Apache位置匹配忽略了目录匹配
我有一个先前存在的基于PHP的Web应用程序,该应用程序由IP白名单人确保,我正在尝试推出一个需要绕过该列表的工具,但我想继续保护它,以便它只能具有访问权限通过特定方法和特定的浏览器代理到特定的URL;我为Apache 2.4配置文件编写了以下配置,以为它可以做到这一点:
<Location "/index.php/api/specific-end-point">
SetEnvIf User-Agent "MyCustomBrowser" Approved
<RequireAll>
Require method POST
Require env Approved
</RequireAll>
</Location>
但是我的所有请求都使用403禁止错误代码返回。 这个代码块似乎很少做,并且在尝试了它之后,它甚至不允许我仅使用单个简单需要IP XXXX 指令来揭示该路径。
IP地址白名单由与此类似的WebRoot上的目录指令组成:
<Directory "/var/www">
AllowOverride None
Require all granted
Deny from all
Allow from 192.168.1.1
Allow from 192.168.1.2
...
</Directory>
应用程序文件 index.php 在/var/var/var/www/html 目录中存在,其中具有以下内容配置:
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
我认为其他配置块之一正在引起我的403响应白名单一般,但是让我的工具访问可以发布到我的特定端点?
I have a pre-existing PHP-based web application that is secured by an IP whitelist, and I am attempting to roll out a tool that will need to bypass that list, but I want to continue to secure it so that it only has access to a specific URL, over a specific method, and via a specific browser agent; I wrote the following configuration for my Apache 2.4 configuration file thinking it would do this:
<Location "/index.php/api/specific-end-point">
SetEnvIf User-Agent "MyCustomBrowser" Approved
<RequireAll>
Require method POST
Require env Approved
</RequireAll>
</Location>
However all of my requests are returned with a 403 Forbidden error code.
This code block appears to do very little, and having experimented with it, it will not even allow me to expose that path with just a single simple Require ip x.x.x.x directive.
The IP address whitelist consists of a directory directive on the webroot similar to this:
<Directory "/var/www">
AllowOverride None
Require all granted
Deny from all
Allow from 192.168.1.1
Allow from 192.168.1.2
...
</Directory>
The applications file index.php exists within the /var/www/html directory which has the following configuration:
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
I assume that one of those other configuration blocks is causing my 403 response but I don't know what I can do to the configuration to apply all of my security requirements, block everyone not in the whitelist generally, but allow my tool access to POST to my specific endpoint?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我构建了一个实验室环境,以模拟提到的第三方应用程序,并得出结论,即在httpd 2.2语法中放置了IP白名单的功能,该语法由 mod_access_compat 。
我能够通过从
&lt;目录“/var/www”&gt;部分中剥离该IP白名单来解决此问题,然后转换为以下httpd 2.4语法块:将其固定为代码i最初在问题中发布了
&lt; location“/index.php/api/specific-end-point">block,成功工作。I built a lab environment to simulate the third-party application mentioned and have come to the conclusion that the IP whitelist functionality was put together in the HTTPD 2.2 syntax which is enabled by mod_access_compat.
I was able to resolve this by stripping that IP whitelisting from the
<Directory "/var/www">section and converting into the following HTTPD 2.4 syntax block:With that in place, the code I originally posted in the question, the
<Location "/index.php/api/specific-end-point">block, looked to work successfully.