htaccess order allow,deny / deny from all: confused?

Problem description:

In my .htaccess, I have the following:

<Limit GET POST>
    order deny,allow
    deny from all
    allow from all
</Limit>
<Limit PUT DELETE>
    order deny,allow
    deny from all
</Limit>
<Files .htaccess>
    order allow,deny
    deny from all
</Files>

Now, am I just stupid or is something wrong? I looked online and in the Apache documentation and don't understand the limit get post put delete etc., but I put it in thinking that, whatever it's doing, it is saying to allow and then, after allowing, it is denying again? It just does not make sense to me, and I am not sure if I should remove it from .htaccess or correct it if wrong. I guess the third one means deny access to the .htaccess file, but this order allow then deny seems like it first allows and then immediately denies.

This is a quite confusing way of using Apache configuration directives.

Technically, the first bit is equivalent to

Allow From All

This is because Order Deny,Allow makes the Deny directives get evaluated before the Allow directives. In this case, Deny and Allow conflict with each other, but Allow, being the last evaluated, will match any user, and access will be granted.

Now, just to make things clear, this kind of configuration is BAD and should be avoided at all cost, because it borders on undefined behaviour.

The Limit sections define which HTTP methods have access to the directory containing the .htaccess file.

Here, GET and POST methods are allowed access, and PUT and DELETE methods are denied access. Here's a link explaining what the various HTTP methods are: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

However, it's more often than not useless to use these limitations as long as you don't have custom CGI scripts or Apache modules that directly handle the non-standard methods (PUT and DELETE), since by default Apache does not handle them at all.

It must also be noted that a few other methods exist that can also be handled by Limit, namely CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK.

The last bit is also most certainly useless, since any correctly configured Apache installation contains the following piece of configuration (for Apache 2.2 and earlier):

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

which forbids access to any file beginning with ".ht".

The equivalent Apache 2.4 configuration should look like:

<Files ~ "^\.ht">
    Require all denied
</Files>
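To make the evaluation rules from the answer above concrete, here is an added example (not part of the question or answer, and not Apache's own code) that emulates how Apache 2.2's mod_authz_host resolves Order / Deny / Allow inside the asker's `<Limit>` sections. The `.htaccess` text, the client address `203.0.113.7` and the helper names `host_matches`, `evaluate_order`, `parse_limits` and `method_allowed` are constructed for this example; the semantics assumed are the ones documented for Apache 2.2 (Order Deny,Allow starts from "allowed" and an Allow match overrides a Deny; Order Allow,Deny starts from "denied" and a Deny match overrides an Allow).

```python
"""Emulate Apache 2.2 Order / Deny / Allow evaluation inside <Limit> blocks.

Hypothetical helper written for this page, not Apache code. Assumed semantics
(Apache 2.2 mod_authz_host documentation):
  Order Deny,Allow -> initial state allowed; a Deny match denies unless an
                      Allow also matches (Allow is evaluated last and wins).
  Order Allow,Deny -> initial state denied; an Allow match allows unless a
                      Deny also matches (Deny is evaluated last and wins).
"""
import ipaddress
import re

# Constructed copy of the <Limit> sections from the question.
HTACCESS = """
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
"""


def host_matches(rule, client_ip):
    """True if a 'Deny from' / 'Allow from' host spec matches client_ip."""
    rule = rule.strip().lower()
    if rule == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in rule:                       # CIDR form, e.g. 10.0.0.0/8
        return ip in ipaddress.ip_network(rule, strict=False)
    # exact address or partial dotted prefix such as "192.168.1"
    return str(ip) == rule or str(ip).startswith(rule.rstrip(".") + ".")


def evaluate_order(order, deny_rules, allow_rules, client_ip):
    """Apply the assumed Apache 2.2 Order semantics; True means access granted."""
    denied = any(host_matches(r, client_ip) for r in deny_rules)
    allowed = any(host_matches(r, client_ip) for r in allow_rules)
    order = order.strip().lower().replace(" ", "")
    if order == "deny,allow":
        return allowed or not denied      # Allow overrides Deny
    if order == "allow,deny":
        return allowed and not denied     # Deny overrides Allow
    raise ValueError("unsupported Order: %r" % order)


def parse_limits(text):
    """Return {METHOD: (order, deny_rules, allow_rules)} from <Limit> blocks."""
    sections = {}
    pattern = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.I | re.S)
    for methods, body in pattern.findall(text):
        order, deny, allow = "deny,allow", [], []   # Apache's default Order
        for line in body.strip().splitlines():
            parts = line.strip().split(None, 2)
            if not parts:
                continue
            key = parts[0].lower()
            if key == "order" and len(parts) >= 2:
                order = parts[1]
            elif key == "deny" and len(parts) == 3:
                deny.append(parts[2])
            elif key == "allow" and len(parts) == 3:
                allow.append(parts[2])
        for method in methods.split():
            sections[method.upper()] = (order, deny, allow)
    return sections


def method_allowed(text, method, client_ip):
    """Decide whether `method` from client_ip passes the <Limit> sections.

    A method named in no <Limit> is left unrestricted, as in Apache; a
    <Limit GET> also covers HEAD, as the Apache docs state.
    """
    limits = parse_limits(text)
    method = method.upper()
    if method == "HEAD" and "HEAD" not in limits and "GET" in limits:
        method = "GET"
    if method not in limits:
        return True
    order, deny, allow = limits[method]
    return evaluate_order(order, deny, allow, client_ip)


if __name__ == "__main__":
    for m in ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"):
        verdict = "allowed" if method_allowed(HTACCESS, m, "203.0.113.7") else "denied"
        print("%-7s %s" % (m, verdict))
```

Running it shows the point the answer makes: for GET and POST the `deny from all` is overridden by the later-evaluated `allow from all`, so the first block is just `Allow from all`, while PUT and DELETE are denied. The third block from the question (`Order allow,deny` with only `Deny from all`) is the `evaluate_order("allow,deny", ["all"], [], ...)` case and always denies. Note also that a method appearing in no `<Limit>` (OPTIONS here) falls through unrestricted, which is why the Apache documentation steers people towards `<LimitExcept>` when the goal is to restrict everything but a known set of methods.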