修改後的.htaccess文件不會阻止壞的用戶代理與RewriteCond

Question

我發現這個修改.htaccess設置額外的安全性，但它似乎並沒有工作。那就是：

# Apache configuration file 
# httpd.apache.org/docs/2.2/mod/quickreference.html 

# Techniques in here adapted from all over, 
# including Kroc Camen: camendesign.com/.htaccess 

ServerSignature Off 

# you probably want www.example.com to forward to example.com -- shorter URLs are sexier. 
# no-www.org/faq.php?q=class_b 
RewriteEngine On 
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] 
RewriteRule ^(.*)$ http://%1/$1 [R=301,L] 

RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR] 
RewriteCond %{THE_REQUEST}  ^.*(\\r|\\n|%0A|%0D).* [NC,OR] 

RewriteCond %{HTTP_REFERER} ^(.*)(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] 
RewriteCond %{HTTP_COOKIE}  ^.*(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] 
RewriteCond %{REQUEST_URI}  ^/(,|;|:|<|>|」>|」<|/|\\\.\.\\).{0,9999}.* [NC,OR] 

RewriteCond %{HTTP_USER_AGENT} ^$ [OR] 
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] 

RewriteCond %{QUERY_STRING} ^.*(;|<|>|’|」|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR] 
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR] 
RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR] 
RewriteCond %{QUERY_STRING} ^.*(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC] 


########## Begin – Rewrite rules to block out some common exploits 
## If you experience problems on your site block out the operations listed below 
## This attempts to block the most common type of exploit `attempts` to Joomla! 
## Block out any script trying to set a mosConfig value through the URL 
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] 
# Block out any script trying to base64_encode crap to send via URL 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR] 
# Block out any script that includes a <script> tag in URL 
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] 
# Block out any script trying to set a PHP GLOBALS variable via URL 
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] 
# Block out any script trying to modify a _REQUEST variable via URL 
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) 
# Send all blocked request to homepage with 403 Forbidden error! 
########### End – Rewrite rules to block out some common exploits 

########## Block bad user agents 
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR] 
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR] 
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR] 
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR] 
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR] 
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR] 
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR] 
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR] 
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR] 
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR] 
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR] 
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR] 
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR] 
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR] 
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR] 
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR] 
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR] 
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR] 
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR] 
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR] 
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR] 
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR] 
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR] 
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR] 
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR] 
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR] 
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR] 
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR] 
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR] 
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR] 
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR] 
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR] 
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR] 
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR] 
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR] 
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Zeus 
RewriteRule .* - [F] 


# Force the latest IE version, in various cases when it may fall back to IE7 mode 
# github.com/rails/rails/commit/123eb25#commitcomment-118920 
# Use ChromeFrame if it's installed for a better experience for the poor IE folk 
<IfModule mod_setenvif.c> 
    <IfModule mod_headers.c> 
    BrowserMatch MSIE ie 
    Header set X-UA-Compatible "IE=Edge,chrome=1" env=ie 
    </IfModule> 
</IfModule> 


# hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/ 
# Disabled. Uncomment to serve cross-domain ajax requests 
#<IfModule mod_headers.c> 
# Header set Access-Control-Allow-Origin "*" 
#</IfModule> 




# allow access from all domains for webfonts 
# alternatively you could only whitelist 
# your subdomains like "sub.domain.com" 

<FilesMatch "\.(ttf|otf|eot|woff|font.css)$"> 
    <IfModule mod_headers.c> 
    Header set Access-Control-Allow-Origin "*" 
    </IfModule> 
</FilesMatch> 


# video 
AddType video/ogg ogg ogv 
AddType video/mp4 mp4 
AddType video/webm webm 

# Proper svg serving. Required for svg webfonts on iPad 
# twitter.com/FontSquirrel/status/14855840545 
AddType image/svg+xml     svg svgz 

# webfonts 
AddType application/vnd.ms-fontobject eot 
AddType font/ttf      ttf 
AddType font/otf      otf 
AddType font/x-woff     woff 

AddType text/cache-manifest   manifest 

# allow concatenation from within specific js and css files 

# e.g. Inside of script.combined.js you could have 
# <!--#include file="jquery-1.4.2.js" --> 
# <!--#include file="jquery.idletimer.js" --> 
# and they would be included into this single file 

# this is not in use in the boilerplate as it stands. you may 
# choose to name your files in this way for this advantage 
# or concatenate and minify them manually. 
# Disabled by default. 

