apache 从HTTP Basic Auth中排除特定URL- mod_rewrite导致问题

nsc4cvqm  于 2023-10-23  发布在  Apache
关注(0)|答案(2)|浏览(131)

我们在我们的某个子域上有“HTTP基本认证”,但希望允许所有内容访问该子域上的特定URL而无需进行身份验证(对于第三方访问我们的webhook URL)。
所以我尝试使用SetEnvIf Request_URI ^/webhook/ allow来允许Allow from env=allow(完整文件如下),但似乎因为我们有一些mod_rewrite规则来重写所有这些URL到PHP入口点,Request_URI实际上从来没有/webhook一旦到达这一点(猜测,但不知道如何100%确认这一点。
它仍然要求一个基本的auth用户/通行证,而不管URL是什么。

请注意,.htaccess文件在我们所有的域/子域上都是相同的,而VirtualHost可以只为这个子域配置。
完整的VirtualHost配置,包含“HTTP Basic Auth”配置部分:

  1. <VirtualHost *:80>
  2.   RewriteEngine on
  3.   RewriteCond %{HTTP:X-Forwarded-Proto} !https
  4.   RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
  6.   DocumentRoot /var/www/sub.ourdomain.co.uk/blah/www
  8.   ServerAdmin [email protected]
  9.   ServerName sub.ourdomain.co.uk
  10.   ServerAlias www.sub.ourdomain.co.uk
  12.   ErrorDocument 400 /error.php
  13.   ErrorDocument 401 /error.php
  14.   ErrorDocument 403 /403.html
  15.   ErrorDocument 404 /error.php
  16.   ErrorDocument 405 /error.php
  17.   ErrorDocument 408 /error.php
  18.   ErrorDocument 410 /error.php
  19.   ErrorDocument 411 /error.php
  20.   ErrorDocument 412 /error.php
  21.   ErrorDocument 413 /error.php
  22.   ErrorDocument 414 /error.php
  23.   ErrorDocument 415 /error.php
  24.   ErrorDocument 500 /error.php
  25.   ErrorDocument 501 /error.php
  26.   ErrorDocument 502 /error.php
  27.   ErrorDocument 503 /error.php
  28.   ErrorDocument 506 /error.php
  30.   ErrorLog /var/log/httpd/sub.ourdomain.co.uk.apache.log
  31.   CustomLog /var/log/httpd/sub.ourdomain.co.uk.access.log combined
  33.   <Directory "/var/www/sub.ourdomain.co.uk/blah/www">
  34.     SetEnvIf Request_URI ^/webhook/ allow
  36.     AuthType Basic
  37.     AuthName "Restricted Content"
  38.     AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
  40.     # Setup a deny/allow
  41.     Order Deny,Allow
  42.     # Deny from everyone
  43.     Deny from all
  44.     # except if either of these are satisfied
  45.     Satisfy any
  46.     # 1. a valid authenticated user
  47.     Require valid-user
  48.     # or 2. the "allow" var is set
  49.     Allow from env=allow
  50.   </Directory>
  51. </VirtualHost>

.htaccess mod_rewrite规则:

  1. RewriteCond %{REQUEST_METHOD} !(^GET|^POST|^HEAD)
  2. RewriteRule .* - [R=405,L]
  4. RewriteCond %{REQUEST_FILENAME} !-d
  5. RewriteCond %{REQUEST_FILENAME} !-f
  6. RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts)
  8. RewriteRule ^(.*)$ /boot.php
  10. RewriteCond %{REQUEST_URI} ^/$
  11. RewriteRule ^(.*)$ /boot.php

编辑1-基于我也尝试过的评论:SetEnv allow trueSetEnv allow 1来消除对它是否是URL的怀疑,它仍然要求基本的授权密码,所以它可能与URL无关。
编辑2-添加整个.htaccess以确保我没有遗漏其他东西:

