apache v2.4 remove old v2.2 'Deny from env=BlockCountry' directive - apache

I protect my HTTP(S) vhosts with GeoIP:
<Directory /srv/www/vhosts>
MaxMindDBEnable On
MaxMindDBFile DB /usr/local/share/maxminddb/GeoLite2-Country.mmdb
MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code
SetEnvIf MM_COUNTRY_CODE ^(RU|CN|HK|IN) BlockCountry
Deny from env=BlockCountry
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
1.) Am I correct that I mix the v2.2 Deny from env=BlockCountry and v2.4 Require all granted directives here?
If yes: I searched the web to replace the Deny from env=BlockCountry with an Apache 2.4 alternative but cannot find one. How can I get rid of the old Deny directive?
2.) Am I correct that my GeoIP code in my apache2.conf works with these version-inconsistent directives just by some "luck", because I never set the order of which rule (Require or Deny) comes first, like I would do in v2.2 Apache with order allow deny?
3.) Require env BlockCountry works, but then all the blocked countries have access and all the others do not (I always test with a VPN).
So I tried Require not env BlockCountry, but this leads to an error when I restart the Apache web server.

You could negate your rule.
Instead of
SetEnvIf MM_COUNTRY_CODE ^(RU|CN|HK|IN) BlockCountry
Deny from env=BlockCountry
set:
# Negative lookahead: sets AllowCountry for every country code not in the list
SetEnvIf MM_COUNTRY_CODE ^(?!RU|CN|HK|IN) AllowCountry
Require env AllowCountry
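A direct Apache 2.4 replacement for the question's `Deny from env=BlockCountry`, shown as an added example that is not part of the original posts. It reuses the question's paths and variable names. A negated `Require` cannot authorize a request by itself, which is why the bare `Require not env BlockCountry` was rejected at restart; inside `<RequireAll>` it is paired with a positive rule.

```apache
<Directory /srv/www/vhosts>
    MaxMindDBEnable On
    MaxMindDBFile DB /usr/local/share/maxminddb/GeoLite2-Country.mmdb
    MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code

    # Flag requests whose country code is on the block list (same list as the question).
    SetEnvIf MM_COUNTRY_CODE ^(RU|CN|HK|IN) BlockCountry

    Options FollowSymLinks
    AllowOverride None

    # Apache 2.2 form, only honoured while mod_access_compat is loaded:
    #   Deny from env=BlockCountry
    #
    # Apache 2.4 form: both conditions must hold, so every client is
    # granted access unless BlockCountry is set for the request.
    <RequireAll>
        Require all granted
        Require not env BlockCountry
    </RequireAll>
</Directory>
```

Run `apachectl configtest` before reloading. With mod_access_compat unloaded, any leftover `Order`, `Allow` or `Deny` line is reported as an invalid command instead of being silently mixed with the `Require` rules.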

Related

Moving to new Apache 2.4 access control syntax

I am updating my original question as I was confusing "Require not host" for the hostname contained in a referrer string.
So what I need to make sure of now. In Apache 2.2 I was doing the following to allow/deny certain ip ranges, user-agents and domain names / referrers.
This is a very shortened example as I don't want to burden anyone with too much code. I've tested the Apache 2.4 code block, which appears to work fine, but is this the correct way of doing things now?
Is it necessary to specify whitelisted IPs and domains as I was doing before, or is it only necessary to blacklist due to the Require all granted?
The old 2.2 method works 100% on Apache 2.4 as long as the mod_access_compat module is loaded but obviously getting things right for Apache 2.4 without using a compatibility module is first prize.
Apache 2.2:
<Directory /var/www/html>
Order Allow,Deny
Allow from all
Allow from env=good_bot
Allow from env=good_ref
Allow from 131.253.24.0/22
Allow from 131.253.46.0/23
deny from 104.197.51.76
deny from 108.167.189.81
deny from env=bad_bot
deny from env=spam_ref
</Directory>
Apache 2.4:
<Directory /var/www/html>
<RequireAny>
<RequireAll>
Require all granted
Require not ip 104.197.51.76
Require not ip 54.242.250.203
Require not env bad_bot
Require not env spam_ref
</RequireAll>
<RequireAny>
Require ip 131.253.24.0/22
Require ip 131.253.46.0/23
Require env good_ref
Require env good_bot
</RequireAny>
</RequireAny>
</Directory>
I can confirm that my Apache 2.4 example is correct. I've tested it with a huge list of referrers, user-agents, blacklisted and whitelisted IPs and it appears to be perfect. I also confirmed by unloading the mod_access_compat module and reloading Apache with a2dismod access_compat.
So this is now the correct way to do things in Apache 2.4.
<Directory /var/www/html>
<RequireAny>
<RequireAll>
Require all granted
Require not ip 104.197.51.76
Require not ip 54.242.250.203
Require not env bad_bot
Require not env spam_ref
</RequireAll>
<RequireAny>
Require ip 131.253.24.0/22
Require ip 131.253.46.0/23
Require env good_ref
Require env good_bot
</RequireAny>
</RequireAny>
</Directory>

httpd-xampp.conf: How to allow access to an external IP besides localhost?

I haven't found the right answer that works for me in other questions.
This is what the httpd-xampp.conf looks like originally:
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Require local
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
What should I do if I want to add another IP address besides the Require local?
For example, below Require local I have tried the following:
allow from xxx.xxx.xxx.xx
That is to say:
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Require local
allow from xxx.xxx.xxx.xx
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
But it still blocks the access to that external IP.
How do I fix this?
How can I add more IP addresses to allow them access?
I am using XAMPP 5.6.3 under a Windows environment.
allow from all will not work along with Require local. Instead, try Require ip xxx.xxx.xxx.xx
For Example:
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Require local
Require ip 10.0.0.1
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
I tried this and it works. Be careful though. This means that anyone in your LAN can access it. Deepak Naik's answer is safer.
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
# Require local
Require all granted
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
<Directory "C:/xampp/">
AllowOverride AuthConfig Limit
Order allow,deny
Allow from all
Require all granted
</Directory>
This is what I added at the end of the file \xampp\apache\conf\extra\httpd-xampp.conf, before tag
Add the code below to the file d:\xampp\apache\conf\extra\httpd-xampp.conf:
<IfModule alias_module>
...
Alias / "d:/xampp/my/folder/"
<Directory "d:/xampp/my/folder">
AllowOverride AuthConfig Limit
Order allow,deny
Allow from all
Require all granted
</Directory>
</IfModule>
The above config can be accessed from http://127.0.0.1/
Note: someone suggested replacing Require local with Require all granted, but that did not work for me
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
# Require local
Require all granted
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
For Ubuntu XAMPP, go to /opt/lampp/etc/extra/, open the httpd-xampp.conf file and add the lines below to get remote access:
Order allow,deny
Require all granted
Allow from all
in the /opt/lampp/phpmyadmin section.
Then restart lampp using /opt/lampp/lampp restart
<LocationMatch "^/(?i:(?:xampp|licenses|phpmyadmin|webalizer|server-status|server-info))">
Order deny,allow
Deny from all
Allow from all
Allow from ::1 127.0.0.0/8
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>
Add to the text file httpd-xampp.conf:
<Directory "E:/xampp/phpMyAdmin/">
AllowOverride AuthConfig Limit
Order allow,deny
Allow from all
Require all granted
</Directory>
In Windows, all you have to do is go to Windows search and open "Allow an app through Windows Firewall". Click on "Allow another app", select Apache and mark both public and private. Open cmd by pressing Windows button+R and writing cmd, then in cmd write ipconfig to find out your IP. Then open your browser and enter your IP, http://172.16..x, and you will be on the XAMPP startup page. If you want to access your local site, simply put / in front of your IP, e.g. http://192.168.1.x/yousite. Now you are able to access your website from computers on the private network.
I hope this will resolve your problem.
Open for new app "HTTPD" (Apache server) in your Firewall
Take a look at this: https://www.youtube.com/watch?v=eqgUGF3NnuM

How to use Require directive to limit file access in apache 2.4

I have a directory structure like the following for a website on Ubuntu 14.04, running apache 2.4.7:
/websites/mywebsite/index.htm
/websites/mywebsite/private.htm
/websites/mywebsite/folder/privatefile.ext
/websites/mywebsite/folder/subfolder/publicfile.ext
In the Apache config for the site, I have
<Directory /websites/mywebsite/>
AllowOverride Limit
Require all granted
</Directory>
I want to use .htaccess files in the site folder such that the private.htm and privatefile.ext files are Require all denied but everything else is granted.
I tried the following two .htaccess files:
/websites/mywebsite/.htaccess:
<FilesMatch (private.*.htm)$>
Require all denied
</FilesMatch>
/websites/mywebsite/folder/.htaccess:
Require all denied
/websites/mywebsite/folder/subfolder/.htaccess:
Require all granted
However, Apache gives a 500 - "Require not allowed here" for /websites/mywebsite/.htaccess
How can I make what I want happen with Apache 2.4-compatible configuration (i.e. I do not want to load mod_access_compat and use the old style config)?
In the Apache config for the site, you have to extend the AllowOverride properties. Add: FileInfo and AuthConfig. Or set "AllowOverride All"
I had the same problem, fixed with this config:
<Directory /websites/mywebsite/>
Options +FollowSymLinks +SymLinksIfOwnerMatch
AllowOverride FileInfo AuthConfig
</Directory>
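The same policy can also be kept entirely in the server configuration, so that `AllowOverride` stays at `None` and no `.htaccess` file is consulted. This is an added example, not from the original posts; it uses the question's paths and assumes the private page is named exactly `private.htm`. If the `.htaccess` route is kept instead, `Require` is only accepted there once `AllowOverride` includes `AuthConfig`.

```apache
<Directory /websites/mywebsite/>
    # No .htaccess processing; every access rule lives in this file.
    AllowOverride None
    Require all granted

    # Deny the private page (matches private.htm here and in subdirectories).
    <Files "private.htm">
        Require all denied
    </Files>
</Directory>

# Everything under folder/ is private by default ...
<Directory /websites/mywebsite/folder/>
    Require all denied
</Directory>

# ... except the public subfolder, which is opened again explicitly.
<Directory /websites/mywebsite/folder/subfolder/>
    Require all granted
</Directory>
```

Directory sections are applied from the shortest path to the longest, so the rule on `subfolder/` replaces the denial inherited from `folder/`.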

locking down Apache to localhost

Having recently moved from Win XP (x86) to Win 7 (x64), I have also had to reinstall Apache. I have installed the 64 bit versions of Apache (2.4.3) and PHP (2.4).
I installed it to c:\Apache24.
I have got it up and running, but now I need to lock it down to my local PC Only.
If I have:
<Directory "c:/Apache24/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
# New directive needed in Apache 2.4.3 apparently:
Require all granted
</Directory>
this works fine, but if I change it to:
<Directory "c:/Apache24/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from 127.0.0.1
# New directive needed in Apache 2.4.3 apparently:
Require all granted
</Directory>
(or 'Allow from Localhost' or 'Allow from 192.x.y.z')
I get an access denied error. How can I get round this?
Everything is installed using my login, which has full local admin rights.
Replace
Order allow,deny
Allow from all
Require all granted
by just
Require local
More: http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html
One approach is to add Listen to httpd.conf:
Listen 127.0.0.1:80
Remember to remove the other Listen directives, if there are any other.
Note that this will lock down the entire server so it only responds to requests from localhost. If you need to fine-tune permissions on a directory-by-directory basis, use the <Directory> syntax:
<Directory /var/www/secure>
Require local
</Directory>
The above is for Apache 2.4, where Order, Allow, and Deny are deprecated.

how to access phpmyadmin remotely

Is it possible to access phpmyadmin from outside the network?
Where do I set it? I tried editing httpd.conf, and restarted all services from wampserver but it doesn't work
<Directory />
Options FollowSymLinks
AllowOverride None
Order Allow,Deny
Allow from all
</Directory>
Go to C:\wamp\alias and edit the file phpmyadmin
# to give access to phpmyadmin from outside
# replace the lines
#
# Order Deny,Allow
# Deny from all
# Allow from 127.0.0.1
#
# by
#
# Order Allow,Deny
# Allow from all
# Edit C:\wamp\alias\phpmyadmin.conf
# Below is v3.5.1 - the current version is 4.0.4.1
Alias /phpmyadmin "c:/wamp/apps/phpmyadmin3.5.1/"
# to give access to phpMyAdmin from outside
# replace the lines
#
# Require local
#
# by
#
# Require all granted
#
<Directory "c:/wamp/apps/phpmyadmin3.5.1/">
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Require all granted
</Directory>
Are you on Unix or Windows? If on Unix, check the owner/permissions for the directory that phpMyAdmin is installed under - that might have something to do with it.
It looks to me as if you're trying to access a private address from a remote network. You can't. You will have to configure a webserver on your machine and use a ddns (in case you don't have a fixed public IP) service on your server. You will probably also have to redirect port 80 incoming traffic on your router, pointing to the webserver machine.
Just for reference of other users who will encounter this kind of issue, I would like to remind everyone that aside from changing directories, you must also check your firewall settings.
It happened to me, I've changed everything (all config in xampp) but still could not connect. I almost gave up and then I remembered the firewall. After I changed my settings it all works fine.
Just sharing.
Did you try it like this? Maybe you should add the directory name in your network?
<Directory "/Documents and Settings/All Users/Documents/xampp/phpMyAdmin">
...
...
...
...
</Directory>
Put the code below in the file
D:\wamp\alias\phpmyadmin.conf
<Directory "D:/wamp/apps/phpmyadmin3.2.0.1/">
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order Deny,Allow
Allow from all
Allow from 127.0.0.1
</Directory>