Problem description
I'm trying to understand with a short test example how the order deny,allow statements react looking to what I've read until now.
I have the following site structure for testing:
/index.htm
/.htaccess (1)
/subfolder/index.htm
/subfolder/.htaccess (2)
.htaccess (1)
order deny,allow
allow from all
subfolder/.htaccess (2)
order deny,allow
deny from all
No matter the order I use for allow,deny / deny,allow (and all 4 possible combinations) in the 2 .htaccess files, I'm never allowed to access the subfolder/index.htm.
As far as I've understood, there is at least one combination where the root allow from all wins on the subfolder deny from all, so I don't understand why I can't succeed doing this on that so simple example.
Can you explain why and what's happening?
Recommended answer
The Order Directive
The rules order deny,allow and order allow,deny define in which order the deny from and allow from directives are processed. All allow and deny rules are processed, with the final relevant rule overriding any previous rules. See the Order Directive section of the mod_authz_host module documentation for confirmation.
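Note that all Allow and Deny directives are processed, unlike a typical firewall, where only the first match is used. The last match is effective (also unlike a typical firewall). Additionally, the order in which lines appear in the configuration files is not significant: all Allow lines are processed as one group, all Deny lines are considered as another, and the default state is considered by itself.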
For example, if we process the deny rules before the allow rules, we can effectively create a whitelist of allowed IP addresses.
order deny,allow
deny from all
allow from 127.0.0.1
Conversely, in the following example, we process the allow rules, before the deny rules, for a blacklist of denied IP addresses.
order allow,deny
allow from all
deny from 127.0.0.1
Subdirectories will inherit the rules of parent directories, unless they declare their own rules. If a subdirectory uses either an order directive or an allow/deny directive, the rules from the parent are not inherited. See Bug 52406 which refers to the Merging of configuration sections section of this document, for confirmation of this behavior.
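For modules that don't implement any merging logic, such as mod_access_compat, the behavior in later sections depends on whether the later section has any directives from the module. The configuration is inherited until a change is made, at which point the configuration is replaced and not merged.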
Simple Test
You can also do this simple test to confirm this behavior.
Put the following lines in the parent directory .htaccess.
order deny,allow
deny from all
And any or all of the following lines in the child directory .htaccess.
order deny,allow
deny from 0.0.0.0
You will see the child directory is now publicly accessible, even though the parent directory contains deny from all and the child directory has no allow from directives.
Based on the documentation and experimentation, it seems that it is impossible for a parent directory to override a child directory's directives in any way.
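The evaluation and replace-not-merge rules described in the answer, as an added example that is not part of the original post and not Apache's own code: a simplified Python model run against both the question's two files and the answer's simple test. Assumptions: only the two orders above, `all`, single IPs and CIDR ranges are modelled, and the function names and the client address 203.0.113.7 are constructed for illustration.

```python
import ipaddress

DEFAULT = {"order": "deny,allow", "allow": [], "deny": []}  # no rules at all: allowed

def parse(text):
    """Return the access config in .htaccess text, or None if it has no order/allow/deny line."""
    cfg, seen = {"order": "deny,allow", "allow": [], "deny": []}, False
    for line in text.splitlines():
        w = line.lower().split()
        if len(w) == 2 and w[0] == "order":
            cfg["order"], seen = w[1], True
        elif len(w) >= 3 and w[0] in ("allow", "deny") and w[1] == "from":
            cfg[w[0]].extend(w[2:])
            seen = True
    return cfg if seen else None

def matches(spec, client_ip):
    """Simplified matching (assumption): 'all', a single IP, or a CIDR range."""
    if spec == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def effective_config(htaccess_by_dir, request_dir):
    """Walk from / down to request_dir; a directory with its own rules replaces what it inherited."""
    parts = [p for p in request_dir.split("/") if p]
    cfg = DEFAULT
    for i in range(len(parts) + 1):
        own = parse(htaccess_by_dir.get("/" + "/".join(parts[:i]), ""))
        if own is not None:
            cfg = own  # replaced, not merged
    return cfg

def is_allowed(cfg, client_ip):
    allow = any(matches(s, client_ip) for s in cfg["allow"])
    deny = any(matches(s, client_ip) for s in cfg["deny"])
    if cfg["order"] == "allow,deny":
        return allow and not deny  # default deny; deny rules are processed last
    return allow or not deny       # deny,allow: default allow; allow rules are processed last

# Constructed inputs: the question's two files, the answer's simple test, a sample client.
QUESTION = {"/": "order deny,allow\nallow from all",
            "/subfolder": "order deny,allow\ndeny from all"}
ANSWER_TEST = {"/": "order deny,allow\ndeny from all",
               "/subfolder": "order deny,allow\ndeny from 0.0.0.0"}
CLIENT = "203.0.113.7"

if __name__ == "__main__":
    for name, site in (("question", QUESTION), ("answer test", ANSWER_TEST)):
        for d in ("/", "/subfolder"):
            print(name, d, "allowed" if is_allowed(effective_config(site, d), CLIENT) else "denied")
```

For an access review, the second case is the one to look for: a child .htaccess containing any order, allow or deny line discards a parent's deny from all, so each such file has to be checked on its own.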