我在 apache 中先有这一行
<LocationMatch "\.\.;">
RewriteEngine On
RewriteRule .* / [L,R=403]
</LocationMatch>
我正在尝试避免这里提到的问题:https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/
问题是,一些类似这样的指令不再暴露这个问题:
<Location "/AXIS/">
ProxyPass ajp://127.0.0.1:8009/AXIS/
ProxyPassReverse ajp://127.0.0.1:8009/AXIS/
</Location>
但其他人确实表现出同样的问题,就像我的规则被忽略一样。一些例子:
<Location "/WS/">
RewriteEngine On
RewriteCond %{ENV:X_SESSIONREF} (.+)
RewriteRule . - [E=SREF:%1,NS]
RequestHeader set X_SESSIONREF "%{SREF}e" env=SREF
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU2:%1,NS]
RequestHeader set REMOTE_USER "%{RU2}e" env=RU2
ProxyPass ajp://127.0.0.1:8009/WS/
ProxyPassReverse ajp://127.0.0.1:8009/WS/
</Location>
<Location "/rest/">
RewriteEngine On
RewriteCond %{ENV:X_SESSIONREF} (.+)
RewriteRule . - [E=SREF:%1,NS]
RequestHeader set X_SESSIONREF "%{SREF}e" env=SREF
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU2:%1,NS]
RequestHeader set REMOTE_USER "%{RU2}e" env=RU2
RewriteCond %{ENV:X_SESSION} (.+)
RewriteRule . - [E=ASSESS:%1,NS]
RequestHeader set X_SESSION "%{ASSESS}e" env=ASSESS
ProxyPass ajp://127.0.0.1:8009/rest/
ProxyPassReverse ajp://127.0.0.1:8009/rest/
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 405 default
ErrorDocument 406 default
ErrorDocument 409 default
ErrorDocument 500 default
ErrorDocument 502 default
ErrorDocument 503 default
</Location>
答案1
如果 apache 配置文件中的指令被读取为像包含文件一样:这意味着最后一个选择(以“z”开头的文件)是加载的文件。
您能否尝试将现在避免的指令放在最后包含的配置文件的末尾?根据文档,它应该会重载第一次遇到的指令:
https://httpd.apache.org/docs/current/howto/htaccess.html#related