Last updated: 2021-01-06
Contents
- mod_access
- Satisfy - Authentication / access directives
- Deny by URL Parameters
mod_access
This functionality is provided by mod_access.
Order Deny,Allow # Sets the order in which the Allow and Deny rules are evaluated
Allow from [all | host1 [host2]]
Deny from [all | host1 [host2]]
Format:
network:
Allow from 10.1.0.0/16
Example:
Only allow the IP 192.168.123.21:
<Directory "/var/www/phpmyadmin/">
Options -Indexes
Order Allow,Deny
Allow from 192.168.123.21
</Directory>
Question: with the following configuration, can 192.168.123.10 reach the web server?
Order Allow,Deny
Deny from All
Allow from 192.168.123.10
Answer: No, it cannot.
# The textual position of "Allow from" and "Deny from" lines does not matter; their evaluation order is set by Order.
# When an Allow and a Deny both match (a conflict), the keyword listed last in Order wins.
# When no rule matches at all, the keyword listed last in Order is the default state.
Notes
When "Require valid-user" is used, it is ANDed with the IP ACL (Allow/Deny from); both must pass.
e.g. the following configuration returns 403 straight away and never prompts the user to log in:
Order allow,deny
#Allow from all
Require valid-user
If you are not using the IP ACL, set "Order Deny,Allow" or add "Allow from All",
so that only "Require valid-user" is checked.
Satisfy - Authentication / access directives
- Satisfy Any: Allows the request if any requirement is met (authentication OR access)
- Satisfy All: Allows the request only if both requirements are met (authentication AND access) <-- Default
Example
* Goal: people from your LAN (192.168.0) get full access without being prompted for a password. Starting point, password required for everyone:
<Directory /home/www/private>
AuthUserFile /home/www/.htpasswd
AuthType Basic
AuthName MySite
Require valid-user
</Directory>
The same directory with the LAN exception added (Satisfy any lets the IP ACL alone be enough):
<Directory /home/www/private>
AuthUserFile /home/www/.htpasswd
AuthType Basic
AuthName MySite
Require valid-user
Order allow,deny
Allow from 192.168.0
Satisfy any
</Directory>
A noprotect folder inside the private folder (no IP or login restriction):
<Directory /home/www/private/noprotect>
Order allow,deny
Allow from all
Satisfy any
</Directory>
IP restriction & password protection:
<Directory /home/www/super-secret>
AuthUserFile /home/www/.htpasswd
AuthType Basic
AuthName MySite
Require valid-user
Order allow,deny
Allow from 172.16.0
Satisfy all
</Directory>
Remark
When using "Require valid-user", do not add "Order deny,allow" together with "Deny from all", otherwise it will not work,
because the default is Satisfy all: the IP ACL and the login must both pass, and "Deny from all" rejects everyone before the login is considered.
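As an added illustration (not code from the original page), a small Python evaluator that models the mod_access Order rules and the Satisfy any/all combination with "Require valid-user" described above, so the conflict rule, the default state and the AND/OR behaviour can be checked against this page's examples. It assumes only "all", CIDR, full-IP or partial dotted-address specs (no hostnames) and stands in for Basic auth with a boolean.

```python
import ipaddress

def _matches(client, spec):
    """One 'Allow/Deny from' host spec: 'all', a CIDR, a full IP, or a
    partial dotted address such as '192.168.0' (whole leading octets)."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)
    return client == spec or client.startswith(spec.rstrip(".") + ".")

def ip_acl_allows(client, order, allow, deny):
    """Evaluate the mod_access IP ACL for 'Order Allow,Deny' / 'Order Deny,Allow'.
    allow/deny hold the host specs of every 'Allow from' / 'Deny from' line;
    their textual position is irrelevant, only the Order keywords matter."""
    last = order.split(",")[1].strip().lower()   # 'allow' or 'deny'
    allowed = any(_matches(client, s) for s in allow)
    denied = any(_matches(client, s) for s in deny)
    if allowed and denied:
        return last == "allow"   # conflict: the keyword listed last in Order wins
    if allowed or denied:
        return allowed           # exactly one side matched
    return last == "allow"       # nothing matched: default state is the last keyword

def access_granted(client, order, allow, deny, require_valid_user=False,
                   authenticated=False, satisfy="all"):
    """Combine the IP ACL with 'Require valid-user' the way Satisfy does:
    'all' (default) ANDs them, 'any' ORs them. 'authenticated' stands in for
    a successful Basic auth check (hypothetical boolean, no real auth here)."""
    acl_ok = ip_acl_allows(client, order, allow, deny)
    if not require_valid_user:
        return acl_ok
    if satisfy.lower() == "any":
        return acl_ok or authenticated
    return acl_ok and authenticated

def page_question():
    """The question above: Order Allow,Deny / Deny from All / Allow from
    192.168.123.10 -- can 192.168.123.10 get in? Returns False (denied)."""
    return ip_acl_allows("192.168.123.10", "Allow,Deny",
                         allow=["192.168.123.10"], deny=["All"])

if __name__ == "__main__":
    print("192.168.123.10 reaches the server:", page_question())
    # Notes example: Order allow,deny with no Allow line plus Require valid-user
    # is 403 even for a valid user, because Satisfy all ANDs the two checks.
    print("valid user, no Allow line:", access_granted("203.0.113.7", "allow,deny", [], [],
                                                      require_valid_user=True, authenticated=True))
```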
Deny by URL Parameters
Method: check the query string "%{QUERY_STRING}"
In 2.4:
Check "%{QUERY_STRING}" with <If>
<If "%{QUERY_STRING} =~ /action=deny/">
Require all denied
</If>
In 2.2:
Check "%{QUERY_STRING}" with mod_rewrite
RewriteEngine ON
RewriteCond %{QUERY_STRING} nocache [NC]
RewriteRule .* - [F]