当前位置: 文江博客话题详情

如何使用 .htaccess 保护服务器目录

发布于 2024-08-14 22:50:27 字数 398 浏览 2 评论 0原文

我设计了一个网站,其中有一系列与我的系统交互的 PHP 脚本。例如,如果用户上传图像,则由脚本处理

image.php

,如果用户登录,则由脚本处理

login.php

所有这些脚本都存储在名为:scripts 的文件夹中,

但是,如何确保某人无法访问这些页面仍然确保它们可以被系统使用吗?我想确保PHP页面能够接受post值、获取值并且可以重定向到其他页面,但不能通过地址栏直接访问或下载?

我尝试使用 deny from allLimit GET, POST 来阻止使用 .htaccess 进行访问,但这阻止了系统工作,因为我根本无法访问这些文件。

原文

I have designed a website, and within it I have a range of PHP scripts which interact with my system. For example, if a user uploads an image, this is processed by the script

image.php

and if a user logs in this is processed by the script

login.php

All these scripts are stored in the folder called: scripts

How do I ensure someone cannot access these pages, however still ensure they can be used by the system? I want to ensure the PHP pages will accept post values, get values and can redirect to other pages, but not be directly accessed via the address bar or downloaded?

I attempted to block access using .htaccess using deny from all and Limit GET, POST but this prevented the system from working as I could not access those files at all.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

烟火散人牵绊 2024-08-21 22:50:27

使用 htaccess 阻止文件会使请求者(例如页面的访问者)无法访问这些文件。所以你需要一个代理文件来将访问者的请求传递给文件。为此,请查看 MVC 模式 和前端控制器模式

基本上,您需要做的就是将所有请求路由到单个入口点,例如index.php,并从那里决定调用哪个操作(您的脚本)来处理请求。然后,您可以将脚本和模板放在可公开访问的文件夹之外,或者,如果这是不可能的(在某些共享主机上),请像您已经做的那样使用 htaccess 保护文件夹(拒绝所有)。

要使用上传脚本,您需要一个类似 http://example.com/index.php?action=upload 的 URL。

一个超级简单的 FrontController 就这么简单

$scriptPath      = 'path/to/your/scripts/directory/';
$defaultAction   = 'action404.php';
$requestedAction = $_GET['action']; // you might want to sanitize this

switch($action) {
    case 'upload':
        $actionScript = 'image.php';
        break;
    case 'login':
        $actionScript = 'login.php';
        break;
    default:
        $actionScript = $defaultAction;
}
include $scriptPath . $actionScript;
exit;

然后,您的动作脚本将执行您需要对请求执行的所有操作,包括重定向、数据库访问、身份验证、上传内容、渲染模板等 - 任何您认为必要的操作。上面示例中的默认操作可能如下所示:

<?php // action404.php
    header('HTTP/1.1 404 File Not Found');
    fpassthru('path/to/template/directory/error404.html');

有许多实现PHP 中的 FrontController 模式。有些简单,有些复杂。 CodeIgniter 框架 使用轻量级的 MVC/FrontController 实现,如果您不熟悉的话,它可能不会太复杂。

就像 Atli 上面建议的那样,您可以使用 mod_rewrite 强制所有请求发送到 index.php,您也可以使用它来美化您的 URL。这是 MVC 框架的常见做法,并且已在此处和其他地方进行了广泛介绍。

Blocking files with htaccess makes the files inaccessible to the requestor, e.g. the visitor of the page. So you need a proxy file to pass the visitor's request to the files. For that, have a look at the MVC pattern and the Front Controller pattern.

Basically, what you will want to do is route all requests to a single point of entry, e.g. index.php and decide from there, which action(your scripts) is called to process the request. Then you could place your scripts and templates outside the publicly accessible folder or, if that is impossible (on some shared hosts), protect the folders with htaccess like you already did (DENY FROM ALL) then.

To use the upload script you'd have a URL like http://example.com/index.php?action=upload.

A supersimple FrontController is as easy as

$scriptPath      = 'path/to/your/scripts/directory/';
$defaultAction   = 'action404.php';
$requestedAction = $_GET['action']; // you might want to sanitize this

switch($action) {
    case 'upload':
        $actionScript = 'image.php';
        break;
    case 'login':
        $actionScript = 'login.php';
        break;
    default:
        $actionScript = $defaultAction;
}
include $scriptPath . $actionScript;
exit;

Your actionScript would then do everything you need to do with the request, including redirection, db access, authentication, uploading stuff, rendering templates, etc - whatever you deem necessary. The default action in the example above could look like this:

<?php // action404.php
    header('HTTP/1.1 404 File Not Found');
    fpassthru('path/to/template/directory/error404.html');

There is numerous implementations of the FrontController pattern in PHP. Some simple, some complex. The CodeIgniter framework uses a lightweight MVC/FrontController implementation that might not be too overwhelming if this is new to to you.

Like Atli above suggested, you could use mod_rewrite to force all requests to index.php and you could also use it to pretty up your URLs. This is common practice with MVC frameworks and has been covered extensively here and elsewhere.

