Using PHP/Apache to restrict access to static files (html, css, img, etc)


Question

Let's say you have lots of html, css, js, img and etc files within a directory on your server. Normally, any user in internet-land could access those files by simply typing in the full URL like so: http://example.com/static-files/sub/index.html

Now, what if you only want authorized users to be able to load those files? For this example, let's say your users log in first from a URL like this: http://example.com/login.php

How would you allow the logged in user to view the index.html file (or any of the files under "static-files"), but restrict the file to everyone else?

I have come up with two possible solutions thus far:

Solution 1
Create the following .htaccess file under "static-files":

Options +FollowSymLinks
RewriteEngine on
# Per-directory rewrite: $1 is the path relative to static-files/ (e.g. sub/index.html).
# The substitution must be a root-relative URL; "../authorize.php" is not resolved by mod_rewrite.
RewriteRule ^(.*)$ /authorize.php?file=$1 [NC,L]

And then in authorize.php...

if (isLoggedInUser()) readfile('static-files/'.$_REQUEST['file']);
else echo 'denied';

This authorize.php file is grossly oversimplified, but you get the idea.

Solution 2
Create the following .htaccess file under "static-files":

Order Deny,Allow
Deny from all
Allow from 000.000.000.000

And then my login page could append an IP to that .htaccess file for each user that logs in. Obviously this would also need to have some kind of cleanup routine to purge out old or no longer used IPs.

I worry that my first solution could get pretty expensive on the server as the number of users and files they are accessing increases. I think my second solution would be much less expensive, but it is also less secure due to IP spoofing, etc. I also worry that writing these IP addresses to the htaccess file could become a bottleneck of the application if there are many simultaneous users.

Which of these solutions sounds better, and why? Alternatively, can you think of a completely different solution that would be better than either of these?

Accepted answer

I would consider using a PHP loader to handle authentication and then return the files you need. For example, instead of doing <img src='picture.jpg' />, do something like <img src='load_image.php?image=picture.jpg' />.

Your image loader can verify sessions, check credentials, etc. and then decide whether or not to return the requested file to the browser. This will allow you to store all of your secure files outside of the web accessible root so nobody is going to just WGET them or browse there 'accidentally'.

Just remember to return the right headers in PHP and do something like readfile(), which will return the file contents to the browser.

I have used this very setup on several large-scale secure websites and it works like a charm.

The system I am currently building uses this method to load Javascript, images, and video, but we aren't very worried about securing CSS.
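A fuller version of the loader the answer describes, added here as an example and not code from the original answer. It assumes a hypothetical load_file.php, that login stores $_SESSION['user_id'], and that the protected files live under /var/www/private, outside the document root; pages then reference <img src='load_file.php?file=sub/picture.jpg' />.

```php
<?php
// load_file.php (hypothetical): serve a protected static file to logged-in users only.
// Assumes login sets $_SESSION['user_id'] and that the files live in /var/www/private,
// which Apache does not serve directly, so the only way to them is through this script.
session_start();

const PRIVATE_ROOT = '/var/www/private';
// Content-Type is chosen from the file extension on disk, never from client input.
const ALLOWED_TYPES = [
    'html' => 'text/html; charset=UTF-8',
    'css'  => 'text/css',
    'js'   => 'application/javascript',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'gif'  => 'image/gif',
];

function deny(int $status): void
{
    http_response_code($status);
    exit('denied');
}

// 1. Authentication: no session, no file.
if (empty($_SESSION['user_id'])) {
    deny(403);
}

// 2. Resolve the requested name and require it to stay under PRIVATE_ROOT.
//    realpath() collapses "../" and symlinks, so a prefix check on the result
//    rejects anything that escapes the private directory.
$requested = $_GET['file'] ?? '';
$base = realpath(PRIVATE_ROOT);
$path = realpath(PRIVATE_ROOT . '/' . $requested);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    deny(404);
}

// 3. Serve only known file types.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset(ALLOWED_TYPES[$ext])) {
    deny(404);
}

// 4. Send the headers the browser needs, then the bytes.
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```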
