Apacheã®ã‚¢ã‚¯ã‚»ã‚¹åˆ¶å¾¡ã‚’ã¡ã‚ƒã‚“ã¨ç†è§£ã™ã‚‹ã€‚
Apacheã®è¨å®šã§
Order deny,allow
ã¨ã‹
Satisfy any
ã¨ã‹ã€ãªã‚“ã ã‹æ„味ã‚ã‹ã‚‰ã‚“人ã®ãŸã‚ã«ã€‚僕ã¯ãšã£ã¨ã‚ã‹ã£ã¦ãªã‹ã£ãŸã€‚
基本
Apacheã®ã‚¢ã‚¯ã‚»ã‚¹åˆ¶å¾¡ã«ã¯ã€
- ホストã«ã‚ˆã‚‹åˆ¶å¾¡ (Order,Allow,Deny)
- ユーザèªè¨¼ã«ã‚ˆã‚‹åˆ¶å¾¡ (Auth*, Require)
ã®2通りãŒã‚る。
Satisfyã¯ã€2通りã‚るアクセス制御ã®ä¸¡æ–¹ã‚’満ãŸã™å¿…è¦ãŒã‚ã‚‹ã‹ã©ã†ã‹ã‚’決定ã™ã‚‹ã€‚デフォルトã¯Satisfy all。Satisfy anyãªã‚‰ã€ã©ã¡ã‚‰ã‹ç‰‡æ–¹æº€ãŸã›ã°ã‚ˆã„。
Order
Order deny,allow
ã¯ã€å…¨ã¦ã®ãƒ›ã‚¹ãƒˆã‹ã‚‰ã®ã‚¢ã‚¯ã‚»ã‚¹ã‚’許å¯ã™ã‚‹ã€‚
Order allow,deny
ã¯ã€å…¨ã¦ã®ãƒ›ã‚¹ãƒˆã‹ã‚‰ã®ã‚¢ã‚¯ã‚»ã‚¹ã‚’æ‹’å¦ã™ã‚‹ã€‚
Order deny,allow Allow from 127.0.0.1
ã¯ã€å…¨ã¦ã®ãƒ›ã‚¹ãƒˆã‹ã‚‰ã®ã‚¢ã‚¯ã‚»ã‚¹ã‚’許å¯ã—ã¦ã—ã¾ã†ã€‚ã‚‚ã—ãƒãƒ¼ã‚«ãƒ«ã‹ã‚‰ã ã‘許å¯ã—ãŸã„ãªã‚‰ã€
Order deny,allow Deny from all Allow from 127.0.0.1
ã¨æ›¸ã‹ãªã‘ã‚Œã°ãªã‚‰ãªã„。逆㫠allow,deny ãªã‚‰ã€
Order allow,deny Allow from 127.0.0.1
ã§ãƒãƒ¼ã‚«ãƒ«ã‹ã‚‰ã®ã‚¢ã‚¯ã‚»ã‚¹ã ã‘を許å¯ã§ãる。調åã«ä¹—ã£ã¦
Order allow,deny Deny from all Allow from 127.0.0.1
ãªã©ã¨ã™ã‚‹ã¨ã€å…¨ã¦ã®ã‚¢ã‚¯ã‚»ã‚¹ã‚’æ‹’å¦ã—ã¦ã—ã¾ã†ã€‚
ã©ã†ã„ã†æ„味?
