apache - 从 HTTP 基本身份验证中排除特定 URL - mod_rewrite 导致问题
问题描述
我们在我们的某个子域上有“HTTP Basic Auth”,但希望允许一切访问该子域上的特定 URL 而无需进行身份验证(对于点击我们的 webhook URL 的第 3 方)。
所以我尝试使用SetEnvIf Request_URI ^/webhook/ allow
to allow with Allow from env=allow
(下面的完整文件),但似乎因为我们有一些 mod_rewrite 规则将所有这些 URL 重写为 PHP 入口点,所以 Request_URI 一旦到达这一点,就永远不会真正 /webhook (猜测但不知道如何100%确认这一点。
无论 URL 是什么,它仍然要求基本的身份验证用户/通行证。
请注意,.htaccess 文件在我们所有的域/子域上都是相同的,而 VirtualHost 可以仅针对该子域进行配置。
带有“HTTP Basic Auth”配置部分的完整 VirtualHost 配置:
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
DocumentRoot /var/www/sub.ourdomain.co.uk/blah/www
ServerAdmin x@ourdomain.co.uk
ServerName sub.ourdomain.co.uk
ServerAlias www.sub.ourdomain.co.uk
ErrorDocument 400 /error.php
ErrorDocument 401 /error.php
ErrorDocument 403 /403.html
ErrorDocument 404 /error.php
ErrorDocument 405 /error.php
ErrorDocument 408 /error.php
ErrorDocument 410 /error.php
ErrorDocument 411 /error.php
ErrorDocument 412 /error.php
ErrorDocument 413 /error.php
ErrorDocument 414 /error.php
ErrorDocument 415 /error.php
ErrorDocument 500 /error.php
ErrorDocument 501 /error.php
ErrorDocument 502 /error.php
ErrorDocument 503 /error.php
ErrorDocument 506 /error.php
ErrorLog /var/log/httpd/sub.ourdomain.co.uk.apache.log
CustomLog /var/log/httpd/sub.ourdomain.co.uk.access.log combined
<Directory "/var/www/sub.ourdomain.co.uk/blah/www">
SetEnvIf Request_URI ^/webhook/ allow
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "allow" var is set
Allow from env=allow
</Directory>
</VirtualHost>
.htaccess mod_rewrite 规则:
RewriteCond %{REQUEST_METHOD} !(^GET|^POST|^HEAD)
RewriteRule .* - [R=405,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts)
RewriteRule ^(.*)$ /boot.php
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ /boot.php
编辑 1 - 基于我也尝试过的评论:SetEnv allow true
并SetEnv allow 1
消除它是否是 URL 的疑问并且它仍然要求基本身份验证密码,因此它可能与 URL 无关。
编辑 2 - 添加整个 .htaccess 以确保我没有遗漏其他内容:
php_value max_input_vars 4000
RewriteEngine on
# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !(^GET|^POST|^HEAD)
RewriteRule .* - [R=405,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^(.*)$ /boot.php
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ /boot.php
AddType font/ttf .ttf
AddType font/eot .eot
AddType font/otf .otf
AddType font/woff .woff
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/css text/javascript application/x-javascript application/javascript text/x-component text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json font/woff font/otf font/eot font/ttf
</IfModule>
<ifModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType text/html "access plus 1 seconds"
ExpiresByType image/gif "access plus 2592000 seconds"
ExpiresByType image/jpeg "access plus 2592000 seconds"
ExpiresByType image/png "access plus 2592000 seconds"
ExpiresByType text/css "access plus 604800 seconds"
ExpiresByType font/ttf "access plus 604800 seconds"
ExpiresByType font/eot "access plus 604800 seconds"
ExpiresByType font/otf "access plus 604800 seconds"
ExpiresByType font/woff "access plus 604800 seconds"
ExpiresByType text/javascript "access plus 604800 seconds"
ExpiresByType application/x-javascript "access plus 604800 seconds"
</ifModule>
<ifModule mod_headers.c>
<filesMatch "\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf)$">
Header set Cache-Control "max-age=2592000, public, proxy-revalidate"
</filesMatch>
<filesMatch "\\.(js|css|ttf|eot|otf|woff)$">
Header set Cache-Control "max-age=604800, public, proxy-revalidate"
</filesMatch>
<filesMatch "\\.(xml|txt)$">
Header set Cache-Control "max-age=216000, public, must-revalidate"
</filesMatch>
</ifModule>
编辑 3 - 抱歉,应该提到我们现在停留在 Apache 2.2 上。
解决方案
使用 Apache 2.4+,您可以使用<If>
表达式来禁用身份验证或使用allow from all
指令来使用THE_REQUEST
变量的 URI。THE_REQUEST
表示发送到 Apache 的原始请求,它不会在单个请求的上下文中更新:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
Require valid-user
Satisfy any
Order deny,allow
Deny from all
<If "%{THE_REQUEST} =~ /webhook/">
Satisfy any
Allow from all
</If>
# your current mod_rewrite rules can appear below this line:
DirectoryIndex boot.php
RewriteEngine on
# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule ^ - [R=405,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^ boot.php [L]
更新:这是一个使用指令在 Apache 2.2 上工作的解决方案<FilesMatch>
:
DirectoryIndex boot.php
RewriteEngine on
# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule ^ - [R=405,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^ boot.php [L]
SetEnvIfNoCase Request_URI ^/webhook/ allow
<FilesMatch "^(?!boot\.php$).*$">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
Require valid-user
Order Deny,Allow
Deny from all
Allow from env=allow
Satisfy any
</FilesMatch>