我们使用Apache-2.4提供的新认证和授权框架,并且需要关闭整个站点(位置/)以进行未经授权的访问,除了一个子目录(Location/foo),其中可以获得授权cookie。这似乎是AuthMerging是使用该指令,但事情不工作:Apache 2.4 - 如何关闭除一个子目录以外的整个站点?
<Location />
AuthType form
AuthFormProvider foo
Session On
SessionCookieName ti2f
Include conf/sessionpw.conf
AuthName TI
<RequireAll>
Require foo ipaddress
Require foo expiration
</RequireAll>
ErrorDocument 401 /foo/
</Location>
<Location /foo>
AuthMerging Or
Require all granted
DirectoryIndex index.php
</Location>
不幸的是,进入/富仍受阻 - 401未授权。随着LogLevel的手摇我可以看到mod_authz_core记录了以下消息:
authorization result of Require all granted: granted
authorization result of <RequireAny>: granted
authorization result of AuthMerging Any: granted
authorization result of Require all granted: granted
authorization result of <RequireAny>: granted
authorization result of AuthMerging Any: granted
authorization result of Require foo ipaddress: denied (no authenticated user yet)
authorization result of Require foo expiration: denied (no authenticated user yet)
authorization result of <RequireAll>: denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)
与AuthMerging设置为“或者”为sublocation /富,为什么阿帕奇检查父位置的需要,指示不惜一切后,“要求所有批准“补助金?
谢谢,马克。这可能工作。但我仍然困惑,为什么我的方法不工作。如果AuthMerging设置为Or,Apache为什么应用更高位置的规则? –
事实上,它不会很简单地工作 - 请参阅我对自己问题的回答...没有authz规则的位置不是/ foo /,而是/php-fpm/foo/index.php –