当前位置: 文江博客话题详情

.htaccess mod-rewrite 与子文件夹身份验证冲突

发布于 2024-09-08 06:09:59 字数 741 浏览 0 评论 0原文

我有一个网站,它使用 .htaccess 将所有不存在的文件/文件夹请求重定向到索引文件:

RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d 
RewriteRule ^.*$ - [NC,L]
RewriteRule !admin/* index.php [NC,L]

有一个文件夹“admin/”,在 .htaccess 中有以下内容用于身份验证:

AuthType Basic
AuthName "admin"
AuthUserFile "/path/to/passwd"
require valid-user

在中添加 auth .htaccess 文件“admin/”导致请求被 mod-rewrite 捕获,而不是提供身份验证响应。我尝试了一些不同的方法来解决这个问题(包括: htaccess 重写和身份验证冲突),但无法进行任何购买。

谢谢。

编辑:如果我已经通过身份验证,则重写规则有效允许我访问“admin/”文件夹。所以看来是身份验证挑战在做一些奇怪的事情。

原文

I have a site which redirects all requests for files/folders which don't exist to an index file using .htaccess:

RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d 
RewriteRule ^.*$ - [NC,L]
RewriteRule !admin/* index.php [NC,L]

There is a folder "admin/" which has the following in .htaccess for auth:

AuthType Basic
AuthName "admin"
AuthUserFile "/path/to/passwd"
require valid-user

Adding the auth .htaccess file in "admin/" causes the request to be trapped by mod-rewrite instead of providing the authentication response. I've tried a few different things trying to work around this (including this: htaccess rewrite and auth conflict), but couldn't get any purchase.

Thanks.

EDIT: If I'm already authenticated, the rewrite rule works allowing me to access the "admin/" folder. So it seems that it's the authentication challenge that's doing something wonky.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

眉黛浅 2024-09-15 06:09:59

我有同样的问题,而且我还发现了这个相关问题:htaccess 重写和身份验证冲突

那里的答案之一让我了解了我的问题。 Apache 试图查找 401 错误的文档,但失败了。我添加了一个文档 /401.html 并将其与 Auth 语句一起添加到 .htaccess 文件中。

ErrorDocument 401 /401.html

现在,它对我有用!

I had this same question, and I also found this related question: htaccess rewrite and auth conflict

One of the answers there clued me into my problem. Apache was trying to find a document for the 401 error and failing. I added a document /401.html and added this to the .htaccess file with the Auth statements.

ErrorDocument 401 /401.html

Now, it works for me!

回复 原文
等数载,海棠开 2024-09-15 06:09:59

如果以上都不适合您的场景,也可以使用 php 脚本完成基本身份验证

<?php
session_start();
if (isset($_SESSION['newlogin'])) { 
unset($_SESSION['newlogin']);
unset($_SESSION['loggedout']);
};
$valid_passwords = array ("admin" => "mypass");
$valid_apasswords = array ("admin" => "mypass");
$valid_users = array_keys($valid_passwords);
$valid_admin = array_keys($valid_apasswords);

$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];

$avalidated = (in_array($user, $valid_admin)) && ($pass == $valid_apasswords[$user]);
$uvalidated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);
$validated = (($uvalidated == true) || ($avalidated == true)) ;

if (!$validated || isset($_SESSION['loggedout'])) {
        $_SESSION['newlogin'] = true;
        header('WWW-Authenticate: Basic realm="Login Area"');
        header('HTTP/1.0 401 Unauthorized');
        ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<div id="messagebox">Authorisation Required.</div>
</body>
</html>
        <?php
        exit;
};

?>

If none of above works for your scenario, Basic Authentication can also be done using php script

<?php
session_start();
if (isset($_SESSION['newlogin'])) { 
unset($_SESSION['newlogin']);
unset($_SESSION['loggedout']);
};
$valid_passwords = array ("admin" => "mypass");
$valid_apasswords = array ("admin" => "mypass");
$valid_users = array_keys($valid_passwords);
$valid_admin = array_keys($valid_apasswords);

$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];

