Apache 2.4 ACLs

Last updated: 2022-09-28


Apache ACLs

2.2 -> 2.4

V 2.2

Order deny,allow
Deny from all

V 2.4

 * Require must not be combined with the deprecated "Order allow,deny" directive

Otherwise the request is denied no matter what the Require says

# Order allow,deny
Require all denied

 * When several "Require" lines are present and not enclosed in <RequireAll>, they are treated as if enclosed in <RequireAny>

Enclosing a group of authorization directives:

<RequireAll>
    ...
</RequireAll>

<RequireAny>
    ...
</RequireAny>

RequireAny

 * Apache 2.4 no longer has "Satisfy Any"; use "<RequireAny>" instead

P.S.

Satisfy set the condition to be met between the host-level ACL and user authentication

i.e.

Satisfy Any

is equivalent to

Require valid-user
Require ip x.x.x.x

 * When there are several "Require ip" lines, they are treated as being in a <RequireAny> relationship.

Require options

Require all granted
Require all denied
Require env env-var [env-var] ...                 # Access is allowed only if one of the given environment variables is set.
Require method http-method [http-method]
Require expr expression

Some of the allowed syntaxes provided by

mod_authz_user:

Require user userid [userid] ...
Require valid-user

mod_authz_groupfile:

Require group group-name [group-name] ...
Require valid-user

mod_authz_host

Subnet

Require ip 10 172.16.0.0/12 192.168.0.0/255.255.0.0

Multiple lines

Require ip 10
Require ip 172.16.0.0/12
Require ip 192.168.0.0/16

Or with line continuation (no backslash on the last line, or the directive runs on into whatever follows):

Require ip 10 \
    172.16.0.0/12 \
    192.168.0.0/16

P.S.

Access controls which are applied in this way are effective for all methods.

<Limit> - apply access controls only to specific methods

<Limit POST PUT DELETE>
  Require valid-user
</Limit>



Deny from a List


.conf setting

<Location />
   <RequireAll>
      Require all granted
      Include conf/IPList.conf
   </RequireAll>
</Location>

IPList.conf

Require not ip 10.10.1.23



Basic Login


# Access Control
AuthName          "Restricted Area"
AuthType          Basic
AuthBasicProvider file
AuthUserFile      /home/vhosts/xxxx/htpasswd
Require           valid-user



Require Method


The method provider allows using the HTTP method in authorization decisions.
The GET and HEAD methods are treated as equivalent.

# The following example will allow GET, HEAD, POST, and OPTIONS requests without authentication,
#  and require a valid user for all other methods:

<RequireAny>
     Require method GET POST OPTIONS
     Require valid-user
</RequireAny>
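As an added example (not code from the original page or from Apache itself), a small Python model of the Apache 2.4 Require semantics described above: bare Require lines behaving as an implicit <RequireAny>, the "Satisfy Any" equivalence, the <RequireAll> deny list from IPList.conf, the multi-line "Require ip" subnets and the method rule. The client addresses and 203.0.113.0/24 (standing in for x.x.x.x) are constructed values.

```python
import ipaddress

# Leaf directives, written as tuples that mirror the page's snippets:
#   ("ip", "10", "172.16.0.0/12")  ("not_ip", "10.10.1.23")  ("valid-user",)
#   ("method", "GET", "POST")       ("all", "granted")
# Containers: ("any", [...]) is <RequireAny>, ("all", [...]) is <RequireAll>.
# A leaf returns True (grant), False (deny) or None (neutral: no opinion).

def ip_matches(client_ip, spec):
    """One 'Require ip' argument: partial address ("10", "172.16"), CIDR or netmask form."""
    if "/" not in spec and spec.count(".") < 3:
        return client_ip.startswith(spec + ".")
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def eval_leaf(leaf, req):
    kind, args = leaf[0], leaf[1:]
    if kind == "all":
        return args[0] == "granted"
    if kind == "ip":
        return True if any(ip_matches(req["ip"], a) for a in args) else None
    if kind == "not_ip":      # 'Require not ip' can only deny; on its own it grants nobody
        return False if any(ip_matches(req["ip"], a) for a in args) else None
    if kind == "valid-user":
        return True if req.get("user") else None
    if kind == "method":      # GET and HEAD are treated as equivalent
        return True if ("GET" if req["method"] == "HEAD" else req["method"]) in args else None
    raise ValueError("unknown directive: %s" % kind)

def evaluate(node, req):
    """Tri-state result; a bare list of Require lines is an implicit <RequireAny>."""
    if isinstance(node, list):
        node = ("any", node)
    if len(node) == 2 and isinstance(node[1], list):          # container
        results = [evaluate(child, req) for child in node[1]]
        if node[0] == "any":                                   # any grant wins
            return True if True in results else (False if False in results else None)
        if False in results:                                   # RequireAll: one denial denies
            return False
        return True if True in results else None
    return eval_leaf(node, req)

def granted(rules, req):
    """Only an explicit grant lets the request through; neutral or denied means 403."""
    return evaluate(rules, req) is True

# Constructed rule sets taken from the page (203.0.113.0/24 stands in for x.x.x.x).
SATISFY_ANY  = [("valid-user",), ("ip", "203.0.113.0/24")]
DENY_LIST    = ("all", [("all", "granted"), ("not_ip", "10.10.1.23")])
READ_NO_AUTH = ("any", [("method", "GET", "POST", "OPTIONS"), ("valid-user",)])
PRIVATE_NETS = [("ip", "10"), ("ip", "172.16.0.0/12"), ("ip", "192.168.0.0/255.255.0.0")]
```

Note that a bare `Require not ip` with no positive directive beside it grants nobody, which is why the deny list sits inside <RequireAll> together with `Require all granted`.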



Troubleshooting

Q1. Adding "Require valid-user" results in a "404"

A1. Adding 'ErrorDocument 401 "Authorisation Required"' fixes it
