I have asked a similar question before
Restrict access to directories through ip address
at that time the problem was solved for apache 2.2. Recently I re-installed the OS (to Debian 8) and it comes with apache 2.4.
I want to restrict access to files - when the request comes "by" IP. Mainly if in the browser I try to open http://192.168.252.178/test/image.jpg it should show error - 403 forbidden. Directory test is in www directory of apache. However I should be able to access that image if I type http://www.example.com/image.jpg - considering that example.com points to that test directory.
With apache version 2.2 I would simply put this lines in my default site config file - and the problem was solved
<Files ~ ".+">
Order allow,deny
Deny from all
</Files>
Now, trying the same thing does not work: I am getting 403 forbidden even if I try to open any site by the domain name.
Considering the changes in 2.4 I also tried this, but again getting the the same 403 forbidden when trying to open some site.
<Files ~ ".+">
Require all denied
</Files>
My goal is to prevent any kind of access to directories and files - if they are being accessed through ip address. I have also this lines in my default site's config to prevent the directory access and this works fine.
<Directory /home/username/www>
Options -Indexes
AllowOverride All
Require all granted
</Directory>
So, the question is - how to prevent file access through IP address. Also I need to achieve this by apache config, by htaccess is not a solution for me. And I need to achieve this for all the directories/files inside www recursively, so specifying the exact file names and/or directories is not a solution either.
Thanks
When you use name based virtual hosts, the main server goes away. Apache will choose which virtual host to use according to IP address (you may have more than one) and port first, and only after this first selection it will search for a corresponding ServerName or ServerAlias in this subset of candidates, in the order in which the virtual hosts appear in the configuration.
If no virtual host is found, then the first VHost in this subset (also in order of configuration) will be choosen. More.
I mention this because it will be important you have only one type of VirtualHost directive:
<VirutalHost *:80>
or
<VirtualHost 123.45.67.89:80>
I'll use the wildcard in the example.
You need a directory like /var/www/catchall with a file index.html or similar, as you prefer.
<VirtualHost *:80>
# This first-listed virtual host is also the default for *:80
# It will be used as the catchall.
ServerName 123.45.67.89
# Giving this DocRoot will avoid any request based on IP or any other
# wrong request to get to the other users directories.
DocumentRoot "/var/www/catchall"
<Directory /var/www/catchall>
...
</Directory>
</VirtualHost>
# Now you can add as usuall the configuration for any other VHost you need.
<VirtualHost *:80>
ServerName site1.com
ServerAlias www.site2.com
DocumentRoot "/home/username1/www"
<Directory /home/username1/www>
...
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName site2.com
ServerAlias www.site2.com
DocumentRoot "/home/username2/www"
<Directory /home/username2/www>
...
</Directory>
</VirtualHost>
Debian specific :
For Debian, you ideally put one VHost configuration per file, and put the file in the /etc/apache2/sites-available directory.
Name the files as you like, only the file containing the catchall vhost should be named something like 000-catchall, because they will be read in alphabetic order from the /etc/apache2/sites-enabled directory.
Then you disable Debian's usual default site :
a2dissite 000-default
and you enable the new catchall site and the other VHosts if needed :
a2ensite 000-catchall
An ls /etc/apache2/sites-enabled command should show the catchall as the first of list, if not change its file name so that it will always be the first. Restart Apache: service apache2 restart
Of course you could do all this changes in the original default VHost config file, but I usually prefer keep an original model.
Related
I've installed vanilla at Ubuntu server with public-ip by the steps at https://www.vultr.com/docs/how-to-install-vanilla-forum-on-ubuntu-16-04
Then config /etc/apache2/sites-available/forum.example.com.conf as below
<VirtualHost *:80>
ServerName forum.example.com
DocumentRoot /var/www/vanilla
<Directory /var/www/vanilla>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
Then I can access http://public-ip at browser, but the result is Apache2 Ubuntu Default Page.
How can I access the installed vanilla at the browser? Should I make any change to the forum.example.com.conf?
If the request doesn't match a virtual host, Apache will serve files from the top level (not inside a <VirtualHost> block) DocumentRoot config value.
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot /var/www/html
I don't know Ubuntu well but I'd guess this is in /etc/apache2/apache2.conf. You can change this to /var/www/vanilla to serve your forum instead of the default page.
Alternatively you could rename / delete the existing /var/www/html and make it a symlink to /var/www/vanilla: then Apache would pick up the forum files without any config change.
Or if you just want to set up access for yourself then you can add the DNS name to your hosts file (/etc/hosts on Linux, \Windows\System32\drivers\etc\hosts on Windows)
forum.example.com AAA.BBB.CCC.DDD
and then you can use forum.example.com in your browser as normal, which will send the 'Host' header so Apache will match the virtual host, even though this isn't configured as public DNS.
I am running apache 2.4 on my web servers and I am always trying to find ways to streamline. Is it possible to include a conf file for every Joomla website and another one for every Wordpress site that I host? I put the Joomla .htaccess configuration (https://docs.joomla.org/Special:MyLanguage/Preconfigured_htaccess) inside of the domainname.com.conf file and specify Allowaccess none for performance reasons.
It would be great to have a single file for different versions of Joomla, Wordpress or other apps that require Apache configurations instead of needing to edit dozens of conf files when the app requirements change.
I found the include directive from Apache, but not sure if it would work on an individual vhost. http://httpd.apache.org/docs/2.4/mod/core.html#include
The Include does work for individual vhosts.
