I have set up a WebDAV server with Apache on Ubuntu 22.04. This is my configuration file in the sites-enabled folder, and it works as follows:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin %%EMAIL%%
ServerName %%DOMAIN%%
DocumentRoot %%PATH%%
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /webdav /var/www/webdav
<Directory /var/www/webdav>
DAV On
AuthType Digest
AuthName "webdav"
AuthUserFile /usr/local/apache/var/users.password
Require valid-user
SetHandler None
Options None
AllowOverride None
</Directory>
SSLCertificateFile /etc/letsencrypt/live/%%DOMAIN%%/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/%%DOMAIN%%/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
The problem is that it allows adding php files, for instance, and they can be executed by calling or editing them through WebDAV. This is obviously a security issue.
I tried adding:
<FilesMatch "\.(php|jsp|cgi|pl|py)$">
Order Allow,Deny
Deny from all
</FilesMatch>
either inside or outside the Directory tag, but after restarting apache, or even the whole server, I get a 403 Forbidden when trying to connect with cadaver:
cadaver %%URL%%
Authentication required for webdav on server `%%URL%%':
Username: %%USERNAME%%
Password: %%PASSWORD%%
Could not open collection:
403 Forbidden
dav:/webdav/?
Whereas when I remove the FilesMatch tag, I get no error and can connect.
Here is the apache2 error log when restarting apache with the FilesMatch tag added (this log also appears if I remove the FilesMatch tag):
[Sun Sep 03 20:14:01.728312 2023] [mpm_prefork:notice] [pid 1259] AH00169: caught SIGTERM, shutting down
[Sun Sep 03 20:14:01.821721 2023] [mpm_prefork:notice] [pid 1465] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Sun Sep 03 20:14:01.821792 2023] [core:notice] [pid 1465] AH00094: Command line: '/usr/sbin/apache2'
Here are the logs when I try to connect (there are no such logs if I remove the FilesMatch tag):
[Sun Sep 03 20:15:40.271797 2023] [access_compat:error] [pid 1467] [client %%IP%%:44836] AH01797: client denied by server configuration: /var/www/webdav/index.cgi
[Sun Sep 03 20:15:40.271967 2023] [access_compat:error] [pid 1467] [client %%IP%%:44836] AH01797: client denied by server configuration: /var/www/webdav/index.pl
[Sun Sep 03 20:15:40.272037 2023] [access_compat:error] [pid 1467] [client %%IP%%:44836] AH01797: client denied by server configuration: /var/www/webdav/index.php
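As an added example, not the question's own configuration: a version of the Directory block that keeps the script deny rule but stops the collection itself from being rejected. It assumes that the 403 is raised because mod_dir probes the DirectoryIndex candidates on the collection (index.cgi, index.pl and index.php are exactly the paths in the log above) and those subrequests hit the deny rule; the directives used are standard Apache 2.4.

```apache
<Directory /var/www/webdav>
    DAV On
    AuthType Digest
    AuthName "webdav"
    AuthUserFile /usr/local/apache/var/users.password
    Require valid-user
    SetHandler None
    Options None
    AllowOverride None

    # Assumption: the denied index.cgi/index.pl/index.php subrequests in the
    # error log come from mod_dir looking for a DirectoryIndex file. Turning
    # the lookup off for this directory means the collection itself no longer
    # trips the deny rule below ("disabled" is accepted since Apache 2.4.8).
    DirectoryIndex disabled

    # Reject any request for script-looking names. Require applies to every
    # method, so this also refuses PUT of such files, not only GET/execution.
    # Uses the 2.4 authorization syntax instead of Order/Deny, so it does not
    # depend on mod_access_compat being loaded.
    <FilesMatch "\.(php|jsp|cgi|pl|py)$">
        Require all denied
    </FilesMatch>
</Directory>
```

With Options None and DirectoryIndex disabled, a plain browser GET of /webdav/ will return 403 (no index file and no autoindex), while DAV methods such as PROPFIND used by cadaver are unaffected. If the files must remain storable and downloadable and only execution is the concern, the alternative is to make sure no PHP handler is mapped for this directory (for mod_php, php_admin_flag engine off) rather than denying access to them.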