Moving to new Apache 2.4 access control syntax - apache

I am updating my original question, as I was confusing "Require not host" for the hostname contained in a referrer string.
So here is what I need to make sure of now. In Apache 2.2 I was doing the following to allow/deny certain IP ranges, user agents and domain names/referrers.
This is a very shortened example, as I don't want to burden anyone with too much code. I've tested the Apache 2.4 code block, which appears to work fine, but is this the correct way of doing things now?
Is it necessary to specify whitelisted IPs and domains as I was doing before, or is it only necessary to blacklist, due to the Require all granted?
The old 2.2 method works 100% on Apache 2.4 as long as the mod_access_compat module is loaded, but obviously getting things right for Apache 2.4 without using a compatibility module is first prize.
Apache 2.2:
<Directory /var/www/html>
  Order Allow,Deny
  Allow from all
  Allow from env=good_bot
  Allow from env=good_ref
  Allow from 131.253.24.0/22
  Allow from 131.253.46.0/23
  deny from 104.197.51.76
  deny from 108.167.189.81
  deny from env=bad_bot
  deny from env=spam_ref
</Directory>
Apache 2.4:
<Directory /var/www/html>
  <RequireAny>
    <RequireAll>
      Require all granted
      Require not ip 104.197.51.76
      Require not ip 54.242.250.203
      Require not env bad_bot
      Require not env spam_ref
    </RequireAll>
    <RequireAny>
      Require ip 131.253.24.0/22
      Require ip 131.253.46.0/23
      Require env good_ref
      Require env good_bot
    </RequireAny>
  </RequireAny>
</Directory>

I can confirm that my Apache 2.4 example is correct. I've tested it with a huge list of referrers, user agents, blacklisted and whitelisted IPs, and it appears to be perfect. I also confirmed this by unloading the mod_access_compat module and reloading Apache with a2dismod access_compat.
So this is now the correct way to do things in Apache 2.4:
<Directory /var/www/html>
  <RequireAny>
    <RequireAll>
      Require all granted
      Require not ip 104.197.51.76
      Require not ip 54.242.250.203
      Require not env bad_bot
      Require not env spam_ref
    </RequireAll>
    <RequireAny>
      Require ip 131.253.24.0/22
      Require ip 131.253.46.0/23
      Require env good_ref
      Require env good_bot
    </RequireAny>
  </RequireAny>
</Directory>

Related

Apache 2.4 IP Bans are all or nothing

For some reason, when I attempt to ban an IP, it does nothing whatsoever. Other ways I have tried end up banning all access to my server, such as using the old "Allow, deny" directives.
This is a snippet from my httpd.conf file
DocumentRoot "C:/xampp/htdocs"
<Directory "C:/xampp/htdocs">
  Options FollowSymLinks Includes ExecCGI
  AllowOverride All
  <RequireAll>
    Require all granted
    Require not ip 71.111.245.13
  </RequireAll>
</Directory>
I am using XAMPP on Windows 7 with Apache 2.4.53 and the server is forwarded to a domain name with a valid SSL cert as well.
My current solution is to verify the IP against a MySQL database of banned IPs through PHP and redirect banned users away from the content, which is working, but in anyone's opinion, is it better to use Apache to ban users?

apache v2.4 remove old v2.2 'Deny from env=BlockCountry' directive

I protect my HTTP(S) vhosts with GeoIP:
<Directory /srv/www/vhosts>
MaxMindDBEnable On
MaxMindDBFile DB /usr/local/share/maxminddb/GeoLite2-Country.mmdb
MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code
SetEnvIf MM_COUNTRY_CODE ^(RU|CN|HK|IN) BlockCountry
Deny from env=BlockCountry
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
1.) Am I correct that I am mixing the v2.2 Deny from env=BlockCountry and v2.4 Require all granted directives here?
If yes, I searched the web to replace the Deny from env=BlockCountry with an Apache 2.4 alternative but cannot find one. How can I get rid of the old Deny directive?
2.) Am I correct that my GeoIP code in my apache2.conf works with these version-inconsistent directives just by some "luck", because I never set the order in which the rules (Require or Deny) are evaluated, like I would do in v2.2 Apache with Order allow,deny?
3.) Require env BlockCountry works, but then all the blocked countries have access and all the others do not (I always test with a VPN).
So I tried Require not env BlockCountry, but this leads to an error when I restart the Apache web server.
You could negate your rule.
Instead of
SetEnvIf MM_COUNTRY_CODE ^(RU|CN|HK|IN) BlockCountry
Deny from env=BlockCountry
set:
SetEnvIf MM_COUNTRY_CODE !^(RU|CN|HK|IN) AllowCountry
Require env AllowCountry
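Both of the threads above come down to how mod_authz_core combines Require lines. The script below is an added example, not the posters' configuration and not Apache code: it re-implements the documented grant/deny/neutral logic for the providers used on this page (all, ip, env, local and not) and runs the first question's 2.4 block and the GeoIP replacement against constructed client addresses from the RFC 5737 documentation ranges. Request, parse, evaluate, allowed, rejected_at_startup and demo are this example's own names, and its "local" check is simplified to a loopback test. The runs show two things worth knowing before copying either block: in the first question's layout the inner <RequireAny> whitelist wins over the blacklist (a listed address with good_bot set still gets in), and a plain Require env AllowCountry blocks nothing while the question's original Require all granted line is still present, because top-level Require lines are OR-ed. A bare Require not env at top level is refused at startup for the same reason: a negated Require can never grant, so it is useless inside an OR.

```python
"""Model of how Apache 2.4 (mod_authz_core) evaluates Require directives.
Added example, not the posters' configuration or Apache's code. It follows the
documented grant/deny/neutral logic for the providers used on this page: all,
ip, env, local and "not". 'local' is simplified to a loopback check."""
import ipaddress
from dataclasses import dataclass, field

GRANT, DENY, NEUTRAL = "grant", "deny", "neutral"

@dataclass
class Request:
    ip: str
    env: set = field(default_factory=set)  # environment variables that are set

def parse(text):
    """Build a tree from Require / <RequireAll> / <RequireAny> lines; other
    directives are ignored. Top-level Require lines sit in an implicit
    <RequireAny>, as documented."""
    root = ["RequireAny", []]
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("<RequireAll>", "<RequireAny>"):
            node = [line[1:-1], []]
            stack[-1][1].append(node)
            stack.append(node)
        elif line in ("</RequireAll>", "</RequireAny>"):
            stack.pop()
        elif line.startswith("Require "):
            words = line.split()[1:]
            if words[0] == "not" and stack[-1][0] == "RequireAny":
                # httpd refuses this at startup: a negated Require can never
                # grant, so it contributes nothing inside an OR container
                raise ValueError("negative Require directive has no effect in <RequireAny>")
            stack[-1][1].append(["Require", words])
    return root

def _ip_matches(addr, spec):
    client = ipaddress.ip_address(addr)
    if "/" in spec:
        return client in ipaddress.ip_network(spec, strict=False)
    try:
        return client == ipaddress.ip_address(spec)
    except ValueError:                       # partial prefix such as 192.168.1
        return addr.startswith(spec + ".")

def _grants(name, args, req):
    """True if the provider would grant, False if it would deny."""
    if name == "all":
        return args == ["granted"]
    if name == "ip":
        return any(_ip_matches(req.ip, s) for s in args)
    if name == "env":
        return any(v in req.env for v in args)
    if name == "local":
        return ipaddress.ip_address(req.ip).is_loopback
    raise ValueError(f"provider {name!r} is not modelled here")

def evaluate(node, req):
    kind, body = node
    if kind == "Require":
        negate = body[0] == "not"
        words = body[1:] if negate else body
        granted = _grants(words[0], words[1:], req)
        if negate:                           # "not" only ever denies or stays neutral
            return DENY if granted else NEUTRAL
        return GRANT if granted else DENY
    results = [evaluate(child, req) for child in body]
    if kind == "RequireAll":                 # any deny -> deny, else any grant -> grant
        return DENY if DENY in results else GRANT if GRANT in results else NEUTRAL
    return GRANT if GRANT in results else DENY if DENY in results else NEUTRAL

def allowed(text, req):
    """Neutral at the top level counts as denial, as in httpd."""
    return evaluate(parse(text), req) == GRANT

def rejected_at_startup(text):
    try:
        parse(text)
        return False
    except ValueError:
        return True

# The 2.4 block from the first question (Directory wrapper omitted).
BLOCK_AND_ALLOW = """<RequireAny>
<RequireAll>
Require all granted
Require not ip 104.197.51.76
Require not ip 54.242.250.203
Require not env bad_bot
Require not env spam_ref
</RequireAll>
<RequireAny>
Require ip 131.253.24.0/22
Require ip 131.253.46.0/23
Require env good_ref
Require env good_bot
</RequireAny>
</RequireAny>"""
# The GeoIP answer's line, with and without the question's "Require all granted".
GEO_KEPT = "Require all granted\nRequire env AllowCountry"
GEO_ALONE = "Require env AllowCountry"

def demo():
    """Constructed clients: 203.0.113.5 and 198.51.100.9 are documentation addresses."""
    return {
        "visitor": allowed(BLOCK_AND_ALLOW, Request("203.0.113.5")),
        "listed ip": allowed(BLOCK_AND_ALLOW, Request("104.197.51.76")),
        "listed ip, good_bot set": allowed(BLOCK_AND_ALLOW, Request("104.197.51.76", {"good_bot"})),
        "spam_ref set": allowed(BLOCK_AND_ALLOW, Request("198.51.100.9", {"spam_ref"})),
        "spam_ref from whitelisted range": allowed(BLOCK_AND_ALLOW, Request("131.253.25.10", {"spam_ref"})),
        "geo: blocked country, grant line kept": allowed(GEO_KEPT, Request("203.0.113.5")),
        "geo: blocked country, grant line removed": allowed(GEO_ALONE, Request("203.0.113.5")),
        "geo: bare Require not env": rejected_at_startup("Require not env BlockCountry"),
    }
```

Run demo() to see the table of results; a False for "listed ip" and a True for "listed ip, good_bot set" is the whitelist-beats-blacklist behaviour described above, and only "geo: blocked country, grant line removed" comes out False, which is why the Require all granted line has to go when the env-based rule replaces the old Deny.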

httpd-xampp.conf: How to allow access to an external IP besides localhost?

I haven't found the right answer that works for me in other questions.
This is how httpd-xampp.conf looks originally:
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Require local
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
What should I do if I want to add another IP address besides the Require local?
For example, below Require local I have tried the following:
allow from xxx.xxx.xxx.xx
That is to say:
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Require local
allow from xxx.xxx.xxx.xx
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
But it still blocks the access to that external IP.
How do I fix this?
How can I add more IP addresses to allow them access?
I am using XAMPP 5.6.3 under a Windows environment.
allow from all will not work along with Require local. Instead, try Require ip xxx.xxx.xxx.xx
For Example:
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Require local
Require ip 10.0.0.1
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
I tried this and it works. Be careful though. This means that anyone in your LAN can access it. Deepak Naik's answer is safer.
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
# Require local
Require all granted
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
<Directory "C:/xampp/">
AllowOverride AuthConfig Limit
Order allow,deny
Allow from all
Require all granted
</Directory>
This is what I added at the end of the file \xampp\apache\conf\extra\httpd-xampp.conf, before the tag.
Add the code below to the file d:\xampp\apache\conf\extra\httpd-xampp.conf:
<IfModule alias_module>
...
Alias / "d:/xampp/my/folder/"
<Directory "d:/xampp/my/folder">
AllowOverride AuthConfig Limit
Order allow,deny
Allow from all
Require all granted
</Directory>
The above config can be accessed from http://127.0.0.1/
Note: someone suggested replacing Require local with Require all granted, but that did not work for me:
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
# Require local
Require all granted
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
For XAMPP on Ubuntu, go to /opt/lampp/etc/extra/, open the httpd-xampp.conf file and add the lines below in the /opt/lampp/phpmyadmin section to get remote access:
Order allow,deny
Require all granted
Allow from all
Then restart lampp using /opt/lampp/lampp restart
<LocationMatch "^/(?i:(?:xampp|licenses|phpmyadmin|webalizer|server-status|server-info))">
  Order deny,allow
  Deny from all
  Allow from all
  Allow from ::1 127.0.0.0/8
  ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>
Add this to the text file httpd-xampp.conf:
<Directory "E:/xampp/phpMyAdmin/">
  AllowOverride AuthConfig Limit
  Order allow,deny
  Allow from all
  Require all granted
</Directory>
In Windows all you have to do is go to Windows search, open "Allow an app through Windows Firewall", click "Allow another app", select Apache and tick both Public and Private. Open cmd by pressing Windows+R and typing cmd, then in cmd type ipconfig to find out your IP. Then open your browser and enter your IP, e.g. http://172.16.x.x, and you will be on the XAMPP start page. If you want to access your local site, simply put a / and the site name after your IP, e.g. http://192.168.1.x/yoursite. Now you are able to access your website from computers in the private network.
I hope this will resolve your problem.
Open your firewall for the new app "HTTPD" (Apache server).
Take a look at this: https://www.youtube.com/watch?v=eqgUGF3NnuM

locking down Apache to localhost

Having recently moved from Win XP (x86) to Win 7 (x64), I have also had to reinstall Apache. I have installed the 64 bit versions of Apache (2.4.3) and PHP (2.4).
I installed it to c:\Apache24.
I have got it up and running, but now I need to lock it down to my local PC Only.
If I have:
<Directory "c:/Apache24/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
# New directive needed in Apache 2.4.3 apparently:
Require all granted
</Directory>
this works fine, but if I change it to:
<Directory "c:/Apache24/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from 127.0.0.1
# New directive needed in Apache 2.4.3 apparently:
Require all granted
</Directory>
(or 'Allow from Localhost' or 'Allow from 192.x.y.z')
I get an access denied error. How can I get round this?
Everything is installed using my login, which has full local admin rights.
Replace
Order allow,deny
Allow from all
Require all granted
by just
Require local
More: http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html
One approach is to add Listen to httpd.conf:
Listen 127.0.0.1:80
Remember to remove the other Listen directives, if there are any others.
Note that this will lock down the entire server so it only responds to requests from localhost. If you need to fine-tune permissions on a directory-by-directory basis, use the <Directory> syntax:
<Directory /var/www/secure>
Require local
</Directory>
The above is for Apache 2.4, where Order, Allow, and Deny are deprecated.

Apache: client denied by server configuration

I am getting
[Tue Apr 24 12:12:55 2012] [error] [client 127.0.0.1] client denied by server configuration: /labs/Projects/Nebula/bin/
My directory structure looks like (I am using Symfony 2, should be similar structure for other web frameworks)
I have vhosts setup like:
<VirtualHost nebula:80>
DocumentRoot "/labs/Projects/Nebula/web/"
ServerName nebula
ErrorLog "/var/log/httpd/nebula-errors.log"
</VirtualHost>
<Directory "/labs/Projects/Nebula/">
Options All
AllowOverride All
Order allow,deny
Allow from 127.0.0 192.168.1 ::1 localhost
</Directory>
I wonder what the problem is and how I fix it?
Apache 2.4.3 (or maybe slightly earlier) added a new security feature that often results in this error. You would also see a log message of the form "client denied by server configuration". The feature is requiring an authorized user identity to access a directory. It is turned on by DEFAULT in the httpd.conf that ships with Apache. You can see the enabling of the feature with the directive
Require all denied
This basically says to deny access to all users. To fix this problem, either remove the denied directive (or much better) add the following directive to the directories you want to grant access to:
Require all granted
as in
<Directory "your directory here">
Order allow,deny
Allow from all
# New directive needed in Apache 2.4.3:
Require all granted
</Directory>
OK I am using the wrong syntax, I should be using
Allow from 127.0.0.1
Allow from ::1
...
In Apache 2.4 the old access authorisation syntax has been deprecated and replaced by a new system using Require.
What you want then is something like the following:
<Directory "/labs/Projects/Nebula/">
  Options All
  AllowOverride All
  <RequireAny>
    Require local
    Require ip 192.168.1
  </RequireAny>
</Directory>
This will allow connections that originate either from the local host or from ip addresses that start with "192.168.1".
There is also a new module available that makes Apache 2.4 recognise the old syntax if you don't want to update your configuration right away:
sudo a2enmod access_compat
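For blocks like the ones in this thread and in the "locking down Apache to localhost" thread, the move from Order/Allow/Deny to Require can be done mechanically. The script below is an added example, not an Apache tool and not any answerer's code: it applies the documented 2.2 rules (under Order allow,deny a client is admitted only if some Allow matches and no Deny matches; under Order deny,allow, which is the default when no Order line is present, a client is refused only if some Deny matches and no Allow matches) and emits the equivalent 2.4 directives. translate and demo are this example's own names, and the demo blocks are copied from this page. Two results are worth noticing: the XAMPP snippet that carries both Deny from all and Allow from all collapses to Require all granted, so it restricts nothing; and the first question's 2.2 block, where a matching Deny overrides any Allow, maps to a single <RequireAll>, which is stricter than that poster's hand-written 2.4 version.

```python
"""Translate Apache 2.2 Order/Allow/Deny blocks into 2.4 Require syntax.
Added example, not the posters' configuration and not an Apache tool.
Tokens handled: all, IP / CIDR / partial dotted prefix, env=VAR; anything
else is emitted as a "host" requirement (which, as in 2.2, needs reverse DNS)."""
import ipaddress

ALL = ("all", None)

def _term(token):
    """Map one 'from' token to a (provider, argument) pair."""
    if token.lower() == "all":
        return ALL
    if token.startswith("env="):
        return ("env", token[4:])
    try:
        ipaddress.ip_network(token, strict=False)      # full address or CIDR
        return ("ip", token)
    except ValueError:
        if all(part.isdigit() for part in token.split(".")):
            return ("ip", token)                        # partial prefix, e.g. 192.168.1
    return ("host", token)

def _parse(block):
    order, allows, denies = "deny,allow", [], []        # documented 2.2 default Order
    for raw in block.splitlines():
        words = raw.strip().split()
        if not words:
            continue
        key = words[0].lower()
        if key == "order" and len(words) > 1:
            order = words[1].lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allows if key == "allow" else denies).extend(_term(t) for t in words[2:])
    if order not in ("allow,deny", "deny,allow"):
        raise ValueError("Order must be allow,deny or deny,allow")
    return order, allows, denies

def _require(term, negate=False):
    provider, arg = term
    return f"Require {'not ' if negate else ''}{provider} {arg}"

def _indent(lines):
    return ["  " + line for line in lines]

def _any_of(lines):
    """Several positive requirements are OR-ed; a single one needs no wrapper."""
    return lines if len(lines) == 1 else ["<RequireAny>"] + _indent(lines) + ["</RequireAny>"]

def translate(block):
    """Return the equivalent 2.4 directives as a list of lines."""
    order, allows, denies = _parse(block)
    positives = [_require(t) for t in allows if t != ALL]
    negatives = [_require(t, negate=True) for t in denies if t != ALL]
    if order == "allow,deny":
        # admitted iff (some Allow matches) and not (some Deny matches); default deny
        if ALL in denies or not allows:
            return ["Require all denied"]
        positive = ["Require all granted"] if ALL in allows else _any_of(positives)
        if not negatives:
            return positive
        return ["<RequireAll>"] + _indent(positive + negatives) + ["</RequireAll>"]
    # deny,allow: refused iff (some Deny matches) and not (some Allow matches); default allow
    if ALL in allows or not denies:
        return ["Require all granted"]
    if ALL in denies:
        return positives or ["Require all denied"]
    not_denied = ["<RequireAll>"] + _indent(["Require all granted"] + negatives) + ["</RequireAll>"]
    if not positives:
        return not_denied
    return ["<RequireAny>"] + _indent(not_denied + positives) + ["</RequireAny>"]

def demo():
    """Blocks taken from this page, shortened to the lines that matter."""
    examples = {
        "first question, 2.2 block": "Order Allow,Deny\nAllow from all\nAllow from env=good_bot\n"
                                     "Allow from 131.253.24.0/22\ndeny from 104.197.51.76\ndeny from env=spam_ref",
        "lock to localhost": "Order allow,deny\nAllow from 127.0.0.1",
        "geoIP thread": "Deny from env=BlockCountry",
        "xampp snippet": "Order deny,allow\nDeny from all\nAllow from all\nAllow from ::1 127.0.0.0/8",
    }
    return {name: translate(block) for name, block in examples.items()}

if __name__ == "__main__":
    for name, lines in demo().items():
        print(f"# {name}")
        print("\n".join(lines))
```

The output is meant to be pasted into the same <Directory> or <Location> block that held the old directives, after which mod_access_compat can be disabled and the configuration checked with apachectl configtest before reloading.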
I had this issue using Vesta CP, and for me the trick was to remove .htaccess and try to access any file again.
That resulted in the regeneration of the .htaccess file, and then I was able to access my files.
Can you try changing "Allow from 127.0.0 192.168.1 ::1 localhost" to "Allow from all"?
If that fixes your problem, you need to be less restrictive about where content can be requested from.
Here's my symfony 1.4 virtual host file on debian, which works fine.
<Directory /var/www/sf_project/web/>
Options All Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
If you want to restrict access to a specific IP range, e.g. localhost, use this:
Allow from 127.0.0.0/8
The mod_authz_host is responsible for filtering ip ranges. You can look up detailed things in there.
But maybe the problem could be related to some kind of misconfiguration in your "apache2.conf".
On what OS is the apache running?
If you have
Allow from All
in httpd.conf, then make sure you have
index.php
as in the line below in httpd.conf:
DirectoryIndex index.html index.php
In my case the key was:
AllowOverride All
in vhost definition.
I hope it helps someone.
This code worked for me.
<Location />
Allow from all
Order Deny,Allow
</Location>
Hope this helps others