我一直在尝试使用 Apache2 2.2.22 阻止对 Ubuntu 13.04 上的 WordPress wp-admin 和 wp-includes 目录的访问。首先,我尝试使用 .htaccess 执行此操作,但由于某种原因,它不起作用,但在阅读Apache 文档他们建议不要这么做。所以我改用了他们的建议,将其放在<directory>conf 文件的部分中。你能看出我在这里做错了什么吗?
- 阻止访问目录的最佳方法是什么?
- 防止访问单个文件的最佳方法是什么?
- 如何让服务器强制执行规则,例如防止 .htaccess 访问以及防止访问 vserver.conf 下列出的版本控制目录?
以下是我的 vserver.conf 文件。
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /var/www/domain/
ServerName domain.com
ServerAlias www.domain.com
<Directory "/var/www/domain/">
# WordPress Permalink Configuration
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# wp-include rules remove if multisite
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# END WordPress
Options FollowSymLinks
Order allow,deny
allow from all
</Directory>
<Directory "/var/www/domain/wp-admin">
Order Deny,Allow
Deny from all
# whitelist server IP for use with SSH tunel
Allow from 192.168.0.1
# whitelist home IP address
Allow from 192.168.1.1
</Directory>
<Directory "/var/www/domain/wp-content/plugins/akismet">
Order Deny,Allow
Deny from all
<FilesMatch "^akismet\.(css|js)$">
Allow from all
</FilesMatch>
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error-domain.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access-domain.log combined
</VirtualHost>
另外,在 apache2.conf 中也有此规则阻止访问 .htaccess,但我仍然可以从浏览器访问该文件。
AccessFileName .htaccess
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy all
</Files>
conf.d/security 中有一条规则可以防止访问版本控制,从而生成 500 错误,而不是 404 或 403
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for git:
#
<DirectoryMatch "/\.git">
Require all denied
</DirectoryMatch>
可用的模组如下:
actions authn_alias authn_file authz_host cern_meta dav_fs disk_cache fcgid imagemap mem_cache php5_cgi proxy_ftp setenvif suexec
alias authn_anon authnz_ldap authz_owner cgi dav_lock dump_io file_cache include mime proxy proxy_http speling unique_id
asis authn_dbd authz_dbm authz_user cgid dbd env filter info mime_magic proxy_ajp proxy_scgi ssl userdir
auth_basic authn_dbm authz_default autoindex charset_lite deflate expires headers ldap negotiation proxy_balancer reqtimeout status usertrack
auth_digest authn_default authz_groupfile cache dav dir ext_filter ident log_forensic php5 proxy_connect rewrite substitute vhost_alias
并且启用了以下模式:
actions.conf alias.conf authz_host.load deflate.conf dir.conf env.load headers.load mime.load php5.load reqtimeout.load setenvif.conf status.conf
actions.load alias.load cgi.load deflate.load dir.load expires.load mime.conf php5.conf reqtimeout.conf rewrite.load setenvif.load status.load
如您所见,没有可用的 mod_access。
答案1
mod_access 是否启用? http://httpd.apache.org/docs/2.0/mod/mod_access.html
我首先想到的猜测是,不是。这很奇怪。我见过的大多数 apache 版本都带有编译好的 mod_access...
答案2
您可以通过指定来保护您的目录DirectoryIndex
<Directory somepath/wp-admin>
DirectoryIndex /pathtosomefilesay/404.html
</Directory>
404.html因此在上述情况下,每当您尝试访问多余的 wp-admin 目录时,它都会返回。您还可以指定允许哪些人访问。希望这能有所帮助