I'm using apache2 on Ubuntu, in front of a tomcat8 webserver.
I want to restrict access to localhost/manager to only a specific ip address.
The server is in my internal network and has the ip 102.168.139.111. I want to be able to access the /manager endpoint only from my local machine 192.168.128.222, and from nowhere else.
But the following does not work and I'm always getting a 403 Permission denied. Why?
apache2.conf:
<Location /manager/*>
Order Allow,Deny
Deny from all
Allow from 192.168.128.197
</Location>
With:
/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
Sidenote: taking the <Location...> out will allow access to my local IP as expected. So the server configuration in general seems to be fine. Just restricting does not work.
It's probably an order of statements issue. The following works (on root path):
<Location />
Order Deny,Allow
Deny from all
Allow from 192.168.
</Location>
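Why the two `Order` lines behave differently, as an added example that is not part of the original post: a simplified Python model of how mod_access_compat combines `Order`, `Allow` and `Deny`, run against the two configurations above. The function and constant names are hypothetical, and only `all`, full IPs and partial IPs are modelled (no hostnames, CIDR or `Mutual-failure`).

```python
# Added illustration: simplified model of mod_access_compat's Order/Allow/Deny logic.

def spec_matches(spec, client_ip):
    """Match an Allow/Deny 'from' value: 'all', a full IP, or a partial IP
    such as '192.168.' (leading octets only)."""
    if spec == "all":
        return True
    prefix = spec.rstrip(".")
    # Partial IPs match on octet boundaries: '192.168.1' must not match '192.168.10.5'.
    return client_ip == prefix or client_ip.startswith(prefix + ".")


def evaluate(order, allow, deny, client_ip):
    """Return the status the access check would produce: 200 or 403."""
    allowed = any(spec_matches(s, client_ip) for s in allow)
    denied = any(spec_matches(s, client_ip) for s in deny)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        # Allow is evaluated first, Deny second: any Deny match rejects the
        # request, and a client that matches nothing is rejected by default.
        ok = allowed and not denied
    elif order == "deny,allow":
        # Deny is evaluated first, Allow second: an Allow match overrides the
        # Deny, and a client that matches nothing is permitted by default.
        ok = allowed or not denied
    else:
        raise ValueError("unsupported Order: " + order)
    return 200 if ok else 403


# The two configurations from the post, as (Order, Allow list, Deny list).
FAILING = ("Allow,Deny", ["192.168.128.197"], ["all"])
WORKING = ("Deny,Allow", ["192.168."], ["all"])


def status(config, client_ip):
    order, allow, deny = config
    return evaluate(order, allow, deny, client_ip)


if __name__ == "__main__":
    # Constructed client addresses: the allowed host, another LAN host, an outsider.
    for ip in ("192.168.128.197", "192.168.128.222", "10.0.0.5"):
        print(ip, "Allow,Deny ->", status(FAILING, ip),
              "| Deny,Allow ->", status(WORKING, ip))
```

With `Order Allow,Deny`, `Deny from all` matches every client, so no `Allow` line can ever let a request through.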
Related
First off, thank you for looking at my post. This pickle has me hitting my head against the wall.
Long story short, I've got an app that requires Apache 2.2 and has strict requirements for allowing certain IP addresses through.
My goal is for Apache to allow anyone to access one specific url within a subdirectory (for registration), and then prevent access to all other additional locations that follow that location stanza.
For example, I have the following configuration:
<Location /foo>
ProxyPass http://localhost:8080/foo retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
<RequireAny>
Require ip 66.66.66.66
</RequireAny>
</Location>
<Location /foo/register.htm>
ProxyPass http://localhost:8080/foo/register.htm retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>
I'd like anyone on the web to be able to hit the http://localhost:8080/foo/register.htm location, but prevent access to any additional location within the /foo directory that isn't coming from the 66.66.66.66 ip address.
Some of the things I've tried include changing the position of the <Location /foo/register.htm> stanza (I've read you have to put it before the <Location /foo> stanza because of the ProxyPass), and I've played with REGEX entries <Location /foo^/(?!register.htm)>, but the damn <Location /foo> seems to always take precedence over the <Location /foo/register.htm> stanza and prevent access.
Any help will seriously be very appreciated. Thank you!
I have a webapp hidden behind Apache 2.4 which is set as a proxy.
My configuration goes like this:
<Location /myapp>
Proxypass ajp://localhost:8009/myapp
Require all granted
</Location>
Recently, I was asked to prevent anyone but whitelisted IPs from accessing the myapp API, which is accessible through /myapp/api/.
I am failing to achieve a proper configuration within Apache to make it so.
Here is what I've tried so far:
<Location /myapp/api>
Proxypass ajp://localhost:8009/myapp/api
Require local
Require 1.2.3.4
</Location>
<Location /myapp>
Proxypass ajp://localhost:8009/myapp
Require all granted
</Location>
So what I need is for http://mysite/myapp/ to be accessible to anyone, but to restrict calls to http://mysite/myapp/api/* to a bunch of whitelisted IPs.
Do you know how I may be able to achieve this?
Best Regards
Because of Overlapping Webspace, you should reverse the order of Location directives:
<Location /myapp>
Proxypass ajp://localhost:8009/myapp
Require all granted
</Location>
<Location /myapp/api>
Proxypass ajp://localhost:8009/myapp/api
Require local
Require ip 1.2.3.4
</Location>
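The effect of section order described in this answer, as an added example that is not part of the original answer: `<Location>` sections are applied in configuration-file order, and with the default `AuthMerging Off` the last matching section's `Require` lines replace those of earlier ones. The Python model below uses hypothetical names, writes the IP rule as `Require ip 1.2.3.4`, treats `Require local` as loopback only, and uses constructed client addresses.

```python
# Added illustration: which <Location> section decides authorization in Apache 2.4.
import ipaddress


def location_matches(loc, url_path):
    """<Location> without wildcards: exact match, or a prefix ending at a '/'."""
    if loc.endswith("/"):
        return url_path.startswith(loc)
    return url_path == loc or url_path.startswith(loc + "/")


def require_ok(rule, client_ip):
    """Evaluate one Require line (subset: 'all granted', 'local', 'ip ...')."""
    addr = ipaddress.ip_address(client_ip)
    if rule == "all granted":
        return True
    if rule == "local":
        return addr.is_loopback
    if rule.startswith("ip "):
        nets = rule[3:].split()
        return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
    raise ValueError("unsupported Require: " + rule)


def authorize(sections, url_path, client_ip):
    """sections: list of (location, [Require rules]) in configuration-file order.
    Returns 200, 403, or None when no section covers the path."""
    effective = None
    for loc, rules in sections:
        if location_matches(loc, url_path):
            effective = rules  # a later matching section replaces the earlier one
    if effective is None:
        return None
    # Bare Require lines in one section behave like <RequireAny>.
    return 200 if any(require_ok(r, client_ip) for r in effective) else 403


API_RULES = ["local", "ip 1.2.3.4"]
# Order tried in the question: the general /myapp section comes last and wins.
API_FIRST = [("/myapp/api", API_RULES), ("/myapp", ["all granted"])]
# Order from the answer: the specific /myapp/api section comes last and wins.
APP_FIRST = [("/myapp", ["all granted"]), ("/myapp/api", API_RULES)]

if __name__ == "__main__":
    for name, cfg in (("api first", API_FIRST), ("app first", APP_FIRST)):
        for ip in ("203.0.113.9", "1.2.3.4", "127.0.0.1"):
            print(name, ip, authorize(cfg, "/myapp/api/users", ip))
```

A quick check after any reordering is to request the restricted path from an address outside the allow list and confirm a 403.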
I need all requests on my server to be proxied to node on port 8000 except requests containing /api/ci in their path.
This is my current config, the issue with it is that it is routing everything to port 8000, including the /api/ci requests instead of allowing them to hit the backend directly. For some reason the /api/ci rule is not being applied and being proxied instead. The backend is built in PHP with the Codeigniter framework.
ProxyRequests off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location /api/ci/>
ProxyPass !
</Location>
<Location />
ProxyPass http://localhost:8000/
ProxyPassReverse http://localhost:8000/
</Location>
Do not add '/' at the end of your exception:
<Location /api/ci>
ProxyPass !
</Location>
You could also use a wildcard like:
<Location /api/ci/*>
ProxyPass !
</Location>
I want to make Tableau (which is on an internal network) accessible on the public network. One of the ways recommended by Tableau Support is a Reverse Proxy.
I have set up the required modules and have the reverse proxy functioning. The login page is available through these settings in httpd given below. However, once I log in and want to open Projects, Views etc., it routes to
http://actualsite.com/#/vieworproject
which should actually be http://actualsite.com/tableauaccess/#/vieworproject.
Here is the httpd configuration:
ProxyPass /tableauaccess/ http://tableauserverexample.com/
ProxyPassReverse /tableauaccess/ http://tableauserverexample.com/
<Location /tableauaccess/>
Order deny,allow
Allow from all
ProxyHTMLURLMap / /tableauaccess/
</Location>
This doesn't solve the main issue with #. I tried
ProxyPass /#/ http://tableauserverexample.com/#/
ProxyPassReverse /#/ http://tableauserverexample.com/#
But it doesn't help. Any suggestions? Thanks!
We had this same issue recently. Your httpd.conf file is technically correct for mod_proxy, however the url you are attempting to use is not supported by Tableau. You cannot use:
http://actualsite.com/tableauaccess
But rather you must use the format:
http://tableauaccess.actualsite.com
We ended up setting up that sub-domain name and then using a VirtualHost block such as:
Listen 80
NameVirtualHost *:80
<VirtualHost *:80>
ServerName actualsite.com
DocumentRoot "/path/path2/pathx"
</VirtualHost>
<VirtualHost *:80>
ServerName tableauaccess.actualsite.com
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://tableauaccess.actualsite.com/
ProxyPassReverse / http://tableauaccess.actualsite.com/
<IfModule mod_cache.c>
CacheDisable *
</IfModule>
# or "https", depending on preference
RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>
Be sure to double-check your Tableau server to update the URL format.
Sources:
https://community.tableau.com/thread/198095
https://community.tableau.com/thread/218678
(I don't have enough reputation points to post all of my sources, but thanks to Tableau community, shanemadden at ServerFault, and the Apache documentation.)
edit: forgot trailing slashes
(I am x-posting this from serverfault because I didn't get any responses there and we have a lot of Apache pros over here.)
I am using my apache as a reverse proxy for a few requests to a webserver running on an internal port to allow access via my regular virtual host. This is on an ubuntu 15 running apache 2.4 in vagrant.
Here's my virtualhost config:
<VirtualHost *:80>
DocumentRoot /vagrant/htdocs
ServerName test.vm
# proxy pass mailcatcher to internal webserver
<Location /mailcatcher>
ProxyPass http://localhost:1080
ProxyPassReverse http://localhost:1080
</Location>
<Location /assets>
ProxyPass http://localhost:1080/assets
</Location>
<Location /messages>
ProxyPass ws://localhost:1080/messages
ProxyPassReverse http://localhost:1080
</Location>
<Directory />
Require all granted
</Directory>
<Directory /vagrant/htdocs>
AllowOverride all
</Directory>
</VirtualHost>
For a while, this works fine. However, after a time, suddenly all requests to this virtualhost are proxied to the internal webserver. So if I call http://test.vm/cron/mails.php at first it will run mails.php as expected. However after a random amount of time or event, suddenly the aforementioned URL will start serving responses from Mailcatcher.
The message you were looking for does not exist, or doesn't have content of this type
This is a Mailcatcher error that you get when you request a message that no longer exists.
This service, Mailcatcher, is started with my VM and runs all the time. The weird thing is, I don't experience this issue when I am doing other stuff on the VM (there's a web app running on it). Only when I am actively debugging mails and using the Mailcatcher GUI am I suddenly sometimes experiencing this.
Waiting for a while or restarting apache "solves" this issue until it pops up the next time. Can anyone help me out on this? Did I set up my proxy wrong?
Thanks.
You can try these:
<VirtualHost *:80>
ServerName mailcatcher.domain.tld
ServerAdmin webmaster@domain.tld
<Location />
ProxyPass http://localhost:1080/
ProxyPassReverse http://localhost:1080/
</Location>
<Location /messages>
ProxyPass ws://localhost:1080/messages
ProxyPassReverse ws://localhost:1080/messages
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Notes:
Of course localhost is set in your /etc/hosts or should be changed to your mailcatcher server.
It's better to dedicate a hostname to the mailcatcher service. With mod_proxy it is not easy to correctly manage a subdirectory path.