I've been trying to allow only Cloudflare's IP ranges on my server, but I keep getting 403 errors; 403 is what people bypassing Cloudflare should see.
I have tried:
#cloudflare
order deny,allow
Deny from all
#ipv4
allow from 173.245.48.0/20
allow from 103.21.244.0/22
allow from 103.22.200.0/22
allow from 103.31.4.0/22
allow from 141.101.64.0/18
allow from 108.162.192.0/18
allow from 190.93.240.0/20
allow from 188.114.96.0/20
allow from 197.234.240.0/22
allow from 198.41.128.0/17
allow from 162.158.0.0/15
allow from 104.16.0.0/12
allow from 172.64.0.0/13
allow from 131.0.72.0/22
#ipv6
allow from 2400:cb00::/32
allow from 2606:4700::/32
allow from 2803:f800::/32
allow from 2405:b500::/32
allow from 2405:8100::/32
allow from 2a06:98c0::/29
allow from 2c0f:f248::/32
and I have tried:
DenyAllButCloudFlare
I get the same issue; the above line gives me a 500 error.
For the life of me I can't figure it out; Cloudflare support just referred me to their whitelist page, which I have followed.
I'm using Apache 2.4.2
edit: changed Apache version num :)
Try using the Require directive in Apache. Apache themselves mention:
The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.
Try changing it to the following, and make sure mod_authz_host is enabled:
#path to your website
<Directory "path/to/public_html/or/var/www/html">
#ipv4
Require ip 173.245.48.0/20
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 141.101.64.0/18
Require ip 108.162.192.0/18
Require ip 190.93.240.0/20
Require ip 188.114.96.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 162.158.0.0/15
Require ip 104.16.0.0/12
Require ip 172.64.0.0/13
Require ip 131.0.72.0/22
#ipv6
Require ip 2400:cb00::/32
Require ip 2606:4700::/32
Require ip 2803:f800::/32
Require ip 2405:b500::/32
Require ip 2405:8100::/32
Require ip 2a06:98c0::/29
Require ip 2c0f:f248::/32
</Directory>
Have a look at https://httpd.apache.org/docs/2.4/howto/access.html for more info.
Be aware of this: Cloudflare themselves say:
Cloudflare no longer updates and supports mod_cloudflare, starting with versions Debian 9 and Ubuntu 18.04 LTS of the Linux operating system. We now support mod_remoteip for customers using Apache web servers. Customers who are interested in building the mod_cloudflare package can download the codebase from GitHub.
See: https://support.cloudflare.com/hc/en-us/articles/200170916-Restoring-original-visitor-IPs-Option-1-Installing-mod-cloudflare
And mod_remoteip feels like it is insecure. So, I suggest you stick with the Require ip directive; I think it is better just to use the normal Apache directives anyway.
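A way to verify that the allowlist above actually takes effect, as an added example (not code from the question or the answer): it mirrors the `Require ip` decision for the listed Cloudflare ranges and runs it over Apache combined-format access log lines, flagging requests that reached the origin without passing through a Cloudflare edge. The log lines and addresses are constructed for the example.

```python
import ipaddress
import re

# The Cloudflare ranges from the answer above, parsed once into network objects.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

def is_cloudflare(ip: str) -> bool:
    """Same decision `Require ip <cidr>` makes for a connection's source address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)

# Apache "combined" log format: source address, identd, user, [time], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def direct_origin_hits(lines):
    """Return (ip, status, request) for every request whose source address is not
    a Cloudflare edge, i.e. a client that reached the origin directly.  A status
    other than 403 on such a line means the allowlist is not doing its job."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines in another format
        ip, _when, request, status = m.groups()
        if not is_cloudflare(ip):
            hits.append((ip, int(status), request))
    return hits

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '104.16.1.1 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 403 199',
    '2606:4700:10::1 - - [10/Oct/2023:13:56:01 +0000] "GET /about HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Oct/2023:13:56:30 +0000] "GET /admin HTTP/1.1" 200 777',
]

if __name__ == "__main__":
    for ip, status, request in direct_origin_hits(SAMPLE_LOG):
        flag = "OK (blocked)" if status == 403 else "BYPASS NOT BLOCKED"
        print(f"{ip:20} {status} {request:30} {flag}")
```

Note that if mod_remoteip is also loaded, Apache's documentation states the overridden client address is what `Require ip` sees, so the list above must then match visitor addresses rather than Cloudflare edges and this check no longer describes the server's decision.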
Related
I want to allow the connection from my LAN, and also the case where the external IP matches my IP (for when I use my domain to connect internally to my HTTP server via a browser).
I found this:
Require forward-dns bla.example.org
but I get a 403 Forbidden :/
My .htaccess looks like this:
Order Deny,Allow
Deny from all
Allow from 192.168.254.1/24
Require forward-dns mydomain.de
Thank you :C
Here is the answer I have worked out:
I use a script to enter the IP address in the hosts file.
Follow the instructions from:
https://www.the-art-of-web.com/system/apache-auth-ddns/
After that it works with the following line in .htaccess:
Allow from yourDomain.de
It's not the best answer, but it will work.
I run Apache locally, on one of my home servers. I am able to access the domain once or twice, but then it will time out. It simply won't allow me to access it from my IP (the same IP the site is hosted on). Others are able to type in the domain name and access the server as much as they want. If I use a proxy, then I am also able to access it. The only time it messes up is when I try to access it without a VPN, or by using another computer that is on the network.
TL;DR: can't access site from own network; other networks can access.
Could you tell us what operating system you use? It could also be that in the rules for that directory you are allowing access from any IP except localhost.
Example:
<Directory /var/www/html/>
Order Deny,Allow
Deny from 127.0.0.1
Allow from All
</Directory>
Such a configuration would deny everything from localhost and allow everything from any other IP.
I am trying to configure phpMyAdmin on my server to be accessible only from localhost and not remotely. Below is the configuration in /etc/phpmyadmin/apache.conf on the server:
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Order deny,allow
Deny from all
Allow from 127.0.0.1
Options FollowSymLinks
DirectoryIndex index.php
</Directory>
So, while I access phpMyAdmin remotely I get 403 Forbidden, which is good, but when I access phpMyAdmin from localhost (that is, from the server using Remote Desktop), I still get 403, while I think this should give access to phpMyAdmin from localhost. Am I missing anything here?
Thank you
My guess is you are using Apache 2.4.x. The syntax for access control changed between 2.2 and 2.4. The Order and Deny syntax you're using is for Apache 2.2, but won't work for 2.4. In 2.4 it would be something like:
<Directory /usr/share/phpmyadmin>
Require ip 127.0.0.1
Options FollowSymLinks
DirectoryIndex index.php
</Directory>
Reference from the Apache upgrade doc and the Access Control docs.
Logical mistake
You make one big mistake, every one of you.
phpMyAdmin is NOT a server; it's just a client written as a PHP script and served by some HTTP server (Apache in this case).
What you want(ed), and what others suggested doing, is trying to disable access to the phpMyAdmin vhost of the HTTP server, but it will still be possible to log in to the database with any other client, from the terminal's mysql command to a GUI client like MySQL Workbench or an IDE's built-in DB clients. Where's the logic?
Of course, you can combine both techniques (HTTP securing and MySQL securing); however, without the second your database will still be unsafe. phpMyAdmin is just a client! It even has its own mechanics for controlling access, but if someone uses any other client (mentioned above) your effort will be absolutely worthless.
Solution:
To handle your case you should create a dedicated MySQL account with localhost access (I can bet that at the moment of writing this post it is/was %, which means global); then MySQL will control all incoming connections to check whether they are from the local machine or from the world.
Just don't forget to remove the account with global access (%) and flush the privileges after all changes.
Also, I always suggest creating exactly one user with all privileges to exactly one dedicated database (of course, other than root). That way, even if you are the only admin who works on many databases, you minimize the risk of accidental changes in other databases. (Pro tip: a good password manager will be your friendly ghost guard.)
I'd suggest googling it and getting overall knowledge of this topic, as it's quite crucial for DB security; however, it'll also be enough if you implement the simple solution from the very first answer found. Using a localhost restriction on MySQL, preferably together with blocking port 3306 on the firewall side, is a perfect solution to access your data with a locally installed phpMyAdmin script 100% securely (if that's possible at all).
Below I cite an answer from another post:
GRANT ALL PRIVILEGES ON *.* TO db_user@'localhost' IDENTIFIED BY 'db_passwd';
GRANT ALL PRIVILEGES ON *.* TO db_user@'127.0.0.1' IDENTIFIED BY 'db_passwd';
[mysqld]
bind-address = 127.0.0.1
P.S. You don't even need to write an SQL command for this; you can change it for each user with... phpMyAdmin.
I think this should work and make it so that you can only access it locally. It should be something like this, mostly:
<Directory /usr/share/phpmyadmin>
Require local
#......otherthings (also, only copy the line Require local)
</Directory>
I have a cloud-based Apache 2 web server, which serves multiple sites using various VirtualHost conf files.
One of the websites is for my development only, and is currently configured to allow only my current IP address:
Order deny,allow
Deny from all
Allow from 1.2.4.5
However, my IP changes once a week or so, so I'd prefer to use my dynamic DNS hostname. Alas, this...
Allow from abc.ddns.net
... does not work. Can it be done?
It can work, but it requires your DNS to be set up perfectly. If you use Allow from {hostname}, then for each relevant URI path Apache requests a reverse DNS lookup of the IP for the connection, and then, if that returns the correct host name from your Allow directive, Apache rechecks that that name resolves to the IP of the original connection.
This is a relatively expensive set of operations and is normally not recommended. Allow from {ip address} would normally be preferred.
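The double lookup described in this answer, written out as an added example (not code from the thread or from Apache): the resolvers are injected so the logic runs offline, and the constructed DNS data shows the usual reason a dynamic-DNS name fails the check, namely that the ISP controls the PTR record for the home address, plus the forged-PTR case the forward confirmation exists for. The names and addresses are constructed; `system_reverse`/`system_forward` are the real-resolver equivalents.

```python
import socket
from typing import Callable, Iterable, Optional

# Resolver callbacks are injected so the logic can be exercised offline; the
# two system_* functions below are what you would pass in real use.
ReverseFn = Callable[[str], Optional[str]]   # ip -> PTR name, or None if no PTR
ForwardFn = Callable[[str], Iterable[str]]   # name -> addresses it resolves to

def fcrdns_allows(client_ip: str, allowed_host: str,
                  reverse: ReverseFn, forward: ForwardFn) -> bool:
    """Forward-confirmed reverse DNS, the double lookup Apache performs for a
    hostname-based Allow: (1) PTR lookup of the connecting IP, (2) the PTR name
    must equal the allowed host or end in it on a label boundary, (3) the PTR
    name must resolve back to the connecting IP."""
    ptr = reverse(client_ip)
    if ptr is None:
        return False                      # no PTR at all: step 1 fails
    ptr = ptr.rstrip(".").lower()
    allowed = allowed_host.rstrip(".").lower()
    if ptr != allowed and not ptr.endswith("." + allowed):
        return False                      # step 2: name does not match
    return client_ip in set(forward(ptr))  # step 3: forward confirmation

def system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(host: str) -> Iterable[str]:
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

# Constructed DNS data (documentation ranges) for the dynamic-DNS scenario.
FAKE_A = {"abc.ddns.net": ["198.51.100.23"], "home.example.org": ["192.0.2.10"]}
FAKE_PTR = {
    "198.51.100.23": "cust-23.dsl.isp.example",  # ISP-owned PTR, not the DDNS name
    "203.0.113.5": "abc.ddns.net",               # attacker-set PTR, not forward-confirmed
    "192.0.2.10": "home.example.org",            # PTR and A agree: all three steps pass
}

def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)

def fake_forward(host: str) -> Iterable[str]:
    return FAKE_A.get(host, [])
```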
Someone is trying to access pages like
//mysqladmin//scripts/setup.php
Is it some hack attempt or ...?
If yes, then how can I block its IP from accessing my website?
Via .htaccess or something else?
As an update to this old question for those who still land here:
Order, Allow and Deny are deprecated as of Apache 2.4 and Require should be used:
<RequireAll>
Require all granted
Require not ip 1.2.3.4
</RequireAll>
Ranges, netmasks, etc. can also be specified.
https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html (Deprecated)
https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require
To block specific IP addresses you can put the following in a .htaccess file located in the directory you'd like to restrict:
order allow,deny
deny from 1.2.3.4
allow from all
Where 1.2.3.4 is the IP you like to block.
But note that IP addresses change users, and attackers also change IP addresses.
So this will not secure your application and may block legitimate visitors.
The better solution is to make sure your script does not accept malicious paths:
Append a base path to the path you get from the user
Make sure the path you get from the user does not contain '../'
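The two steps in this answer, carried a bit further as an added example (not code from the answer): `naive_check` is the literal "does not contain '../'" test, and `resolve_under_base` is the join-to-a-base-path approach done so that the result is verified to stay inside the base after URL-decoding and normalisation. It goes beyond the answer in also rejecting absolute paths, backslashes and NUL bytes; the base directory `/srv/www/public` is an assumed web root and need not exist.

```python
import os
from urllib.parse import unquote

class UnsafePath(ValueError):
    """Raised when a user-supplied path would leave the base directory."""

def naive_check(user_path: str) -> bool:
    """The literal advice from the answer: reject anything containing '../'."""
    return "../" not in user_path

def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Join user_path onto base_dir and return the absolute result, raising
    UnsafePath unless the result is still inside base_dir.  Handles cases the
    naive check misses: percent-encoded dots, backslashes, absolute paths,
    NUL bytes, and traversal that only shows up after normalisation."""
    if "\x00" in user_path:
        raise UnsafePath("NUL byte in path")
    decoded = unquote(user_path)             # %2e%2e%2f -> ../
    if "\\" in decoded:
        raise UnsafePath("backslash separator")
    if os.path.isabs(decoded):
        raise UnsafePath("absolute path would replace the base directory")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath compares whole components, so /srv/www/public-old is not
    # mistaken for a child of /srv/www/public the way a startswith() check would.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(f"{user_path!r} escapes {base_dir}")
    return candidate

def is_safe(base_dir: str, user_path: str) -> bool:
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except UnsafePath:
        return False

if __name__ == "__main__":
    base = "/srv/www/public"       # assumed web root; need not exist for the check
    for p in ["css/site.css", "a/../b.txt", "../../etc/passwd",
              "%2e%2e/%2e%2e/etc/passwd", "..\\..\\etc\\passwd", "/etc/passwd"]:
        print(f"{p:28} naive={naive_check(p)!s:5} safe={is_safe(base, p)}")
```

The naive check both misses encoded and absolute forms and rejects harmless paths such as `a/../b.txt`; the resolved check decides on where the path actually ends up.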