.htaccess mod-rewrite 与子文件夹身份验证冲突
我有一个网站,它使用 .htaccess 将所有不存在的文件/文件夹请求重定向到索引文件:
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule !admin/* index.php [NC,L]
有一个文件夹“admin/”,在 .htaccess 中有以下内容用于身份验证:
AuthType Basic
AuthName "admin"
AuthUserFile "/path/to/passwd"
require valid-user
在中添加 auth .htaccess 文件“admin/”导致请求被 mod-rewrite 捕获,而不是提供身份验证响应。我尝试了一些不同的方法来解决这个问题(包括: htaccess 重写和身份验证冲突),但无法进行任何购买。
谢谢。
编辑:如果我已经通过身份验证,则重写规则有效允许我访问“admin/”文件夹。所以看来是身份验证挑战在做一些奇怪的事情。
I have a site which redirects all requests for files/folders which don't exist to an index file using .htaccess:
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule !admin/* index.php [NC,L]
There is a folder "admin/" which has the following in .htaccess for auth:
AuthType Basic
AuthName "admin"
AuthUserFile "/path/to/passwd"
require valid-user
Adding the auth .htaccess file in "admin/" causes the request to be trapped by mod-rewrite instead of providing the authentication response. I've tried a few different things trying to work around this (including this: htaccess rewrite and auth conflict), but couldn't get any purchase.
Thanks.
EDIT: If I'm already authenticated, the rewrite rule works allowing me to access the "admin/" folder. So it seems that it's the authentication challenge that's doing something wonky.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
我有同样的问题,而且我还发现了这个相关问题:htaccess 重写和身份验证冲突
那里的答案之一让我了解了我的问题。 Apache 试图查找 401 错误的文档,但失败了。我添加了一个文档 /401.html 并将其与 Auth 语句一起添加到 .htaccess 文件中。
ErrorDocument 401 /401.html
现在,它对我有用!
I had this same question, and I also found this related question: htaccess rewrite and auth conflict
One of the answers there clued me into my problem. Apache was trying to find a document for the 401 error and failing. I added a document /401.html and added this to the .htaccess file with the Auth statements.
ErrorDocument 401 /401.html
Now, it works for me!
如果以上都不适合您的场景,也可以使用 php 脚本完成基本身份验证
If none of above works for your scenario, Basic Authentication can also be done using php script
当您说您尝试了其他帖子中的解决方案时,您的代码是什么样的?
像这样的事情:
我不明白为什么这不起作用。
when you say you tried the solution from the other post, what did your code look like?
Something like this:
I don't see why that wouldn't work.
让我建议重写规则的简化形式:
这结合了 Matthew 的建议,即根据
/admin/
检查路径(在.htaccess
文件中省略前导斜杠)。使用 a 。
您可能还需要在第一个
RewriteCond
行之前Let me suggest a simplified form for the rewriting rules:
This incorporates Matthew's suggestion of checking the path against
/admin/
(in.htaccess
files you omit the leading slash).You might also need to use a
before the first
RewriteCond
line.如果您在服务器上运行 mod_dir,当您的重写规则与诸如 mydomain/mypage/foldername 之类的文件夹冲突时,它会添加流行的正斜杠/,则 mod_dir 会在文件夹名称/的末尾打上正斜杠,因为它是一个真正的目录(如果您的规则指定)在 htaccess 中不遵循索引(选项 -Indexes)并且文件夹中没有任何内容,那么您的规则就可以了,如果文件夹中除了索引之外还有其他内容,那么预计您的 url 会发生这种情况:mydomain/mypage/ foldername/?request=mypage/foldername
由于这是 cPanel 的默认配置,因此问题不是您的错,而是配置中的巨大冲突,使黑客能够识别脚本请求和目录结构。
如果您无法在服务器的 http.conf 中禁用多视图,我没有任何解决方案,因为大多数 htacces 解决方案都会导致重定向循环。
这是 cPanel 未报告的冲突/错误,因此不要屏息以待解决方案,解决方法可能是将您的整个项目嵌套在单个文件夹中并在内部调用页面。
If you gots mod_dir running on the server which adds prevailing forwardslashes/ when your rewrite rule conflicts with a folder such as mydomain/mypage/foldername the mod_dir slaps a forwardslash on the end of foldername/ as it is a real dir, if your rules specify in the htaccess to not follow indexes (Options -Indexes) and there is nothing in the folder then your rules will be ok, if there is something in the folder other than an index then expect this to happen to your url: mydomain/mypage/foldername/?request=mypage/foldername
As this is the default configuration of cPanel the issue is not your fault, it is a massive conflict in teh configuration that enables hackers to identify script requests and directory structures.
I do not have any solution if you are unable to disable multiviews in the http.conf of the server as most htacces solutions result in a redirect loop.
This is an unreported conflict/bug to cPanel so dont hold your breath for a solution, a workarround could be to nest your wntire project in a single folder and call pages internally.