  1. php_value max_input_vars 4000
  3. RewriteEngine on
  5. # Disallow other HTTP verbs such as PUT and DELETE
  6. RewriteCond %{REQUEST_METHOD} !(^GET|^POST|^HEAD)
  7. RewriteRule .* - [R=405,L]
  9. RewriteCond %{REQUEST_FILENAME} !-d
  10. RewriteCond %{REQUEST_FILENAME} !-f
  11. RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
  13. RewriteRule ^(.*)$ /boot.php
  15. RewriteCond %{REQUEST_URI} ^/$
  16. RewriteRule ^(.*)$ /boot.php
  18. AddType font/ttf .ttf
  19. AddType font/eot .eot
  20. AddType font/otf .otf
  21. AddType font/woff .woff
  23. <IfModule mod_deflate.c>
  24.     AddOutputFilterByType DEFLATE text/css text/javascript application/x-javascript application/javascript text/x-component text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json font/woff font/otf font/eot font/ttf
  25. </IfModule>
  27. <ifModule mod_expires.c>
  28.   ExpiresActive On
  29.   ExpiresDefault "access plus 1 seconds"
  30.   ExpiresByType text/html "access plus 1 seconds"
  31.   ExpiresByType image/gif "access plus 2592000 seconds"
  32.   ExpiresByType image/jpeg "access plus 2592000 seconds"
  33.   ExpiresByType image/png "access plus 2592000 seconds"
  34.   ExpiresByType text/css "access plus 604800 seconds"
  35.   ExpiresByType font/ttf "access plus 604800 seconds"
  36.   ExpiresByType font/eot "access plus 604800 seconds"
  37.   ExpiresByType font/otf "access plus 604800 seconds"
  38.   ExpiresByType font/woff "access plus 604800 seconds"
  39.   ExpiresByType text/javascript "access plus 604800 seconds"
  40.   ExpiresByType application/x-javascript "access plus 604800 seconds"
  41. </ifModule>
  43. <ifModule mod_headers.c>
  44.   <filesMatch "\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf)$">
  45.     Header set Cache-Control "max-age=2592000, public, proxy-revalidate"
  46.   </filesMatch>
  47.   <filesMatch "\\.(js|css|ttf|eot|otf|woff)$">
  48.     Header set Cache-Control "max-age=604800, public, proxy-revalidate"
  49.   </filesMatch>
  50.   <filesMatch "\\.(xml|txt)$">
  51.     Header set Cache-Control "max-age=216000, public, must-revalidate"
  52.   </filesMatch>
  53. </ifModule>

编辑3-对不起,应该提到我们现在被困在Apache 2.2上。

apache

2条答案

按热度按时间
webghufk

webghufk1#

使用Apache 2.4+,您可以使用<If>表达式来禁用auth,或者使用THE_REQUEST变量为URI使用allow from all指令。THE_REQUEST表示发送给Apache的原始请求,它不会在单个请求的上下文中更新:

  1. AuthType Basic
  2. AuthName "Restricted Content"
  3. AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
  4. Require valid-user
  5. Satisfy any
  6. Order   deny,allow
  7. Deny from  all
  9. <If "%{THE_REQUEST} =~ /webhook/">
  10. Satisfy any
  11. Allow from all
  12. </If>
  14. # your current mod_rewrite rules can appear below this line:
  15. DirectoryIndex boot.php
  16. RewriteEngine on
  18. # Disallow other HTTP verbs such as PUT and DELETE
  19. RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
  20. RewriteRule ^ - [R=405,L]
  22. RewriteCond %{REQUEST_FILENAME} !-d
  23. RewriteCond %{REQUEST_FILENAME} !-f
  24. RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
  25. RewriteRule ^ boot.php [L]

更新:这里有一个解决方案,适用于使用<FilesMatch>指令的Apache 2.2

  1. DirectoryIndex boot.php
  2. RewriteEngine on
  4. # Disallow other HTTP verbs such as PUT and DELETE
  5. RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
  6. RewriteRule ^ - [R=405,L]
  8. RewriteCond %{REQUEST_FILENAME} !-d
  9. RewriteCond %{REQUEST_FILENAME} !-f
  10. RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
  11. RewriteRule ^ boot.php [L]
  13. SetEnvIfNoCase Request_URI ^/webhook/ allow
  15. <FilesMatch "^(?!boot\.php$).*$">
  16.    AuthType Basic
  17.    AuthName "Restricted Content"
  18.    AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
  19.    Require valid-user
  20.    Order   Deny,Allow
  21.    Deny from  all
  22.    Allow from env=allow
  23.    Satisfy any
  24. </FilesMatch>
展开查看全部
赞(0)分享  回复(0)举报  2023-10-23
fcipmucu

fcipmucu2#

注意@anubhava的回复-它包含一个安全问题!
<If "%{THE_REQUEST} =~ /webhook/">只检查请求是否 * 包含 * 字符串“/webhook/"。因此,通过将?uselessParameter=/webhook/添加到您的请求中,您可以访问所有应受密码保护的私有资源!
您可以使用^字符匹配THE_REQUEST变量的开头。但这意味着你的正则表达式还必须包含HTTP动词。

  1. <If "%{THE_REQUEST} =~ ^GET /webhook/">

遗憾的是,似乎没有Apache参数包含实际的URI或实际的路径--至少我找不到。

赞(0)分享  回复(0)举报  2023-10-23
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com