<Directory> <Files> <FilesMatch> <Location>

由 datahunter 在五, 23/08/2013 - 23:28 發表

最後更新: 2019-05-23

優先次序

<Location> # 最優先 (立即生效)
<Files> <FilesMatch> # 當 <Files> 與 <FilesMatch> 有矛盾時, 最尾出現的勝
<Directory>

Files 與 FilesMatch

Files:

(1) apply to matched filenames (支援"*", "?")

<Files *.ini>
    deny from all
</Files>


<Files "?at.*">
    # This would apply to cat.html, bat.html, hat.php and so on.
</Files>

(2) Some File need to keep secret ("~" => 用 Regular expressions)

* Regex can also be used, with the addition of the ~ character.

<Files ~ "\.(htaccess|htpasswd|ini|bak|old|log|sh|sql)$">
    deny from all
</Files>

(3) 777 的 folder 一定唔比訪問 php, html, js 之類

* <Files> sections can be used inside .htaccess files.

<Files ~ "\.(php|html|htm|js)$">
    deny from all
</Files>

FilesMatch:

apply to regular-expression matched filenames

<FilesMatch "\.(gif|jpe?g|png)$">
    # 直接用 regular expression
</FilesMatch>

應用

Block files start with "." (i.e. .gitignore)

<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>

DirectoryMatch

* "<Directory>" 是 full path 來 (i.e. /home/vhost/...), "<DirectoryMatch>" 係 regex

* DirectoryMatch 不可以寫在 .htaccess

i.e.

Define RoundcubeRoot /usr/share/roundcubemail
<DirectoryMatch "^${RoundcubeRoot}/(config|temp|logs)">
    Require all denied
</DirectoryMatch>

# Block folders start with "." (i.e. .git/ .vscode/ .history/)

# "\/\." 亦即係中 "/."
<DirectoryMatch "\/\.">
  Require all denied
</DirectoryMatch>

* 注意: ".well-known" 亦會被 block

進階版

<DirectoryMatch "\/\.(?!well-known)">
  Require all denied
</DirectoryMatch>

當多 Folder 時

<DirectoryMatch "\/\.">
    Require all denied
</DirectoryMatch>
<DirectoryMatch "\/\.well-known|\/\.thumbscatalog">
    Require all granted
</DirectoryMatch>

在 .htaccess 實現 DirectoryMatch 保護

用 RedirectMatch

# For vscode IDE
RedirectMatch 404 /\.vscode
RedirectMatch 404 /\.history
RedirectMatch 404 /\.git
RedirectMatch 404 /\.gitignore

用 RewriteRule

RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|vendor|program\/(include|lib|localization|steps)) - [F]

Remark

nginx setting

location ~ /\. { deny all; }

Location 與 LocationMatch

* "<Location>" 只可以用在 Server 及 vhost config 內 !!

<Location "/private1">
    # requests to /private1, /private1/ and /private1/file.txt
</Location>

<Location /private2/>
    # 不同的 FS 位置可以相同的 URL !!
    # /private2other 不包含其內 !!
</Location>

<Location ~ "/(extra|special)/data">
    # "~"    使用 regex
    # "|"    OR
    # "?"    matches any single character (不包括"/")
    # "*"    matches any sequences of characters (不包括"/")
</Location>

welcome.conf

# 在 Centos 安裝 Apache 時, 就會有 /etc/httpd/conf.d/welcome.conf

# 它的目的是當訪問空目錄時就會出 403 並且不會 list dictionary

<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noindex.html
</LocationMatch>

Override it in the appropriate virtual host

<LocationMatch "^/+$">
    Options +Indexes
</LocationMatch>

LocationMatch

與 Location 的分別:

regex version of <Location>
argument as regular expression instead of a simple string

i.e.

# match URLs that contained the substring /extra/data or /special/data (not start with)
<LocationMatch "/(extra|special)/data">
    # ...
</LocationMatch>

named groups capture

Support from 2.4.8 onwards

named groups and backreferences are captured and written to the environment

with the corresponding name prefixed with "MATCH_" and in upper case.

In order to prevent confusion, numbered (unnamed) backreferences are ignored.

<LocationMatch "^/combined/(?<sitename>[^/]+)">
    Require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example
</LocationMatch>