# <FilesMatch "\.combined\.(js|css)$"> 
#   Options +IncludesNOEXEC 
#   SetOutputFilter INCLUDES 
# </FilesMatch> 


# gzip compression. 
<IfModule mod_deflate.c> 

# html, xml, css, and js: 
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript text/javascript application/javascript application/json 

# webfonts and svg: 
    <FilesMatch "\.(ttf|otf|eot|svg)$" > 
    SetOutputFilter DEFLATE 
    </FilesMatch> 
</IfModule> 


# these are pretty far-future expires headers 
# they assume you control versioning with cachebusting query params like 
# <script src="application.js?20100608"> 
# additionally, consider that outdated proxies may miscache 
# www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/ 

# if you don't use filenames to version, lower the css and js to something like 
# "access plus 1 week" or so 

<IfModule mod_expires.c> 
    Header set cache-control: public 
    ExpiresActive on 

# Perhaps better to whitelist expires rules? Perhaps. 
    ExpiresDefault       "access plus 1 month" 

# cache.manifest needs re-reqeusts in FF 3.6 (thx Remy ~Introducing HTML5) 
    ExpiresByType text/cache-manifest  "access plus 0 seconds" 

# your document html 
    ExpiresByType text/html     "access" 

# rss feed 
    ExpiresByType application/rss+xml  "access plus 1 hour" 

# favicon (cannot be renamed) 
    ExpiresByType image/vnd.microsoft.icon "access plus 1 week" 

# media: images, video, audio 
    ExpiresByType image/png     "access plus 1 month" 
    ExpiresByType image/jpg     "access plus 1 month" 
    ExpiresByType image/jpeg    "access plus 1 month" 
    ExpiresByType video/ogg     "access plus 1 month" 
    ExpiresByType audio/ogg     "access plus 1 month" 
    ExpiresByType video/mp4     "access plus 1 month" 

# webfonts 
    ExpiresByType font/ttf     "access plus 1 month" 
    ExpiresByType font/woff     "access plus 1 month" 
    ExpiresByType image/svg+xml    "access plus 1 month" 

# css and javascript 
    ExpiresByType text/css     "access plus 1 month" 
    ExpiresByType application/javascript "access plus 1 month" 
    ExpiresByType text/javascript   "access plus 1 month" 
</IfModule> 




# Since we're sending far-future expires, we don't need ETags for 
# static content. 
# developer.yahoo.com/performance/rules.html#etags 
FileETag None 


# Allow cookies to be set from iframes (for IE only) 
# If needed, uncomment and specify a path or regex in the Location directive 

# <IfModule mod_headers.c> 
# <Location /> 
#  Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"" 
# </Location> 
# </IfModule> 

# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the same name does not exist (e.g. 「/blog/hello」) 
# webmasterworld.com/apache/3808792.htm 
Options -MultiViews 
# -Indexes will have Apache block users from browsing folders without a default document 
Options -Indexes 

# custom 404 page 
ErrorDocument 404 /intro.php 

# use utf-8 encoding for anything served text/plain or text/html 
AddDefaultCharset utf-8 
# force utf-8 for a number of file formats 
AddCharset utf-8 .html .css .js .xml .json .rss .php 

我用

echo $_SERVER['HTTP_USER_AGENT']; 

，並切換我的用戶代理，使其顯示ChinaClaw，一個壞的用戶代理。我以爲我會得到一個錯誤消息，並無法顯示該頁面？

Answer 1

請檢查您在RewriteCond中結合條件的方式。隱式連續條件與邏輯「與」組合，並且標誌將該組合轉換爲邏輯「或」組合。