时间戳

首页 > 解决方案 > 从 HTTP 基本身份验证中排除特定 URL - mod_rewrite 导致问题

apache - 从 HTTP 基本身份验证中排除特定 URL - mod_rewrite 导致问题

问题描述

我们在我们的某个子域上有“HTTP Basic Auth”,但希望允许一切访问该子域上的特定 URL 而无需进行身份验证(对于点击我们的 webhook URL 的第 3 方)。

所以我尝试使用SetEnvIf Request_URI ^/webhook/ allowto allow with Allow from env=allow(下面的完整文件),但似乎因为我们有一些 mod_rewrite 规则将所有这些 URL 重写为 PHP 入口点,所以 Request_URI 一旦到达这一点,就永远不会真正 /webhook (猜测但不知道如何100%确认这一点。

无论 URL 是什么,它仍然要求基本的身份验证用户/通行证。

请注意,.htaccess 文件在我们所有的域/子域上都是相同的,而 VirtualHost 可以仅针对该子域进行配置。

带有“HTTP Basic Auth”配置部分的完整 VirtualHost 配置:

<VirtualHost *:80>
  RewriteEngine on
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]

  DocumentRoot /var/www/sub.ourdomain.co.uk/blah/www

  ServerAdmin x@ourdomain.co.uk
  ServerName sub.ourdomain.co.uk
  ServerAlias www.sub.ourdomain.co.uk

  ErrorDocument 400 /error.php
  ErrorDocument 401 /error.php
  ErrorDocument 403 /403.html
  ErrorDocument 404 /error.php
  ErrorDocument 405 /error.php
  ErrorDocument 408 /error.php
  ErrorDocument 410 /error.php
  ErrorDocument 411 /error.php
  ErrorDocument 412 /error.php
  ErrorDocument 413 /error.php
  ErrorDocument 414 /error.php
  ErrorDocument 415 /error.php
  ErrorDocument 500 /error.php
  ErrorDocument 501 /error.php
  ErrorDocument 502 /error.php
  ErrorDocument 503 /error.php
  ErrorDocument 506 /error.php

  ErrorLog /var/log/httpd/sub.ourdomain.co.uk.apache.log
  CustomLog /var/log/httpd/sub.ourdomain.co.uk.access.log combined

  <Directory "/var/www/sub.ourdomain.co.uk/blah/www">
    SetEnvIf Request_URI ^/webhook/ allow

    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk

    # Setup a deny/allow
    Order Deny,Allow
    # Deny from everyone
    Deny from all
    # except if either of these are satisfied
    Satisfy any
    # 1. a valid authenticated user
    Require valid-user
    # or 2. the "allow" var is set
    Allow from env=allow
  </Directory>
</VirtualHost>

.htaccess mod_rewrite 规则:

RewriteCond %{REQUEST_METHOD} !(^GET|^POST|^HEAD)
RewriteRule .* - [R=405,L]

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts)

RewriteRule ^(.*)$ /boot.php

RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ /boot.php

编辑 1 - 基于我也尝试过的评论:SetEnv allow trueSetEnv allow 1消除它是否是 URL 的疑问并且它仍然要求基本身份验证密码,因此它可能与 URL 无关。

编辑 2 - 添加整个 .htaccess 以确保我没有遗漏其他内容:

php_value max_input_vars 4000

RewriteEngine on

# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !(^GET|^POST|^HEAD)
RewriteRule .* - [R=405,L]

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)

RewriteRule ^(.*)$ /boot.php

RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ /boot.php

AddType font/ttf .ttf
AddType font/eot .eot
AddType font/otf .otf
AddType font/woff .woff

<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/css text/javascript application/x-javascript application/javascript text/x-component text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json font/woff font/otf font/eot font/ttf
</IfModule>

<ifModule mod_expires.c>
  ExpiresActive On
  ExpiresDefault "access plus 1 seconds"
  ExpiresByType text/html "access plus 1 seconds"
  ExpiresByType image/gif "access plus 2592000 seconds"
  ExpiresByType image/jpeg "access plus 2592000 seconds"
  ExpiresByType image/png "access plus 2592000 seconds"
  ExpiresByType text/css "access plus 604800 seconds"
  ExpiresByType font/ttf "access plus 604800 seconds"
  ExpiresByType font/eot "access plus 604800 seconds"
  ExpiresByType font/otf "access plus 604800 seconds"
  ExpiresByType font/woff "access plus 604800 seconds"
  ExpiresByType text/javascript "access plus 604800 seconds"
  ExpiresByType application/x-javascript "access plus 604800 seconds"
</ifModule>

<ifModule mod_headers.c>
  <filesMatch "\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf)$">
    Header set Cache-Control "max-age=2592000, public, proxy-revalidate"
  </filesMatch>
  <filesMatch "\\.(js|css|ttf|eot|otf|woff)$">
    Header set Cache-Control "max-age=604800, public, proxy-revalidate"
  </filesMatch>
  <filesMatch "\\.(xml|txt)$">
    Header set Cache-Control "max-age=216000, public, must-revalidate"
  </filesMatch>
</ifModule>

编辑 3 - 抱歉,应该提到我们现在停留在 Apache 2.2 上。

标签: apache.htaccessmod-rewritebasic-authentication

解决方案

使用 Apache 2.4+,您可以使用<If>表达式来禁用身份验证或使用allow from all指令来使用THE_REQUEST变量的 URI。THE_REQUEST表示发送到 Apache 的原始请求,它不会在单个请求的上下文中更新:

AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
Require valid-user
Satisfy any
Order   deny,allow
Deny from  all

<If "%{THE_REQUEST} =~ /webhook/">
Satisfy any
Allow from all
</If>

# your current mod_rewrite rules can appear below this line:
DirectoryIndex boot.php
RewriteEngine on

# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule ^ - [R=405,L]

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^ boot.php [L]

更新:这是一个使用指令在 Apache 2.2 上工作的解决方案<FilesMatch>

DirectoryIndex boot.php
RewriteEngine on

# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule ^ - [R=405,L]

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^ boot.php [L]

SetEnvIfNoCase Request_URI ^/webhook/ allow

<FilesMatch "^(?!boot\.php$).*$">
   AuthType Basic
   AuthName "Restricted Content"
   AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
   Require valid-user
   Order   Deny,Allow
   Deny from  all
   Allow from env=allow
   Satisfy any
</FilesMatch>

推荐阅读