Using apache2 server configuration to match/deny access to all subdirectories

Posted on 2024-10-21 03:29:20

How can one deny access to all subdirectories of a given directory?
(While allowing to manually modify the access rights for single items in the directory tree.)

I tried to do it with the <Directory(Match)> directives. The server configuration (000-sites-enabled) looks like this:

DocumentRoot /var/www
<Directory /var/www>
    Allow from all
    Deny from none
    Order deny,allow
</Directory>
<Directory /var/www/*>
    Deny from all
</Directory>

A query to http://localhost/ successfully displays /var/www/index.html and all queries to any subdirectories fail.

The problem is: any query to a file in the httproot fails - i.e. requesting http://localhost/index.html will result in a 403 Forbidden.

The <Directory(Match)> directives seem to actually match directories AND files!?

To see if this is true, I tried:

<Directory /var/www/i*>
    Deny from all
</Directory>

This denies access only to files/directories starting with 'i'.

Is there a way to alter this behaviour and let <Directory> match only directories? Is there another way to accomplish that all the subdirectories are denied? (besides denying all of them manually or enabling all files manually)

Comments (6)

泪冰清 2024-10-28 03:29:20

In the end, the solution turns out to be pretty simple:

<Directory /var/www/*/>
    Allow from None
    Order allow,deny
</Directory>

Note the trailing slash / after the directory pattern, which will make it match only directories, not files!

This works exactly like we would expect from the <Directory>-directive - in that it denies access only to the direct subdirectories of /var/www/.
Specified subdirectories (anywhere in the tree) can still manually be re-enabled with <Directory> directives.

This is in contrast to <DirectoryMatch> which will
- also match all files & directories in the tree and
- override all <Files> or <Directory> directives for any item in the tree.
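
A small audit script based on the behaviour reported in this thread, added here as an example and not part of the original answer: it scans a configuration for wildcard <Directory> patterns and flags those whose last segment is a wildcard without the trailing slash, which per the question also match files. The function name, verdict labels and sample configuration are constructed for illustration.

```python
import re

# Opening line of a non-regex <Directory> section; the path may be quoted.
# <DirectoryMatch ...> and <Directory ~ "regex"> are deliberately not matched.
SECTION_RE = re.compile(r'^\s*<Directory\s+(?!~)"?([^">]+?)"?\s*>', re.IGNORECASE)
WILDCARDS = set("*?[")

# Constructed sample, assembled from the snippets quoted in this thread.
SAMPLE_CONFIG = """\
DocumentRoot /var/www
<Directory /var/www>
    Order deny,allow
    Allow from all
</Directory>
<Directory /var/www/*>
    Deny from all
</Directory>
<Directory "/var/www/i*">
    Deny from all
</Directory>
<Directory /var/www/*/>
    Order allow,deny
</Directory>
<DirectoryMatch "^/var/www/(.+)/">
    Deny from all
</DirectoryMatch>
"""

def audit_directory_patterns(config_text):
    """Return (line_no, pattern, verdict) for each <Directory> whose last segment is a wildcard."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = SECTION_RE.match(line)
        if not m:
            continue
        pattern = m.group(1)
        last_segment = pattern.rstrip("/").rsplit("/", 1)[-1]
        if not WILDCARDS & set(last_segment):
            continue  # literal last segment: not the case discussed here
        # Per the thread: a trailing slash restricts the match to directories.
        verdict = "directories-only" if pattern.endswith("/") else "also-matches-files"
        findings.append((line_no, pattern, verdict))
    return findings

if __name__ == "__main__":
    for line_no, pattern, verdict in audit_directory_patterns(SAMPLE_CONFIG):
        print(f"line {line_no}: {pattern} -> {verdict}")
```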

痴者 2024-10-28 03:29:20

This did it for me.

<DirectoryMatch "^/var/www/(.+)/"> # don't put $ at the end
Order Allow,Deny
Deny From All
</DirectoryMatch>


EDIT

For not denying sub-subdirectories (comment below), add this DirectoryMatch below the one above in your configuration file:

<DirectoryMatch "^/var/www/(.+?)/(.+)/"> # again no $, see comment
Order Deny,Allow
Allow From All
</DirectoryMatch>

深府石板幽径 2024-10-28 03:29:20

Use this:

<Directory /var/www/public>
    allow from all
</Directory>


<DirectoryMatch "^/var/www/public/(.+)/">
   deny from all
</DirectoryMatch>

You might want to add Options etc.

The trick is how the directives are merged.

九八野马 2024-10-28 03:29:20

The best approach is to move all content not available to the public to a directory out of the root tree, like /home/my/app/

<Directory /home/my/app>
    Order Allow,Deny
    Deny from all
</Directory>

Then give read permission to the Apache user in that directory and in all directories that lead to that one, say, /home and /my

This way there is no risk of some of that content leaking when some root directory configuration error occurs.

甲如呢乙后呢 2024-10-28 03:29:20

You can disable auto indexing in all sub-directories by removing the Indexes option from the Options directive inside the configuration file, so for the default configuration the Options directive should look something like:

httpd.conf:

...
Options FollowSymLinks
...

(no "Indexes" option set.)

And then, put an index.html or index.php file inside each particular sub-directory you want to be available for client access.
If you want auto indexing to be enabled in some particular directory, you could add a .htaccess file inside those directories and put this line inside the .htaccess file:

Options Indexes

Note that .htaccess will affect its directory and all of its sub-directories recursively, so you should exclude any recursive sub-directory that you don't want this option on, by adding a .htaccess and disabling auto indexing with:

Options -Indexes

Note: For .htaccess files to be enabled and take effect on the Apache configuration, you should set AllowOverride All on the directory matches where you want to place a .htaccess file.

妄司 2024-10-28 03:29:20

So, I have 2 thoughts that might be of help (or not).

The first is that locations can override your directory permissions. So make sure you don't have those. Hitting localhost/ is hitting whatever you have set up as root, which is probably overriding your security. That's why if you specify the file directly, you can't get to it. So, if you don't want people to be able to reach your root, you should not specify a root.

As for your point about restricting access to subdirectories, I would check out this other post. ... maybe not helpful. Perhaps more details into your use case would help.

https://serverfault.com/questions/190447/apache-2-htaccess-matching-all-sub-directories-of-current-directory
