php secmod,Apache Module mod_ssl

Description: Allow access only when an arbitrarily complex boolean expression is true
Syntax: SSLRequire expression
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_ssl

This directive specifies a general access requirement which has to be fulfilled in order to allow access. It is a very powerful directive because the requirement specification is an arbitrarily complex boolean expression containing any number of access checks.

The implementation of SSLRequire is not thread safe. Using SSLRequire inside .htaccess files on a threaded MPM may cause random crashes.

The expression must match the following syntax (given in BNF grammar notation):

expr     ::= "true" | "false"
           | "!" expr
           | expr "&&" expr
           | expr "||" expr
           | "(" expr ")"
           | comp

comp     ::= word "==" word | word "eq" word
           | word "!=" word | word "ne" word
           | word "<"  word | word "lt" word
           | word "<=" word | word "le" word
           | word ">"  word | word "gt" word
           | word ">=" word | word "ge" word
           | word "in" "{" wordlist "}"
           | word "in" "OID(" word ")"
           | word "=~" regex
           | word "!~" regex

wordlist ::= word
           | wordlist "," word

word     ::= digit
           | cstring
           | variable
           | function

digit    ::= [0-9]+
cstring  ::= "..."
variable ::= "%{" varname "}"
function ::= funcname "(" funcargs ")"

Here varname can be any variable from Table 3. For funcname the following functions are available:

file(filename)

This function takes one string argument and expands to the contents of the file. This is especially useful for matching its contents against a regular expression, etc.

Note that the expression is first parsed into an internal machine representation and then evaluated in a second step. In Global and Per-Server Class context the expression is parsed at startup time, and at runtime only the machine representation is executed. For Per-Directory context this is different: here the expression has to be parsed and immediately executed for every request.

Example

SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
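To see how an expression in this grammar resolves for a given request, the following added example (not part of the mod_ssl documentation or its source) evaluates the page's example expression against a dict of request variables. It covers the operators that example uses plus their symbolic forms; `evaluate`, `LAN_CLIENT` and the token names are hypothetical. Python's `re` stands in for the server's regex engine, and the ordering rule and the precedence of `and` over `or` are assumptions marked in the comments.

```python
import operator
import re
# EXAMPLE is the page's example expression; LAN_CLIENT is constructed for this demo.
EXAMPLE = r'''( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/'''
LAN_CLIENT = {"SSL_CIPHER": "NULL-MD5", "REMOTE_ADDR": "192.76.162.9"}  # no client cert
TOKEN = re.compile(r'(?:\s|\\\n)*(?:%\{(?P<var>[^}]+)\}|"(?P<str>[^"]*)"|(?P<num>\d+)'
                   r'|m/(?P<re>(?:\\.|[^/])*)/'
                   r'|(?P<op>&&|\|\||==|!=|<=|>=|=~|!~|[<>(){},]|\w+)|(?P<bad>.))')
ALIAS = {"&&": "and", "||": "or", "==": "eq", "!=": "ne",
         "<": "lt", "<=": "le", ">": "gt", ">=": "ge"}

def evaluate(expr, env):  # subset of the SSLRequire grammar; env maps names to strings
    toks = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN.finditer(expr)]
    toks = [(k, ALIAS.get(v, v) if k == "op" else v) for k, v in toks] + [("end", "")]
    def op(*names):  # consume the next token if it is one of these operators
        if toks[0][0] == "op" and toks[0][1] in names:
            return toks.pop(0)[1]
    def word():
        kind, val = toks.pop(0)
        if kind not in ("var", "str", "num"):
            raise ValueError(f"expected a word, got {val!r}")
        return env.get(val, "") if kind == "var" else val  # unset variable -> ""
    def comp():
        if op("("):
            val = disj()
            if not op(")"):
                raise ValueError("missing )")
            return val
        left, o = word(), op("eq", "ne", "lt", "le", "gt", "ge", "in", "=~", "!~")
        if o in ("=~", "!~"):
            return bool(re.search(toks.pop(0)[1], left)) == (o == "=~")
        if o == "in":  # word "in" "{" wordlist "}"
            items = [word() for _ in iter(lambda: op("{", ","), None)]
            return bool(op("}")) and left in items
        right = word()  # assumption: order by length, then bytewise (numeric for digits)
        return getattr(operator, o)((len(left), left), (len(right), right))
    def conj():  # assumption: "and" binds tighter than "or"
        return all([comp()] + [comp() for _ in iter(lambda: op("and"), None)])
    def disj():
        return any([conj()] + [conj() for _ in iter(lambda: op("or"), None)])
    result = disj()
    if toks[0][0] != "end":
        raise ValueError(f"unexpected input near {toks[0][1]!r}")
    return result
```

`evaluate(EXAMPLE, LAN_CLIENT)` returns `True`: the `REMOTE_ADDR` clause sits outside the parentheses, so a request from 192.76.162.x is allowed even with a `NULL` cipher and no client certificate, which is worth checking for when reviewing rules of this shape.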

The OID() function expects to find zero or more instances of the given OID in the client certificate, and compares the left-hand side string against the value of matching OID attributes. Every matching OID is checked, until a match is found.

Standard CGI/1.0 and Apache variables:

HTTP_USER_AGENT        PATH_INFO        AUTH_TYPE
HTTP_REFERER           QUERY_STRING     SERVER_SOFTWARE
HTTP_COOKIE            REMOTE_HOST      API_VERSION
HTTP_FORWARDED         REMOTE_IDENT     TIME_YEAR
HTTP_HOST              IS_SUBREQ        TIME_MON
HTTP_PROXY_CONNECTION  DOCUMENT_ROOT    TIME_DAY
HTTP_ACCEPT            SERVER_ADMIN     TIME_HOUR
HTTP:headername        SERVER_NAME      TIME_MIN
THE_REQUEST            SERVER_PORT      TIME_SEC
REQUEST_METHOD         SERVER_PROTOCOL  TIME_WDAY
REQUEST_SCHEME         REMOTE_ADDR      TIME
REQUEST_URI            REMOTE_USER      ENV:variablename
REQUEST_FILENAME

SSL-related variables:

HTTPS                  SSL_CLIENT_M_VERSION     SSL_SERVER_M_VERSION
                       SSL_CLIENT_M_SERIAL      SSL_SERVER_M_SERIAL
SSL_PROTOCOL           SSL_CLIENT_V_START       SSL_SERVER_V_START
SSL_SESSION_ID         SSL_CLIENT_V_END         SSL_SERVER_V_END
SSL_CIPHER             SSL_CLIENT_S_DN          SSL_SERVER_S_DN
SSL_CIPHER_EXPORT      SSL_CLIENT_S_DN_C        SSL_SERVER_S_DN_C
SSL_CIPHER_ALGKEYSIZE  SSL_CLIENT_S_DN_ST       SSL_SERVER_S_DN_ST
SSL_CIPHER_USEKEYSIZE  SSL_CLIENT_S_DN_L        SSL_SERVER_S_DN_L
SSL_VERSION_LIBRARY    SSL_CLIENT_S_DN_O        SSL_SERVER_S_DN_O
SSL_VERSION_INTERFACE  SSL_CLIENT_S_DN_OU       SSL_SERVER_S_DN_OU
                       SSL_CLIENT_S_DN_CN       SSL_SERVER_S_DN_CN
                       SSL_CLIENT_S_DN_T        SSL_SERVER_S_DN_T
                       SSL_CLIENT_S_DN_I        SSL_SERVER_S_DN_I
                       SSL_CLIENT_S_DN_G        SSL_SERVER_S_DN_G
                       SSL_CLIENT_S_DN_S        SSL_SERVER_S_DN_S
                       SSL_CLIENT_S_DN_D        SSL_SERVER_S_DN_D
                       SSL_CLIENT_S_DN_UID      SSL_SERVER_S_DN_UID
                       SSL_CLIENT_S_DN_Email    SSL_SERVER_S_DN_Email
                       SSL_CLIENT_I_DN          SSL_SERVER_I_DN
                       SSL_CLIENT_I_DN_C        SSL_SERVER_I_DN_C
                       SSL_CLIENT_I_DN_ST       SSL_SERVER_I_DN_ST
                       SSL_CLIENT_I_DN_L        SSL_SERVER_I_DN_L
                       SSL_CLIENT_I_DN_O        SSL_SERVER_I_DN_O
                       SSL_CLIENT_I_DN_OU       SSL_SERVER_I_DN_OU
                       SSL_CLIENT_I_DN_CN       SSL_SERVER_I_DN_CN
                       SSL_CLIENT_I_DN_T        SSL_SERVER_I_DN_T
                       SSL_CLIENT_I_DN_I        SSL_SERVER_I_DN_I
                       SSL_CLIENT_I_DN_G        SSL_SERVER_I_DN_G
                       SSL_CLIENT_I_DN_S        SSL_SERVER_I_DN_S
                       SSL_CLIENT_I_DN_D        SSL_SERVER_I_DN_D
                       SSL_CLIENT_I_DN_UID      SSL_SERVER_I_DN_UID
                       SSL_CLIENT_I_DN_Email    SSL_SERVER_I_DN_Email
                       SSL_CLIENT_A_SIG         SSL_SERVER_A_SIG
                       SSL_CLIENT_A_KEY         SSL_SERVER_A_KEY
                       SSL_CLIENT_CERT          SSL_SERVER_CERT
                       SSL_CLIENT_CERT_CHAIN_n
                       SSL_CLIENT_VERIFY
