防止直接访问将在另一台服务器中加载的 php 文件
[英]Prevent direct access to a php file that would be loaded in another server
问题描述
I have this file style.php that would be used as the main css styling of several domains.
我有这个文件 style.php 将用作几个域的主要 css 样式。 This style.php file will on be available on 'website 1' while the remaining website will load it from website 1.此 style.php 文件将在“网站 1”上可用,而其余网站将从网站 1 加载它。
For website 1.对于网站 1。
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title> Website one </title>
<link rel="stylesheet" href="style.php">
</head>
<body>
</body>
For website 2.对于网站 2。
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title> Website one </title>
<link rel="stylesheet" href="https://website1.com/style.php">
</head>
<body>
</body>
For website 3.对于网站 3。
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title> Website one </title>
<link rel="stylesheet" href="https://website1.com/style.php">
</head>
<body>
</body>
So goes for several other websites.其他几个网站也是如此。
Now this is want to I want to do, I don't want a direct access to style.php o the website 1. For example, if a user visit https://website1.com/style.php , he shouldn't have access to it.现在这是我想做的事情,我不想直接访问网站 1 的 style.php。例如,如果用户访问https://website1.com/style.php ,他不应该可以访问它。
Here is the problem, when I use .htaccess to deny access to it, website 2, and 3 won't be able to load the css.这就是问题所在,当我使用 .htaccess 拒绝访问它时,网站 2 和 3 将无法加载 css。
Is there any possible tweak that I can make to the style.php so that when a user visits https://website1.com/style.php , he won't be able to access it but when it used as a styling sheet one website 2, and 3, it would load the css normally?我可以对 style.php 进行任何可能的调整,以便当用户访问https://website1.com/style.php时,他将无法访问它,但当它用作样式表时网站2和3,它会正常加载css吗?
1 个解决方案
解决方案1
2 已采纳 2022-06-19 12:35:24
The short answer is "no".最简洁的答案是不”。
The longer answer is that you have an incorrect mental model of what is currently happening.更长的答案是你对当前正在发生的事情有一个不正确的心理模型。 You are imagining that when you reference the stylesheet from website 2, the request is in some way "coming from" that website.您想象当您从网站 2 引用样式表时,请求以某种方式“来自”该网站。 What is actually happening is this:实际发生的是这样的:
- The user asks their browser to load website 2用户要求他们的浏览器加载网站 2
- The browser sends a request to the server of website 2浏览器向网站2的服务器发送请求
- The server returns some HTML to the browser, which includes the URL where the stylesheet should be loaded from on website 1服务器向浏览器返回一些 HTML,其中包括应该从网站 1 上加载样式表的 URL
- The browser decides it wants to load the stylesheet, so sends a request to the server of website 1浏览器决定要加载样式表,因此向网站 1 的服务器发送请求
- The server of website 1 returns the styles网站 1 的服务器返回样式
- The browser applies the styles to its display of website 2浏览器将样式应用于其网站 2 的显示
At no point do your two servers talk to each other;您的两台服务器在任何时候都不会相互通信; they are always receiving requests from, and sending responses to, the browser.他们总是从浏览器接收请求并向浏览器发送响应。 If the server refuses the request at step 5, the browser will never know what the stylesheet contained, so will just render the page without those styles.如果服务器在第 5 步拒绝请求,浏览器将永远不会知道样式表包含什么,因此只会呈现没有这些样式的页面。
With this in mind, we can re-cast the question:考虑到这一点,我们可以重新提出问题:
Can I determine why a browser is requesting a URL, to distinguish between a user typing the URL into the address bar from the stylesheet being used on one of my sites.
The answer is maybe : there is an HTTP header that browsers can send called "REFERER" (yes, that's a typo for "referrer", but one that happened so long ago it became standard), which gives the URL the request "came from" in some sense.答案可能是:浏览器可以发送一个名为“REFERER”的 HTTP 标头(是的,这是“referrer”的拼写错误,但很久以前它就成为标准了),它为 URL 提供了请求“来自“ 在某种意义上。 For a directly typed URL, it will always be blank;对于直接键入的 URL,它将始终为空; for a stylesheet URL, it will probably be the containing page.对于样式表 URL,它可能是包含页面。 You can access it in PHP as $_SERVER['HTTP_REFERER'] , or in an Apache configuration by putting RewriteCond %{HTTP_REFERER} some-pattern-to-match in front of a RewriteRule .您可以在 PHP 中以$_SERVER['HTTP_REFERER']形式访问它,或者在 Apache 配置中通过将RewriteCond %{HTTP_REFERER} some-pattern-to-match放在RewriteRule前面来访问它。
However , browsers have recently become stricter about passing referrer information between domains, for privacy reasons, so it may be blank in your case.但是,出于隐私原因,浏览器最近对在域之间传递引荐来源信息变得更加严格,因此在您的情况下它可能是空白的。
It's also really important to note that everything in the request is under full control of the user, and everything in the response is fully visible to the user .同样重要的是要注意请求中的所有内容都在用户的完全控制之下,并且响应中的所有内容对用户都是完全可见的。 It's trivial to send a request with a fake REFERER header once you figure out that's what's needed.一旦你发现这是需要的,发送带有假 REFERER 标头的请求是微不足道的。 It's even more trivial to look at the stylesheet while you're on the site that uses it - in most browsers, pressing F12 will pop up "developer tools" where you can see everything the server sent.在使用样式表的站点上查看样式表更加简单——在大多数浏览器中,按 F12 将弹出“开发人员工具”,您可以在其中查看服务器发送的所有内容。
So if you're hoping to keep the styles in some way "secret", you're out of luck;因此,如果您希望以某种方式“保密”这些样式,那您就不走运了。 the user needs to be able to see the styles for their browser to use them.用户需要能够看到浏览器的样式才能使用它们。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.