図ã«ã™ã‚‹ã¨ã“ã†ã„ã†å‡¦ç†ã‚’ã—ã¦ã„る。
擬似コードã®æ–¹ãŒã‚ã‹ã‚Šã‚„ã™ã„ã‹ã‚‚ã—ã‚Œãªã„。
<Location /> Order deny,allow </Location>
ã¯ã€
if (Location.match? /) { access = allow // デフォルト if (Host.match? none) { // denyæ¡ä»¶(ãªã—) access = deny if (Host.match? none) { // allowæ¡ä»¶(ãªã—) access = allow } } }
ã¨ã„ã†å‡¦ç†ã‚’ã—ã¦ã„る。デフォルトã®å˜åœ¨ã«æ³¨ç›®ã€‚Order deny,allowã®å ´åˆã€ã¾ãšãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã§è¨±å¯ã•ã‚Œã‚‹ã€‚次ã«Deny fromã®æ¡ä»¶ã«åˆã†ã‹èª¿ã¹ã‚‰ã‚Œã€åˆè‡´ã—ãŸã‚‰æ‹’絶ã«å¤‰ã‚る。ã•ã‚‰ã«Allow fromã«åˆè‡´ã™ã‚‹ã¨è¨±å¯ã«æˆ»ã‚‹ã€‚
Order allow,denyã®å ´åˆã¯ã€é€†ã«æ‹’絶ãŒãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã«ãªã‚‹ã€‚
<Location /> Order allow,deny Allow from all Deny from spam.example.com </Location>
ã¯ã€
if (Location.match? /) { access = deny // デフォルト if (Host.match? all) { // allowæ¡ä»¶ access = allow if (Host.match? spam.exaple.com) { // denyæ¡ä»¶ access = deny } } }
ã¨ã„ã†å‡¦ç†ã«ãªã‚Šã€spam.example.com 以外ã®ãƒ›ã‚¹ãƒˆãŒè¨±å¯ã•ã‚Œã‚‹ã€‚
- Order (allow,)deny,allow
- Order (deny,)allow,deny
ã®ã‚ˆã†ã«å…ˆé ã«çœç•¥ãŒã‚ã‚‹ã¨è€ƒãˆã‚‹ã¨ã‚ã‹ã‚Šã‚„ã™ã„。よã見ã‹ã‘ã‚‹ã®ã¯ã€
Order deny,allow Deny from all Allow from xxx
ã¨ã„ã†ãƒ‘ターン。ã“ã‚Œã¯ã€Allowã«ãƒžãƒƒãƒã—ãŸãƒ›ã‚¹ãƒˆã ã‘を許å¯ã—ã¾ã™ã‚ˆã¨ã„ã†æ„味。
Order allow,deny Allow from xxx
ã¨åŒã˜ã ãŒã€å…¨ã¦ã‚’拒絶ã™ã‚‹(Deny from all)ã¨æ˜Žç¤ºçš„ã«æ›¸ã„ãŸæ–¹ãŒã‚ã‹ã‚Šã‚„ã™ã„。
ãªãŠã€ifæ–‡ãŒå…¥ã‚Œåã«ãªã£ã¦ã„ã‚‹ã¨è€ƒãˆã‚‹å¿…è¦ã¯ãªã„。Order deny,allow ã¯ã€
if (Location.match? /) { access = allow if (Host.match? none) access = deny if (Host.match? none) access = allow }
ã¨ã„ã†æ“¬ä¼¼ã‚³ãƒ¼ãƒ‰ã®æ–¹ãŒé©å½“ã‹ã‚‚ã—ã‚Œãªã„。ãŸã ã€è‡ªåˆ†ã¯å…¥ã‚Œåã«ãªã£ã¦ã„ã‚‹æ–¹ãŒç†è§£ã—ã‚„ã™ã‹ã£ãŸã€‚denyã§ãªã„ãªã‚‰ä¸‹ã®åˆ¤å®šã¯ä¸è¦ã ã—。
マージ
ã“ã“ã¾ã§æŒ™ã’ãŸä¾‹ã«ã¯ <Location /> ãŒ1ã¤ã—ã‹å‡ºã¦ã“ãªã‹ã£ãŸã€‚複数㮠Location セクションãŒã‚ã‚‹ã¨ã©ã†ãªã‚‹ã‹ã€‚
マニュアルã§ã¯ã€
ã§ãƒšãƒ¼ã‚¸ã‚’割ã„ã¦è§£èª¬ã—ã¦ã„る。
- Directory以外ã¯ã€è¨å®šãƒ•ã‚¡ã‚¤ãƒ«ã«ç¾ã‚ŒãŸé †ç•ªã«å‡¦ç†ã•ã‚Œã‚‹ã€‚
- Directoryã¯çŸã„æ–¹ã‹ã‚‰é•·ã„æ–¹ã«ä¸¦ã¹æ›¿ãˆã¦ã‹ã‚‰å‡¦ç†ã•ã‚Œã‚‹ã€‚
- 複数ã®DirectoryãŒåŒã˜ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã«é©ç”¨ã•ã‚Œã‚‹å ´åˆã¯ã€è¨å®šãƒ•ã‚¡ã‚¤ãƒ«ã®é †ã«å‡¦ç†ã•ã‚Œã‚‹ã€‚
ã¨ã„ã†ã“ã¨ãªã®ã ãŒã€ã€Œå‡¦ç†ã•ã‚Œã‚‹ã€ã®å†…容ãŒã‚ã‹ã‚‰ãªã„。
次ã®ã‚¹ã‚¯ãƒªãƒ—トを書ã„ã¦ã€è¨å®šã‚’変ãˆãªãŒã‚‰å®Ÿé¨“ã—ãŸã€‚ドã‚ュメントルート㫠index.html 㨠1 ã¨ã„ã†ãƒ•ã‚¡ã‚¤ãƒ«ãŒç½®ã„ã¦ã‚る。
