
Apache Location match ignored in favour of Directory match

I have a pre-existing PHP-based web application that is secured by an IP whitelist, and I am attempting to roll out a tool that will need to bypass that list, but I want to continue to secure it so that it only has access to a specific URL, over a specific method, and via a specific browser agent; I wrote the following configuration for my Apache 2.4 configuration file thinking it would do this:

<Location "/index.php/api/specific-end-point">
    SetEnvIf User-Agent "MyCustomBrowser" Approved
    <RequireAll>
        Require method POST
        Require env Approved
    </RequireAll>
</Location>

However, all of my requests are returned with a 403 Forbidden error code. This code block appears to do very little, and having experimented with it, it will not even allow me to expose that path with just a single simple Require ip xxxx directive.

The IP address whitelist consists of a directory directive on the webroot similar to this:

<Directory "/var/www">
AllowOverride None
Require all granted
Deny from all
Allow from 192.168.1.1
Allow from 192.168.1.2
...
</Directory>

The application's file index.php exists within the /var/www/html directory, which has the following configuration:

<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

I assume that one of those other configuration blocks is causing my 403 response but I don't know what I can do to the configuration to apply all of my security requirements, block everyone not in the whitelist generally, but allow my tool access to POST to my specific endpoint?

I built a lab environment to simulate the third-party application mentioned and have come to the conclusion that the IP whitelist functionality was put together in the HTTPD 2.2 syntax, which is enabled by mod_access_compat.

I was able to resolve this by stripping that IP whitelisting from the <Directory "/var/www"> section and converting it into the following HTTPD 2.4 syntax block:

<Location "/">
# AllowOverride is only valid in <Directory> sections, so it is not set here
<RequireAny>
Require ip 192.168.1.1
Require ip 192.168.1.2
...
</RequireAny>
</Location>

With that in place, the code I originally posted in the question, the <Location "/index.php/api/specific-end-point"> block, looked to work successfully.
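
A check for the situation described in the answer, as an added example that is not code from the original post: this Python sketch scans httpd configuration text for sections that still use the 2.2-style Order/Allow/Deny/Satisfy directives and marks the ones that also carry 2.4 Require lines. The function name and the sample text are constructed for illustration, and the sketch assumes a single file (Include directives and line continuations are not followed).

```python
import re

# Directives handled by mod_access_compat (httpd 2.2 syntax).
LEGACY = {"order", "allow", "deny", "satisfy"}
# Containers that do not open a new configuration scope for this audit.
TRANSPARENT = {"requireall", "requireany", "requirenone", "ifmodule", "ifdefine"}

def audit_access_directives(conf_text):
    """Return one finding per section that uses 2.2-style access directives."""
    stack = ["(server config)"]   # enclosing sections, innermost last
    seen = {}                     # section -> {"legacy": [...], "require": [...]}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = re.match(r"</\s*(\w+)\s*>", line)
        opening = re.match(r"<\s*(\w+)\b(.*)>", line)
        if closing:
            if closing.group(1).lower() not in TRANSPARENT and len(stack) > 1:
                stack.pop()
        elif opening:
            if opening.group(1).lower() not in TRANSPARENT:
                stack.append(f"<{opening.group(1)}{opening.group(2).rstrip()}>")
        else:
            name = line.split()[0].lower()
            entry = seen.setdefault(stack[-1], {"legacy": [], "require": []})
            if name in LEGACY:
                entry["legacy"].append((lineno, line))
            elif name == "require":
                entry["require"].append((lineno, line))
    return [{"section": s, "legacy": e["legacy"], "mixed": bool(e["require"])}
            for s, e in seen.items() if e["legacy"]]

# Constructed sample based on the blocks quoted in the question.
SAMPLE = """
<Directory "/var/www">
    Require all granted
    Deny from all
    Allow from 192.168.1.1
</Directory>
<Location "/index.php/api/specific-end-point">
    <RequireAll>
        Require method POST
        Require env Approved
    </RequireAll>
</Location>
"""
if __name__ == "__main__":
    for f in audit_access_directives(SAMPLE):
        print(f["section"], "mixed" if f["mixed"] else "legacy only", f["legacy"])
```

A section reported as mixed is the first place to look when a more specific Location block with Require directives still returns 403.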
