.htaccess 在apache 2.4中合并子文件夹的IP和用户授权限制

qoefvg9y  于 2022-12-30  发布在  Apache
关注(0)|答案(3)|浏览(105)

我想限制访问一个完整的网站(Apache 2.4)的某些IP。在这之上,我想限制访问某些子文件夹与用户身份验证。用户身份验证是行不通的。这是我得到的:
在我的vhost配置中

<Location />
    # Localhost
    Require ip 127.0.0.1i
    # some other IP
    Require ip 1.2.3.4
<Location>

现在,我希望子文件夹/secure/需要有效的用户登录
<webroot>/secure/.htaccess看起来像

<RequireAll>
    Require all granted
    Require user user1 user2 user3
    AuthBasicProvider file
    AuthType Basic
    AuthName "Secure Folder Login"
    AuthUserFile /securePath/userAuth
</RequireAll>

我仍然可以从IP www.example.com访问/secure1.2.3.4不需要用户验证。感觉就像apache匹配Require ip 1.2.3.4指令的IP(在隐式RequireAny中),并且不关心可能的额外限制。

wxclj1h5

wxclj1h51#

如果你想阻止任何IP,但只有一个在您的列表中,并提供一个基本的登录提示允许的IP,你可以这样做(在你的.htaccess):

Require all denied
<RequireAll>
    Require valid-user
    Require ip 100.04.04.04
    AuthBasicProvider file
    AuthType Basic
    AuthName "Secure Folder Login"
    AuthUserFile /htdocs/www/web_projects/.htpasswd
</RequireAll>

而对于多个IP,则应执行以下操作:

Require all denied    
<RequireAll>
    <RequireAny>
        Require ip 78.53.160.0/19
        Require ip 80.171.1.0/24
        Require ip 80.171.2.0/23
        Require ip 80.171.4.0/22
        Require ip 80.171.8.0/21
        Require ip 80.171.16.0/20
        Require ip 80.171.32.0/19
        Require ip 80.171.64.0/18
    </RequireAny>
    <RequireAll>
        Require valid-user
        AuthBasicProvider file
        AuthType Basic
        AuthName "Secure Folder Login"
        AuthUserFile /htdocs/www/web_projects/.htpasswd
    </RequireAll>
</RequireAll>
sg24os4d

sg24os4d2#

至少位置(在位置,目录,文件和.htaccess指令之外)看起来是分开的,最后的,并且是以相反的顺序出现的。我没有完全检查,我找不到它的文档。
长话短说
我可以通过放置

<Location /secure/>
    Require all denied
    <RequireAll>
        Require user user1 user2 user3
        AuthBasicProvider file
        AuthType Basic
        AuthName "Secure Folder Login"
        AuthUserFile /securePath/userAuth
    </RequireAll>
</Location>

位于vhost配置中的<Location />Require ip 1.2.3.4</Location>下方(上述操作无效)。使用<Directory>块或.htaccess均无效。

1cklez4t

1cklez4t3#

仅将Require指令放在RequireAllRequireAny块中。此外,不要将Location块用于文件系统对象(实际目录),而应使用Directory

<Directory /opt/secure>
    Require all denied
    AuthBasicProvider file
    AuthType Basic
    AuthName "Secure Folder Login"
    AuthUserFile /opt/.htaccess
    <RequireAll>
        Require user1 user2 # or Require valid user
        <RequireAny>
            Require ip 78.53.160.0/19
            Require ip 80.171.1.0/24
            Require ip 80.171.2.0/23
            Require ip 80.171.4.0/22
            Require ip 80.171.8.0/21
            Require ip 80.171.16.0/20
            Require ip 80.171.32.0/19
            Require ip 80.171.64.0/18
        </RequireAny>
    </RequireAll>
</Directory>

相关问题