Authentication

刪除一條路徑的 Lighttpd 密碼驗證

  • August 15, 2020

我有一個 lighttpd 伺服器,我想從中提供一些文件。不幸的是,伺服器目前設置為需要密碼身份驗證,我希望這些文件可以公開使用。

如何使特定子目錄中的文件不需要密碼?

更複雜的是,配置文件中的大部分內容都是由其他管理員設置的,所以我要非常小心,不要破壞任何現有的安全設置。

# config stuff that I am hesitant to change
ssl.engine = "enable" 
ssl.pemfile = "/etc/lighttpd/ssl/foo.pem"
ssl.ca-file = "/etc/pki/tls/certs/foo.cert"

auth.backend = "htdigest"
auth.backend.htdigest.userfile = "/etc/lighttpd/.passwd"
auth.debug = 2

$HTTP["url"] !~ "^(/portal/.*|/js/.*|/css/.*|/icons/.*|/favicon\.ico)" {
 auth.require = (
   "/" =>(
     "method" => "digest",
     "realm" => "Authorized users only",
     "require" => "valid-user"
   )
 )
}

$HTTP["url"] =~ "^/portal" {
 auth.require = (
   "/portal" => (
     "method" => "digest",
     "realm" => "portal users",
     "require" => "valid-user"
   )
 )
 url.redirect = ( "" => "/portal/")
}

$HTTP["remoteip"] !~ "1.2.3.4|5.6.7.8" {
   url.access-deny = ( "" )
}

# new directory that I want to make public
$HTTP["url"] =~ "^/public($|/)" {
   dir-listing.activate = "enable"
}

我嘗試/public/*為第一個$HTTP["url"] !~塊添加正則表達式,但這沒有用。ssl.engine我也嘗試在匹配的塊內禁用/public($|/),但這也不起作用。

如評論中所述,此設置對我來說非常有用:

server.modules += ( "mod_auth" )
auth.backend = "htdigest"
auth.backend.htdigest.userfile = "/etc/lighttpd/passwd"

$HTTP["url"] !~ "^(/portal/.*|/js/.*|/css/.*|/icons/.*|/favicon\.ico|/public/.*)" {
 auth.require = (
   "/" =>(
     "method" => "digest",
     "realm" => "Authorized users only",
     "require" => "valid-user"
   )
 )
}

事實證明,您可以僅使用一個空列表選擇性地禁用它:

auth.require = ()

對於 OP 的例子:

# new directory that I want to make public
$HTTP["url"] =~ "^/public($|/)" {
   dir-listing.activate = "enable"
   auth.require = ()
}

將此塊放在文件的最後可確保它覆蓋所有其他指令,這可能是您想要的,也可能不是您想要的,具體取決於您的設置。我有一個具有不同身份驗證方案的多個虛擬主機的案例,但我想繞過所有這些,/.well-known/acme-challenge/以便能夠certbot --webroot獲得 Let’s Encrypt 證書。對於我的例子:

##### Let's Encrypt

$HTTP["url"] =~ "^/.well-known/acme-challenge/" {
 server.document-root = "/var/www/"
 auth.require = ()
}

引用自:https://serverfault.com/questions/679861