我有以下 httpd.conf 文件,用于测试X-Forwarded-For标头 IP 白名单。请注意,该conf.d目录为空:
Include conf.modules.d/*.conf
ServerRoot "/etc/httpd"
Listen 80
Listen 443
User dev
Group dev
ServerAdmin root@localhost
ServerName my-httpd-server
<Directory />
AllowOverride none
Require all denied
</Directory>
<Files ".ht*">
Require all denied
</Files>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
DocumentRoot "/var/www/html"
<Directory "/var/www">
AllowOverride None
Require all granted
</Directory>
<Directory "/var/www/html">
Options -Indexes +FollowSymLinks
AllowOverride None
LogLevel debug
Order deny,allow
Deny from all
#Satisfy any
SetEnvIf X-Forwarded-For ^171.159.192.10 letmein
Allow from env=letmein
Satisfy any
</Directory>
IncludeOptional conf.d/*.conf
当我使用 cURL 来获取该服务器的本地页面时,无论 XFF 标头如何,它都可以正常工作:
curl -H 'X-Forwarded-For: 8.8.8.8' http://localhost
curl http://localhost
这些工作,但在错误日志中打印以下内容(这些请求应该不行):
[Mon Dec 17 10:24:53.346021 2018] [access_compat:error] [pid 12] [client 172.17.0.1:49010] AH01797: client denied by server configuration: /var/www/html/
[Mon Dec 17 10:24:53.346614 2018] [authz_core:debug] [pid 12] mod_authz_core.c(809): [client 172.17.0.1:49010] AH01626: authorization result of Require all granted: granted
[Mon Dec 17 10:24:53.347603 2018] [authz_core:debug] [pid 12] mod_authz_core.c(809): [client 172.17.0.1:49010] AH01626: authorization result of <RequireAny>: granted
来自白名单 IP 的以下请求有效,但没有日志记录噪音:
curl -H 'X-Forwarded-For: 171.159.192.10' http://localhost:8181/
是什么原因导致本应返回网页的请求失败?我收到消息称根据配置应该拒绝该请求?
答案1
我认为您需要将satisfy any位更改为satisfy all。这指的是如果用户满足身份验证或访问要求,则允许用户通过。由于我没有看到设置了 authtype,因此默认为允许AuthType none他们通过。 satisfy all意味着需要满足身份验证和访问要求。