prevent Access to Apache server web folder on EC2 - apache

Hi, I have built a web platform on EC2 with Apache as my web server.
I want to prevent access to my web folders.
In case someone tries www.mywebsite.com/include or www.mywebsite.com/includes/images,
I want him to be blocked.
I understood I have to create an .htaccess file with some rule.
I have tried that with no success.
If someone has good knowledge, I'd like to have a tutorial in case the answer won't be enough.
Thanks
I already described above

You can use the Location or Directory directive; you can find more information in the Apache documentation.
Below is the code block for Apache 2.4.x:
<Location /include>
Require all denied
</Location>
<Location /includes/images>
Require all denied
</Location>
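The same restriction expressed by filesystem path, as an added example that is not part of the original answer. The DocumentRoot `/var/www/html` is an assumption. A `<Directory>` rule follows the files themselves, so it still applies when an Alias, symlink or rewrite exposes the folder under a different URL, whereas `<Location>` only matches the URL as requested.

```apache
# Added example. /var/www/html is an assumed DocumentRoot; adjust to your layout.

# Deny by filesystem path. Every URL that resolves to these directories is
# refused with 403, regardless of how the request was mapped.
<Directory "/var/www/html/include">
    Require all denied
</Directory>

# Note: this also refuses direct browser requests for files in this folder,
# so pages that link to images stored here will no longer display them.
<Directory "/var/www/html/includes/images">
    Require all denied
</Directory>

<Directory "/var/www/html">
    # Do not generate a file listing for folders that lack an index file.
    Options -Indexes

    # Needed only if the rule is kept in a .htaccess file instead of here:
    # "Require" in .htaccess is honoured only when AuthConfig overrides are
    # allowed. With "AllowOverride None" the .htaccess file is ignored.
    AllowOverride AuthConfig
</Directory>

# .htaccess variant (file placed at /var/www/html/include/.htaccess):
#   Require all denied
```

After a reload, `apachectl configtest` should report `Syntax OK` and a request for `/include/` should return 403.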

Related

Apache as a proxy for multiple nginx servers

I'm starting from the bitnami jenkins stack. Everything is working perfectly with jenkins.
http://sample:8080/jenkins (works fine)
I'm trying to add additional directories to apache to proxy to nginx:
http://sample:8080/other_tool
I can get to the other_tool homepage, but references to that other tool break down because they are looking for http://sample:8080/relative_url rather than http://sample:8080/other_tool/relative_url
I can pull config settings from the necessary files as needed, but it is on an air-gapped network so wholesale posting would be a challenge
The apache conf looks like:
<Directory /other_tool>
ProxyPass http://localhost:9999
ProxyPassReverse http://localhost:9999
</Directory>
The nginx configuration is a standard "/" with root directory. I'm not as familiar with nginx so I can't recall the exact information off the top of my head. If needed I will provide it.
I could try to switch the jenkins hosting over to nginx, but I'm not sure that simplifies anything.
I can't open more ports on the machine. I can't use a subdomain as that would require additional DNS entries that I do not control.
Ideas or suggestions?

AH01630: client denied by server configuration but require all granted is set (Apache 2.4, CentOs)

I am using Apache 2.4 on CentOs to power my website. However, I always get a 403 forbidden error when trying to access the website through my browser. When I consulted the file error_log in the log directory of /etc/httpd, I repeatedly see the error:
AH01630: client denied by server configuration
I have read on the Internet as well as in multiple StackOverflow questions that you can solve this error with Require all granted in the html directory configuration of the httpd.conf file (/etc/httpd/conf/).
I have configured this directory (through which I am hosting my website) as recommended above (it was already configured). The error persists, so there must be another problem in the server configuration that denies access to my website. My httpd.conf file is not changed at all, it is the default file that gets downloaded when installing Apache 2.4. Does anybody know why this error occurs? Can somebody explain to me what else can cause this error? I have looked everywhere on the internet for this error (links below) but nothing could help me with this problem.
I have no .htaccess file in my website. Only an index.html file to test it.
Stack Overflow Question: "Apache2: 'AH01630: client denied by server configuration'"
Apache Wiki
Serverfault
I just deleted the whole HTTPD configuration and then reinstalled Apache. I had to enable PHP too by using these lines of code:
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
Then Apache worked flawlessly.

.htaccess AuthUserFile has no effect or is being ignored

After hours of searching the web and trying dozens of unsuccessful solutions - here is my question.
I'm currently configuring a webserver on RHEL 6.4 and httpd 2.2.15 behind another RHEL 6.4 server using squid 3.1.10 and HTTPS only. I'm also using mod_rpaf to simplify logging and identification of visitors behind the proxy.
My problem is to configure a simple password protected folder. When I try to access the folder, the password dialog pops up with the configured AuthName. So I know that the .htaccess is being parsed. But the dialog does not accept the correct credentials and gives me an error 401.
I messed around with:
different permissions for .htaccess, .htpasswd and parent folders
different absolute locations for the .htpasswd
all activated Apache modules that are available on my system
different encryption algorithms for .htpasswd (crypt, md5, sha, salted sha...)
AllowOverride All on the protected and parent folder
But what I really do not understand is that even if I put a wrong location for AuthUserFile, there is no error message in Apache's error_log like the well-known Permission denied: Could not open password file, even on LogLevel debug. Therefore I think that something is wrong with the directive AuthUserFile.
I hope there is someone out there knowing better methods to identify the problem.
This is my simple .htaccess I'm using for testing:
AuthType Basic
AuthName "Test123"
#AuthUserFile /var/www/test/.htpasswd
AuthUserFile /notexisting
Require valid-user
Finally I got it to work!
I tracked the error down to the squid reverse proxy by using lynx on my webserver and successfully accessing the protected folder from there.
With my new focus on squid I started googling again. Already the first link took me to the correct answer: squid did not allow the apache to handle user authentication.
Resolution:
Add login=PASS to the cache_peer command in your squid.conf

Apache always get 403 permission after changing DocumentRoot

I'm just a newbie for Apache. I just installed apache 2.2 on the FreeBSD box at my home office. The instruction on FreeBSD documentation is that I can change the DocumentRoot directive in order to use the customized directory data. Therefore, I replaced...
/usr/local/www/apache22/data
with
/usr/home/some_user/public_html
but something is not right. There's index.html file inside the directory, but it seems that apache could not read the directory/file.
Forbidden
You don't have permission to access / on this server.
The permission of public_html is drwxr-xr-x
I wonder what could be wrong here. Also, in my case, I am not going to host more than one website for this FreeBSD box, so I didn't look at using VirtualHost at all. Is this a good practice just to change the DirectoryRoot directive?
Somewhere in the apache config is a line like:
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/usr/local/www/apache22/data">
You must change this path too, to make it work. This directive contains for example:
Order allow,deny
Allow from all
Which gives initial user access to the directory.
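The pairing described in the answer above, written so that the same file loads on Apache 2.2 and 2.4. This is an added example, not part of the original answer; it uses the asker's paths and assumes mod_version is loaded for `<IfVersion>`.

```apache
# Added example, using the paths from the question.
DocumentRoot "/usr/home/some_user/public_html"

# The access block must name the same path as DocumentRoot. If it still
# points at /usr/local/www/apache22/data, the new root is covered only by
# the restrictive <Directory /> block that stock configurations usually
# ship with, and every request ends in 403.
<Directory "/usr/home/some_user/public_html">
    Options -Indexes
    AllowOverride None

    # Apache 2.2 access syntax (mod_authz_host)
    <IfVersion < 2.4>
        Order allow,deny
        Allow from all
    </IfVersion>

    # Apache 2.4 access syntax (mod_authz_core)
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
</Directory>

# The account Apache runs as also needs search (x) permission on every
# parent directory: /usr/home and /usr/home/some_user, not only public_html.
```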
One possibility that comes to mind is SELinux blocking the web process from accessing that folder. If this is the case, you would see it in the SELinux log. You would have to check the context for your original web root with:
ls -Zl
and then apply it to your new web folder:
chcon whatevercontextyousaw public_html
Or, instead, if it's not a production server that requires security (like a development machine behind a firewall), you might want to just turn SELinux off.
Just one idea. Could be a number of other things.

Front-end Proxy does not reference resources correctly

I'm having quite a lot of difficulties with running a frontend proxy in front of play.
This post is also on the google group, I'll post the received suggestions on both.
I'm using apache and mod_proxy and the application is supposed to be running in a location "mywebsite.be/dev/app/". It is able to display the HTML.
But when I run the application, all the CSS/JS/images are missing, also all references are incorrect. I look up the source and it seems that Play did not replace the #{/pathname/to/resources} and other relative links to its correct url. In order to let everything work, all urls should be prefixed with "/dev/app". How can this be done?
I tried experimenting with the ctxPath, but that's not what I need, the application runs fine on its own, but apache2 has issues translating all those urls in the reverse proxy.
Can this be solved? I was thinking of somehow editing the #-operator in the templating system, but that can't be it, right?
greetings,
Jasper
Have you looked at this post? I think it is related.
Can not generate correct URLs for static resources with playframework when using Apache as a Proxy
Also, please keep an eye out for Play 1.2.2, as this intends to solve this problem, according to a post I have read in the Play groups.
One of my teammates came up with the answer. It's quite simple.
If you have your apache2 configuration, instead of pointing to the localhost root, you just point to the localhost:9000/dev/app:
ProxyPreserveHost On
RedirectMatch /dev/app /dev/app/
<Location /dev/app/>
AuthType Basic
AuthName "Test Omgeving"
AuthUserFile /var/trac/htpasswd
Require valid-user
ProxyPass http://127.0.0.1:9000/dev/app/
ProxyPassReverse http://127.0.0.1:9000/dev/app/
</Location>
This tricks apache2 into thinking that there is another subdirectory in your localhost server, but in fact, there isn't any, but now it references correctly, therefore translating all traffic to the corresponding resources.
Perhaps not the classy way to do things, but it works fine :)
Thanks for all the help. Hope this post helps other people with frontend proxies out there.
Greetings
I will recommend you use a proxy balancer, as it will help to balance your servers if you plan to use more than one instance of the Play server in the future.
<Proxy balancer://my-balancer>
Order deny,allow
Allow from all
BalancerMember url1:port route=instanceOne
BalancerMember url2:port route=instanceTwo
ProxySet lbmethod=bytraffic
</Proxy>
ProxyPass / balancer://my-balancer/
Now it will pass your traffic to url1:port or url2:port and it will also fetch your images and other static URLs.