Modify app/Providers/RouteServiceProvider.php so that each route file is loaded inside its own domain group. Note that the admin group below refers to a middleware group named admin, which a stock Laravel install does not define: register it in app/Http/Kernel.php under $middlewareGroups, otherwise Laravel will try to resolve the string admin as a middleware class and requests to the admin domain will fail.
<?php

namespace App\Providers;

use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Route;

class RouteServiceProvider extends ServiceProvider
{
    /**
     * This namespace is applied to your controller routes.
     *
     * In addition, it is set as the URL generator's root namespace.
     *
     * @var string
     */
    protected $namespace = 'App\Http\Controllers';

    /**
     * The path to the "home" route for your application.
     *
     * @var string
     */
    public const HOME = '/home';

    /**
     * Define your route model bindings, pattern filters, etc.
     *
     * @return void
     */
    public function boot()
    {
        //
        parent::boot();
    }

    /**
     * Define the routes for the application.
     *
     * @return void
     */
    public function map()
    {
        // Domain for the public web site
        $this->mapWebRoutes();
        // Domain for the API
        $this->mapApiRoutes();
        // Domain for the admin back end
        $this->mapAdminRoutes();
    }

    /**
     * Define the "web" routes for the application.
     *
     * These routes all receive session state, CSRF protection, etc.
     *
     * @return void
     */
    protected function mapWebRoutes()
    {
        Route::group([
            'domain'     => config('domain.Web'),
            'middleware' => 'web',
            'namespace'  => $this->namespace,
        ], function ($router) {
            require base_path('routes/web.php');
        });
    }

    /**
     * Define the "api" routes for the application.
     *
     * These routes are typically stateless.
     *
     * @return void
     */
    protected function mapApiRoutes()
    {
        Route::group([
            'domain'     => config('domain.Api'),
            'middleware' => 'api',
            'namespace'  => $this->namespace,
        ], function ($router) {
            require base_path('routes/api.php');
        });
    }

    /**
     * Define the "admin" routes for the application.
     *
     * These routes only match requests whose Host is the admin domain. The
     * "admin" middleware group must be registered in app/Http/Kernel.php and
     * should give these routes session state, CSRF protection and an
     * authentication check.
     *
     * @return void
     */
    protected function mapAdminRoutes()
    {
        Route::group([
            'domain'     => config('domain.Admin'),
            'middleware' => 'admin',
            'namespace'  => $this->namespace,
        ], function ($router) {
            require base_path('routes/admin.php');
        });
    }
}
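The admin route group above uses a middleware group named admin that does not exist in a fresh Laravel install. The following is an added example, not code from the original post, of registering it in app/Http/Kernel.php. It gives the admin domain the same stateful stack as the stock web group (cookies, session, CSRF) and appends the auth middleware, so no admin route is reachable without a logged-in user. The class list mirrors Laravel's default web group for the 5.5 to 7.x releases; if your version's web group differs, copy your own list. Only the properties relevant here are shown, so merge this into your existing Kernel (keep your global $middleware array and the other route middleware aliases) rather than replacing the file.

```php
<?php

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    /**
     * The application's route middleware groups.
     *
     * Your global $middleware property is unchanged and omitted here.
     *
     * @var array
     */
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

        'api' => [
            'throttle:60,1',
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

        // Added group referenced by RouteServiceProvider::mapAdminRoutes().
        // Same stateful stack as 'web' (session, CSRF) plus 'auth', so the
        // hidden hostname is never the only thing standing between an
        // anonymous request and the admin panel.
        'admin' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
            'auth',
        ],
    ];

    /**
     * The application's route middleware aliases.
     *
     * Only 'auth' is shown because the 'admin' group depends on it; keep the
     * remaining aliases from your stock Kernel.
     *
     * @var array
     */
    protected $routeMiddleware = [
        'auth' => \App\Http\Middleware\Authenticate::class,
    ];
}
```

If the admin panel authenticates against a different user table, use a dedicated guard ('auth:admin' instead of 'auth', with the guard defined in config/auth.php) so that an ordinary site login can never satisfy the admin check.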
A fresh Laravel install already ships with routes/web.php and routes/api.php, so only routes/admin.php needs to be added. (Add more domains the same way if you need them.)
<?php

use Illuminate\Support\Facades\Route;

/*
|--------------------------------------------------------------------------
| Web Admin Routes
|--------------------------------------------------------------------------
|
| Here is where you can register routes for the admin back end. These
| routes are loaded by the RouteServiceProvider within a group that is
| restricted to the admin domain and uses the "admin" middleware group.
|
*/

Route::get('/', function () {
    return 'Admin dashboard';
});
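Domain routing is only useful if it actually isolates the admin routes and the admin group really enforces a login. The following PHPUnit feature test is an added example, not part of the original post, that checks both. It assumes the routes and config/domain.php from this post, a Laravel 5.5 to 7.x application (App\User model, the factory() helper), the stock routes/web.php and routes/api.php (which define no /admin path and no API root route), and that the admin middleware group includes auth; with getJson(), an unauthenticated request is rejected with 401 instead of a redirect to a login page, which keeps the test independent of whether a login route exists.

```php
<?php

namespace Tests\Feature;

use App\User;
use Tests\TestCase;

class DomainSeparationTest extends TestCase
{
    /**
     * The admin root must not be reachable by path on the other domains.
     * Passing a full URL to get() sets the Host header for the request,
     * so each call exercises a different domain route group.
     */
    public function testAdminRoutesAreNotServedOnOtherDomains()
    {
        // Public domain: there is no /admin route in routes/web.php.
        $this->get('http://' . config('domain.Web') . '/admin')
             ->assertNotFound();

        // API domain: the admin root route does not exist in routes/api.php.
        $this->get('http://' . config('domain.Api') . '/')
             ->assertNotFound();
    }

    /**
     * Knowing the hostname is not enough: an anonymous request to the admin
     * domain must be refused by the 'auth' middleware in the admin group.
     */
    public function testAdminDomainRequiresAuthentication()
    {
        $this->getJson('http://' . config('domain.Admin') . '/')
             ->assertStatus(401);
    }

    /**
     * A logged-in user reaches the admin root on the admin domain. The user
     * is built in memory with make(), so no database is required.
     */
    public function testAuthenticatedUserReachesAdminDomain()
    {
        $user = factory(User::class)->make();

        $this->actingAs($user)
             ->get('http://' . config('domain.Admin') . '/')
             ->assertOk();
    }
}
```

Run it with `php artisan test` or `vendor/bin/phpunit tests/Feature/DomainSeparationTest.php`. If the second test fails with a 200, the admin group is not enforcing authentication and the hidden hostname is the only protection you have.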
Edit .env:
WEB_DOMAIN=localhost
API_DOMAIN=api.localhost
ADMIN_DOMAIN=admin.localhost
Configure the Apache VirtualHosts. All three share the same DocumentRoot; Apache only separates them by ServerName, and Laravel then picks the route group by the Host header. Because the first VirtualHost is also Apache's default for requests whose Host matches none of the names, and because anyone who reaches the server can send whatever Host header they like, the admin VirtualHost is a good place for an additional network restriction (for example an Apache Require ip rule, or a VPN-only listener) on top of the application-level login.
<VirtualHost *:80>
DocumentRoot "/laravel/public"
ServerName localhost
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/laravel/public"
ServerName admin.localhost
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/laravel/public"
ServerName api.localhost
</VirtualHost>