htaccess "order" Deny, Allow, Deny


Problem description

I would like to allow only one country access, but exclude proxies within this country.

This is what I have (shortened version for convenience)

<Limit GET POST>
order deny,allow
deny from all
allow from 139.82.0.0/16
allow from 143.54.0.0/16
allow from 186.192.0.0/11
allow from 186.224.0.0/11
.
deny from 186.201.27.66
deny from 186.201.196.1
deny from 186.214.51.231
deny from 186.237.225.26
</Limit>

But I know this won't work. How do I go about doing this?

Recommended answer

Update: for the new Apache 2.4, jump directly to the end.

The Order keyword and its relation with Deny and Allow Directives is a real nightmare. It would be quite interesting to understand how we ended up with such a solution, a non-intuitive one to say the least.

  • The first important point is that the Order keyword will have a big impact on how Allow and Deny directives are used.
  • Secondly, Deny and Allow directives are not applied in the order they are written, they must be seen as two distinct blocks (one for the Deny directives, one for Allow).
  • Thirdly, they are drastically not like firewall rules: all rules are applied, the process is not stopping at the first match.

You have two main modes:

Order Deny,Allow

  • This is an allow by default mode. You optionally specify Deny rules.
  • Firstly, the Deny rules reject some requests.
  • If someone gets rejected you can get them back with an Allow.

I would rewrite it as:

Rule Deny
     list of Deny rules
Except
     list of Allow rules
Policy Allow (when no rule fired)

Order-Allow-Deny-mode, or Reject-everyone-except-this-list-or-maybe-not

Order Allow,Deny

  • This is a deny by default mode. So you usually specify Allow rules.
  • Firstly, someone's request must match at least one Allow rule.
  • If someone matched an Allow, you can still reject them with a Deny.

In a simplified form:

Rule Allow
     list of Allow rules
Except
     list of Deny rules
Policy Deny (when no rule fired)

Back to your case

You need to allow a list of networks which are the country networks. And in this country you want to exclude some proxies' IP addresses.

You have taken the allow-anyone-except-this-list-or-maybe-not mode, so by default anyone can access your server, except proxies' IPs listed in the Deny list, but if they get rejected you still allow the country networks. That's too broad. Not good.

By inverting to order allow,deny you will be in the reject-everyone-except-this-list-or-maybe-not mode. So you will reject access to everyone but allow the country networks and then you will reject the proxies. And of course you must remove the Deny from all as stated by @Gerben and @Michael Slade (this answer only explains what they wrote).

The Deny from all is usually seen with order deny,allow to remove the allow by default access and make a simple, readable configuration. For example, specify a list of allowed IPs after that. You don't need that rule and your question is a perfect case of a 3-way access mode (default policy, exceptions, exceptions to exceptions).

But the guys who designed these settings are certainly insane.

The whole authorization scheme has been refactored in Apache 2.4 with RequireAll, RequireAny and RequireNone directives. See for example this complex logic example.

So the old strange Order logic becomes a relic, and to quote the new documentation:

Controlling how and in what order authorization will be applied has been a bit of a mystery in the past
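
Added example, not part of the original answer: a small Python model of the two legacy Order modes described above, run against the question's address lists to show why the posted configuration lets the listed proxies through and why the inverted order blocks them. The function names and the sample client addresses are constructed for illustration.

```python
import ipaddress

def matches(ip, rules):
    """True if ip falls in any rule; a rule is 'all' or an address/CIDR string."""
    addr = ipaddress.ip_address(ip)
    return any(r == "all" or addr in ipaddress.ip_network(r) for r in rules)

def access(order, allow, deny, ip):
    """Model of the legacy Order/Allow/Deny decision.

    Both lists are always evaluated in full; the position of a directive
    in the file is irrelevant, only the Order keyword decides who wins.
    """
    allowed, denied = matches(ip, allow), matches(ip, deny)
    if order == "deny,allow":
        # Allow by default; an Allow match overrides a Deny match.
        return allowed or not denied
    if order == "allow,deny":
        # Deny by default; a Deny match overrides an Allow match.
        return allowed and not denied
    raise ValueError("unknown order: " + order)

# Address lists copied from the question (its shortened version).
COUNTRY = ["139.82.0.0/16", "143.54.0.0/16", "186.192.0.0/11", "186.224.0.0/11"]
PROXIES = ["186.201.27.66", "186.201.196.1", "186.214.51.231", "186.237.225.26"]

# The question's config: order deny,allow, "deny from all" plus the proxies.
QUESTION = ("deny,allow", COUNTRY, ["all"] + PROXIES)
# The answer's fix: order allow,deny with "deny from all" removed.
FIXED = ("allow,deny", COUNTRY, PROXIES)

def decide(config, ip):
    """Return True when the given (order, allow, deny) config admits ip."""
    order, allow, deny = config
    return access(order, allow, deny, ip)

if __name__ == "__main__":
    # Constructed sample clients: one inside a country range, one listed
    # proxy, and one outside every range (documentation address).
    samples = {"country host": "139.82.10.20",
               "listed proxy": "186.201.27.66",
               "outsider": "203.0.113.7"}
    for label, ip in samples.items():
        print(f"{label:13} {ip:15} question={decide(QUESTION, ip)} "
              f"fixed={decide(FIXED, ip)}")
```

The listed proxy is admitted under the question's configuration because it also matches an Allow range, and Allow wins in deny,allow mode; under allow,deny the same Deny entry overrides the Allow match.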
