doucuo1642
2014-01-23 06:42
浏览 47
已采纳

.htaccess和web.config目录访问阻塞可靠吗?

I need to completely block the access of some directories of my PHP application.

This is how my application file system looks like:

www
├── core
│   ├── .htaccess
│   └── many .php files
│
├── logs
│   ├── .htaccess
│   └── many .log files
│
├── .htaccess
├── index.php
└── web.config

both www/core/.htaccess and www/logs/.htaccess look exactly the same:

deny from all

www/.htaccess is as described:

#   Friendly-url definitions
RewriteEngine On
RewriteCond %{REQUEST_URI} /+[^\.]+$ 
RewriteRule ^(.*[^/])$ %{REQUEST_URI}/ [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /index.php [L]

Also, my web.config for IIS servers:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <add segment="core"/>
                    <add segment="settings"/>
                    <add segment="logs"/>
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Is this enough?

I used to put in all my PHP include files a "index.php existence" verification before any other code to make sure it wouldn't be directly accessed. If the file were directly accessed, it'd return 404. But I want to get rid of those annoying verification lines.

Now, with all those .htaccess files, when I try to directly access a file in one of those folders my request is completely "ignored" and www/index.php is executed - much better than a 404-error.

But, is this enough? Can I fearless rely on .htaccess and remove all those index-verification repetitiveness? What about web.config for IIS?

PS: As the application is being made to run in all server configurations possible, I cannot guarantee the possibility of putting those directories outside www. Also, it is required to work in both Apache and IIS servers.

  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • duanpo7282 2014-01-23 08:11
    已采纳

    It depends on whether "enough" is good enough for you. For the most part, the deny from all is good enough.

    Depending on the server setup, or your scripts, a possible to exploit in one of those things that could cause the htaccess file from being overwritten. So in apache, you can setup the rules in your server/vhost config instead of htaccess files.

    The best way is probably still moving the sensitive files out of your document root.

    已采纳该答案
    评论
    解决 无用
    打赏 举报

相关推荐 更多相似问题