Last updated: 2019-05-23
Contents
- Precedence
- Files and FilesMatch
- DirectoryMatch
- Location and LocationMatch
- Files
- Testing Code
Precedence
- <Location> # highest precedence (takes effect immediately)
- <Files> <FilesMatch> # when <Files> and <FilesMatch> conflict, the one that appears last wins
- <Directory>
Files and FilesMatch
Files:
(1) applies to matched filenames (supports "*" and "?")
<Files *.ini>
deny from all
</Files>

<Files "?at.*">
# This would apply to cat.html, bat.html, hat.php and so on.
</Files>
(2) Some files need to be kept secret ("~" => use a regular expression)
* Regex can also be used, with the addition of the ~ character.
<Files ~ "\.(htaccess|htpasswd|ini|bak|old|log|sh|sql)$">
deny from all
</Files>
(3) A 777 folder must never allow access to php, html, js and the like
* <Files> sections can be used inside .htaccess files.
<Files ~ "\.(php|html|htm|js)$">
deny from all
</Files>
FilesMatch:
applies to filenames matched by a regular expression
<FilesMatch "\.(gif|jpe?g|png)$">
# uses a regular expression directly
</FilesMatch>
Usage
Block files starting with "." (e.g. .gitignore)
<FilesMatch "^\.">
Order allow,deny
Deny from all
</FilesMatch>
DirectoryMatch
* "<Directory>" takes a full path (e.g. /home/vhost/...), "<DirectoryMatch>" takes a regex
* DirectoryMatch cannot be written in .htaccess
e.g.
Define RoundcubeRoot /usr/share/roundcubemail
<DirectoryMatch "^${RoundcubeRoot}/(config|temp|logs)">
Require all denied
</DirectoryMatch>

# Block folders starting with "." (e.g. .git/ .vscode/ .history/)
# "\/\." simply means "/."
<DirectoryMatch "\/\.">
Require all denied
</DirectoryMatch>
* Note: ".well-known" will also be blocked
Advanced version
<DirectoryMatch "\/\.(?!well-known)">
Require all denied
</DirectoryMatch>
With multiple folders
<DirectoryMatch "\/\.">
Require all denied
</DirectoryMatch>

<DirectoryMatch "\/\.well-known|\/\.thumbscatalog">
Require all granted
</DirectoryMatch>
Implementing DirectoryMatch-style protection in .htaccess
Using RedirectMatch
# For vscode IDE
RedirectMatch 404 /\.vscode
RedirectMatch 404 /\.history
RedirectMatch 404 /\.git
RedirectMatch 404 /\.gitignore
Using RewriteRule
RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|vendor|program\/(include|lib|localization|steps)) - [F]
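To check which directories the three dot-folder variants above actually deny, here is an added Python harness (not part of this page's Apache config) that runs the page's DirectoryMatch regexes against constructed sample paths. It assumes a simplified merge model: sections are tested in config order and a later matching section's Require replaces the earlier decision.

```python
import re

# The page's three variants, as (regex, Require decision) in config order.
NAIVE = [(r"\/\.", "denied")]
LOOKAHEAD = [(r"\/\.(?!well-known)", "denied")]
TWO_SECTIONS = [
    (r"\/\.", "denied"),
    (r"\/\.well-known|\/\.thumbscatalog", "granted"),
]

# Constructed sample directory paths (not from the page).
SAMPLE_DIRS = [
    "/var/www/html/.git",
    "/var/www/html/.vscode",
    "/var/www/html/.well-known/acme-challenge",
    "/var/www/html/.thumbscatalog",
    "/var/www/html/images",
]


def decide(path, sections, default="granted"):
    """Effective Require decision for one filesystem directory path.

    Assumption: only <DirectoryMatch> sections are modelled. Each section whose
    regex matches anywhere in the path (re.search, like Apache) overrides the
    decision made by earlier sections, so the last matching section wins.
    """
    decision = default
    for pattern, result in sections:
        if re.search(pattern, path):
            decision = result
    return decision


def report(sections):
    """Map every sample directory to its decision under one rule set."""
    return {path: decide(path, sections) for path in SAMPLE_DIRS}


if __name__ == "__main__":
    for name, sections in (("naive", NAIVE), ("lookahead", LOOKAHEAD),
                           ("two sections", TWO_SECTIONS)):
        print(name)
        for path, result in report(sections).items():
            print(f"  {result:8} {path}")
```

The naive rule denies `.well-known` (breaking ACME challenges), while the lookahead and two-section variants leave it reachable and still deny `.git` and `.vscode`.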
Remark
nginx setting
location ~ /\. { deny all; }
Location and LocationMatch
* "<Location>" can only be used in the server and vhost config !!
<Location "/private1">
# requests to /private1, /private1/ and /private1/file.txt
</Location>

<Location /private2/>
# different filesystem locations can share the same URL !!
# /private2other is not included !!
</Location>

<Location ~ "/(extra|special)/data">
# "~" uses a regex
# "|" OR
# "?" matches any single character (excluding "/")
# "*" matches any sequence of characters (excluding "/")
</Location>
welcome.conf
# When Apache is installed on CentOS, /etc/httpd/conf.d/welcome.conf is created
# Its purpose is to return 403 when the empty root is requested, without listing the directory
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /error/noindex.html
</LocationMatch>
Override it in the appropriate virtual host
<LocationMatch "^/+$">
Options +Indexes
</LocationMatch>
LocationMatch
Differences from Location:
- regex version of <Location>
- argument as regular expression instead of a simple string
e.g.
# matches URLs that contain the substring /extra/data or /special/data (not only those starting with it)
<LocationMatch "/(extra|special)/data">
# ...
</LocationMatch>
named groups capture
Supported from 2.4.8 onwards
named groups and backreferences are captured and written to the environment
with the corresponding name prefixed with "MATCH_" and in upper case.
In order to prevent confusion, numbered (unnamed) backreferences are ignored.
<LocationMatch "^/combined/(?<sitename>[^/]+)">
Require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example
</LocationMatch>
Remark
On the filesystem /home///foo is equivalent to /home/foo, but in URL-space that is not necessarily the case
Files
<Files "test.txt">
# applies to test.txt in whichever directory it is in
</Files>

<Files "?at.*">
# This would apply to cat.html, bat.html, hat.php and so on.
</Files>

<Files ~ "\.(gif|jpe?g|png)$">
# regular expression
</Files>
Testing Code
<Directory /home/vhosts/datahunter.org/web/test/>
Order Allow,Deny
Allow from 127.0.0.1
</Directory>

<Location /test/>
Order Allow,Deny
Allow from ALL
</Location>

<FilesMatch "\.txt$">
Order Allow,Deny
Allow from 127.0.0.1
</FilesMatch>

<Files "test.txt">
Order Allow,Deny
Allow from 127.0.0.1
</Files>
PHP cannot execute
# Cause: it was changed in .htaccess
.htaccess
<Files *.php>
ForceType ...
</Files>