<Directory> <Files> <FilesMatch> <Location>

Last updated: 2019-05-23


 

 


Priority order

 

  • <Location>                        <-- highest priority (takes effect immediately)
  • <Files>  <FilesMatch>     <-- when <Files> and <FilesMatch> conflict, the one that appears last wins
  • <Directory>

 


Files and FilesMatch

 

Files:

(1) Applies to matched filenames (supports "*" and "?")

<Files *.ini>
    deny from all
</Files>


<Files "?at.*">
    # This would apply to cat.html, bat.html, hat.php and so on.
</Files>

(2) Some files need to be kept secret ("~" => use regular expressions)

<Files ~ "\.(htaccess|htpasswd|ini|bak|old|log|sh|sql)$">
    deny from all
</Files>

(3) A folder with mode 777 must never be allowed to run php, html, js

<Files ~ "\.(php|html|htm|js)$">
    deny from all
</Files>

FilesMatch:

Applies to filenames matched by a regular expression

<FilesMatch "\.(gif|jpe?g|png)$">
    # Takes a regular expression directly
</FilesMatch>

Usage

Block files that start with "." (e.g. .gitignore)

<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>

 


DirectoryMatch

 

 * "<Directory>" takes a full path (e.g. /home/vhost/...), while "<DirectoryMatch>" takes a regex

 * DirectoryMatch cannot be written in .htaccess

e.g.

Define RoundcubeRoot /usr/share/roundcubemail
<DirectoryMatch "^${RoundcubeRoot}/(config|temp|logs)">
    Require all denied
</DirectoryMatch>

# Block folders that start with "." (e.g. .git/ .vscode/ .history/)

# "\/\." means it matches "/."
<DirectoryMatch "\/\.">
  Require all denied
</DirectoryMatch>

* Note: ".well-known" will also be blocked

Improved version

<DirectoryMatch "\/\.(?!well-known)">
  Require all denied
</DirectoryMatch>
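
An added example (not part of the original notes): a Python check of the two DirectoryMatch patterns above, plus the earlier dotfile and secret-file patterns, against constructed filesystem paths. It assumes Python's re module treats these patterns the same way Apache's PCRE does; the function names and sample paths are hypothetical.

```python
import posixpath
import re

# Patterns copied from the page's directives.
DIR_BASIC = re.compile(r"\/\.")                      # <DirectoryMatch "\/\.">
DIR_WELL_KNOWN = re.compile(r"\/\.(?!well-known)")   # improved version
FILE_DOT = re.compile(r"^\.")                        # <FilesMatch "^\.">
FILE_SECRET = re.compile(r"\.(htaccess|htpasswd|ini|bak|old|log|sh|sql)$")

# Constructed sample paths (not taken from any real server).
SAMPLES = [
    "/var/www/site/index.php",
    "/var/www/site/.git/config",
    "/var/www/site/.well-known/acme-challenge/token",
    "/var/www/site/.well-known/.git/HEAD",
    "/var/www/site/.well-known-backup/dump.sql",
    "/var/www/site/.htaccess",
    "/var/www/site/backup.sql.gz",
]


def denied_by(path, dir_pattern=DIR_WELL_KNOWN):
    """Return the rules that would deny a filesystem path.

    Simplified model (assumption): the DirectoryMatch pattern is searched
    in the directory part, the Files/FilesMatch patterns in the file name.
    """
    directory, filename = posixpath.split(path)
    hits = []
    if dir_pattern.search(directory):
        hits.append("DirectoryMatch")
    if FILE_DOT.search(filename):
        hits.append("FilesMatch-dot")
    if FILE_SECRET.search(filename):
        hits.append("Files-secret")
    return hits


def audit(dir_pattern=DIR_WELL_KNOWN):
    """Map every sample path to the list of rules that deny it."""
    return {p: denied_by(p, dir_pattern) for p in SAMPLES}


if __name__ == "__main__":
    for path, hits in audit().items():
        print(f"{'DENY ' if hits else 'ALLOW'} {path} {hits}")
```

The .well-known-backup and backup.sql.gz rows show two gaps worth closing before deployment: the lookahead exempts every directory whose name merely starts with ".well-known", and the "$"-anchored extension list does not cover compressed copies.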

Implementing DirectoryMatch-style protection in .htaccess

Using RedirectMatch

# For vscode IDE
RedirectMatch 404 /\.vscode
RedirectMatch 404 /\.history
RedirectMatch 404 /\.git
RedirectMatch 404 /\.gitignore

Using RewriteRule

RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|vendor|program\/(include|lib|localization|steps)) - [F]

Remark

nginx setting

location ~ /\. { deny all; }

 


Location and LocationMatch

 

# Location can only be used inside the server and vhost config !!

<Location "/private1">
    # requests to /private1, /private1/ and /private1/file.txt
</Location>

<Location /private2/>
    # Different filesystem locations can share the same URL !!
    # /private2other is not included !!
</Location>

<Location ~ "/(extra|special)/data">
    # "~" Regular expressions can also be used
    # "|" OR
    # ? matches any single character (not including "/")
    # * matches any sequence of characters (not including "/")
</Location>

welcome.conf

# When Apache is installed on CentOS, there is an /etc/httpd/conf.d/welcome.conf

# With it, an empty directory returns 403 and the directory is not listed

<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noindex.html
</LocationMatch>

Override it in the appropriate virtual host

<LocationMatch "^/+$">
    Options +Indexes
</LocationMatch>

LocationMatch

Differences from Location:

 - takes its argument as a regular expression instead of a simple string.

 - regex version of <Location>

e.g.

# matches URLs that contain the substring /extra/data or /special/data (not only at the start)
<LocationMatch "/(extra|special)/data">
    # ...
</LocationMatch>

named groups capture

Supported from 2.4.8 onwards.

Named groups and backreferences are captured and written to the environment, with the corresponding name prefixed with "MATCH_" and in upper case.

In order to prevent confusion, numbered (unnamed) backreferences are ignored.

<LocationMatch "^/combined/(?<sitename>[^/]+)">
    Require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example
</LocationMatch>

Remark

On the filesystem, /home///foo is equivalent to /home/foo, but in URL space that is not necessarily the case

 

 


Files

 

<Files "test.txt">
    # Applies to test.txt in any directory
</Files>

<Files "?at.*">
    # This would apply to cat.html, bat.html, hat.php and so on.
</Files>

<Files ~ "\.(gif|jpe?g|png)$">
    # regular expression
</Files>

 

 


Testing Code

 

<Directory /home/vhosts/datahunter.org/web/test/>
        Order Allow,Deny
        Allow from 127.0.0.1
</Directory>

<Location /test/>
       Order Allow,Deny
       Allow from ALL
</Location>

<FilesMatch "\.txt$">
        Order Allow,Deny
        Allow from 127.0.0.1
</FilesMatch>

<Files "test.txt">
        Order Allow,Deny
        Allow from 127.0.0.1
</Files>