stackoom
  简体   繁体   中英

Apache Location match ignored in favour of Directory match

 原文  2022-07-08 17:11:29       php/ apache/ rest/ security/ httpd.conf

Question

I have a pre-existing PHP-based web application that is secured by an IP whitelist, and I am attempting to roll out a tool that will need to bypass that list, but I want to continue to secure it so that it only has access to a specific URL, over a specific method, and via a specific browser agent; I wrote the following configuration for my Apache 2.4 configuration file thinking it would do this:

<Location "/index.php/api/specific-end-point">
    SetEnvIf User-Agent "MyCustomBrowser" Approved
    <RequireAll>
        Require method POST
        Require env Approved
    </RequireAll>
</Location>

However all of my requests are returned with a 403 Forbidden error code. This code block appears to do very little, and having experimented with it, it will not even allow me to expose that path with just a single simple Require ip xxxx directive.

The IP address whitelist consists of a directory directive on the webroot similar to this: 

<Directory "/var/www">
AllowOverride None
Require all granted
Deny from all
Allow from 192.168.1.1
Allow from 192.168.1.2
...
</Directory>

The applications file index.php exists within the /var/www/html directory which has the following configuration:

<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

I assume that one of those other configuration blocks is causing my 403 response but I don't know what I can do to the configuration to apply all of my security requirements, block everyone not in the whitelist generally, but allow my tool access to POST to my specific endpoint?

1 answers

solution1
 0  2022-07-14 15:50:28

I built a lab environment to simulate the third-party application mentioned and have come to the conclusion that the IP whitelist functionality was put together in the HTTPD 2.2 syntax which is enabled by mod_access_compat .

I was able to resolve this by stripping that IP whitelisting from the <Directory "/var/www"> section and converting into the following HTTPD 2.4 syntax block:

<Location "/">
AllowOverride None
<RequireAny>
Require ip 192.168.1.1
Require ip 192.168.1.2
...
</RequireAny>
</Location>

With that in place, the code I originally posted in the question, the <Location "/index.php/api/specific-end-point"> block, looked to work successfully.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Do not proxy a request if location or directory match Optional regex match is being ignored Match location between coordinates Match first letter of directory Avoid apache to match filename in uris Match files in directory with glob and regex remove files in directory not match array PHP Regex match file or directory How to preg_match a directory then return that directory php - preg_match: minimum char count ignored
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM