I run Apache locally, on one of my home servers. I am able to access the domain once or twice, but then it will time out. It simply won't allow me to access it from my IP (the same IP the site is hosted on). Others are able to type in the domain name and access the server as much as they want. If I use a proxy, then I am also able to access it. The only times it messes up is when I try to access it without a VPN, or by using another computer that is on the network.
TL;DR: can't access site from own network; other networks can access.
Could you tell us what operating system you use? It could also be that in the rules for that directory you are allowing access to it from any IP except localhost.
Example:
<Directory /var/www/html/>
# Allow is evaluated first, then Deny; a client matching both is denied
Order Allow,Deny
Deny from 127.0.0.1
Allow from All
</Directory>
Such a configuration would deny everything from localhost and allow everything from any other IP.
Related
I've been trying to allow only Cloudflare's IP ranges on my server, but I keep getting 403 errors; 403 is what people bypassing Cloudflare should see.
I have tried
#cloudflare
order deny,allow
Deny from all
#ipv4
allow from 173.245.48.0/20
allow from 103.21.244.0/22
allow from 103.22.200.0/22
allow from 103.31.4.0/22
allow from 141.101.64.0/18
allow from 108.162.192.0/18
allow from 190.93.240.0/20
allow from 188.114.96.0/20
allow from 197.234.240.0/22
allow from 198.41.128.0/17
allow from 162.158.0.0/15
allow from 104.16.0.0/12
allow from 172.64.0.0/13
allow from 131.0.72.0/22
#ipv6
allow from 2400:cb00::/32
allow from 2606:4700::/32
allow from 2803:f800::/32
allow from 2405:b500::/32
allow from 2405:8100::/32
allow from 2a06:98c0::/29
allow from 2c0f:f248::/32
and I have tried
DenyAllButCloudFlare
I get the same issue; the above line gives me a 500 error.
For the life of me I can't figure it out; Cloudflare support just referred me to their whitelist page, which I have followed.
I'm using Apache 2.4.2
edit: changed Apache version num :)
Try using the Require directive in Apache. Apache themselves mention:
The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.
Try changing it to the following, and make sure mod_authz_host is enabled:
#path to your website
<Directory "path/to/public_html/or/var/www/html">
#ipv4
Require ip 173.245.48.0/20
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 141.101.64.0/18
Require ip 108.162.192.0/18
Require ip 190.93.240.0/20
Require ip 188.114.96.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 162.158.0.0/15
Require ip 104.16.0.0/12
Require ip 172.64.0.0/13
Require ip 131.0.72.0/22
#ipv6
Require ip 2400:cb00::/32
Require ip 2606:4700::/32
Require ip 2803:f800::/32
Require ip 2405:b500::/32
Require ip 2405:8100::/32
Require ip 2a06:98c0::/29
Require ip 2c0f:f248::/32
</Directory>
Have a look at https://httpd.apache.org/docs/2.4/howto/access.html for more info.
Be aware of this. I think it should be better just using the normal Apache directives anyway. Cloudflare themselves say:
Cloudflare no longer updates and supports mod_cloudflare, starting with versions Debian 9 and Ubuntu 18.04 LTS of the Linux operating system. We now support mod_remoteip for customers using Apache web servers. Customers who are interested in building the mod_cloudflare package can download the codebase from GitHub.
See: https://support.cloudflare.com/hc/en-us/articles/200170916-Restoring-original-visitor-IPs-Option-1-Installing-mod-cloudflare
And mod_remoteip feels like it is insecure. So, I suggest you stick with the Require ip directive.
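To see which peer address Apache matched the rules against when it returned a 403, the access log can be checked against the same ranges. This is an added example, not code from the posters or from Cloudflare; the log lines are constructed and the function names are assumptions.

```python
import ipaddress
import re

# Ranges copied from the configuration posted in this thread; they can go stale.
CLOUDFLARE_RANGES = """
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18
108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22
198.41.128.0/17 162.158.0.0/15 104.16.0.0/12 172.64.0.0/13 131.0.72.0/22
2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32
2a06:98c0::/29 2c0f:f248::/32
""".split()
NETWORKS = [ipaddress.ip_network(r) for r in CLOUDFLARE_RANGES]

# Constructed sample lines in Apache "common" log format (not real traffic).
SAMPLE_LOG = """\
172.68.10.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.50 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 403 199
2606:4700:10::1 - - [01/Jan/2024:10:00:03 +0000] "GET /a HTTP/1.1" 200 80
192.168.1.20 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 403 199
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def from_cloudflare(ip_text):
    """True if the address falls inside one of the listed ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip.version == n.version and ip in n for n in NETWORKS)

def classify(log_text):
    """Return (client, status, via_cloudflare) for each parseable line."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            rows.append((m.group(1), int(m.group(2)), from_cloudflare(m.group(1))))
        except ValueError:  # client field was a hostname, not an IP address
            continue
    return rows

def unexpected(rows):
    """Rows that disagree with the allowlist: a 403 for a Cloudflare peer,
    or any other status for a peer outside the ranges."""
    return [r for r in rows if (r[1] == 403) == r[2]]

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(row)
    print("unexpected:", unexpected(classify(SAMPLE_LOG)))
```

Any row returned by `unexpected` means the rules Apache is applying are not the ones in the file being edited, or the address it sees is not the one assumed.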
I am trying to configure phpMyAdmin on my server to be accessible only from localhost and not remotely. Below is the configuration on the server, in /etc/phpmyadmin/apache.conf:
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Order deny,allow
Deny from all
Allow from 127.0.0.1
Options FollowSymLinks
DirectoryIndex index.php
</Directory>
So, while I access phpmyadmin from remote I am getting 403 forbidden which is good but when I access phpmyadmin from localhost (that is from server using remote desktop), I am still getting 403 while I think this should give access to phpmyadmin from localhost. Anything I am missing here?
Thank you
My guess is you are using Apache 2.4.x. The syntax for access control changed between 2.2 and 2.4. The Order and Deny syntax you're using is for Apache 2.2, but won't work for 2.4. In 2.4 it would be something like:
<Directory /usr/share/phpmyadmin>
Require ip 127.0.0.1
Options FollowSymLinks
DirectoryIndex index.php
</Directory>
Reference from Apache upgrade doc, and Access Control docs.
Logical mistake
You make one big mistake, every one of you.
PhpMyAdmin is NOT a server, it's just a client written as a PHP script and served by some HTTP server (Apache in this case).
What you want(ed), and what others suggested doing, is to disable access to the phpMyAdmin vhost of the HTTP server, but it will still be possible to log in to the database with any other client, from the terminal's mysql command to a GUI client like MySQL Workbench or an IDE's built-in DB clients. Where's the logic?
Of course, you can combine both techniques (HTTP securing and MySQL securing); however, without the second your database will still be unsafe. PhpMyAdmin is just a client! It even has its own mechanics for controlling access, but if someone uses any other client (mentioned above), your effort will be absolutely worthless.
Solution:
To maintain your case you should create a dedicated MySQL account with localhost access (I can bet that at the moment of writing this post it is/was %, which means global); then MySQL will control all incoming connections to check whether they are from the local machine or from the world.
Just don't forget to remove the account with global access (%) and flush the privileges after all changes.
Also, I always suggest creating exactly one user with all privileges to exactly one dedicated database (ofc, other than root). That way, even if you are the only admin who works on the many databases, you minimize the risk of accidental changes in other databases. (Pro-tip: a good password manager will be your friendly ghost-guard.)
I'd suggest googling it and getting overall knowledge of this topic, as it's quite crucial for DB security; however, it will also be enough if you implement the simple solution from the very first answer found. Using a localhost restriction on MySQL, preferably together with blocking port 3306 on the firewall side, is a perfect solution to access your data with a locally installed PhpMyAdmin script 100% securely (if that's possible at all).
Below I cite an answer from another post:
GRANT ALL PRIVILEGES ON *.* TO db_user@'localhost' IDENTIFIED BY 'db_passwd';
GRANT ALL PRIVILEGES ON *.* TO db_user@'127.0.0.1' IDENTIFIED BY 'db_passwd';
[mysqld]
bind-address = 127.0.0.1
P.S. You don't even need to write an SQL command for this; you can change it for each user with... PhpMyAdmin.
I think this should work, and make it so that you can only access it locally, it should be something like this mostly, but :
<Directory /usr/share/phpmyadmin>
Require local
#......otherthings (also, only copy the line Require local)
</Directory>
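How the 2.2-style rule from the question in this thread, and the single-address block rule that appears further down the page, evaluate for IPv4 and IPv6 loopback clients, next to a simplified `Require local`. This is an added example, not code from the posters or from Apache; the function names and client addresses are assumptions, only `all`, IP and CIDR values are modelled, and `require_local` covers just the loopback part of the directive.

```python
import ipaddress

def _matches(client, spec):
    """True if client falls under an Allow/Deny value ('all', an IP or a CIDR)."""
    if spec.lower() == "all":
        return True
    net = ipaddress.ip_network(spec, strict=False)
    return client.version == net.version and client in net

def compat_allows(order, allow, deny, client_ip):
    """Simplified mod_access_compat decision: True means the request is allowed."""
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(client, s) for s in allow)
    denied = any(_matches(client, s) for s in deny)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        # Deny is evaluated first, a matching Allow overrides it; default: allow.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first, a matching Deny overrides it; default: deny.
        return allowed and not denied
    raise ValueError("unsupported Order value: " + order)

def require_local(client_ip):
    """Loopback part of 'Require local' (127.0.0.0/8 and ::1) only."""
    return ipaddress.ip_address(client_ip).is_loopback

# Rule sets as (Order, Allow list, Deny list), taken from the posts on this page.
PHPMYADMIN_22 = ("deny,allow", ["127.0.0.1"], ["all"])
BLOCK_ONE_IP = ("allow,deny", ["all"], ["1.2.3.4"])

# Constructed client addresses: IPv4 loopback, IPv6 loopback, a documentation IP,
# and the placeholder address used in the block rule.
CLIENTS = ["127.0.0.1", "::1", "203.0.113.9", "1.2.3.4"]

def decisions():
    """Map each sample client to (phpMyAdmin 2.2 rule, block rule, Require local)."""
    return {c: (compat_allows(*PHPMYADMIN_22, c),
                compat_allows(*BLOCK_ONE_IP, c),
                require_local(c)) for c in CLIENTS}

if __name__ == "__main__":
    for client, result in decisions().items():
        print(f"{client:>12}  {result}")
```

The `::1` row is the one to look at: a browser on the server that resolves `localhost` to IPv6 is not matched by `Allow from 127.0.0.1`.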
I have a WAMP server on my laptop as my local server. On this server I am hosting a webpage just for local use.
I have also registered a free domain name for my server from dyndns.org. I'm using dynamic DNS by running software from dyndns.org.
When I try to access my server and view the website I am hosting on it using my browser, by typing localhost or my free domain name, it works just fine.
But the problem is that when a friend of mine sitting right next to me (on the same local network) tries to visit my webpage from his laptop, he gets an error message saying:
"You don't have permissions to access this server".
I configured the httpd.conf file after I installed the WAMP server and changed only the DocumentRoot and the Directory to a folder of my choice inside the www folder.
I also changed the ServerName to be my free domain name.
I don't think that the above are the problem. So, does anyone have a clue what might be wrong here?
Did you try writing this:
<Directory yourdir>
Order Allow,Deny
Allow from all
</Directory>
Nope, that didn't work either. But after messing around with the httpd.conf file I found the solution. In the
<Directory yourdir>
Order Allow,Deny
Allow from all
# I had to put this line also
Require all granted
</Directory>
Someone is trying to access pages like
//mysqladmin//scripts/setup.php
Is it some hack attempt or ..?
If yes, then how can I block their IP from accessing my website?
Via htaccess or something else?
As an update to this old question for those who still land here:
Order, Allow and Deny are deprecated as of Apache 2.4, and Require should be used.
<RequireAll>
Require all granted
Require not ip 1.2.3.4
</RequireAll>
Ranges, netmasks, etc. can also be specified.
https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html (Deprecated)
https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require
To block special IP addresses, you can put the following in a .htaccess file located in the directory you would like to restrict:
order allow,deny
deny from 1.2.3.4
allow from all
Where 1.2.3.4 is the IP you would like to block.
But note that IP addresses change users, and attackers also change IP addresses.
So this will not secure your application and will potentially block legal visitors.
The better solution will be to make sure your script does not accept malicious paths.
Append a base path to the path you get from the user
Make sure the path you get from the user does not contain '../'
I want to allow access to a file (secret.txt) only from my ip.
Below is the .htaccess I'm using.
It works great at my provider's server.
However, at my localhost this .htaccess does not allow me to access the file.
<Files "secret.txt">
order deny,allow
deny from all
allow from 1.2.3.4
</Files>
Where my external ip is "1.2.3.4"
I use Apache server locally.
How can I make things work at localhost also?
What address are you using to access your local Apache server? If you're addressing it as localhost, then you're probably not going all the way out of your machine via the network and back in again. This means that as far as your local Apache server can see, you're coming from a loopback address.
Try putting 127.0.0.1 in instead of your external IP, and see if that works.
Try looking into your local server's access logs: does your local server see 1.2.3.4 when you are accessing the file from the computer that should be allowed? You may see a different IP address (due to NATs and whatnot).