阿帕奇2.4 - 如何关闭整个网站除了一个子目录? [英] Apache 2.4 -- how to close entire site except one subdirectory?
问题描述
我们使用由Apache的2.4所提供的新的认证和授权的框架和需要关闭整个现场(位置/),以未经授权的访问,除了一个子目录(地点/富),那里可以得到授权cookie中。这似乎是AuthMerging是使用指令,但事情不工作:
We are using the new authentication and authorization framework offered by Apache-2.4 and need to close the entire site (Location /) to unauthorized access except for one subdirectory (Location /foo), where there authorizing cookie can be obtained. It would seem, that AuthMerging is the directive to use, but things do not work:
<Location />
AuthType form
AuthFormProvider foo
Session On
SessionCookieName ti2f
Include conf/sessionpw.conf
AuthName TI
<RequireAll>
Require foo ipaddress
Require foo expiration
</RequireAll>
ErrorDocument 401 /foo/
</Location>
<Location /foo>
AuthMerging Or
Require all granted
DirectoryIndex index.php
</Location>
不幸的是,进入/富仍然受阻 - 401未授权。随着LogLevel的手摇我可以看到mod_authz_core记录以下信息:
Unfortunately, access to /foo remains blocked -- 401 Unauthorized. With LogLevel cranked up I can see the following messages logged by mod_authz_core:
authorization result of Require all granted: granted
authorization result of <RequireAny>: granted
authorization result of AuthMerging Any: granted
authorization result of Require all granted: granted
authorization result of <RequireAny>: granted
authorization result of AuthMerging Any: granted
authorization result of Require foo ipaddress: denied (no authenticated user yet)
authorization result of Require foo expiration: denied (no authenticated user yet)
authorization result of <RequireAll>: denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)
使用AuthMerging设置为或者供sublocation / foo,那么为什么阿帕奇检查父位置的需要,指示不惜一切之后要求所有授予助学金?
With AuthMerging set to "Or" for sublocation /foo, why is Apache examining the parent location's require-directives at all after "Require all granted" grants?
推荐答案
一些调试后,我能理出头绪。关于Apache授权核心奇怪的(而且,据报道,它Apache的2.2更惨)是规则,如果有的话,可以应用于每击多的时间。例如,在上述的情况下,这发生在相同请求三次 - 为/富/
After some debugging, I was able to figure things out. The odd thing about Apache's authorization core (and, reportedly, it was even worse in Apache-2.2) is that the rules, if any, may be applied multiple time per hit. For example, in the case above, this happened three times for the same request -- for "/foo/"
- 对于实际的/富/。这是根据对位置/ foo的规则处理/如预期理所当然的。
- 对于/foo/index.php。这是根据对位置/ foo的规则也处理/顺带理所当然的。这就解释了,为什么我看到记录每个命中两个这样的补助。
- 因为我们使用 PHP FPM 处理了PHP的文件,请求被通过的authz规则,通过再次 - 为/php-fpm/foo/index.php。这一次,它不得不通过顶层位置/,因为它永远不会发生给我们,我们需要有一个单独的位置/ PHP-FPM /以及...
- For the actual "/foo/". This was processed according to the rules for Location /foo/ and granted as expected.
- For "/foo/index.php". This was also processed according to the rules for Location /foo/ and granted incidentally. This explains, why I saw two such grants logged for each hit.
- Because we use PHP FPM to process PHP-files, the request was passed through the authz rules yet again -- as "/php-fpm/foo/index.php". This time it had to go through the top-level Location /, because it never occured to us, we need to have a separate Location /php-fpm/ as well...
无论当前Apache的行为是越野车或者仅仅是奇仍在争论,但我的解决办法是这样形容我的sublocation:
Whether the current Apache's behavior is buggy or merely odd is still being debated, but my solution was to describe my sublocation thus:
<LocationMatch ^(/php-fpm)?/foo/>
Require all granted
DirectoryIndex index.php
</LocationMatch>
AuthMerging不是在这种情况下,即使必要的。或者,我也可以只添加另一个地点 - 用于/ PHP-FPM /。无论哪种方式,一旦问题理解,溶液可...
AuthMerging is not even necessary in this case. Or I could also just add another Location -- for /php-fpm/. Either way, once the problem is understood, solutions are available...
这篇关于阿帕奇2.4 - 如何关闭整个网站除了一个子目录?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
