
Apache Location match ignored in favour of Directory match

I have a pre-existing PHP-based web application that is secured by an IP whitelist, and I am attempting to roll out a tool that will need to bypass that list, but I want to continue to secure it so that it only has access to a specific URL, over a specific method, and via a specific browser agent. I wrote the following configuration for my Apache 2.4 configuration file thinking it would do this:

<Location "/index.php/api/specific-end-point">
    SetEnvIf User-Agent "MyCustomBrowser" Approved
    <RequireAll>
        Require method POST
        Require env Approved
    </RequireAll>
</Location>

However, all of my requests are returned with a 403 Forbidden error code. This code block appears to do very little, and having experimented with it, it will not even allow me to expose that path with just a single simple Require ip xxxx directive.

The IP address whitelist consists of a directory directive on the webroot similar to this:

<Directory "/var/www">
AllowOverride None
Require all granted
Deny from all
Allow from 192.168.1.1
Allow from 192.168.1.2
...
</Directory>

The application's file index.php exists within the /var/www/html directory, which has the following configuration:

<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

I assume that one of those other configuration blocks is causing my 403 response, but I don't know what I can do to the configuration to apply all of my security requirements, block everyone not in the whitelist generally, but allow my tool access to POST to my specific endpoint?

I built a lab environment to simulate the third-party application mentioned and have come to the conclusion that the IP whitelist functionality was put together in the HTTPD 2.2 syntax which is enabled by mod_access_compat.

I was able to resolve this by stripping that IP whitelisting from the <Directory "/var/www"> section and converting it into the following HTTPD 2.4 syntax block:

<Location "/">
AllowOverride None
<RequireAny>
Require ip 192.168.1.1
Require ip 192.168.1.2
...
</RequireAny>
</Location>

With that in place, the code I originally posted in the question, the <Location "/index.php/api/specific-end-point"> block, looked to work successfully.
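
A small lint for the root cause identified in the answer above, as an added example that is not part of the original post: it walks a configuration and reports each section that still uses mod_access_compat directives (Order, Allow, Deny, Satisfy), and whether that section also uses Require. The function name and the simplified line-based parsing are assumptions of this example; Include files and line continuations are not followed.

```python
import re

# mod_access_compat (Apache 2.2-style) access-control directives.
LEGACY = {"order", "allow", "deny", "satisfy"}
# Authorization containers belong to the enclosing section, not a new scope.
AUTHZ = {"requireall", "requireany", "requirenone"}
OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</(\w+)>")

# Constructed sample, assembled from the configuration blocks in the question.
SAMPLE = """
<Directory "/var/www">
    Require all granted
    Deny from all
    Allow from 192.168.1.1
</Directory>
<Location "/index.php/api/specific-end-point">
    SetEnvIf User-Agent "MyCustomBrowser" Approved
    <RequireAll>
        Require method POST
        Require env Approved
    </RequireAll>
</Location>
"""

def find_legacy_sections(config_text):
    """Return (section, legacy directives, also_has_require) per 2.2-style section."""
    stack, findings = [], []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened, closed = OPEN.fullmatch(line), CLOSE.fullmatch(line)
        if opened and opened.group(1).lower() not in AUTHZ:
            stack.append([f"{opened.group(1)} {opened.group(2).strip()}", set(), False])
        elif closed and closed.group(1).lower() not in AUTHZ and stack:
            name, legacy, has_require = stack.pop()
            if legacy:
                findings.append((name, sorted(legacy), has_require))
        elif stack and not (opened or closed):
            word = line.split()[0].lower()
            if word in LEGACY:
                stack[-1][1].add(word)
            elif word == "require":
                stack[-1][2] = True
    return findings

if __name__ == "__main__":
    print(find_legacy_sections(SAMPLE))
```

A section reported with the last field set to True mixes both syntaxes and is the first place to look when a Require block elsewhere appears to be ignored.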
