［每周讨论专题］－－第三期－－Apache安全认证

zhangweibo

提一些补充意见：

1。首先默认apache对以.ht开头的文件默认就是保护的，除非你的apache的版本太低
大家可看apache的默认配置有这么一段

#
# The following lines prevent .htaccess files from being viewed by
# Web clients.  Since .htaccess files often contain authorization
# information, access is disallowed for security reasons.  Comment
# these lines out if you want Web visitors to see the contents of
# .htaccess files.  If you change the AccessFileName directive above,
# be sure to make the corresponding changes here.
#
# Also, folks tend to use names such as .htpasswd for password
# files, so this will protect those as well.
#
<Files ~ "^\.ht">;
    Order allow,deny
    Deny from all
    Satisfy All
</Files>;

可以说apache还是想到了这个安全问题，所以大家不妨把密码文件都存为以.ht开头的文件，比武.htpasswd,责任默认都无法获取这个文件

2。另外用到用户验证可以不用All，可以只设置AuthConfig


3。不知哪位能讲讲用mysql或者其他数据库来验证apache，我觉得这个比较新鲜，呵呵

4。能不能讲讲怎么防止文件盗链，虽然网上有讲怎么设置，但我始终没成功过，不知是不是网上讲的都是错误的，还是自己错了