使用 apache2 服务器配置匹配/拒绝对所有子目录的访问
如何拒绝对给定目录的所有子目录的访问? (同时允许手动修改目录树中单个项目的访问权限。)
我尝试使用
DocumentRoot /var/www
<Directory /var/www>
Allow from all
Deny from none
Order deny,allow
</Directory>
<Directory /var/www/*>
Deny from all
</Directory>
对 http://localhost/ 的查询成功显示 /var/www/index.html 和所有查询任何子目录都失败。
问题是:对 httproot 中的文件的任何查询都会失败 - 即请求 http://localhost/index.html 将导致 403 Forbidden。
为了看看这是否属实,我尝试了:
<Directory /var/www/i*>
Deny from all
</Directory>
这仅拒绝访问以“i”开头的文件/目录。
有没有办法改变这种行为并让
How can one deny access to all subdirectories of a given directory?
(While allowing to manually modify the access rights for single items in the directory tree.)
I tried to do it with the <Directory(Match)> directives. The server configuration (000-sites-enabled) looks like this:
DocumentRoot /var/www
<Directory /var/www>
Allow from all
Deny from none
Order deny,allow
</Directory>
<Directory /var/www/*>
Deny from all
</Directory>
A query to http://localhost/ successfully displays /var/www/index.html and all queries to any subdirectories fail.
The problem is: any query to a file in the httproot fails - i.e. requesting http://localhost/index.html will result into 403 Forbidden.
The <Directory(Match)> directives seem to actually match directories AND files!?
To see if this is true, i tried:
<Directory /var/www/i*>
Deny from all
</Directory>
This denies access only to files/directories starting with 'i'.
Is there a way to alter this behaviour and let <Directory> match only directories? Is there another way to accomplish that all the subdirectories are denied? (besides denying all of them manually or enabling all files manually)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
最后,解决方案非常简单:
注意目录模式后面的尾部斜杠
/,这将使其仅匹配目录,而不匹配文件!这与我们期望的
/var/www/的直接子目录。指定的子目录(树中的任何位置)仍然可以使用
这与
- 还匹配所有文件和文件树中的目录和
- 覆盖树中任何项目的所有
in the end, the solution turns out to be pretty simple:
Note the trailing slash
/after the directory pattern, which will make it match only directories, not files!This works exactly like we would expect from the
<Directory>-directive - in that it denies access only to the direct subdirectories of/var/www/.Specified subdirectories (anywhere in the tree) can still manually be re-enabled with
<Directory>directives.This is in contrast to
<DirectoryMatch>which will- also match all files & directories in the tree and
- override all
<Files>or<Directory>directives for any item in the tree.这对我来说是这样的。
EDIT
为了不拒绝子子目录(下面的评论),请将此 DirectoryMatch 添加到配置文件中的上述目录下面:
This did it for me.
EDIT
For not denying sub-subdirectories (comment below), add this DirectoryMatch below the one above in your configuration file:
使用这个:
您可能想添加选项等。
技巧是 如何合并指令。
Use this:
You might want to add Options etc.
The trick is how the directives are merged.
最好的方法是将所有不对公众开放的内容移至根树外的某个目录,例如 /home/my/app/
然后向该目录以及指向该目录的所有目录中的 Apache 用户授予读取权限,例如 /home 和 /my
这样,当发生某些根目录配置错误时,就不会存在某些内容泄漏的风险。
The best approach is to move all content not available to the public to a directory out of the root tree like to /home/my/app/
Then give read permission to the Apache user in that directory and in all directories that lead to that one, say, /home and /my
This way there is no risk of some of that content to leak when some root directory configuration error occurs.
您可以通过从配置文件内的
Options指令中删除Indexes选项来禁用所有子目录中的自动索引,因此对于默认配置,Options指令应该类似于:httpd.conf:(
没有设置“索引”选项。)
然后,将
index.html或index.php文件放入每个特定的子中您希望可供客户端访问的目录。如果您想在某个特定目录中启用自动索引,您可以在这些目录中添加
.htaccess文件,并将此行放入.htaccess文件中:请注意,
.htaccess会递归地影响其目录及其所有子目录,因此您应该通过添加来排除您不希望此选项的任何递归子目录。 .htaccess并通过以下方式禁用自动索引:Options -Indexes注意:要启用
.htaccess文件并在 apache 配置上生效,您应该在要放置 .htaccess 文件的目录上使用AllowOveride All。You can disable Auto Indexing in all sub-directories, by removing the
Indexesoption fromOptionsdirective inside configuration file, so for default configuration theOptionsdirective should looks something like:httpd.conf:
(no "Indexes" option set.)
And then, put
index.htmlorindex.phpfile inside each particular sub-directory you want to be available for client access.If you want to auto indexing be enable in some particular directory, you could add a
.htaccessfiles inside those directories and put this line inside the.htaccessfile:Note that
.htaccesswill effects on its directory and all of its sub-directories recursively, so you should exclude any recursive sub-directory that you don't want this option on it, by adding.htaccessand disabling auto index by:Options -IndexesNote: To
.htaccessfiles be enable and take affect on apache configurations, you shouldAllowOveride Allon the directory matches you want to place.htaccessfile.所以,我有两个想法可能有帮助(或没有帮助)。
首先,位置可以覆盖您的目录权限。所以请确保你没有这些。点击 localhost/ 就是点击您作为 root 设置的任何内容,这可能会覆盖您的安全性。这就是为什么如果直接指定文件,则无法访问它。因此,如果您不希望人们能够访问您的根目录,你不应该指定根。
至于您关于限制对子目录的访问的观点,我会查看另一篇文章。 ...也许没有帮助。也许更多关于您的用例的细节会有所帮助。
https://serverfault.com/questions/190447/ apache-2-htaccess-匹配当前目录的所有子目录
So, I have 2 thoughts that might be of help (or not).
The first is that locations can override your directory permissions. So make sure you don't have those. hitting localhost/ is hitting whatever you have set up as root, which is probably overriding your security. That's why if you specify the file directly, you cant' get to it. So, if you don't want people to be able to reach your root, you should not specify a root.
As for your point about restricting access to subdirectories, I would check out this other post. ... maybe not helpful. Perhaps more details into your use case would help.
https://serverfault.com/questions/190447/apache-2-htaccess-matching-all-sub-directories-of-current-directory