Ubuntu Apache2 安全目录问题

Ubuntu Apache2 安全目录问题

我一直在尝试使用 Apache2 2.2.22 阻止对 Ubuntu 13.04 上的 WordPress wp-admin 和 wp-includes 目录的访问。首先,我尝试使用 .htaccess 执行此操作,但由于某种原因,它不起作用,但在阅读Apache 文档他们建议不要这么做。所以我改用了他们的建议,将其放在<directory>conf 文件的部分中。你能看出我在这里做错了什么吗?

  • 阻止访问目录的最佳方法是什么?
  • 防止访问单个文件的最佳方法是什么?
  • 如何让服务器强制执行规则,例如防止 .htaccess 访问以及防止访问 vserver.conf 下列出的版本控制目录?

以下是我的 vserver.conf 文件。

<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /var/www/domain/
    ServerName domain.com
    ServerAlias www.domain.com
<Directory "/var/www/domain/">
    # WordPress Permalink Configuration
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # wp-include rules remove if multisite
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>
    # END WordPress

    Options FollowSymLinks
    Order allow,deny
    allow from all
</Directory>

<Directory "/var/www/domain/wp-admin">
    Order Deny,Allow
    Deny from all
    # whitelist server IP for use with SSH tunel
    Allow from 192.168.0.1
    # whitelist home IP address
    Allow from 192.168.1.1
</Directory>

<Directory "/var/www/domain/wp-content/plugins/akismet">
    Order Deny,Allow
    Deny from all

    <FilesMatch "^akismet\.(css|js)$">
    Allow from all
    </FilesMatch>
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error-domain.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access-domain.log combined
</VirtualHost>

另外,在 apache2.conf 中也有此规则阻止访问 .htaccess,但我仍然可以从浏览器访问该文件。

AccessFileName .htaccess

# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

conf.d/security 中有一条规则可以防止访问版本控制,从而生成 500 错误,而不是 404 或 403

# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for git:
#
<DirectoryMatch "/\.git">
Require all denied
</DirectoryMatch>

可用的模组如下:

actions          authn_alias      authn_file       authz_host       cern_meta        dav_fs           disk_cache       fcgid            imagemap         mem_cache        php5_cgi         proxy_ftp        setenvif         suexec
alias            authn_anon       authnz_ldap      authz_owner      cgi              dav_lock         dump_io          file_cache       include          mime             proxy            proxy_http       speling          unique_id
asis             authn_dbd        authz_dbm        authz_user       cgid             dbd              env              filter           info             mime_magic       proxy_ajp        proxy_scgi       ssl              userdir
auth_basic       authn_dbm        authz_default    autoindex        charset_lite     deflate          expires          headers          ldap             negotiation      proxy_balancer   reqtimeout       status           usertrack
auth_digest      authn_default    authz_groupfile  cache            dav              dir              ext_filter       ident            log_forensic     php5             proxy_connect    rewrite          substitute       vhost_alias

并且启用了以下模式:

actions.conf  alias.conf  authz_host.load  deflate.conf  dir.conf  env.load  headers.load  mime.load  php5.load    reqtimeout.load  setenvif.conf  status.conf
actions.load  alias.load  cgi.load     deflate.load  dir.load  expires.load  mime.conf     php5.conf  reqtimeout.conf  rewrite.load     setenvif.load  status.load

如您所见,没有可用的 mod_access。

答案1

mod_access 是否启用? http://httpd.apache.org/docs/2.0/mod/mod_access.html

我首先想到的猜测是,不是。这很奇怪。我见过的大多数 apache 版本都带有编译好的 mod_access...

答案2

您可以通过指定来保护您的目录DirectoryIndex

<Directory somepath/wp-admin>
   DirectoryIndex /pathtosomefilesay/404.html
</Directory>

404.html因此在上述情况下,每当您尝试访问多余的 wp-admin 目录时,它都会返回。您还可以指定允许哪些人访问。希望这能有所帮助

相关内容