We have an Apache 2 server that serves a PHP application and uses Kerberos authentication. We developed an API inside that PHP application which we want to reach without Kerberos authentication, but we cannot manage to exclude the API from Apache's authentication mechanism.
Our previous Apache configuration, before the API:
DocumentRoot /var/www/html/public
<Directory />
    AllowOverride None
    Order Allow,Deny
    Allow from All
    Header always append X-Frame-Options "DENY"
    Header always append X-Content-Type-Options "nosniff"
    Require valid-user
    AuthType GSSAPI
    AuthName "Kerberos Authentication"
    GssapiCredStore keytab:/etc/krb5.keytab
    GssapiAcceptorName HTTP
    GssapiAllowedMech krb5
    GssapiBasicAuth off
    GssapiNegotiateOnce On
    GssapiLocalName On
    <LimitExcept GET POST OPTIONS>
        Require all denied
    </LimitExcept>
    FallbackResource /index.php
</Directory>
Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log proxy
To serve the API without authentication we tried:
DocumentRoot /var/www/html/public
<Directory />
    AllowOverride None
    Order Allow,Deny
    Allow from All
    Header always append X-Frame-Options "DENY"
    Header always append X-Content-Type-Options "nosniff"
    Require valid-user
    AuthType GSSAPI
    AuthName "Kerberos Authentication"
    GssapiCredStore keytab:/etc/krb5.keytab
    GssapiAcceptorName HTTP
    GssapiAllowedMech krb5
    GssapiBasicAuth off
    GssapiNegotiateOnce On
    GssapiLocalName On
    <LimitExcept GET POST OPTIONS>
        Require all denied
    </LimitExcept>
    FallbackResource /index.php
</Directory>
<Location /api/>
    Allow from All
    AuthType None
    Require all granted
    Satisfy any
    FallbackResource /index.php
</Location>
Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log proxy
But it does not work: in the Apache log we can see that auth_gssapi is still waiting for authentication data, even when /api is requested:
[Tue Jan 30 10:32:14.500425 2024] [auth_gssapi:info] [pid 25] [client] NO AUTH DATA Client did not send any authentication headers
[Tue Jan 30 10:32:14.506344 2024] [ssl:info] [pid 22] [client] AH01964: Connection to child 1 established (server)
I did try to filter out our API path with LocationMatch:
<LocationMatch "^/(?!api)">
    #AllowOverride None
    Order Allow,Deny
    Allow from All
    Header always append X-Frame-Options "DENY"
    Header always append X-Content-Type-Options "nosniff"
    Require valid-user
    AuthType GSSAPI
    AuthName "Kerberos Authentication"
    GssapiCredStore keytab:/etc/krb5.keytab
    GssapiAcceptorName HTTP
    GssapiAllowedMech krb5
    GssapiBasicAuth off
    GssapiNegotiateOnce On
    GssapiLocalName On
    <LimitExcept GET POST OPTIONS>
        Require all denied
    </LimitExcept>
    FallbackResource /index.php
</LocationMatch>
<Location /api>
    SetEnvIf Request_URI "^/api" noauth
    Allow from All
    AuthType None
    Require env noauth
    Satisfy any
    FallbackResource /index.php
</Location>
I also tried putting the GSSAPI authentication block inside an <If>:
<Directory />
    <If "! %{REQUEST_URI} =~ /api/">
        Require valid-user
        AuthType GSSAPI
        AuthName "Kerberos Authentication"
        GssapiCredStore keytab:/etc/krb5.keytab
        GssapiAcceptorName HTTP
        GssapiAllowedMech krb5
        GssapiBasicAuth off
        GssapiNegotiateOnce On
        GssapiLocalName On
    </If>
    Order Allow,Deny
    Allow from All
    Header always append X-Frame-Options "DENY"
    Header always append X-Content-Type-Options "nosniff"
    <LimitExcept GET POST OPTIONS>
        Require all denied
    </LimitExcept>
    FallbackResource /index.php
</Directory>
But no luck there either. Maybe I am missing something about Apache's logic; any idea how to disable authentication for this specific path?
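An added example, not part of the question above and not the poster's configuration: one Apache 2.4 layout that keeps Kerberos on the site while serving /api/ without it. It assumes Apache 2.4 with mod_auth_gssapi, mod_alias, mod_headers and mod_authz_core loaded, and takes the paths from the question (DocumentRoot /var/www/html/public, /index.php as the PHP front controller). Two things in it go beyond the question. First, my reading of why all three attempts fail, an assumption the question does not confirm: FallbackResource /index.php internally redirects a request for /api/... that maps to no file to /index.php, and that URI lies outside /api/, so Apache evaluates authentication again under the Kerberos-protected configuration and mod_auth_gssapi logs NO AUTH DATA for the redirected request; the example therefore keeps the fallback URI inside /api/ by aliasing /api/index.php onto the front controller. Second, it replaces the mod_access_compat directives (Order, Allow, Satisfy) with 2.4 Require syntax and expresses the method restriction with Require method inside RequireAll, because several Require lines in one section form an implicit RequireAny, so a Require all denied inside LimitExcept next to Require valid-user is OR-ed with it rather than enforced.

```apache
# Added example (not the configuration from the question). Assumes Apache 2.4
# with mod_auth_gssapi, mod_alias, mod_headers and mod_authz_core, and the
# paths from the question: DocumentRoot /var/www/html/public, front
# controller /index.php.
DocumentRoot /var/www/html/public

# 2.4 style: no Order/Allow/Satisfy (those belong to mod_access_compat).
# Deny the filesystem root and open only the document root, as the stock
# 2.4 configuration does, instead of "Allow from All" on <Directory />.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Kerberos for everything served from the document root, /index.php included.
<Directory /var/www/html/public>
    AllowOverride None
    AuthType GSSAPI
    AuthName "Kerberos Authentication"
    GssapiCredStore keytab:/etc/krb5.keytab
    GssapiAcceptorName HTTP
    GssapiAllowedMech krb5
    GssapiBasicAuth off
    GssapiNegotiateOnce On
    GssapiLocalName On
    # Both conditions must hold: an allowed method AND an authenticated user.
    # Multiple Require lines in one section are an implicit RequireAny, so
    # "Require all denied" inside <LimitExcept> beside "Require valid-user"
    # would be OR-ed with it; RequireAll makes the intent explicit.
    <RequireAll>
        Require method GET POST OPTIONS
        Require valid-user
    </RequireAll>
    FallbackResource /index.php
</Directory>

# The public API. Location sections are merged after Directory sections, so
# this overrides the Directory settings for every URI under /api/.
# "AuthType None" plus a Require that needs no user is the pattern the
# AuthType documentation shows for switching authentication off below a
# protected area; mod_auth_gssapi declines when AuthType is not GSSAPI.
<Location /api/>
    AuthType None
    Require method GET POST OPTIONS
    # Keep the fallback URI inside /api/ so the internally redirected request
    # is still covered by this section and not by the Kerberos one above
    # (assumption: that re-evaluation is what produced NO AUTH DATA).
    FallbackResource /api/index.php
</Location>

# /api/index.php is not a real file; map it onto the front controller without
# changing the request URI. Assumption: the PHP application tolerates
# SCRIPT_NAME=/api/index.php; a framework that derives its base path from
# SCRIPT_NAME may need its router adjusted.
Alias /api/index.php /var/www/html/public/index.php

# Security headers in server context so they apply to every response.
Header always append X-Frame-Options "DENY"
Header always append X-Content-Type-Options "nosniff"
# Directives in the HSTS value are separated by semicolons. The browser
# preload list requires max-age of at least 31536000 (one year); 600 is
# fine for testing but "preload" has no effect at that value.
Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"

ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log proxy
```

To check the result after apachectl configtest and a reload: a request such as curl -sI https://HOST/api/anything (HOST being a placeholder) should come back with the API's own status and no WWW-Authenticate: Negotiate header, while curl -sI https://HOST/ should still answer 401 with WWW-Authenticate: Negotiate, and a PUT to either path should be refused with 403 rather than reaching PHP. If the first request still shows NO AUTH DATA in error.log, the fallback is still crossing back into the Kerberos-protected configuration and the Alias line or the FallbackResource target is not taking effect.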