Protecting a specific file on the server; is .htaccess any good?
I have a classifieds website.
As an administrator, I need to be able to remove classifieds as I wish... So I have created a very simple remove function which only requires the name of the classified.
I plan on placing it on the server ONLY when I need to remove classifieds, so it won't be there unless I upload it and plan on using it. Then I remove it when I am done.
I also plan on using .htaccess to password protect it.
Is this a good plan?
And is it possible to password protect only one file on the server with .htaccess?
If so, how?
Thanks...
You need to create a sub-directory called /admin or /remove; I don't think you can use it to secure a single file. You shouldn't need to add and remove the file when you need it; that seems like a recipe for screwing up your authorization scheme (accidentally deleting .htaccess, etc.).
If you choose a strong password and a good username (not admin or administrator), you should be just fine.
You've got two choices: <Location> or <Directory> in the server config (they can't be placed in .htaccess), or a .htaccess file.

<Location> allows you to restrict by URL, which will match regardless of where the files are physically stored on the server, but it can also be bypassed if you allow symlinks to be followed. <Directory> works the same way, but matches by physical server-side path, regardless of how the directory/file is accessed. With <Location>, you can specify an absolute path, including a file, to match on, if you want to restrict just the one file.

With .htaccess, you're essentially duplicating the <Directory> directives, but can do so without having to bounce the server to load the new configuration, at the cost of the .htaccess having to be parsed for every request.

It's best not to rely on password protection alone to secure administrative scripts, so I've added the IP address filter (Order/Deny/Allow directives) as well. Better security yet is to place the admin scripts on a completely separate domain (even if it's still hosted on the same physical server) so someone poking at random URLs on the main site won't find the administrative section.