以绩效为导向的方式来保护PHP级别的文件? [英] Performance-oriented way to protect files on PHP level?
问题描述
我要寻找一些输入的东西我一直在思考了很长的时间。这是一个非常普遍的问题,也许有解决方案在那里我还没有想过呢。
I am looking for some input on something I have been thinking about for a long time. It is a very general problem, maybe there are solutions out there I haven't thought of yet.
我有一个基于PHP的CMS。
对于CMS中创建的每个页面,用户可以上传资产(要下载的文件,图片等)
I have a PHP-based CMS.
For each page created in the CMS, the user can upload assets (Files to download, Images, etc.)
这些资产都存储在一个目录下,姑且称之为/ MyProject的/资产,在每个页面的基础(1子目录= 1页,如/ MyProject的/资产/ page19283)
Those assets are stored in a directory, let's call it "/myproject/assets", on a per-page basis (1 subdirectory = 1 page, e.g. "/myproject/assets/page19283")
,用户可以取消发布(隐藏)在CMS页面。当一个页面被隐藏,并有人试图对其进行访问,因为他们已经记住了网址或他们来自谷歌什么的,他们得到了未找到的消息。
The user can "un-publish" (hide) pages in the CMS. When a page is hidden, and somebody tries to access it because they have memorized the URL or they come from Google or something, they get a "Not found" message.
不过,资产仍然可用。我要保护那些为好,这样,当用户未发布的网页,他们可以信任它完全消失。 (关于司法烦恼像法院的命令很重要,我们要的内容下来......这样的事情可能发生)。
However, the assets are still available. I want to protect those as well, so that when the user un-publishes a page, they can trust it is completely gone. (Very important on judicial troubles like court orders to take content down ... Things like that can happen).
最显而易见的方法是以所有资产存放在一个安全的目录(=不是由Web服务器访问),并使用PHP正门,通过审核后通过的文件。当一个项目需要水密这是这样,我现在走了,但我不喜欢它,因为PHP的跨preTER运行的每一个微小的图像,脚本和样式表的网站上。我想有一个更快的方法。
The most obvious way is to store all assets in a secure directory (= not accessible by the web server), and use a PHP "front gate" that passes the files through after checking. When a project needs to be watertight this is the way I currently go, but I don't like it because the PHP interpreter runs for every tiny image, script, and stylesheet on the site. I would like have a faster way.
的.htaccess 保护(拒绝所有或类似的)是不完美的,因为CMS应该是便携和能够在共享的环境中运行。我想它甚至在IIS和其他Web服务器上运行。
.htaccess protection (Deny from all or similar) is not perfect because the CMS is supposed to be portable and able to run in a shared environment. I would like it to even run on IIS and other web servers.
我能想到的,现在最好的办法是移动特定页面的资产目录到安全位置时,它是联合国发布的,并且将其移回时,它的出版。然而,管理员用户需要能够看到的网页,即使它是联合国发布的,所以我必须解决的事实,我必须从安全的目录服务这些资产。
The best way I can think of right now is moving the particular page's asset directory to a secure location when it is un-published, and move it back when it's published. However, the admin user needs to be able to see the page even when it's un-published, so I would have to work around the fact that I have to serve those assets from the secure directory.
有人能想出一个办法,可以直接阿帕奇访问文件(=没有通过PHP脚本传递),但使用PHP仍然控制访问?我不能。
Can anybody think of a way that allows direct Apache access to the files (=no passing through a PHP script) but still controlling access using PHP? I can't.
我还要考虑一个简单的.htaccess解决方案,很可能会在最的共享环境中运行。
I would also consider a simple .htaccess solution that is likely to run on most shared environments.
推荐答案
编辑:怎么样一个混合的管理界面?在非加太国家可以通过PHP的方法获得,基本上把所有的文件请求到PHP authing文件,但对于公众,你可以使用HTTP认证/ htaccess的确定结果的可用性。这给你的公共端的表现,但对非加太方的保护。
How about a hybrid for the administrative interface? In the ACP you could access via the PHP method to, basically, send all file requests to the PHP authing file, but for public, you can use HTTP AUTH/htaccess to determine the availability of the result. this gives you the performance on the public side, but the protection on the ACP side.
旧消息:
的.htaccess与大多数Apache和IIS&LT兼容; 7环境(使用不同的ISAPI模块)使用mod_rewrite类型的操作时。唯一的例外是IIS7 +,它使用的web.config文件中的新重写模块。不过,我愿意是,你可以有效地生成/改变这个实例,而不是使用.htaccess中的web.config文件。
.htaccess is compatible with most Apache and IIS<7 environments (using various ISAPI modules) when using mod_rewrite type operations. The only exception is IIS7 + the new Rewrite module which uses the web.config file. HOWEVER, I'd be willing to be that you could efficiently generate/alter the web.config file for this instance instead of using .htaccess.
鉴于这种情况,您可以设置使用重定向重写方法和重定向到您的自定义404页(即希望发送正确的404头)。这是不是100%合适,因为实际的资产应该是一个给予403头,但是......它的工作原理。
Given that, you could set up redirects using the rewrite method and redirect to your custom 404 Page (that hopefully sends the proper 404 header). It is not 100% appropriate because the actual asset should be the one giving a 403 header, but... it works.
这是路线我会去,除非你要正确地创建HTTP认证设置为每个服务器平台。另外,如果你这样做的权利,你可以让你的系统可扩展,允许其他类型的未来由您或您的用户(包括如果他们想这样做一个基于PHP选项)。
This is the route I would go unless you want to properly create HTTP AUTH setups for every server platform. Plus, if you do it right, you could make your system extendable to allow other types in the future by you or your users (including a php based option if they wanted to do it).
这篇关于以绩效为导向的方式来保护PHP级别的文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
