0

我已经使用 .htpasswd 文件在 Nginx 上成功设置了 auth_basic。但是,如果有人猜到了文件名,即使他们没有成功登录,他们仍然可以使用 wget 或简单地使用浏览器通过提供 URL 来下载文件。

如何防止有人在未登录的情况下下载文件?

这是我在 nginx 中的 default-ssl 配置文件:

root /var/www/html;
index index.html index.htm index.php;

ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;

ssl_session_timeout 5m;

ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;

# /dir/dir w/basic auth
location ~ ^/(?P<mydir>.*)/$ {
    auth_basic              "Restricted";
    auth_basic_user_file    $document_root/$mydir/.htpasswd;
    autoindex on;
    allow all;
}
    # prevent listing of .htpasswd
    location ~ /\. {
            deny all;
    }
4

1 回答 1

0

I think cause you only secured the folder, but not the files, try removing the dollar sign to make it match all what's below the folder

location ~ ^/(?P<mydir>.*)/$ {}

to

location ~ ^/(?P<mydir>.*)/ {}
于 2013-07-03T19:36:03.453 回答