防止直接访问网站某些目录的最佳方法是什么? [英] what is the best way to prevent certain directories of a web site from being directly accessed?
问题描述
哪种是防止直接访问网站某些目录的最佳方法?
1-创建并放置 .htaccess 我们要保护的每个目录中的文件,并在其中放置下一行:
Deny from all
2-创建并放置 index.php 我们要保护的每个目录中的文件,并仅在其中放置下一行代码(它将重定向到网站的首页):
<?php标头( Location:http://。$ _SERVER ['HTTP_HOST']); ?>
3-还有别的东西(什么?)
要确定您的文档根目录,您只需回显PHP $ _ SERVER ['DOCUMENT_ROOT'] 变量即可。因此,如果您的根目录是 / var / www / html ,则可以创建一个文件夹 / var / www / protected_folder 并Apache(或其他Web服务器)将永远不会提供服务(除非更改了http.conf文件以修改文档根文件夹)。
如果该文件夹必须位于文档根目录,然后使用 .htaccess 文件到 DENY 或重定向是一个很好的选择。
如TerryE所述,您还可以使用操作系统级别的文件权限来拒绝Apache用户对该文件夹的访问(将其他用户设置为所有者,然后将文件夹的权限设置为<$例如c $ c> 700 )。如果他们尝试访问该文件夹,则会收到您可能不想显示的403禁止错误(尽管您可以在 http.conf 中设置自定义403错误处理程序)或 htaccess )。具体取决于您要尝试执行的操作,您可能需要此方法,因为如果您愿意的话,它也可以阻止您访问脚本(即PHP include()等)。 ,因为默认情况下PHP在Web服务器用户下运行。这种方法的主要缺点是,在迁移过程中通常不会保留文件权限(如果未正确完成),并且在使用递归标志更改父文件夹权限时,有时会无意中重置文件权限(而不太可能有人无意中将文件夹移到文档根目录中。
Which is the best way to prevent certain directories of a web site from being directly accessed?
1- Creating and placing a .htaccess file in each directory we want to protect and place the next line in it:
Deny from all
2- Creating and placing a index.php file in each directory we want to protect and place only the next line of code in it (which will redirect to homepage of the website):
<?php header("Location: http://" . $_SERVER['HTTP_HOST']); ?>
3- Something else (what is it?)
As mentioned in the comments, the safest way is to place content or directories outside the web server's public document root. This will ensure that content will not be served even if an .htaccess file is deleted or if the server does not allow .htaccess overrides.
To determine your document root you can just echo the PHP $_SERVER['DOCUMENT_ROOT'] variable. So if your root is /var/www/html, you can create a folder /var/www/protected_folder and Apache (or other web server) will never serve it (unless the http.conf file is altered to modify the document root folder).
If the folder must be in the document root, then using an .htaccess file to either DENY or redirect is a good alternative.
As TerryE mentioned, you could also use OS-level file permissions to deny the Apache user access to the folder (set a different user as the owner and then set permission on the folder to 700, for example). If they try to access the folder they'll get a 403 Forbidden Error which you may not want to show (though you could set up a custom 403 error handler in http.conf or htaccess). Depending on specifically what you are trying to do you may want this approach, as it will also let you prevent access from scripts (i.e. PHP include() etc) if you want to, as PHP runs under the webserver user by default. The major downside of this approach is that file permissions are often not preserved during migrations (if they're not done correctly) and file permissions can sometimes be reset inadvertently when altering parent folder permissions with a recursive flag (whereas it's unlikely that someone would inadvertently move a folder into the document root).
这篇关于防止直接访问网站某些目录的最佳方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
