我尝试限制所有路径(包括test.tonnerklaps.local)对某个虚拟主机的访问。唯一公共可访问的路径应该是“/webhook/bitbucket”。
这是我的主机配置:
<VirtualHost *:443>
ServerName test.tonnerklaps.local
DocumentRoot /srv/satisfy/public
SSLCertificateFile /etc/ssl/certs/test.tonnerklaps.local.pem
SSLCertificateKeyFile /etc/ssl/private/test.tonnerklaps.local-key.pem
<Location "/">
LogMessage "L root %{REQUEST_URI}"
<RequireAll>
AuthType Basic
AuthName "Resticted Access"
AuthBasicProvider file
AuthUserFile "/var/www/passwd/passwords"
Require user packagist
</RequireAll>
</Location>
<Location "/webhook/bitbucket">
LogMessage "L webhook %{REQUEST_URI}"
Require all granted
</Location>
</VirtualHost>
问题是我也被要求在“/webhook/bitbucket”上进行身份验证。有趣的是,这似乎与“/"有关。
因为这是按预期工作的:
<Location "/admin">
LogMessage "L admin %{REQUEST_URI}"
<RequireAll>
AuthType Basic
AuthName "Resticted Access"
AuthBasicProvider file
AuthUserFile "/var/www/passwd/passwords"
Require user packagist
</RequireAll>
</Location>
<Location "/admin/configuration">
LogMessage "L admin.configuration %{REQUEST_URI}"
Require all granted
</Location>
但真正让我惊讶的是,下面的也不起作用。虽然else路径从未被记录,但我在“/webhook/bitbucket”上得到了身份验证提示。
<If "%{REQUEST_URI} == '/webhook/bitbucket'">
LogMessage "If %{REQUEST_URI}"
Require all granted
</If>
<Else>
LogMessage "Else %{REQUEST_URI}"
<RequireAll>
AuthType Basic
AuthName "Resticted Access"
AuthBasicProvider file
AuthUserFile "/var/www/passwd/passwords"
Require user packagist
</RequireAll>
</Else>
有什么想法吗?
我试着在Apache/2.4.54(Ubuntu)上运行satisfy(composer create-project playbloom/satisfy
)。我在另一个php应用程序(concrete CMS)上也得到了同样的行为。
更新
我在没有应用程序的情况下测试了<Location>
(只是创建了文件夹结构和index.php文件)。这是工作的。无论如何,仍然没有线索为什么它在应用程序中不工作,也没有线索为什么<If>
不工作。
更新2
这是我用的最新配置。
<Location "/webhook/bitbucket">
AuthMerging Off
LogMessage "L webhook %{REQUEST_URI}"
AuthType None
Require all granted
</Location>
<Location "/">
LogMessage "L root %{REQUEST_URI}"
AuthMerging Off
AuthType Basic
AuthName "Resticted Access"
AuthBasicProvider file
AuthUserFile "/var/www/passwd/passwords"
Require user packagist
</Location>
更新3
在satisfy/public文件夹里有这个.htaccess-File。它一定和这个有关,但是我还不能理解它。
<IfModule mod_rewrite.c>
Options -MultiViews +Indexes
RewriteEngine On
# Determine the RewriteBase automatically and set it as environment variable.
RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
RewriteRule ^(.*) - [E=BASE:%1]
# Set the HTTP_AUTHORIZATION header removed by apache as environment variable.
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Redirect to URI without front controller to prevent duplicate content.
# We only do this redirect on the initial rewrite to prevent endless redirect loops.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^index\.php(/(.*)|$) %{ENV:BASE}/$2 [R=301,L]
# If the requested filename exists or should exist, simply serve it.
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d [OR]
RewriteCond %{REQUEST_URI} =/favicon.ico [OR]
RewriteCond %{REQUEST_URI} =/robots.txt
RewriteRule .? - [L]
# Rewrite all other queries to the front controller.
RewriteRule .? %{ENV:BASE}/index.php [QSA,L]
</IfModule>
#Compress JSON files
<IfModule mod_headers.c>
<IfModule mod_deflate.c>
<IfModule mod_filter.c>
SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE application/json
</IfModule>
</IfModule>
</IfModule>
1条答案
按热度按时间xpszyzbs1#
我的问题似乎没有解决办法,因为在每次重写之前和之后都会检查请求(这很有意义)。因此,路径“/webhook/bitbucket”被重写为index.php,重写后,看起来不可能检查原始请求是什么($REQUEST_URI不再是“/webhook/bitbucket”)。至少在apache级别上是这样的。应用程序似乎以某种方式获得了相同的请求URI。仍然不完全确定这部分是如何工作的。如果有人能提供更多的信息,我很乐意听到它。
最后我禁用了.htaccess并将其与我的vh配置合并。这样我就可以防止webhook路径被重写,并且只允许对该路径进行无限制访问。然后我将其命名为
index.php/webhook/bitbucket
。只要. htaccess没有相关更改,这也是更新保存。