如何在使用htaccess模块时排除特定页面?如何排除特定的URL?

huangapple go评论64阅读模式
英文:

How to exclude certain pages when using an htaccess module? How to exclude certain URLs?

问题

<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; 
    style-src 'self' 'unsafe-inline'; frame-src 'self' *.youtube.com; img-src * data:; media-src * data:; 
    report-uri /logging"
</IfModule>
<IfModule mod_headers.c>
    <FilesMatch "^(order|paypal)">
        Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' *.youtube.com; img-src * data:; media-src * data:; report-uri /logging"
    </FilesMatch>
</IfModule>
<IfModule mod_headers.c>
    <FilesMatch "^(?!.*(order|paypal)).*$">
        Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' *.youtube.com; img-src * data:; media-src * data:; report-uri /logging"
    </FilesMatch>
</IfModule>

以上是您提供的代码的翻译部分。

英文:

With htaccess I am using:

&lt;IfModule mod_headers.c&gt;
 	Header set Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-eval&#39;; 
    style-src &#39;self&#39; &#39;unsafe-inline&#39;; frame-src &#39;self&#39; *.youtube.com; img-src * data:; media-src * data:; 
    report-uri /logging&quot;
&lt;/IfModule&gt;

However, I need to exclude all pages that contain Paypal scripts because Paypal writes into the DOM and this gets blocked by the Content-Security-Policy.

Now with htaccess I try to exclude CSP using a condition, so Paypal is not blocked anymore.

How can I exclude URLs that start with /order and /paypal?

Examples of domains:

https://www.example.com/order/checkout
https://www.example.com/paypal
https://www.example.com/paypal/check

<br>

Can I use Files or FilesMatch inside the IfModule?

Maybe like this?

&lt;IfModule mod_headers.c&gt;
	&lt;FilesMatch &quot;\(order|paypal)&quot;&gt;
	 	Header set Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-eval&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; frame-src &#39;self&#39; *.youtube.com; img-src * data:; media-src * data:; report-uri /logging&quot;
	&lt;/FilesMatch&gt;
&lt;/IfModule&gt;

But I need the oppsite, if NOT FilesMatch.

Meanwhile I found this negative lookahead regex to exclude e.g. "order": ^((?!order).)*$ - and for "order" and "paypal" this regex should work: ^((?!order)(?!paypal).)*$

I tried it but it does not seem to work:

&lt;IfModule mod_headers.c&gt;
 	&lt;FilesMatch &quot;^((?!order)(?!paypal).)*$&quot;&gt;
 	 	Header set Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-eval&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; frame-src &#39;self&#39; *.youtube.com; img-src * data:; media-src * data:; report-uri /logging&quot;
 	&lt;/FilesMatch&gt;
 &lt;/IfModule&gt;

I also tried ^(?!.*(order|paypal)$).*$ without success. It shows as valid in Regex101 but does not seem to work with Apache's htaccess.

答案1

得分: 2

> URLs are "domain.com/order/..." or "domainc.om/paypal/..."

如评论中所述,FilesMatch 指令仅匹配文件名,不包括文件路径或URL。看起来您试图排除以 orderpaypal 路径段开头的URL(而不是文件)。

您可以使用Apache的 <If> 表达式来实现这一点。例如:

&lt;If &quot;%{REQUEST_URI} !~ m#^/(order|paypal)($|/)#&quot;&gt;
    Header set .....
&lt;/If&gt;

!~ 操作符是一个否定的正则表达式匹配。因此,只有当请求的URL不匹配正则表达式时,包含的 Header 指令才会生效。

然而,这是否成功应用仍可能取决于您在配置文件中可能有的其他指令。(例如,将请求重写到前端控制器?)

更新:

您还可以尝试匹配 THE_REQUEST,它包含请求头的第一行,并在请求被重写时不会更改。

THE_REQUEST 包含以下形式的字符串:

GET /order/checkout HTTP/1.1

例如:

&lt;If &quot;%{THE_REQUEST} !~ m#^[A-Z]{3,7}\s/(order|paypal)($|/)#&quot;&gt;
    Header set .....
&lt;/If&gt;
英文:

> URLs are "domain.com/order/..." or "domainc.om/paypal/..."

As mentioned in comments, the FilesMatch directive matches against filenames only - this does not include filepaths or URLs. It would seem you are trying to exclude URLs (not files) that start with the order or paypal path segment.

You can do this using an Apache &lt;If&gt; expression. For example:

&lt;If &quot;%{REQUEST_URI} !~ m#^/(order|paypal)($|/)#&quot;&gt;
    Header set .....
&lt;/If&gt;

The !~ operator is a negated regex match. So, the contained Header directive is applied only when the requested URL does not match the regex.

However, whether this is applied successfully or not can still be dependent on other directives you might have in the config file. (eg. Rewriting requests to a front-controller?)

UPDATE:

You can also try matching against THE_REQUEST instead, which contains the first line of the request headers and does not change when the request is rewritten.

THE_REQUEST contains a string of the form:

GET /order/checkout HTTP/1.1

For example:

&lt;If &quot;%{THE_REQUEST} !~ m#^[A-Z]{3,7}\s/(order|paypal)($|/)#&quot;&gt;
    Header set .....
&lt;/If&gt;

huangapple
  • 本文由 发表于 2023年6月5日 23:49:12
  • 转载请务必保留本文链接:https://go.coder-hub.com/76408084.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定