使用 .htaccess 文件保护网站目录安全吗?
我想知道使用 .htaccess 文件(使用公共 apache webroot 之外的 .htpasswd 文件)保护 Web 目录是否是保护目录(及其内容)的安全方法。
有人可以解释这种保护的注意事项吗?
I was wondering if protecting a web directory with an .htaccess file (with the .htpasswd file outside the public apache webroot) is a secure way to protect a directory (and its contents).
Could someone explain the Do's and Don'ts of this kind of protection?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
如果您使用标准 http 协议,身份验证将在不受保护的情况下通过网络传递。 这被认为不安全,因为有人可以嗅探密码。
如果你限制对 https 的访问,那是相当安全的。 这意味着安装并启用用于 ssl 加密 http 流量的 apache 模块(端口 433,浏览器地址行中的 https://),并在端口 80 上禁用此目录的标准 http 流量。用户名和密码将为 ssl加密的。 请务必选择一个好的密码(足够长且复杂,不可能被猜测或暴力破解)。
Apache 配置可能很棘手,因此要非常小心地保持简单并针对可能的错误进行测试。
如果您了解并控制它,那么将访问限制配置从 .htaccess 文件移至主 apache 配置文件可能是个好主意。 您也可以更轻松地将其保留在 .htacces 文件中。 而且“简单”可以更安全。 以您感觉简单、安全、易于维护和记住的方式进行操作。
这是一个简单的设置,可以增强安全性并防止意外发生:
如果您在受保护目录所在的计算机上配置了 php 和电子邮件,则可以编写一个简单的警报脚本。 只是一个 php 文件“alarm.php”,其中只有一行,其中包含 php 邮件功能,该功能会向您发送一封电子邮件,告诉您 htaccess 保护不起作用。
如果您的域和目录路径是“http://mybox.example.com/secretdir/alarm。 php”,您可以在另一台计算机上的浏览器中输入此内容,只要“打开”htaccess,您就应该收到该邮件。 如果它受到保护,您可以输入用户名和密码,您也会收到邮件。
要从中发出自动警报,您可以使用不同的 unix 框,尝试每 15 分钟左右获取此 url。 crontab 行:
*/15 * * * * user1 wget http://mybox.example .com/secretdir/alarm.php
user1是本机上允许运行wget的用户,并且必须安装wget。
您可以禁用 htaccess 保护作为测试,并且应该每 15 分钟收到一次邮件。
根据我的经验,这是一个常见的安全缺陷,当您在不知情的情况下更改某些内容时,您认为受保护的目录会失去保护,这样您就会收到警告您的电子邮件。
The authentication will be passed unprotected over the net if you use the standard http protocol. This is not regarded as safe, as someone could sniff the password.
If you restrict acces to https it is quite safe. This would mean to install and enable the apache module for ssl encrypted http traffic (port 433, https:// in the adress line of the browser) and disable the standard http traffic for this directory on port 80. Username and Password will be ssl encrypted. Be sure to select a good password (long and complex enough, not possible to guess or brute force).
Apache configuration can be tricky, so take a lot of care to keep it simple and test against possible mistakes.
It can be a good idea to move the access restriction configuration from the .htaccess file to the main apache configuration file if you have knowledge and control of it. Could also be easier for you to keep it in the .htacces file. And "easy" can be safer. Do it the way it feels simple and safe and easy to maintain and remember for you.
This is a simple setup to enhance security and protect against accidents:
If you have php and email configured on the machine where the protected directory is you can write a simple alarm script. Just a php file "alarm.php" with a single line with the php mail function that sends you an e-mail, telling you that htaccess protection does not work.
If your domain and directory path is "http://mybox.example.com/secretdir/alarm.php" you can enter this in a browser on a different machine and you should get that mail as long as htaccess is "opened". If it is protected you can enter the username and password and you will also get the mail.
To make an automated alarm out of this you could use a different unix box that tries to get this url every 15 minutes or so. The line for the crontab:
*/15 * * * * user1 wget http://mybox.example.com/secretdir/alarm.php
user1 is a user on this machine who is allowed to run wget, and wget must be installed.
You can disable the htaccess protection as a test and should get the mail every 15 minutes.
From my experience it is a common security flaw that a directory that you think is protected looses its protection when you change something and you are not aware, this way you get the email that warns you.
据我所知,htaccess 如果被拦截,很容易被黑客攻击(如果您正在运行网络嗅探器的网吧登录)。 据我所知,摘要式身份验证有助于解决这个问题。
As far as I know, htaccess is easy to hack if it's intercepted (f.e. You are logging in from a internet cafe with a network sniffer running). As far as I know, Digest authentication helps to get over that problem.
.htaccess 是在您无权访问主配置文件/没有 root 访问权限的情况下对 Apache HTTPD 提供的资源进行每个目录配置更改的非常标准的方法。
如果您有权访问主配置,那么将所有配置(包括身份验证)放置在一个中央位置(即使它被分成多个文件)会更容易,这样就不那么容易忽略它。 根据我的经验,我可以看出,您忘记
.htaccess文件只是时间问题。官方文档多次提到应尽可能避免使用
.htaccess文件。如果使用
.htaccess是您唯一的选择,请确保遵循与主要 HTTPD 配置一样的一般安全预防措施,即防止未经授权的用户读取它们,服务器可以读取文件,确保您获得目录列表禁用,始终确保密码以加密/散列格式存储等。有关详细信息,请检查 Apache
htaccess教程.htaccess is pretty standard way how to make per-directory configuration changes for resources served by Apache HTTPD in cases where you don't have access to main configuration file/not having root access.
If you have access to main configuration, it's much easier to have all configuration (including authentication) placed in one central location (even if it's split into multiple files), where it's not so easy to overlook it. From my experience I can tell, it's just a matter of time before you forget about your
.htaccessfiles.Official documentation is mentioning on several occasions that use of
.htaccessfiles should be avoided when possible.If use of
.htaccessis your only choice, make sure you follow general security precautions as with main HTTPD config, i.e. prevent unauthorized users from reading them, files are readable by server, make sure you got directory listing disabled, always make sure password are stored in encrypted/hashed format, etc.For more info, please, check Apache
htaccesstutorial.htaccess 文件非常方便,但是......这并不能保护您免受他人利用您的代码并读取他想要的任何文件的影响。 如果您的网站(即使是一个小脚本)被利用,.htaccess 或其他解决方案都无法保护您,因为黑客将获得执行该脚本的用户的权利(通常是 www-data)。
这在 CGI 中尤其令人痛苦,但其他脚本也遭到黑客攻击。
A .htaccess file is quite handy, but... this will not protect You from someone exploiting Your code and reading any file he wants to. If Your site (even one small script) will be exploited, nor .htaccess nor other solutions will protect You, as the hacker will gain rights of the user executing the script (usually www-data).
This is especially painfull in CGI, but other scripts are being hacked as well.