How to prevent access to a subLocation - apache

I have a webapp hidden behind Apache 2.4, which is set up as a proxy.
My configuration goes like this:
<Location /myapp>
Proxypass ajp://localhost:8009/myapp
Require all granted
</Location>
Recently, I was asked to prevent anyone but whitelisted IPs from accessing the myapp API, which is accessible through /myapp/api/.
I am failing to achieve a proper configuration within Apache to make it so.
Here is what I've tried so far:
<Location /myapp/api>
Proxypass ajp://localhost:8009/myapp/api
Require local
Require ip 1.2.3.4
</Location>
<Location /myapp>
Proxypass ajp://localhost:8009/myapp
Require all granted
</Location>
So what I need is for http://mysite/myapp/ to be accessible to anyone, but to restrict calls to http://mysite/myapp/api/* to a bunch of whitelisted IPs.
Do you know how I may be able to achieve this?
Best Regards

Because of overlapping webspace, you should reverse the order of the Location directives:
<Location /myapp>
Proxypass ajp://localhost:8009/myapp
Require all granted
</Location>
<Location /myapp/api>
Proxypass ajp://localhost:8009/myapp/api
Require local
Require ip 1.2.3.4
</Location>
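The ordering rule in this answer can be checked mechanically. The following is an added example, not part of the original answer or of Apache itself: a small linter that flags a narrow <Location> whose Require lines are replaced by a broader <Location> appearing later in the file. It assumes the default AuthMerging Off; the function names and sample configs are constructed for illustration.

```python
import re

# Constructed samples: BAD mirrors the question's attempt (restricted section
# first, open section last); GOOD is the answer's order. ProxyPass lines omitted.
BAD = """
<Location /myapp/api>
Require local
Require ip 1.2.3.4
</Location>
<Location /myapp>
Require all granted
</Location>
"""
GOOD = """
<Location /myapp>
Require all granted
</Location>
<Location /myapp/api>
Require local
Require ip 1.2.3.4
</Location>
"""

def parse_locations(conf):
    """Return [(path, [Require lines])] in file order; plain <Location> only."""
    sections, current = [], None
    for line in (l.strip() for l in conf.splitlines()):
        opened = re.match(r'<Location\s+"?([^">\s]+)"?\s*>$', line, re.I)
        if opened:
            current = (opened.group(1).rstrip("/") or "/", [])
        elif current and re.match(r"</Location>$", line, re.I):
            sections.append(current)
            current = None
        elif current and re.match(r"Require\b", line, re.I):
            current[1].append(line)
    return sections

def covers(broad, narrow):
    """True when <Location broad> also matches every URL under narrow."""
    return broad == "/" or narrow.startswith(broad + "/")

def shadowed_sections(conf):
    """Pairs (narrow, broad): broad comes later, so its Require lines win."""
    secs = parse_locations(conf)
    return [(narrow, broad)
            for i, (narrow, req_n) in enumerate(secs)
            for broad, req_b in secs[i + 1:]
            if req_n and req_b and narrow != broad and covers(broad, narrow)]
```

Running shadowed_sections on a vhost file's text returns an empty list when every restricted sub-path is declared after the broader section that contains it.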

Related

Apache 2.4 reverse proxy setup cannot impose basic authentication

I have apache2.4 set up, and when visiting any Apache-served web site basic authentication works great.
Now I have one more webserver running from another service at port 8000, and I wanted to set up Apache as a reverse proxy, hoping that it can also impose and handle basic authentication there as well... but instead of asking for user and password it just serves the website unprotected.
My setup is:
<VirtualHost *:8000>
ProxyPreserveHost On
ProxyPass / http://192.168.0.101:8000/
ProxyPassReverse / http://192.168.0.101:8000/
<Location />
AuthType Basic
AuthName "Authorization"
AuthUserFile /etc/htpasswd/.htpasswd
require valid-user
</Location>
</VirtualHost>
What am I doing wrong?
Update:
Solution found via the marked answer:
<VirtualHost *:8000>
ProxyPreserveHost On
<Location />
ProxyPass http://192.168.0.101:8000/
ProxyPassReverse http://192.168.0.101:8000/
AuthType Basic
AuthName "Authorization"
AuthUserFile /etc/htpasswd/.htpasswd
require valid-user
</Location>
</VirtualHost>
Also make sure that Apache is configured to listen on that port, and, if the proxied server is local, that it is not running on the same port as the one Apache listens on.
The problem is that Apache doesn't 'link' Proxypass / http://example.com and <Location /> - even though they both try to work with /. This means that Proxypass is handling requests for '/' first, and the Location section is never being used.
You need to move the Proxy config inside the Location, dropping the path, e.g.:
<VirtualHost *:8000>
ProxyPreserveHost On
<Location />
ProxyPass http://192.168.0.101:8000/
ProxyPassReverse http://192.168.0.101:8000/
AuthType Basic
AuthName "Authorization"
AuthUserFile /etc/htpasswd/.htpasswd
require valid-user
</Location>
</VirtualHost>

<Location /url> stanza and ProxyPass overtaking sub-locations with <RequireAny> in Apache 2.2

First off, thank you for looking at my post. This pickle has me hitting my head against the wall.
Long story short, I've got an app that requires Apache 2.2 and has strict requirements for allowing certain IP addresses through.
My goal is for Apache to allow anyone to access one specific url within a subdirectory (for registration), and then prevent access to all other additional locations that follow that location stanza.
For example, I have the following configuration:
<Location /foo>
ProxyPass http://localhost:8080/foo retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
<RequireAny>
Require ip 66.66.66.66
</RequireAny>
</Location>
<Location /foo/register.htm>
ProxyPass http://localhost:8080/foo/register.htm retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>
I'd like anyone on the web to be able to hit the http://localhost:8080/foo/register.htm location, but prevent access to any additional location within the /foo directory that isn't coming from the 66.66.66.66 ip address.
Some of the things I've tried include changing the position of the <Location /foo/register.htm> stanza (I've read you have to put it before the <Location /foo> stanza because of the ProxyPass), and I've played with REGEX entries <Location /foo^/(?!register.htm)>, but the damn <Location /foo> seems to always take precedence over the <Location /foo/register.htm> stanza and prevent access.
Any help will seriously be very appreciated. Thank you!

How to restrict url access with apache to certain IP?

I'm using an apache2 on Ubuntu, in front of a tomcat8 webserver.
I want to restrict access to localhost/manager to only a specific ip address.
The server is in my internal network and has the ip 102.168.139.111. I want to be able to access the /manager endpoint only from my local machine 192.168.128.222, and from nowhere else.
But the following does not work and I'm always getting a 403 Permission denied. Why?
apache2.conf:
<Location /manager/*>
Order Allow,Deny
Deny from all
Allow from 192.168.128.197
</Location>
With:
/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
Sidenote: taking the <Location...> out will allow access to my local IP as expected. So the server configuration in general seems to be fine. Just restricting does not work.
It's probably an order of statements issue. The following works (on root path):
<Location />
Order Deny,Allow
Deny from all
Allow from 192.168.
</Location>
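Why the statement order matters here, as an added example that is not part of the original answer: a small model of how mod_access_compat combines Order, Allow and Deny. The function names are hypothetical, the client addresses are constructed, and only IPv4 addresses, partial addresses, CIDR and "all" are handled (no hostnames).

```python
import ipaddress

def matches(spec, client):
    """One 'Allow from'/'Deny from' argument: all, full or partial IP, or CIDR."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)
    # Partial IP such as "192.168." or "192.168": compare whole octets only.
    want = spec.rstrip(".").split(".")
    return client.split(".")[:len(want)] == want

def access_compat(order, allow, deny, client):
    """Return True if the Order/Allow/Deny set admits client."""
    allowed = any(matches(s, client) for s in allow)
    denied = any(matches(s, client) for s in deny)
    if order.replace(" ", "").lower() == "allow,deny":
        # Allow is evaluated first, Deny last; default is deny; Deny wins a tie.
        return allowed and not denied
    # Deny,Allow: Deny first, Allow last; default is allow; Allow wins a tie.
    return allowed or not denied

# Constructed cases: (order, allow list, deny list, client address).
CASES = [
    ("Allow,Deny", ["192.168.128.197"], ["all"], "192.168.128.197"),
    ("Deny,Allow", ["192.168.128.197"], ["all"], "192.168.128.197"),
    ("Deny,Allow", ["192.168."], ["all"], "10.0.0.5"),
]

if __name__ == "__main__":
    for order, allow, deny, client in CASES:
        print(order, client, "->", access_compat(order, allow, deny, client))
```

With Order Allow,Deny, a "Deny from all" line rejects every client regardless of the Allow lines, which produces a 403 for all requests.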

Apache HTTP Server Location directive - exclude url

I've an Apache HTTP server that is used as a proxy (over https) for JBoss-deployed webapp. I've the following entry in a conf file:
<Location "/app">
ProxyPass http://localhost:8080/app
ProxyPassReverse http://localhost:8080/app
AuthType Basic
AuthName "Private Documentation Repository"
AuthUserFile <path-to-file>
Require valid-user
</Location>
As you can see, a valid user is required to access /app.
The question is: how to write a directive that will exclude one particular file from JBoss webapp, so that access to this file won't require a valid user e.g.:
<Location "/app/some-file.xyz">
ProxyPass http://localhost:8080/app/some-file.xyz
ProxyPassReverse http://localhost:8080/app/some-file.xyz
</Location>
I mean: when user requests anything (app/) but /app/some-file.xyz he/she will be prompted for the password, otherwise Apache will enable the user to download some-file.xyz. Any help would be greatly appreciated.
<Location "/app/*.xyz">
allow from all
satisfy any
ProxyPass http://localhost:8080/app/*.xyz
ProxyPassReverse http://localhost:8080/app/*.xyz
</Location>

Apache pass and login authentication partially failed

I try to add an Apache login and pass authentication.
It works ... well, not as intended.
I have 2 server names, one ssh and a "normal" one.
This is how I've done it so far :
<Directory />
AllowOverride AuthConfig
order deny,allow
allow from XX.X.X.XXX 127.0.0.1
deny from all
AuthName "Login/Pass"
AuthType Basic
AuthUserFile /path/user.acl
AuthGroupFile /path/groups.acl
require group adminGroup
Satisfy any
</Directory>
I have 2 VirtualHosts defined as follows (one SSH and the other one "normal"):
<VirtualHost 127.0.0.1:8080>
DocumentRoot //IP/path/XXXX
ServerName dev.admin.com:8080
RewriteEngine on
<IfModule mod_weblogic.c>
WebLogicHost 127.0.0.1
WebLogicPort 7509
WLCookieName CookieName
</IfModule>
<Location /weblogic>
SetHandler weblogic-handler
ErrorPage /page-non-trouvee
pathTrim /weblogic
</Location>
<Location /dynamic>
SetHandler weblogic-handler
ErrorPage /page-non-trouvee
pathTrim /dynamic
</Location>
</VirtualHost>
When I try to go to dev.admin.com:8080 it works fine, Apache asks for login and pass and recognized them.
But when I try to go to dev.admin.com:8080/weblogic/XXX it asks for a login and pass but doesn't recognize the ones declared.
I tried to use the <location /> and <location> tags in the 2 VirtualHosts ... same result.
It seems that it is because of the use of the weblogic-handler. For example, dev.admin.com:8080/weblogic works, dev.admin.com:8080/weblogic/XXX doesn't.
Thanks in advance for your help
I've found the problem. In fact, my Apache conf. relies on a weblogic-apache plugin which alters the authentication process in Apache by redirecting to the WebLogic server before the authentication is validated.