htaccess "order" Deny, Allow, Deny


Question

I would like to allow only one country access, but exclude proxies within this country.

This is what I have (shortened version for convenience)

<Limit GET POST>
order deny,allow
deny from all
allow from 139.82.0.0/16
allow from 143.54.0.0/16
allow from 186.192.0.0/11
allow from 186.224.0.0/11
.
deny from 186.201.27.66
deny from 186.201.196.1
deny from 186.214.51.231
deny from 186.237.225.26
</Limit>

But I know this won't work. How do I go about doing this?

Recommended answer

Update: for the new Apache 2.4, jump directly to the end.

The Order keyword and its relation with the Deny and Allow directives is a real nightmare. It would be quite interesting to understand how we ended up with such configuration solutions, which is at least non-intuitive.

  • The first important point is that the Order keyword will have a big impact on how Allow and Deny directives are used.
  • The second point is that Deny and Allow directives are not applied in the order they are written; it must be seen as two blocks of directives (one for the Deny, one for the Allow) where all lines are applied.
  • The third point is that it does not apply like firewall rules, not at all; especially, rules are all read and the process does not stop at the first match.

Now you have two main modes:

Order Deny,Allow

  • This is an allow by default mode, where you will optionally give a list of Deny rules.
  • Then the Deny rules are checked, to reject requests based on these rules.
  • If someone gets rejected by one of the Deny rules you can maybe get him back with an Allow rule.
I call it:

      Policy Allow
      Rule Deny
           list of Deny rules
      Exception
           list of Allow rules
      

The Order-Allow-Deny-mode, or Reject-everyone-except-this-list-or-maybe-not

      Order Allow,Deny
      

  • This is a Deny by default mode, where you will optionally give a list of Allow rules.
  • Then the Allow rules are checked, and someone wanting access must match at least one rule.
  • If someone gets allowed by one of the Allow rules you can still reject him with a Deny rule.
In simplified form:

          Policy Deny
          Rule Allow
               list of Allow rules
          Exception
               list of Deny rules
          

Back to your case

You need to allow a list of networks which are the country networks. And in this country you want to exclude some proxy IPs.

You have taken the Allow-anyone-except-this-list-or-maybe-not mode, so by default anyone can access your server, except proxy IPs listed in the Deny list (and with the Deny from all you remove the access for anyone which was set by default), but if they get rejected you still allow the country networks. That's not good.

By inverting the Order to order allow,deny you will be in the Reject-everyone-except-this-list-or-maybe-not mode. So you will reject access to everyone but allow the country networks, and then for allowed people you will reject the proxy IPs. And of course you must remove the Deny from all as stated by @Gerben and @Michael Slade (this answer is just an explanation of why they are right).

The Deny from all is usually seen with order deny,allow to remove the allow by default of this mode and make a simpler version (more readable) by simply using a list of IPs to allow after that (for example). You do not need that rule, and your case is a perfect case of this 3-time access mode (default policy, list of exceptions, exceptions of exceptions).

But the guys who made these configuration tokens are certainly mad, for sure.

Update: this is no longer true with Apache 2.4

The whole authorization/Requirements section has been refactored in Apache 2.4 with RequireAll, RequireAny and RequireNone (http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#requirenone) directives. See for example this complex logic example.

So this strange logic will soon be the past, and to quote the new documentation:

Controlling how and in what order authorization will be applied has been a bit of a mystery in the past
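The two Order modes described in the answer, modelled in Python and run against the rule lists from the question. This is an added example, not part of the original answer and not Apache's code; the function names and the three sample client addresses are constructed, and only IPv4 addresses and CIDR blocks are handled.

```python
"""Model of Apache 2.2 Order/Allow/Deny evaluation (illustrative, not Apache code)."""
import ipaddress

def _matches(ip, rules):
    # "all" matches every client; anything else is treated as an IP or CIDR block.
    addr = ipaddress.ip_address(ip)
    return any(r == "all" or addr in ipaddress.ip_network(r, strict=False)
               for r in rules)

def access(order, allow, deny, ip):
    """Return True if `ip` is admitted. Every rule is read; no first-match stop."""
    allowed, denied = _matches(ip, allow), _matches(ip, deny)
    if order == "deny,allow":
        # Allow by default: a Deny match rejects, an Allow match wins it back.
        return allowed or not denied
    if order == "allow,deny":
        # Deny by default: an Allow match is required, a Deny match overrides it.
        return allowed and not denied
    raise ValueError("unsupported order: %r" % order)

# Rule lists from the question (its shortened version).
COUNTRY = ["139.82.0.0/16", "143.54.0.0/16", "186.192.0.0/11", "186.224.0.0/11"]
PROXIES = ["186.201.27.66", "186.201.196.1", "186.214.51.231", "186.237.225.26"]

# Constructed sample clients.
CLIENTS = {
    "proxy inside country": "186.201.27.66",
    "ordinary country client": "143.54.10.20",
    "outside country": "198.51.100.7",
}

def evaluate(order, allow, deny):
    return {name: access(order, allow, deny, ip) for name, ip in CLIENTS.items()}

def question_config():
    # As posted: order deny,allow with "deny from all" plus the proxy list.
    return evaluate("deny,allow", COUNTRY, ["all"] + PROXIES)

def corrected_config():
    # As the answer recommends: order allow,deny and no "deny from all".
    return evaluate("allow,deny", COUNTRY, PROXIES)

def corrected_but_deny_all_kept():
    # Why "deny from all" must go: under allow,deny it overrides every Allow.
    return evaluate("allow,deny", COUNTRY, ["all"] + PROXIES)

if __name__ == "__main__":
    for fn in (question_config, corrected_config, corrected_but_deny_all_kept):
        print(fn.__name__, fn())
```

With the question's configuration the listed proxy is still admitted because its address also falls inside an allowed /11 block; switching the order blocks it, and keeping "deny from all" after the switch locks everyone out.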