回复 原文
再见回来 2024-08-21 22:50:27

您无法真正阻止对文件的直接请求,同时仍然可以让其他请求访问它们。您能做的最好的事情就是掩盖它们的位置,并控制它们的访问方式。

您可以采取的一种方法是创建一个 PHP“switch”脚本,其中包含您的脚本,而不是让 Apache 直接请求它们。

例如,如果您有 scripts/image.php 规则目标 switch.php?file=image.php,有点像:

RewriteRule ([^\.]+\.(jpe?g|png|gif)$ switch.php?file=image.php&rw=1&meta=$1 [L,QSA]

您可以添加 deny from allscripts/.htaccess 文件,并在 switch.php 文件中执行此操作。

<?php
/** File: switch.php **/
$allowed_files = array(
    'login.php',
    'image.php'
);
$script_dir = 'scripts/';
if(isset($_POST['rw']) && in_array($_REQUEST['file'], $allowed_files)) {
    include $script_dir . $allowed_files[$_REQUEST['file']];
}
else {
    header('HTTP/1.1 404 File Not Found');
    include 'error404.html'; // Or something to that effect.
}
?>

$_POST['rw'] 有一个弱检查,查看规则是否来自 RewriteRule,旨在防止对文件的直接请求。如果您知道它的存在,那么很容易绕过它,但可以有效应对机器人等的随机请求。

这样,对 scripts/image.phpswitch.php?file=image.php 的直接请求将会失败,但对任何图像文件的请求都会触发 scripts/image.php 脚本。

You can't really prevent direct requests to the files, and still have them remain accessible to other requests. The best you can do is mask their location, and control how they are accessed.

One way you could go is to create a PHP "switch" script, which would include the scripts for you, rather than have Apache request them directly.

For example, if you had your scripts/image.php rule target switch.php?file=image.php instead, somewhat like:

RewriteRule ([^\.]+\.(jpe?g|png|gif)$ switch.php?file=image.php&rw=1&meta=$1 [L,QSA]

You could add deny from all to the scripts/.htaccess file and do this in your switch.php file.

<?php
/** File: switch.php **/
$allowed_files = array(
    'login.php',
    'image.php'
);
$script_dir = 'scripts/';
if(isset($_POST['rw']) && in_array($_REQUEST['file'], $allowed_files)) {
    include $script_dir . $allowed_files[$_REQUEST['file']];
}
else {
    header('HTTP/1.1 404 File Not Found');
    include 'error404.html'; // Or something to that effect.
}
?>

The $_POST['rw'] there is a weak check, to see if the rule came from a RewriteRule, meant to prevent direct requests to the file. Pretty easy to bypass if you know it is there, but effective against random requests by bots and such.

This way, direct requests to either scripts/image.php and switch.php?file=image.php would fail, but requests to any image file would trigger the scripts/image.php script.

回复 原文
海风掠过北极光 2024-08-21 22:50:27

您可以在 .htaccess 上设置拒绝所有文件,并包含某些可访问目录中的这些文件

You can set deny from all on .htaccess and include these files from some accessible directory

回复 原文
怂人 2024-08-21 22:50:27

我想确保PHP页面能够接受post值、获取值并且可以重定向到其他页面,但不能通过地址栏直接访问或下载?

只要 Apache 配置为将所有 .php 文件与 PHP 应用程序关联,就没有人可以下载 PHP 内容本身。因此,如果有人浏览“mysite.com/image.php”,PHP 将运行。用户将看不到您的 PHP 内容。

这应该已经在您的 httpd.conf 文件中完成,如下所示:

  • AddType application/x-httpd-php .php .phtml

现在,image.php 将需要某些 post 参数。如果没有像 Atli 上面建议的那样实现 MVC 架构,您可以优雅且安全地处理任何缺失的参数(如果未提供)。然后,用户可以直接访问该页面,但不能对其进行任何操作。

I want to ensure the PHP pages will accept post values, get values and can redirect to other pages, but not be directly accessed via the address bar or downloaded?

As long as Apache is configured to associate all .php files with the PHP application, no one can download the PHP content itself. So, if someone browsed to "mysite.com/image.php", PHP will run. The user will NOT see your PHP content.

This should already by done in your httpd.conf file as :

  • AddType application/x-httpd-php .php .phtml

Now, image.php will be expecting certain post parameters. Short of implementing an MVC architecture as Atli suggested above, you could gracefully and securely deal with any missing parameters if they aren't provided. Then, users can get to the page directly but not do anything with it.

回复 原文
刘备忘录 2024-08-21 22:50:27

许多应用程序只是将脚本之类的文件放在公共文件夹(例如 /public_html/ 或 /www/)中,而不是放在与公共文件夹相同的根文件夹中。

所以不
根/public_html/ 和
根/public_html/scripts/

但是
根/public_html/ 和
root/scripts/

公共文件夹上方的文件夹中的任何内容都无法被访问者访问,但是通过在 /public_html/index.php 中指定文件“../scripts/yourscript.php”,PHP 可以访问这些文件并且游客不能。 (文件夹 ../ 表示“在文件夹层次结构中向上一级”)

A lot of applications just put files like your scripts not in the public (like /public_html/ or /www/) folder but in the same root folder as your public folder.

so not
root/public_html/ and
root/public_html/scripts/

but
root/public_html/ and
root/scripts/

Anything in a folder above the public folder can't be accessed by visitors, but by specifying in for example /public_html/index.php the file '../scripts/yourscript.php' PHP can access these files and visitors can't. (the folder ../ means "go up one step in the folder hierarchy")

回复 原文
~没有更多了~

关于作者

可是我不能没有你

暂无简介

0 文章
0 评论
21 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

yangzhenyu123

文章 0 评论 0

lvzun

文章 0 评论 0

执笔绘流年

文章 0 评论 0

芯好空

文章 0 评论 0

始于初秋

文章 0 评论 0

谁与争疯

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文