apache 中是否有任何方法可以根据您获得的 http 代码响应设置重写条件?将(302)重定向到我的身份验证提供程序的 oauth 代理(apache)前面的服务器;但是我不希望它代理 websocket 目录中的任何内容——我宁愿它 403 代替。这一切都是为了防止它不断尝试重新验证它未经授权的内容并为 OpenIDC 构建大量状态 cookie。
感谢您的考虑。
类似这样的:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^my\.server\.co$
RewriteCond %{HTTP_RESPONSE} 302
RewriteCond %{REQUEST_URI} ^/websocket
RewriteRule (.*) $1 [F,L,NC]
【问题讨论】:
标签: apache .htaccess mod-rewrite openid-connect mod-auth-openidc
你应该可以使用:
<Location /websocket>
OIDCUnAuthAction 401
</Location>
如配置原语中记录的here:
# (Optional)
# Defines the action to be taken when an unauthenticated request is made.
# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
# "401" means that HTTP 401 Unauthorized is returned.
# "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already
# Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access"
# When not defined the default "auth" is used.
#OIDCUnAuthAction [auth|pass|401]
(它会返回 401 状态码而不是 403)
【讨论】:
其他解决方案
RewriteEngine on
ErrorDocument 403 /%{REQUEST_URI}/403.shtml
ErrorDocument 404 /%{REQUEST_URI}/404.shtml
RewriteCond %{REQUEST_URI} /([0-9]{3}+).shtml$ [NC]
RewriteRule (.*) $1 [R=%1,L]
【讨论】: