Web.config blocks browsers from accessing files directly, but not cURL?

Time: 2019-12-02 20:38:19

Tags: azure security iis azure-web-sites

We have a web.config with the following at the top:

```xml
<!-- Rewrite every request under wp-content/uploads/ to dl-file.php, which performs the auth check.
     The condition is negated: clients whose REMOTE_HOST matches one of the office IP patterns
     skip the rewrite and get the file directly. -->
<rule name="rule 1a" stopProcessing="true">
  <conditions>
    <add input="{REMOTE_HOST}" pattern="192.1.1.?[0-9]?[0-9]?[0-9]|192.2.2.?[0-9]?[0-9]?[0-9]" ignoreCase="false" negate="true" />
  </conditions>
  <match url="^wp-content/uploads/(.*)$" />
  <action type="Rewrite" url="/dl-file.php?file={R:1}" appendQueryString="true" />
</rule>
```

This blocks access by redirecting users through an authentication page (see https://gist.github.com/hakre/1552239), so that users who are not within the IP address ranges we specified (our corporate network) cannot access the files directly from a web browser.

This works great for browsers: accessing it from Firefox, Chrome and even Lynx.

However, if we curl the file directly, it bypasses the authentication redirect!

If I fetch the file directly, I get:

# wget https://AppService.azurewebsites.net/wp-content/uploads/2019/12/Raise-Incident.rtf
--2019-12-02 20:30:33--  https://AppService.azurewebsites.net/wp-content/uploads/2019/12/Raise-Incident.rtf
Resolving AppService.azurewebsites.net (AppService.azurewebsites.net)... 52.234.209.94
Connecting to AppService.azurewebsites.net (AppService.azurewebsites.net)|52.234.209.94|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: /ad_auth [following]
--2019-12-02 20:30:34--  https://AppService.azurewebsites.net/ad_auth
Reusing existing connection to AppService.azurewebsites.net:443.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://AppService.azurewebsites.net/ad_auth/ [following]
--2019-12-02 20:30:35--  https://AppService.azurewebsites.net/ad_auth/
Reusing existing connection to AppService.azurewebsites.net:443.
HTTP request sent, awaiting response... 302 Found
Location: https://login.microsoftonline.com/ourcompany.onmicrosoft.com/oauth2/authorize?client_id=21ba05c1-2963-4e70-8370-3bfe510135f2&redirect_uri=https%3A%2F%2FAppService.azurewebsites.net%2Fad_auth&scope=openid&response_mode=form_post&response_type=id_token&nonce=74151738f9 [following]
--2019-12-02 20:30:35--  https://login.microsoftonline.com/ourcompany.onmicrosoft.com/oauth2/authorize?client_id=21ba05c1-2963-4e70-8370-3bfe510135f2&redirect_uri=https%3A%2F%2FAppService.azurewebsites.net%2Fad_auth&scope=openid&response_mode=form_post&response_type=id_token&nonce=74151738f9
Resolving login.microsoftonline.com (login.microsoftonline.com)... 40.126.3.33, 40.126.3.32, 20.190.131.96, ...
Connecting to login.microsoftonline.com (login.microsoftonline.com)|40.126.3.33|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 170033 (166K) [text/html]
Saving to: ‘Raise-Incident.rtf’

Raise-Incident.rtf                 100%[=============================================================>] 166.05K  --.-KB/s    in 0.05s   

2019-12-02 20:30:36 (3.55 MB/s) - ‘Raise-Incident.rtf’ saved [170033/170033]

So it looks like we are actually being redirected through the proxy authentication page, but it bypasses it and goes straight to the file.

The authentication page can be found at {{3}}

How can I force this to work correctly for all clients connecting to the server, not just browsers?
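Before looking at client behaviour, it is worth auditing the IP exemption in the rule itself, because that condition decides who is allowed to skip dl-file.php entirely. The following is an added example (my code, not from the question or from the hakre gist): it evaluates the rule's exact pattern against constructed REMOTE_HOST values and compares the verdict with a CIDR check, then does the same for a hardened pattern with escaped dots and anchors. The /24 masks, the sample addresses and the assumption that IIS URL Rewrite evaluates condition patterns as unanchored regular expressions are mine.

```python
import ipaddress
import re

# Pattern copied verbatim from the web.config condition in the question.
ORIGINAL_PATTERN = r"192.1.1.?[0-9]?[0-9]?[0-9]|192.2.2.?[0-9]?[0-9]?[0-9]"

# Suggested replacement (mine, not from the question): dots escaped and the
# whole value anchored, so only a complete dotted quad in the two networks matches.
HARDENED_PATTERN = r"^192\.1\.1\.[0-9]{1,3}$|^192\.2\.2\.[0-9]{1,3}$"

# Ground truth for the audit. The question does not state the mask; /24 is an assumption.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.1.1.0/24"),
    ipaddress.ip_network("192.2.2.0/24"),
]

# Constructed REMOTE_HOST values, not taken from the page.
SAMPLE_HOSTS = [
    "192.1.1.25",    # inside the first office range
    "192.2.2.200",   # inside the second office range
    "10.0.0.5",      # ordinary outside client
    "192.3.3.4",     # outside, but shares the 192. prefix
    "192.1.100.7",   # outside: '.?' plus optional digits let 192.1.100 match
    "192.101.1.5",   # outside: the unescaped '.' after '192.1' swallows the '0' of 101
    "172.192.1.15",  # outside: the unanchored pattern matches in the middle of the address
]


def rule_exempts(remote_host: str, pattern: str = ORIGINAL_PATTERN) -> bool:
    """True when the rewrite rule would skip the rewrite for this client.

    The condition carries negate="true", so a regex match means the client is
    treated as internal and the upload is served without going through
    dl-file.php. Assumption: IIS URL Rewrite evaluates the condition pattern as
    an unanchored regular expression, which re.search reproduces.
    """
    return re.search(pattern, remote_host) is not None


def in_allowed_network(remote_host: str) -> bool:
    """CIDR-based ground truth for whether a client should be exempt."""
    try:
        addr = ipaddress.ip_address(remote_host)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def audit(pattern: str, hosts=SAMPLE_HOSTS) -> list:
    """Return the hosts for which the regex verdict disagrees with the CIDR check."""
    return [h for h in hosts if rule_exempts(h, pattern) != in_allowed_network(h)]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_PATTERN), ("hardened", HARDENED_PATTERN)):
        print(f"{name}: wrongly exempted or blocked -> {audit(pattern)}")
```

With the original pattern three of the constructed outside addresses are exempted from the rewrite, so they would receive uploads with no authentication at all; the hardened pattern classifies every sample the same way the CIDR check does. If the intent is purely an IP allow list, IIS's IP Address and Domain Restrictions (`<ipSecurity>` under `system.webServer`) or App Service access restrictions express it as CIDR ranges instead of a regex. Separately, in the wget transcript above the 170033-byte body saved as Raise-Incident.rtf is reported as `text/html` and was served by login.microsoftonline.com after the 302 to /ad_auth; checking the Content-Type and the final URL of such a download (for example with `curl -I` or `curl -L -o /dev/null -w '%{url_effective} %{content_type}'`) tells you whether the file itself or the login page was returned.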

0 answers:

No answers