我正在尝试通过取消设置/重置标题值来删除 /phpmyadmin 模块的限制。
在 Apache conf 文件中我有
<Directory />
Options -Indexes -FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share/phpmyadmin>
AllowOverride All
Options +Indexes
</Directory>
其次是 (这是我稍后想要覆盖的):
<IfModule mod_headers.c>
<IF "%{REQUEST_URI} !~ m#^/admin#">
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https:/$
img-src https://* data:; style-src 'self' 'unsafe-inline'; child-src https://*.facebook.com; base-uri 'none'; form-action 'self' https://c$
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header set Feature-Policy "sync-xhr 'self'; payment 'none';"
</IF>
</IfModule>
这是我的phpmyadmin.conf:
# phpMyAdmin default Apache configuration
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options SymLinksIfOwnerMatch
DirectoryIndex index.php
AllowOverride All
<IfModule mod_php5.c>
<IfModule mod_mime.c>
AddType application/x-httpd-php .php
</IfModule>
<FilesMatch ".+\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/p$
php_admin_value mbstring.func_overload 0
</IfModule>
<IfModule mod_php.c>
<IfModule mod_mime.c>
AddType application/x-httpd-php .php
</IfModule>
<FilesMatch ".+\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/p$
php_admin_value mbstring.func_overload 0
</IfModule>
</Directory>
# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
<IfModule mod_authz_core.c>
<IfModule mod_authn_file.c>
AuthType Basic
AuthName "phpMyAdmin Setup"
AuthUserFile /etc/phpmyadmin/htpasswd.setup
</IfModule>
Require valid-user
</IfModule>
</Directory>
# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
Require all denied
</Directory>
最后/usr/share/phpmyadmin/.htaccess:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user
<IfModule mod_headers.c>
Header unset Content-Security-Policy
Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline';$
</IfModule>
php_value upload_max_filesize 100M
php_value post_max_size 100M
php_value max_execution_time 200
php_value max_input_time 200
当我看到响应头时,浏览器中的结果如下:
Cache-Control: private, max-age=10800
Content-Encoding: gzip
Content-Security-Policy: default-src 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://counter.top.ge https://connect.facebook.net; connect-src 'self'; img-src https://* data:; style-src 'self' 'unsafe-inline'; child-src https://*.facebook.com; base-uri 'none'; form-action 'self' https://cse.google.com; frame-ancestors 'none'; report-uri /csp-report.php;
Content-Type: text/javascript; charset=UTF-8
Date: Tue, 28 Apr 2020 19:30:27 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
您可以看到内容安全政策指令有两次,我需要的是第一个,但是默认的服务器范围的配置会覆盖它。
任何帮助,将不胜感激。