我有一个“规则”,httpd.conf
如果有人试图访问安装了 wordpress 的任何域的部分,就会弹出一个窗口wp-admin
。通过此规则,我可以阻止引导程序访问 wp-admin 文件夹并阻止暴力攻击。
# BEGIN BLOCK-WP-ADMIN-ATTACK
<Files wp-login.php>
AuthType basic
AuthName "EN: Human Check - U: human P: letmein"
AuthBasicProvider file
AuthUserFile /home/wp-admin-attack-htpasswd-file
Require valid-user
ErrorDocument 401 "<center><h1>Warning!</h1>You failed to authenticate.<p><br />Extra security has been temporarily enabled due to an ongoing attack against Wordpress logins on this server.<br /> <b>If you are a real user, please refresh the page and enter the username and password that are provided on the pop-up.</b><p>If you are still having troubles, please contact your hosting provider.</center>"
</Files>
# END BLOCK-WP-ADMIN-ATTACK #
该规则正常运行,但现在我想“允许”一个域,因此该规则不适用于该域。
答案1
我认为你应该能够使用SetEnvIf
执行此操作。这尚未经过测试,但可能会为您指明正确的方向:
# set env ALLOWED if hostname is either example.com or
# the client ip is 192.168.0.1
SetEnvIf Host example\.com ALLOWED
SetEnvIf Remote_Addr 192.168.0.1 ALLOWED
# if ALLOWED is not set display the password prompt
<IfDefine !ALLOWED>
<Files wp-login.php>
AuthType basic
AuthName "EN: Human Check - U: human P: letmein"
AuthBasicProvider file
AuthUserFile /home/wp-admin-attack-htpasswd-file
Require valid-user
ErrorDocument 401 "<center><h1>Warning!</h1>You failed to authenticate.<p><br />Extra security has been temporarily enabled due to an ongoing attack against Wordpress logins on this server.<br /> <b>If you are a real user, please refresh the page and enter the username and password that are provided on the pop-up.</b><p>If you are still having troubles, please contact your hosting provider.</center>"
</Files>
</IfDefine>
答案2
我会坚持satisfy any
。这是一个可行的概念验证:
<Files wp-login.php>
Satisfy Any
Order deny,allow
Deny from all
Allow from example.org
AuthType basic
AuthName "EN: Human Check - U: human P: letmein"
AuthBasicProvider file
AuthUserFile /home/wp-admin-attack-htpasswd-file
Require valid-user
#ErrorDocument here
</Files>
答案3
您可以使用satisfy any
指令
<VirtualHost *:80>
# [ Server Domain ]
ServerName the.domaine.allowed
# [ Server Root ]
DocumentRoot /var/www/
# [ Pass Through Auth]
<Files wp-login.php>
satisfy any
</Files>
<VirtualHost>