[Apache-ProFTPd] Comparison of Order, Allow, Deny

- Author   : Kim Chil-bong
- Date     : 2003-11-22
- Content  : Comparison of Order, Allow, Deny in Apache and ProFTPd
- Level    : Beginner
- Keywords : Apache, ProFTPd, Order Allow, Deny

*Note) The latest version of this document is available at the URL below.
  http://www.linuxchannel.net/docs/order-apache-vs-proftpd.txt

------------------------------------------------------
1. Apache Order allow,deny
2. ProFTPd Order allow,deny
3. Comparison
4. Summary
------------------------------------------------------

1. Apache Order allow,deny

Order directive
  - Syntax  : Order ordering
  - Default : Order Deny,Allow   <---- everything not listed in Deny is allowed
  - Context : directory, .htaccess
  - Override: Limit
  - Status  : Base
  - Module  : mod_access

Allow directive
  - Syntax  : Allow from all|host|env=variablename [host|env=variablename] ...
  - Context : directory, .htaccess
  - Override: Limit
  - Status  : Base
  - Module  : mod_access
  - List    : separated by spaces (' ')

    A (partial) domain-name
      Example: Allow from apache.org
    A full IP address
      Example: Allow from 10.1.2.3
    A partial IP address
      Example: Allow from 10.1
    A network/netmask pair
      Example: Allow from 10.1.0.0/255.255.0.0
    A network/nnn CIDR specification
      Example: Allow from 10.1.0.0/16

    Allow from 10.1.2.3 env=foo   <-- wrong (X)
    Allow from env=foo 10.1.2.3   <-- correct (O), env comes first

The default policy is that everything not listed in Deny is allowed.
The keywords Deny and Allow are separated by a comma (,) with no whitespace.

  - Order Deny,Allow
    Deny is evaluated before Allow, and then Allow overrides it.
    All remaining hosts that match neither are allowed.
    The base policy of this Order is therefore decided by the first Deny
    directive. The sequence is:

      1. Deny matches are decided first (this sets the base policy)
      2. Allow matches then override them
      3. All remaining hosts that are not covered are allowed

  - Order Allow,Deny
    Allow is evaluated before Deny, and then Deny overrides it.
    All remaining hosts that match neither are denied.
    The base policy of this Order is decided by the first Allow directive.
    (*** This is where Apache differs from ProFTPd ***)

  ex1) The base policy is Allow; as an exception, bad.com and hacker.com are forbidden

    Order Allow,Deny              <-- same as Order Mutual-failure
    Allow from all
    Deny from bad.com hacker.com  <-- list entries are separated by spaces

  ex2) The base policy is Deny; as an exception, only myhost.com is allowed access

    Order Deny,Allow
    Deny from all
    Allow from myhost.com

  ex3) Important

    Order Allow,Deny
    Allow from apache.org
    Deny from foo.apache.org

    This allows only *.apache.org except foo.apache.org, and forbids access
    from all other hosts (foo.apache.org is of course forbidden).
    The reason is that, following the Order, Allow is evaluated before Deny
    and the Deny matches then override it; all remaining hosts that match
    nothing are denied.

  ex4) Caution

    Order Deny,Allow
    Deny from all                 <--- the base policy is deny everything
    Allow from aaa.foo.com
    Allow from bbb.foo.com ccc.foo.com
    Allow from ddd.com.com
    Deny from ccc.foo.com         <--- *** this host is ALLOWED ***

    Because Deny is evaluated before Allow, the effective evaluation order
    is as follows.

    Order Deny,Allow
    Deny from all                 <--- the base policy is deny everything
    Deny from ccc.foo.com
    Allow from aaa.foo.com
    Allow from bbb.foo.com ccc.foo.com   <--- allowed
    Allow from ddd.com.com

2. ProFTPd Order allow,deny

Order directive
  - Syntax: Order [ Order allow,deny|deny,allow]
  - Default : Order allow,deny
  - Context :
  - Module : mod_core
  - Compatibility : 0.99.0pl6 and later

Allow directive
  - Syntax : Allow [ ["from"] "all"|"none"|host|network[,host|network[,...]]]
  - Default : Allow from all
  - Context :
  - Module : mod_core
  - Compatibility : 0.99.0pl6 and later
  - List : separated by commas (,)

    A (partial) domain-name
      Example: Allow from .proftpd.org   <--- unlike Apache, a leading dot is added
    A full IP address
      Example: Allow from 10.1.2.3       <--- same as Apache
    A partial IP address
      Example: Allow from 10.1.          <--- unlike Apache, a trailing dot is added
    A network/netmask pair               <--- not available
    A network/nnn CIDR specification
      Example: Allow from 10.1.0.0/16    <--- same as Apache

ProFTPd's Order, Allow and Deny directives have a syntax similar to Apache's,
but the results are very different.
  - Order deny,allow   <-- deny has priority
    deny is evaluated before allow and the decision is final (no override).
    allow is evaluated next (if a host appears in both, deny wins), and all
    remaining hosts that match nothing are denied (the opposite of Apache).

  - Order allow,deny   <-- allow has priority
    allow is evaluated before deny and the decision is final (no override).
    deny is evaluated next (if a host appears in both, allow wins), and all
    remaining hosts that match nothing are allowed (the opposite of Apache).

That is, when the same host appears in both allow and deny, priority goes to
the first keyword given in the Order directive.

    Order deny,allow
    Deny from 192.168.0.1
    Allow from 192.168.0.

deny has priority, so 192.168.0.1 is denied (it is not overridden).
Keeping the same Order and only swapping the positions of the two lines gives
the same result.

    Order deny,allow
    Allow from 192.168.0.
    Deny from 192.168.0.1

*Important) Unlike Apache, ProFTPd does not override in the sequence given by
 Order; the first keyword in Order decides access right away.

  ex1) Allow only specific hosts

    Order allow,deny
    Allow from 192.168.0.100,192.168.1.
    Deny from all      <--- "all" means the remaining hosts that did not match

    Only 192.168.0.100 and 192.168.1.0/24 are allowed; everything else is
    refused. Because only specific hosts are to be allowed, the order is set
    to Order allow,deny so that allow has priority.

  ex2) Forbid only specific hosts

    Order deny,allow
    Deny from 192.168.0.100,192.168.1.
    Allow from all     <--- "all" means the remaining hosts that did not match

    This is the opposite of ex1).

  ex3) Part and whole

    Order allow,deny
    Allow from 128.44.26.,128.44.26.
    Allow from myhost.mydomain.edu,.trusted-domain.org
    Deny from all

    Because ProFTPd does not override, the hosts configured first
    (e.g. 128.44.26.1) are allowed even though Deny from all comes last, and
    the remaining hosts not covered by the lines above it are all denied at
    the end.

  ex4) Priority

    Order deny,allow
    Allow from 192.168.0.
    Deny from 192.168.0.152
    Deny from all      <--- "all" means the remaining hosts that did not match

    Host 192.168.0.152 is covered by the earlier 'Allow from 192.168.0.*',
    but because the Order gives deny priority, this host ends up denied.
    That is, when the same host appears in both allow and deny, priority goes
    to the first keyword given in the Order directive.

    Order deny,allow
    Deny from 192.168.0.152
    Allow from 192.168.0.    <--- does not override
    Deny from all            <--- "all" means the remaining hosts that did not match

    The configuration above is equivalent.

3. Comparison

  1) Direction of configuration
    - Apache  : overridden step by step in the sequence given by Order.
                Remaining hosts that match nothing follow the second
                keyword of Order.
    - ProFTPd : decided first, step by step, in the sequence given by Order.
                Remaining hosts that match nothing follow the first
                keyword of Order.

  2) Override
    - Apache  : overridden (whatever comes later wins)
    - ProFTPd : not overridden (whatever comes first wins)

  3) Base access policy
    - Apache  : the whole --> overridden by the parts
    - ProFTPd : the parts are set first --> the rest is decided afterwards

  4) List notation
    - Apache  : separated by spaces (' '); for multiple lines both `\' and
                repeated directives are possible

        Allow from 1.2.3.4 1.2.3.5 \
                   1.2.3.6 1.2.3.7
        Allow from 10.10.10.1

    - ProFTPd : separated by commas (,); for multiple lines only repeated
                directives are possible

        Allow from 1.2.3.4,1.2.3.5,1.2.3.6,1.2.3.7
        Allow from 10.10.10.1

  5) Partial IP address
    - Apache  : 192.168.0 192.168.1      <-- no trailing dot
    - ProFTPd : 192.168.0.,192.168.1.    <-- trailing dot

  6) Partial domain-name
    - Apache  : foo.com bar.com          <-- no leading dot
    - ProFTPd : .foo.com,.bar.com        <-- leading dot

4. Summary

  1) Direction of configuration
    - Apache
      Following the Order, the whole is set first and the remaining parts
      override it.
    - ProFTPd
      Following the Order, the parts are decided first and the remaining
      whole is set afterwards.

    * The two are opposites of each other.

  2) Allowing only specific hosts : the base policy is deny
    - Apache

        Order Deny,Allow
        Deny from all
        Allow from 192.168.0 192.168.1.111

    - ProFTPd

        Order allow,deny
        Allow from 192.168.0.,192.168.1.111
        Deny from all      <-- means the rest

  3) Blocking only specific hosts : the base policy is allow
    - Apache

        Order Allow,Deny
        Allow from all
        Deny from 192.168.0 192.168.1.111

    - ProFTPd

        Order deny,allow
        Deny from 192.168.0.,192.168.1.111
        Allow from all     <-- means the rest
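
The contrast drawn in sections 3 and 4, as an added example (not part of the original document): a small Python model of both evaluation orders, run on the rule pair from section 2. It models the semantics as this page describes them and handles only full and partial IPv4 entries (no "all", host names or CIDR); the function names and the host 10.0.0.5 are assumptions made for the illustration.

```python
# Added example: models the Order semantics as this page describes them.
# Only full and partial IPv4 entries are handled (no "all", names or CIDR).

def matches(host, entries):
    """True if host equals an entry or falls under a partial-IP entry.
    The trailing dot ProFTPd requires ("192.168.0.") is optional here."""
    for entry in entries:
        prefix = entry.rstrip(".")
        if host == prefix or host.startswith(prefix + "."):
            return True
    return False

def apache_access(order, allow, deny, host):
    """Apache mod_access: the second keyword overrides the first."""
    a, d = matches(host, allow), matches(host, deny)
    if order == "deny,allow":
        return a or not d      # Allow overrides Deny; unmatched is allowed
    return a and not d         # Deny overrides Allow; unmatched is denied

def proftpd_access(order, allow, deny, host):
    """ProFTPd: the first keyword decides at once, no override."""
    a, d = matches(host, allow), matches(host, deny)
    if order == "deny,allow":
        if d:
            return False       # a deny match is final
        return a               # unmatched is denied
    if a:
        return True            # an allow match is final
    return not d               # unmatched is allowed

def compare(order, allow, deny, hosts):
    """Map each host to (apache_allowed, proftpd_allowed)."""
    return {h: (apache_access(order, allow, deny, h),
                proftpd_access(order, allow, deny, h)) for h in hosts}

# Rule pair taken from section 2; the third host is a constructed outsider.
ALLOW, DENY = ["192.168.0."], ["192.168.0.1"]
HOSTS = ["192.168.0.1", "192.168.0.7", "10.0.0.5"]

if __name__ == "__main__":
    for order in ("deny,allow", "allow,deny"):
        print("Order", order)
        for host, (ap, pf) in compare(order, ALLOW, DENY, HOSTS).items():
            print(f"  {host:<12} Apache={'allow' if ap else 'deny':<5} "
                  f"ProFTPd={'allow' if pf else 'deny'}")
```

For entries of this kind, Apache's Order Deny,Allow yields the same decisions as ProFTPd's Order allow,deny and vice versa, so an access list copied from one server to the other without swapping the keywords changes who is admitted.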