英文:
Protect .env, .yalm, .json files for Laravel 8 Project Installed on cyberPanel VPS
问题
我在我的VPS服务器上安装了CyberPanel。在本地系统中,.htaccess文件正常工作。但是当我将Laravel 8项目迁移到我的VPS服务器时,.htaccess文件没有完全工作。我想要通过URL保护.env、.yalm、.json和其他文件免于直接访问。
以下是我的.htaccess文件的翻译:
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews -Indexes
</IfModule>
RewriteEngine On
# 处理授权头部
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# 重定向末尾的斜杠,如果不是文件夹...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
# 发送请求到前端控制器...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
<Files .env>
order allow,deny
Deny from all
</Files>
<Files *.json>
order allow,deny
Deny from all
</Files>
<Files *.lock>
order allow,deny
Deny from all
</Files>
<Files *.xml>
order allow,deny
Deny from all
</Files>
<Files *.yml>
order allow,deny
Deny from all
</Files>
请注意,这是您提供的.htaccess文件的中文翻译,没有其他内容。
英文:
I have cyberPanel installed on my VPS server. The .htaccess file is working fine in the local system. But when I moved the Laravel 8 Project to my VPS server the .htaccess file did not work fully. I want to protect .env, .yalm, .json, and other files from direct access using the URL.
Here is my .htaccess file
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews -Indexes
</IfModule>
RewriteEngine On
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
# Send Requests To Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
<Files .env>
order allow,deny
Deny from all
</Files>
<Files *.json>
order allow,deny
Deny from all
</Files>
<Files *.lock>
order allow,deny
Deny from all
</Files>
<Files *.xml>
order allow,deny
Deny from all
</Files>
<Files *.yml>
order allow,deny
Deny from all
</Files>
答案1
得分: 1
基于提供的有限信息,没有明显的原因说明为什么这些文件没有被阻止。但是,如果 mod_rewrite 指令正在“正常”工作(如评论中所建议),那么您可以使用 mod_rewrite 来阻止这些请求。
例如,在 RewriteEngine On 指令之后,尝试以下操作:
# 阻止访问特定文件类型
RewriteRule \.(env|json|lock|xml|yml)$ - [F]
以上规则将为以所述扩展名之一结尾的任何 URL 提供 403 禁止访问(或者仅为文件 .env)。这与底层文件是否存在无关(不像 <Files> 指令)。
但是,如果您的站点位于提供静态内容的前端代理之后,这也不会起作用,因为对物理文件的直接请求会绕过应用程序服务器,并且不会处理上述规则。
更新:
除此之外:
<Files .env>
order allow,deny
Deny from all
</Files>
<Files *.json>
order allow,deny
Deny from all
</Files>
<Files *.lock>
order allow,deny
Deny from all
</Files>
<Files *.xml>
order allow,deny
Deny from all
</Files>
<Files *.yml>
order allow,deny
Deny from all
</Files>
您没有说明您使用的 Apache 版本,或者是否实际上是 LiteSpeed - 正如我在您的问题下方的评论中所提到的。
如果使用 Apache 2.4,那么 Order 和 Deny 指令已经被弃用,并已移到一个可选的扩展(mod_access_compact)中 - 默认情况下未安装。但是,在没有任何错误的情况下,我假设这不是这种情况?LiteSpeed 有抑制错误的倾向(尽管错误日志仍然应包含这些错误),这使得调试变得更加困难。
在 Apache 2.4 上,您应该使用相应的 Require 指令。
然而,这里也有很多不必要的重复。我建议将这些 <Files> 容器合并到单个 <FilesMatch> 容器中,并使用正则表达式。例如,在 Apache 2.4 上,上述内容可以等同于以下内容:
<FilesMatch "\.(env|json|lock|xml|yml)$">
Require all denied
</FilesMatch>
(尽管如此,LiteSpeed 更倾向于表现得更像 Apache 2.2,所以如果使用 LiteSpeed,您可能应该继续使用 Order 和 Deny 指令。)
您应该始终将“阻止”指令放在配置文件的顶部。(尽管将 <Files> 容器移到顶部在这种情况下不会产生任何影响。)
英文:
With the limited information given there is no obvious reason why these files are not blocked. However, if the mod_rewrite directives are working "fine" (as suggested in comments) then you could use mod_rewrite to block these requests instead.
For example, immediately after the RewriteEngine On directive try the following instead:
# Block access to certain file types
RewriteRule \.(env|json|lock|xml|yml)$ - [F]
The above would serve a 403 Forbidden for any URL that ends in one of the stated extensions (or simply the file .env). This is regardless of whether the underlying file exists or not (unlike the <Files> directive).
HOWEVER, if your site is behind a front-end proxy that serves your static content then this won't work either as any direct request for a physical file bypasses your application server and the above rule is never processed.
UPDATE:
Aside:
> <Files .env>
> order allow,deny
> Deny from all
> </Files>
> <Files *.json>
> order allow,deny
> Deny from all
> </Files>
> <Files *.lock>
> order allow,deny
> Deny from all
> </Files>
> <Files *.xml>
> order allow,deny
> Deny from all
> </Files>
> <Files *.yml>
> order allow,deny
> Deny from all
> </Files>
You've not stated what version of Apache you are on, or if indeed you are running LiteSpeed instead - as I queried in comments below your question.
If on Apache 2.4 then Order and Deny directives are formerly deprecated and have been moved to an optional extension (mod_access_compact) - this is not installed by default. However, in the absence of any error I assume this is not the case? LiteSpeed has a tendency to suppress any errors (although the error log should still contain these) - which makes debugging that much harder.
On Apache 2.4 you should be using the corresponding Require directive instead.
However, there is also a lot of unnecessary repetition here. I would instead combine these <Files> containers into a single <FilesMatch> container and use a regex instead. For example, the above would be the same as the following on Apache 2.4:
<FilesMatch "\.(env|json|lock|xml|yml)$">
Require all denied
</FilesMatch>
(Having said that, LiteSpeed tends to behave more like Apache 2.2 so you should probably stick with the Order and Deny directives if using LiteSpeed.)
You should always have "blocking" directives at the top of the config file. (Although moving the <Files> containers to the top will not make any difference in this case.)
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论