问题
I have a WAMP stack installed in my PC. Yesterday, I was working with file system with PHP and noticed that I can access any directory in my hard disk even above the website document root directory. This is a clear security issue that I want to avoid.
Currently, I am using several virtual hosts in my WAMP stack along with custom domain using hosts file.
I am looking for some configuration that I can made in httpd.conf file or better if possible in .htaccess file that will limit the access of scripts in various sites to their document root. It will be better if the code doesn't require any changes when I add or remove virtual hosts.
回答1:
I think you are approaching this from the wrong perspective.
By default Apache should be told it has access to nothing on the drive by putting something like this in the httpd.conf file
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
Then in each of your Virtual Hosts definintions you specify what directories that site has access to like so.
<VirtualHost *:80>
DocumentRoot "C:/websites/www/site1"
ServerName site1.dev
ServerAlias www.site1.dev
Options Indexes FollowSymLinks
<Directory "C:/websites/www/site1">
Order Deny,Allow
Deny from all
# This is my development version of site1.com and only allowed to be used on my internal network
Allow from 127.0.0.1 localhost ::1 192.168.2
</Directory>
ErrorLog "C:/websites/dev_logs/apache_error.log"
CustomLog "d:/websites/dev_logs/apache_access.log" combined
</VirtualHost>
Alternatively if you want to allow access from the internet change the Order and Allow like this
<VirtualHost *:80>
DocumentRoot "C:/websites/www/site1"
ServerName site1.com
ServerAlias www.site1.com
Options Indexes FollowSymLinks
<Directory "C:/websites/www/site1">
Order Allow,Deny
# This is the live site can be accessed from the internet
Allow from all
</Directory>
ErrorLog "C:/websites/live_logs/apache_error.log"
CustomLog "d:/websites/live_logs/apache_access.log" combined
</VirtualHost>
By using this mechanism you know that by default apache cannot access any folders on your system without specifically granting access from within the Virtual Hosts definition.
回答2:
People should not ever be able to access folders you haven't allowed in any virtual hosts in conjunction with the .htaccess files
If you have a virtual host, say ben.mydevelopment which routes to a certain folder, there will be no way to "go up", you cannot access folders "above" that one.
You can use the .htaccess file to deny access to certain folders by using
Deny from all
and placing it in the relevant folders. You cannot block a whole filesystem since apache shouldn't serve you entire filesystem to start with.
Can you list the folders that you've been able to gain access to and the ones on which apache are running (either through the main config or virtual hosts)?
(Note: Also, I wouldn't worry too much about people being able to access your data, most firewalls deny inbound connections over HTTP and almost all home routers refuse inbound connections and don't know which computer to connect them to, so unless you've intentionally tried to setup you're own live web server, then you should be fine)
来源:https://stackoverflow.com/questions/20950767/limit-wamp-file-system-access