Allow REST API to respond only to a specific server

I have a simple REST API endpoint which responds to requests from outside. Now I want to secure it. I only want my endpoint to respond to requests that come from my server (host).
What would be the easiest way to do this?
Can we trust HTTP_REFERER?
Please help.
Thanks in advance

You can deny/allow IPs using .htaccess (Apache does not accept comments on the same line as a directive, so each comment goes on its own line):
<Files "api.php">
    Order Deny,Allow
    Deny from all
    # Your server IP
    Allow from 0.0.0.0
    # Your client IP
    Allow from 0.0.0.0
    # Your client's other IP
    Allow from 0.0.0.0
</Files>
Hope this helps.

Can we trust HTTP_REFERER?
No. The referrer is sent by the client, so it can be anything and cannot be trusted. You can, however, check REMOTE_ADDR against the allowed IPs, or, if you do not assign IPs per user, simply set up a firewall using e.g. iptables, use .htaccess with proper Allow/Deny entries, or use any other software that controls the traffic before it reaches your API. This lets you decouple this feature from the main API.
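As an added illustration of the difference between the two checks discussed in this answer (example code written for this page, not from the original poster; the addresses, the trusted-proxy list and the allowed host name are constructed placeholders), the following Python puts a Referer check next to a REMOTE_ADDR allowlist. It also goes one step beyond the answer: if the API sits behind a reverse proxy, REMOTE_ADDR is the proxy itself, and the X-Forwarded-For header may only be honoured when the TCP peer is a proxy you control.

```python
import ipaddress

# Constructed values for the example (not from the original post):
# the server's own address plus one client range, using RFC 5737 test networks.
ALLOWED_SOURCES = ("203.0.113.10", "198.51.100.0/24")
# Reverse proxies whose X-Forwarded-For header may be believed (also constructed).
TRUSTED_PROXIES = ("10.0.0.5",)


def parse_networks(entries):
    """Turn IP and CIDR strings into ip_network objects (a bare IP becomes a /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def referer_allowed(headers, allowed_host="example.org"):
    """The check the question asks about. Referer is set by the client, so any
    HTTP client can send the 'right' value; this function accepts it anyway."""
    referer = headers.get("Referer", "")
    return referer.startswith("https://" + allowed_host + "/")


def client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=TRUSTED_PROXIES):
    """Return the address to treat as the client.

    remote_addr is the TCP peer (Apache's REMOTE_ADDR); an HTTP client cannot
    forge it. X-Forwarded-For is only a header, so it is used only when the peer
    is one of our own proxies, and then the rightmost hop that is not itself a
    trusted proxy is taken (a client can prepend hops, but the proxy appends
    the address it actually saw at the end)."""
    peer = ipaddress.ip_address(remote_addr)
    trusted = parse_networks(trusted_proxies)
    if x_forwarded_for and any(peer in net for net in trusted):
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                break  # malformed header: fall back to the peer address
            if not any(addr in net for net in trusted):
                return addr
    return peer


def source_allowed(remote_addr, x_forwarded_for=None, allowed=ALLOWED_SOURCES):
    """Allowlist decision equivalent to 'Deny from all' plus 'Allow from <entries>'."""
    addr = client_ip(remote_addr, x_forwarded_for)
    return any(addr in net for net in parse_networks(allowed))


if __name__ == "__main__":
    forged = {"Referer": "https://example.org/app"}
    # A stranger sending a forged Referer passes the header check ...
    print("Referer check, forged header:", referer_allowed(forged))
    # ... but not the address check, because the TCP peer is not on the list.
    print("IP check, peer 192.0.2.77:", source_allowed("192.0.2.77"))
    # Behind our own proxy the forwarded client address is used.
    print("IP check, via trusted proxy:", source_allowed("10.0.0.5", "198.51.100.9"))
    # The same header from an untrusted peer is ignored.
    print("IP check, forged XFF from the internet:", source_allowed("192.0.2.77", "198.51.100.9"))
```

The same decision can be made by Apache, iptables or the application itself; what does not change is that only the TCP peer address is something the remote side cannot choose, and a forwarded-for header is only as trustworthy as the proxy that wrote it.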

Related

htaccess: I cannot allow access from a specific domain instead of IP

I want to allow connections from my LAN, and also when the external IP matches my IP (for when I use my domain to connect to my HTTP server internally via the browser).
I found this:
Require forward-dns bla.example.org
but I get a 403 Forbidden :/
My .htaccess looks like this:
Order Deny,Allow
Deny from all
Allow from 192.168.254.1/24
Require forward-dns mydomain.de
Thank you :C
Here is the answer I have worked out:
I use a script to enter the IP address into the hosts file.
Follow the instructions from:
https://www.the-art-of-web.com/system/apache-auth-ddns/
After that it works with the following command in .htaccess
Allow from yourDomain.de
It's not the best answer, but it will work.

Apache2 virtualhost "allow from" dynamic DNS hostname?

I have a cloud-based apache2 web server, which serves multiple sites using various virtualhost conf files.
One of the websites is for my development only, and is currently configured to only allow my current IP address.
Order deny,allow
Deny from all
Allow from 1.2.4.5
However my IP changes once a week or so - so I'd prefer to use my dynamic DNS hostname. Alas this...
Allow from abc.ddns.net
... does not work. Can it be done?
It can work, but it requires your DNS to be set up perfectly. If you use allow from {hostname}, then for each relevant URI path Apache performs a reverse DNS lookup of the IP for the connection, and if that returns the host name from your allow directive, Apache then rechecks that that name resolves to the IP of the original connection.
This is all a relatively expensive set of operations and is normally not recommended. Allow from {ip address} would normally be preferred.
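The two lookups the answer describes, emulated as an added Python example (written for this page, not Apache's code; the addresses and DNS records are constructed tables standing in for the system resolver). The second, forward lookup is the security-relevant step: the owner of an IP block controls its PTR records, so a reverse lookup alone would let anyone name their address abc.ddns.net.

```python
# Constructed DNS data for the example (not from the original post). Apache asks
# the system resolver; here both lookups are dictionaries so the logic runs offline.
PTR_RECORDS = {
    "203.0.113.10": "abc.ddns.net",     # honest host: PTR and A records agree
    "198.51.100.7": "abc.ddns.net",     # attacker-owned IP whose PTR claims our name
    "192.0.2.99": "other.example.net",  # unrelated host
}
A_RECORDS = {
    "abc.ddns.net": {"203.0.113.10"},
    "other.example.net": {"192.0.2.99"},
}


def name_matches(name, allowed_host):
    """Apache matches a (partial) domain name on whole labels: 'ddns.net' matches
    'abc.ddns.net' but not 'fooddns.net'."""
    name = name.lower().rstrip(".")
    allowed_host = allowed_host.lower().rstrip(".")
    return name == allowed_host or name.endswith("." + allowed_host)


def hostname_allowed(remote_ip, allowed_host, ptr=PTR_RECORDS, a=A_RECORDS):
    """Emulate 'Allow from <hostname>' as the answer describes it:
    1. reverse-resolve the connecting IP to a name (PTR);
    2. compare that name with the directive;
    3. forward-resolve the name (A) and require the original IP to be among
       the results, so a PTR record the peer controls is not sufficient."""
    name = ptr.get(remote_ip)
    if name is None or not name_matches(name, allowed_host):
        return False
    return remote_ip in a.get(name.lower().rstrip("."), set())


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, "->", PTR_RECORDS[ip], "allowed:", hostname_allowed(ip, "abc.ddns.net"))
```

Because every request path triggers both lookups, the check is as slow and as fragile as the resolver it depends on, which is why the answer prefers Allow from {ip address} where the address is stable.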

Block traffic from specific ISPs/Botnetworks?

I am getting a lot of traffic from cloud server providers / bots.
How can I completely block these ISPs?
With a .htaccess?
Use the Deny directive. For example, Deny from 10.1.2.0/24.

How to enable HTTP-based authentication requests only through the external ip?

I have an Apache server on Ubuntu 12.04 with virtual hosts, and the router forwards port 80 to one of them. The directory is configured with HTTP authentication. I need to require authentication only when a request comes from "outside", that is, only when the request comes through the external IP; if I call from inside the network (or from the server at localhost), no authentication should be required.
Thanks in advance for your help. Sorry for my bad English.
You can use the allow from directive in conjunction with your HTTP authentication directives in your httpd.conf file (or .htaccess file) to specify a range of IP addresses for which HTTP authentication will not be required. See ".htaccess / .htpasswd bypass if at a certain IP address" for more info. Just specify your range of inside IP addresses in the allow from directive.

.htaccess: why is access to a file forbidden on localhost?

I want to allow access to a file (secret.txt) only from my IP.
Below is the .htaccess I'm using.
It works great at my provider's server.
However, at my localhost this .htaccess does not allow me to access the file.
<Files "secret.txt">
    Order Deny,Allow
    Deny from all
    Allow from 1.2.3.4
</Files>
where my external IP is "1.2.3.4".
I use Apache server locally.
How can I make things work at localhost also?
What address are you using to access your local Apache server? If you're addressing it as localhost, then you're probably not going all the way out of your machine via the network and back in again. This means that, as far as your local Apache server can see, you're coming from a loopback address.
Try putting 127.0.0.1 in instead of your external IP, and see if that works.
Try looking into your local server's access logs: does your local server see 1.2.3.4 when you access the file from the computer that should be allowed? You may see a different IP address (due to NAT and the like).