#! /bin/sh /opt/local/apache2/bin/apachectl restart echo / curl -s -I http://default.local/ | head -n1 echo /1 curl -s -I http://default.local/1 | head -n1
ã¾ãšã€Locationã®ä¸ã«ä½•ã‚‚書ã‹ãªã‹ã£ãŸå ´åˆã€‚
<Location /> Order allow,deny Allow from all Deny from all </Location> <Location /1> </Location>
ã“れ㯠/ ã‚‚ /1 も拒絶ã•ã‚Œã‚‹ã€‚何も書ã‹ãªã„å ´åˆã€ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã§ä¸Šæ›¸ãã•ã‚ŒãŸã‚Šã¯ã—ãªã„。
/ HTTP/1.1 403 Forbidden /1 HTTP/1.1 403 Forbidden
次㫠Order ã ã‘ã‚’çœç•¥ã™ã‚‹ã¨ã©ã†ãªã‚‹ã‹ã€‚
<Location /> Order allow,deny Allow from all Deny from all </Location> <Location /1> Allow from all Deny from all </Location>
ã“れ㯠/ ã¯æ‹’絶ã•ã‚Œã€/1 ã¯è¨±å¯ã•ã‚Œã‚‹ã€‚
/ HTTP/1.1 403 Forbidden /1 HTTP/1.1 200 OK
/ ã‚‚ /1 ã‚‚åŒã˜ã‚ˆã†ã« Allow from all,Deny from all ã—ã¦ã„ã‚‹ã“ã¨ã«æ³¨æ„。/1ã ã‘ãŒè¨±å¯ã•ã‚Œã‚‹ã®ã¯ã€ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã® Order deny,allow ãŒé©ç”¨ã•ã‚Œã‚‹ãŸã‚。擬似コードã ã¨ã€
if (Location.match? /) { access = deny if (Host.match? all) { access = allow if (Host.match? all) { access = deny // å…¨ã¦ã®ã‚¢ã‚¯ã‚»ã‚¹ãŒã¾ãšæ‹’絶ã•ã‚Œã‚‹ã€‚ } } } if (Location.match? /1) { access = allow // デフォルト㮠Order deny,allow if (Host.match? all) { access = deny if (Host.match? all) { access = allow // /1ã¯ã“ã‚ŒãŒé©ç”¨ã•ã‚Œã‚‹ã€‚ } } }
ã¨ãªã‚‹ã€‚Order,Allow,Deny ã¯3ã¤ã§1セット(mod_authz_host)ã§ã€ã©ã‚Œã‹1ã¤ã‚’書ãã¨ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆãŒæœ‰åŠ¹ã«ãªã‚‹ã‚ˆã†ã 。
Location ã¯è¨å®šãƒ•ã‚¡ã‚¤ãƒ«å†…ã®é †åºã«å½±éŸ¿ã‚’å—ã‘る。上ã®è¨å®šã®é †åºã ã‘を入れ替ãˆã‚‹ã¨çµæžœãŒå¤‰ã‚る。
<Location /1> Allow from all Deny from all </Location> <Location /> Order allow,deny Allow from all Deny from all </Location>
/ HTTP/1.1 403 Forbidden /1 HTTP/1.1 403 Forbidden
ã“ã‚Œã¯ifæ–‡ãŒå…¥ã‚Œæ›¿ã‚ã‚‹ãŸã‚。
if (Location.match? /1) { access = allow // Order deny,allow if (Host.match? all) { access = deny if (Host.match? all) { access = allow // /1を許å¯ã™ã‚‹ãŒã€ã€ } } } if (Location.match? /) { access = deny if (Host.match? all) { access = allow if (Host.match? all) { access = deny // çµå±€å…¨éƒ¨æ‹’å¦ã•ã‚Œã¦ã—ã¾ã†ã€‚ } } }
Satisfy Any
ユーザèªè¨¼ã¨ä½µç”¨ã™ã‚‹ã¨ã©ã†ãªã‚‹ã‹ã€‚
<Location /> Order deny,allow Deny from all Allow from 127.0.0.1 AuthType Basic AuthName "Staff Only" AuthUserFile /path/to/pass Require valid-user Satisfy any </Location> <Location /1> Order deny,allow Deny from all </Location>