$avalidated = (in_array($user, $valid_admin)) && ($pass == $valid_apasswords[$user]);
$uvalidated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);
$validated = (($uvalidated == true) || ($avalidated == true)) ;

if (!$validated || isset($_SESSION['loggedout'])) {
        $_SESSION['newlogin'] = true;
        header('WWW-Authenticate: Basic realm="Login Area"');
        header('HTTP/1.0 401 Unauthorized');
        ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<div id="messagebox">Authorisation Required.</div>
</body>
</html>
        <?php
        exit;
};

?>
回复 原文
岁月无声 2024-09-15 06:09:59

当您说您尝试了其他帖子中的解决方案时,您的代码是什么样的?

像这样的事情:

RewriteCond %{REQUEST_URI} !/admin/

我不明白为什么这不起作用。

when you say you tried the solution from the other post, what did your code look like?

Something like this:

RewriteCond %{REQUEST_URI} !/admin/

I don't see why that wouldn't work.

回复 原文
假扮的天使 2024-09-15 06:09:59

让我建议重写规则的简化形式:

RewriteCond %{REQUEST_FILENAME} !-s
RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteRule !^admin/ index.php [NC,L]

这结合了 Matthew 的建议,即根据 /admin/ 检查路径(在 .htaccess 文件中省略前导斜杠)。

使用 a 。

RewriteBase /

您可能还需要在第一个 RewriteCond 行之前

Let me suggest a simplified form for the rewriting rules:

RewriteCond %{REQUEST_FILENAME} !-s
RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteRule !^admin/ index.php [NC,L]

This incorporates Matthew's suggestion of checking the path against /admin/ (in .htaccess files you omit the leading slash).

You might also need to use a

RewriteBase /

before the first RewriteCond line.

回复 原文
人海汹涌 2024-09-15 06:09:59

如果您在服务器上运行 mod_dir,当您的重写规则与诸如 mydomain/mypage/foldername 之类的文件夹冲突时,它会添加流行的正斜杠/,则 mod_dir 会在文件夹名称/的末尾打上正斜杠,因为它是一个真正的目录(如果您的规则指定)在 htaccess 中不遵循索引(选项 -Indexes)并且文件夹中没有任何内容,那么您的规则就可以了,如果文件夹中除了索引之外还有其他内容,那么预计您的 url 会发生这种情况:mydomain/mypage/ foldername/?request=mypage/foldername

由于这是 cPanel 的默认配置,因此问题不是您的错,而是配置中的巨大冲突,使黑客能够识别脚本请求和目录结构。

如果您无法在服务器的 http.conf 中禁用多视图,我没有任何解决方案,因为大多数 htacces 解决方案都会导致重定向循环。

这是 cPanel 未报告的冲突/错误,因此不要屏息以待解决方案,解决方法可能是将您的整个项目嵌套在单个文件夹中并在内部调用页面。

If you gots mod_dir running on the server which adds prevailing forwardslashes/ when your rewrite rule conflicts with a folder such as mydomain/mypage/foldername the mod_dir slaps a forwardslash on the end of foldername/ as it is a real dir, if your rules specify in the htaccess to not follow indexes (Options -Indexes) and there is nothing in the folder then your rules will be ok, if there is something in the folder other than an index then expect this to happen to your url: mydomain/mypage/foldername/?request=mypage/foldername

As this is the default configuration of cPanel the issue is not your fault, it is a massive conflict in teh configuration that enables hackers to identify script requests and directory structures.

I do not have any solution if you are unable to disable multiviews in the http.conf of the server as most htacces solutions result in a redirect loop.

This is an unreported conflict/bug to cPanel so dont hold your breath for a solution, a workarround could be to nest your wntire project in a single folder and call pages internally.

回复 原文
~没有更多了~

关于作者

傾旎

暂无简介

0 文章
0 评论
20 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

qq_otekVRB4

文章 0 评论 0

阿杰

文章 0 评论 0

姐不稀罕

文章 0 评论 0

qq_pphr7

文章 0 评论 0

━╋う一瞬間旳綻放

文章 0 评论 0

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文