Just having trouble setting an access control in Apache. So I want to deny access to a specific IP address for a section in my website. So when this IP address accesses my site, they shouldn't be able to see the "test" section of the website.
This is what I have done inside the httpd.conf file
<Directory /test>
Order Allow,Deny
Allow from all
Deny from 10.13.89.47
</Directory>
Please can someone tell me what I am doing wrong?
Thanks
Based on the information you have provided, your document root is '/' (very dangerous) or you've not understood how the 'Directory' tag works. I would expect the tag to look something more like.....
<Directory /srv/www/htdocs/test>
I have used something else to get it working.
<Location /test>
Order Allow,Deny
Allow from all
Deny from 10.13.89.47
</Location>
P.S.: Sorry, and please be lenient with my English.
I have a situation where some IPs must be blocked, and the best way to do this, to my mind, is htaccess, because I have many entry points. It is easy and works fine...
I do:
<Files *>
Order allow,deny
deny from aaa.aaa.aaa.aaa/aa
deny from bbb.bbb.bbb.bbb/bb
Allow from all
</Files>
BUT! There is one more thing. I have a few devices which should be allowed access even if they go through the denied IP.
I can't install any module for Apache, so I need some simple way to solve it.
Can someone give me some ways or some tricks for it?
You need some way of identifying those devices, then you can add an environment variable to set up an exception and use access control by environment variable. For example, if you can do it by user-agent:
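# Mark requests whose User-Agent matches SpecialUA
SetEnvIf User-Agent SpecialUA UAException=1
<Files *>
# Deny,Allow: Deny rules are checked first, a matching Allow overrides them,
# and requests that match neither are allowed
Order deny,allow
Deny from aaa.aaa.aaa.aaa/aa
Deny from bbb.bbb.bbb.bbb/bb
# Exception for requests carrying the variable set above
Allow from env=UAException
</Files>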
See also SetEnvIf. I am linking to Apache 2.2 docs since you are using the old syntax which has been updated in 2.4.
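The same exception in the Apache 2.4 `Require` syntax that the answer above mentions, as an added example that is not part of the original answer. `SpecialUA` and `UAException` are the names used in the answer; the two CIDR ranges are constructed placeholders standing in for the ranges the question leaves out.

```apache
# Added example (Apache 2.4: mod_setenvif, mod_authz_core, mod_authz_host).
# 192.0.2.0/24 and 198.51.100.0/24 are constructed placeholder ranges.

# Set UAException when the User-Agent header matches SpecialUA.
# The header is chosen by the client, so it identifies a device only as
# long as the string stays private; prefer a stronger identifier if one exists.
SetEnvIf User-Agent "SpecialUA" UAException

<Files "*">
    <RequireAny>
        # Exception: requests carrying the variable pass regardless of address
        Require env UAException

        # Everyone else is allowed unless the address is in a blocked range
        <RequireAll>
            Require all granted
            Require not ip 192.0.2.0/24
            Require not ip 198.51.100.0/24
        </RequireAll>
    </RequireAny>
</Files>
```

In a .htaccess file this needs `AllowOverride` to include `AuthConfig` (for the `Require` directives) and `FileInfo` (for `SetEnvIf`).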
I have an Apache machine which is serving a .js file. That file should be the only file that needs to be seen.
I have configured Apache to do so like this:
<Location /var/www/test/test.js>
Order allow,deny
Allow from all
</Location>
The site address is test.in, which points to the test.js file in the /var/www/test directory. That is working fine. But when the user tries to hit test.in/someurl (which is not available) or some URL other than test.in, I want it to give a message with a 401 error.
How do I do that? Thanks in advance.
You misused <Location> - the argument should be a URI, not the directory path... You should use <Directory> to get the expected behavior.
I would do something like this (you should finetune it, it shows just the principle):
# first deny access to everything
<Location />
Order Deny,Allow
Deny from All
</Location>
# then allow access to specific URL
<Location /test/test.js>
Order Allow,Deny
Allow from All
</Location>
Have a look at the Order directive and one or more of the following: Location, LocationMatch, Directory, DirectoryMatch, Files, FilesMatch, etc.
I have been struggling with this problem for some time now. Let me break it down:
We have an apache2 server which hosts most of our company's websites. Each website is a separate vhost. One of these vhosts is used by our internal UI Designer to present his latest drafts and projects to both internal users and 3rd party clients. At the moment, this VHost is password protected from the Vhost configuration file using this directive:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
Allow from all
AuthUserFile /home/secure/passwords
AuthName "Username and password required"
AuthType Basic
Require valid-user
</Directory>
What I need is to make this website available (so NO password prompt) to our internal users meaning a specific IP range. I have tried to use the Allow from 192.168.xxx.xxx option in the above instruction set. However this is not letting the internal IP through (still asking for a password). So I tried to use our company's external IP address (which you can find on any "what's my IP website"). No luck with that either.
So for my last attempt, I have created a second vhost which obviously uses a different ServerName. Also, in order not to have any conflicts in the configuration file, I have created a symlink to /var/www and called it www2. Therefore, the Directory directive in the second vhost file looks like this:
<Directory /var/www2/>
Options Indexes FollowSymLinks MultiViews
AllowOverride none
Order allow,deny
Allow from all
</Directory>
However the configuration files are clearly conflicting because with the current configuration I get password protection on both hosts. If I disable this in the first Vhost, I lose it on both.
There is no .htaccess file in any of the directories, so there is nothing there to overwrite the configuration. The apache2.conf file has nothing defined related to Auth.
I'm not sure if you require more details, but feel free to ask me anything.
I appreciate the help!
----edit----
I just want to specify that I can't say 100% that my method of doing it is the correct one. Maybe setting up 2 VHosts isn't the solution to my problem. If anyone thinks of a better way of doing it, I'm open to suggestions. Bottom line is that I need one website to be available to internal users and password protected for anyone else.
Cheers!
Have you tried to solve this using the Satisfy directive of Apache?
For example:
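<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
# Host check: only the internal range passes. "Allow from all" is left out,
# because with Satisfy Any it would admit every client without a password.
Order allow,deny
Allow from 192.168.1
AuthUserFile /home/secure/passwords
AuthName "Username and password required"
AuthType Basic
Require valid-user
# Either the host check or a valid login is enough
Satisfy Any
</Directory>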
More information can be found here
I am getting
[Tue Apr 24 12:12:55 2012] [error] [client 127.0.0.1] client denied by server configuration: /labs/Projects/Nebula/bin/
My directory structure looks like (I am using Symfony 2, should be similar structure for other web frameworks)
I have vhosts setup like:
<VirtualHost nebula:80>
DocumentRoot "/labs/Projects/Nebula/web/"
ServerName nebula
ErrorLog "/var/log/httpd/nebula-errors.log"
</VirtualHost>
<Directory "/labs/Projects/Nebula/">
Options All
AllowOverride All
Order allow,deny
Allow from 127.0.0 192.168.1 ::1 localhost
</Directory>
I wonder what's the problem and how do I fix it?
Apache 2.4.3 (or maybe slightly earlier) added a new security feature that often results in this error. You would also see a log message of the form "client denied by server configuration". The feature is requiring an authorized user identity to access a directory. It is turned on by DEFAULT in the httpd.conf that ships with Apache. You can see the enabling of the feature with the directive
Require all denied
This basically says to deny access to all users. To fix this problem, either remove the denied directive (or much better) add the following directive to the directories you want to grant access to:
Require all granted
as in
<Directory "your directory here">
Order allow,deny
Allow from all
# New directive needed in Apache 2.4.3:
Require all granted
</Directory>
OK I am using the wrong syntax, I should be using
Allow from 127.0.0.1
Allow from ::1
...
In Apache 2.4 the old access authorisation syntax has been deprecated and replaced by a new system using Require.
What you want then is something like the following:
<Directory "/labs/Projects/Nebula/">
Options All
AllowOverride All
<RequireAny>
Require local
Require ip 192.168.1
</RequireAny>
</Directory>
This will allow connections that originate either from the local host or from ip addresses that start with "192.168.1".
There is also a new module available that makes Apache 2.4 recognise the old syntax if you don't want to update your configuration right away:
sudo a2enmod access_compat
I had this issue using Vesta CP and for me, the trick was to remove .htaccess and try to access any file again.
That resulted in regeneration of the .htaccess file, and then I was able to access my files.
Can you try changing "Allow from 127.0.0 192.168.1 ::1 localhost" to "Allow from all"?
If that fixes your problem, you need to be less restrictive about where content can be requested from.
Here's my symfony 1.4 virtual host file on debian, which works fine.
<Directory /var/www/sf_project/web/>
Options All Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
If you want to restrict access to a specific IP range, e.g. localhost, use this:
Allow from 127.0.0.0/8
The mod_authz_host is responsible for filtering ip ranges. You can look up detailed things in there.
But maybe the problem could be related to some kind of misconfiguration in your "apache2.conf".
On what OS is the apache running?
If you are having the
Allow from All
in httpd.conf then make sure you have
index.php
like in the below line in httpd.conf
DirectoryIndex index.html index.php
In my case the key was:
AllowOverride All
in vhost definition.
I hope it helps someone.
This code worked for me..
<Location />
Allow from all
Order Deny,Allow
</Location>
Hope this helps others
I've been trying to use a <limit> tag to disable PUT and DELETE calls from being executed through our Apache server and have been unsuccessful.
Apache Version: 2.2
I am currently adding something like this to the inside of my httpd.conf file:
<Directory />
Options none
AllowOverride none
Order deny,allow
Deny from all
<Limit PUT DELETE TRACE>
Order deny,allow
Deny from all
</Limit>
</Directory>
But I have been unable to get a successful restart on Apache while this line is in the file. Now, I know very little about Apache and I've been trying to follow along in some of the Apache docs I've found but have been unsuccessful.
With none of my changes this section of the httpd.conf looks like this:
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
Any help would be appreciated.
http://wiki.linuxquestions.org/wiki/Securing_Apache#Disabling_PUT_and_DELETE
<Directory /usr/apache/www/myserver.com/htdocs>
...bunch of useful stuff
<Limit PUT DELETE>
Require user terribleUnguessableUsername235452309875wesaef
</Limit>
</Directory>
According to Apache docs found at a hyperlink I do not have enough rep to include, you cannot restrict TRACE using a Limit directive.
If you can't restart Apache, there will be a line in the error log telling you what the problem is.
That said, I think a limit is not allowed inside a directory, but I'm not sure.
Note that TRACE can't be limited.
Trace can be limited in server.xml by adding allowTrace = false in connector tag.
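A form of the method restriction from this thread written for Apache 2.2, as an added example that is not taken from any of the posts. It follows the replies' point that TRACE cannot be restricted with `<Limit>` and uses the core `TraceEnable` directive instead. The directory path is the one from the answer above, and the list of permitted methods is an assumption.

```apache
# Added example for Apache 2.2 (Order/Allow/Deny syntax, mod_authz_host).

# TRACE is answered by the core server, so it is switched off server-wide
# rather than listed in a <Limit> section.
TraceEnable off

<Directory /usr/apache/www/myserver.com/htdocs>
    Options None
    AllowOverride None

    # Allow,Deny: a request needs a matching Allow, and any matching
    # Deny rejects it. These two lines apply to every method.
    Order allow,deny
    Allow from all

    # The Deny below applies only to methods NOT named here, so PUT,
    # DELETE and anything else unlisted is refused with 403.
    # GET also covers HEAD.
    <LimitExcept GET POST>
        Deny from all
    </LimitExcept>
</Directory>
```

Running `apachectl configtest` before restarting reports a syntax problem in the file without taking the server down.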