/ HTTP/1.1 200 OK /1 HTTP/1.1 401 Authorization Required
Satisfy any ã®åŠ¹æžœã§ã€ãƒãƒ¼ã‚«ãƒ«ã‹ã‚‰èªè¨¼ãªã—㧠/ ã«ã‚¢ã‚¯ã‚»ã‚¹ã§ãる。ã“ã“ã¾ã§ã¯è‰¯ã„。 /1 ã®æ–¹ãŒå•é¡Œã€‚明示的ã«ã‚¢ã‚¯ã‚»ã‚¹ã‚’ç¦æ¢ã—ã¦ã„ã‚‹ã®ã«ã€ãªãœã‹èªè¨¼ã‚’求ã‚られる。èªè¨¼ãŒé€šã‚‹ã¨ã‚¢ã‚¯ã‚»ã‚¹ã§ãã¦ã—ã¾ã†ã€‚
ã“ã®æŒ™å‹•ã¯ã€æ¬¡ã®ã‚ˆã†ãªæ“¬ä¼¼ã‚³ãƒ¼ãƒ‰ã‚’考ãˆã‚‹ã¨ã€ç†è§£ã§ãる。
// デフォルトã¯ä½•ã‚‚制é™ã•ã‚Œãªã„。 access = allow; hostAccess = allow; authAccess = allow; // /ã®ãƒ›ã‚¹ãƒˆåˆ¶é™ã€‚ if (Location.match? /) { hostAccess = allow; if (Host.match? all) { hostAccess = deny; if (Host.match? 127.0.0.1) { hostAccess = allow; } } } // Basicèªè¨¼ã€‚ if (Location.match? /) { authAccess = deny; if (User.match? valid-user) { authAccess = allow; } } // /1ã®ãƒ›ã‚¹ãƒˆåˆ¶é™ã€‚ if (Location.match? /1) { hostAccess = allow; if (Host.match? all) { hostAccess = deny; if (Host.match? none) { hostAccess = allow; } } } // 最後ã«Satisfy anyã®åˆ¤å®šã‚’è¡Œã†ã€‚ if (Location.match? /) { access = deny; if (hostAccess || authAccess) { access = allow; } }
/1 㯠Location / ã«åˆè‡´ã™ã‚‹ã®ã§ã€Basicèªè¨¼ãŒé©ç”¨ã•ã‚Œã€ã•ã‚‰ã« Satisfy any ã‚‚é©ç”¨ã•ã‚Œã‚‹ã€‚
ã¨ã„ã†ã‚ã‘ã§ã€/1 ã«ã¯ Satisfy all を書ãã®ãŒæ£è§£ã€‚
<Location /> Order deny,allow Deny from all Allow from 127.0.0.1 AuthType Basic AuthName "Staff Only" AuthUserFile /path/to/pass Require valid-user Satisfy any </Location> <Location /1> Order deny,allow Deny from all Satisfy all </Location>
ã“ã‚Œã§ã€ãƒ›ã‚¹ãƒˆã®æ¡ä»¶ãŒå¿…é ˆã«ãªã‚Šã€/1 ã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ãŒå…¨ã¦æ‹’å¦ã•ã‚Œã‚‹ã€‚
/ HTTP/1.1 200 OK /1 HTTP/1.1 403 Forbidden
Directory
力尽ãã¾ã—ãŸã€‚çŸã„ã®ã‹ã‚‰é•·ã„ã®ã®é †ã«ä¸¦ã¹æ›¿ãˆã¦ã‹ã‚‰å‡¦ç†ã•ã‚Œã‚‹ã¨ã®ã“ã¨ã€‚
念ã®ãŸã‚書ãã¨ä¸Šã®ã‚ˆã†ãªä¾‹ã§ã¯ Location ã§ã¯ãªã Directory/Files を使ã†ã¹ã。
ã¾ã¨ã‚
ã“ã‚“ãªãƒãƒƒãƒ‰ãƒŽã‚¦ãƒã‚¦ã€æœ¬å½“ã¯ã©ã†ã§ã‚‚ã„ã„ã¨æ€ã†ã€‚Apache 3.0ã§ã¯ã€ã‹ã£ã“ã„ã„DSL(VCL)ã§æ›¸ã‘るよã†ã«ã™ã‚‹æ§‹æƒ³ãŒã‚るらã—ã„ã®ã§ãŒã‚“ã°ã£ã¦ã»ã—ã„。
- 【レポート】高速化プログラミングの参照実装としても活用される「Varnish」 (1) OSの機能をフル活用してHTTPサーバの動きを高速化するHTTPアクセラレータ | エンタープライズ | マイナビニュース
(2007å¹´ã ã‘ã©)
å¯èªæ€§ã¨è¤‡é›‘ã•ã®ä¸¡ç«‹ã«ã¯ DSL ãŒå‘ã„ã¦ã„る。è¨å®šã®ä¸ã«åˆ¶å¾¡æ§‹é€ ãŒå«ã¾ã‚Œã‚‹ã‚ˆã†ãªå ´åˆã¯ç‰¹ã« DSL ãŒã‚ˆã„。自分自身を説明ã—ãªã„ボã‚ャブラリã¯ç‹¬å–„ã§é‚ªæ‚ªã§ã™ã€‚