The documentation you linked (https://httpd.apache.org/docs/2.4/mod/core.html#include) states this in the header block of the section:
Context: server config, virtual host, directory
That means that the "Include" directive can be used, amongst other places, in the virtual host section of the configuration.
See here for a definition of the contexts: https://httpd.apache.org/docs/2.4/mod/directive-dict.html#Context
So you could do this:
<VirtualHost *:80>
ServerName joomla1.example.com
Include "conf/joomla.conf"
</VirtualHost>
<VirtualHost *:80>
ServerName joomla2.example.com
Include "conf/joomla.conf"
</VirtualHost>
<VirtualHost *:80>
ServerName wordpress1.example.com
Include "conf/wp.conf"
</VirtualHost>
<VirtualHost *:80>
ServerName wordpress2.example.com
Include "conf/wp.conf"
</VirtualHost>
joomla.conf and wp.conf would contain the directives that are common to either Joomla or Wordpress.
Well, I am new on Debian, Built server on Digital Ocean with Debian OS.
I successfully added two domains into one droplet:
mysite.com
anothersite.com
Created new dir:
/home/user/www/mysite.com/public_html
and copied files to public_html
The config file inside /etc/apache2/sites-available is:
DocumentRoot /home/user/www/mysite.com/public_html
<Directory /home/user/www/mysite.com/public_html>
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/myproject-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/myproject-access.log combined
Of Course, I enabled the site.
I haven't edited apache2.conf file and haven't configured 2nd domain (anothersite.com). Just added this 2nd domain to droplet, that's all.
when I enter to the site mysite.com it works perfect. But I wondered that why 2nd domain (anothersite.com) is redirected to 1st (mysite.com) domain?
By the way, I use Apache 2.4
If hostname (e.g. anothersite.com) point to the apache webserver but haven't explicitely configured a section that matches that hostname, then apache will deliver a "best match" (the first ).
so if only have a single in apache config and multiple hostnames (mysite.com and anothersite.com) point to the same machine, all of these names will display the same virtual host
I have a server with multiple websites hosted and distinguishable using name-based virtual hosting of apache.
How do I set it so that a specific website is hosted when the ip of my server is entered in the address bar?
What you want to use is the _default_ VirtualHost.
<VirtualHost _default_:80>
DocumentRoot /www/default80
# ...
</VirtualHost>
It's described here. Basically if nothing else match the request the _default_ host will be used.
EDIT
This could also be written as:
<VirtualHost *>
DocumentRoot /www/default
# ...
</VirtualHost>
Is is important that this is the first VirtualHost in the configuration since Apache will start matching them from top to bottom, selecting the one that fit the best based on ServerName and ServerAlias.
This post might also be of interest:
Apache default VirtualHost
just find the Include sites-enabled/ line in your apache2.conf file and add the path to the conf file you want to be site default above it. from:
Include sites-enabled/
to
Include sites-enabled/mydefault.conf
Include sites-enabled/
When you first install apache2, there is a site configuration file named 000-default.conf. This is going to be the default because it is very likely to appear first in the list of files under /etc/apache2/sites-enabled.
To have your own file as the default, you can either replace the file under /etc/apache2/sites-available/000-default.conf with your own, or replace the link like so:
sudo rm /etc/apache2/sites-enabled/000-default.conf
sudo ln -s ../sites-available/my-site-setup.conf /etc/apache2/sites-enabled/000-default.conf
Then restart apache2 (or just reload).
The _default_ as mentioned by the other answer is for defining a virtual host which can be found with the default IP address. It's not the default virtual host.
<VirtualHost _default_:80>
...
is equivalent to
<VirtualHost *:80>
...
The * is a globing pattern which matches any IP addresses.
Note:
Replacing the 000-default.conf file is okay, but in most cases the installation package is going to view that as a modified file and manage it in some weird way which is why I think it's cleaner to only change the soft link.
Keep it clean, don't delete or edit anything in /etc/apache2/sites-available/.
Create all new site configurations in /etc/apache2/sites-available/. Copy whatever site configuration you want enabled to /etc/apache2/sites-enabled/. Only make sure /etc/apache2/sites-enabled/ has only one configuration file.
Sample format for new apache site configurations in Ubuntu 20.04 LTS is
<VirtualHost *:80>
ServerName http://localhost
ServerAdmin admin#mysite.com
DocumentRoot /var/www/html/mysiteroot/public
<Directory /var/www/html/mysiteroot>
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Notice that 000-default.conf is by default in both directories mentioned above and should only be replaced by your new configuration in /etc/apache2/sites-enabled/ so that it can be restored anytime you need it.
Restart Apache2 service after you make any configuration changes.
Lets' asume I have 1 domain on a Ubuntu Server in the following directory:
/var/www/domain1.com/httpdocs
and that the ip address is 100.100.100.100
If I go to www.domain1.com, Apache will server the files inside the httpdocs folder.
How can I avoid that if the following file exists:
/var/www/domain1.com/privatefile.html
.. apache shows it by going to:
http://100.100.100.100/domain1.com/privatefile.html
In other words, I want to display the content in the httpdocs only, no by ip address.
In a vhost setup, Apache will use the first vhost defined as the default one to serve when a request comes in by IP. So just make a "dummy" vhost that points nowhere, and make sure it's the first one in the config file:
<VirtualHost *:80>
ServerName nothing.nowhere
ServerAdmin nobody#nothing.nowhere
DocumentRoot /var/empty
<Directory /var/empty>
Order Allow,Deny
</Directory>
</VirtualHost>