我有一个需要身份验证的 apache 服务器,但有一些调用需要允许所有人使用。
这些调用的开关基于查询字符串,例如:
/foo/api.php?Token=123&Task=DoStuff&Result=json
我教过使用 LocationMatch 这会起作用,所以我制定了这个配置:
<LocationMatch ^/foo/api.php\?.*(Task=DoStuff).*>
Order Allow,Deny
Allow from All
</LocationMatch>
但这并不能让我通过身份验证(这意味着我得到 401)。
如果我只是过滤 ^/foo/api.php
我就通过了身份验证,但这不够严格。
有人知道如何配置它来检查查询字符串中的任务参数吗?
对于身份验证,我们使用 kerberos,这是在整个站点上强制执行的 这是我们的路缘配置
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Directory /var/www/html>
Options FollowSymLinks
AllowOverride All
AuthType Kerberos
Require valid-user
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms FOO.LOCAL
KrbServiceName HTTP/server.foo.local@foo.LOCAL
Krb5KeyTab /etc/httpd/conf/http.keytab
Satisfy Any
Order deny,allow
Deny from all
Allow from 192.168.72.90
Allow from 192.168.72.91
Allow from 192.168.72.94
Allow from 192.168.72.95
Allow from 127.0.0.1
</Directory>
最佳答案
正如您可以阅读的那样 here :
The <Location>, <LocationMatch>, <Directory> and <DirectoryMatch> Apache directives allow us to apply authentication/authorization to specific patterns of resources with a high degree of specificity, but do not give us that control down to the query-string level.
因此,您必须使用 mod_rewrite实现您的目标。
例如:
RewriteEngine on
RewriteCond %{QUERY_STRING} Task=DoStuff
RewriteRule ^/foo/api.php - [E=no_auth_required:1]
<LocationMatch ^/foo/api.php>
Order allow,deny
Allow from env=no_auth_required
AuthType Basic
AuthName "Login Required"
AuthUserFile /var/www/foo/.htpasswd
require valid-user
Satisfy Any
</LocationMatch>
更新
您已经说过:
If I just filter ^/foo/api.php I get passed the authentication, but this isn't strict enough.
然后,尝试将以下行添加到您的配置中:
RewriteEngine on
RewriteCond %{QUERY_STRING} Task=DoStuff
RewriteRule ^/foo/api.php - [E=no_auth_required:1]
<LocationMatch ^/foo/api.php>
Order allow,deny
Allow from env=no_auth_required
</LocationMatch>
关于基于查询字符串的 Apache 权限,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/14648078/