Block access from IP address in Apache2 - apache

I have an apache2 server, serving a website from the following directory: /var/www/
I'm trying to restrict this website to all but 2 IP addresses.
I've put the code below in the security file located on my Linux server directory:
etc/apache2/conf.d/security
<Directory /var/www/>
Order allow,deny
#Allow from IPADDRESS1
Allow from IPADDRESS2
</Directory>
1) Why can I access the website from IPADDRESS1 when it's commented out?
2) Is this the section of the apache2 documentation that deals with this?

I think you need to specify to deny all other connections, i.e.:
<Directory /var/www/>
Order allow,deny
#Allow from 192.168.1.4
Allow from 149.254
Deny from all
</Directory>

Related

How to restrict icons/readme.md from other users in apache?

I want to restrict all directories and files to the end users, but the application should be accessible. I have restricted all directories except readme.md. I cannot even locate the file inside the www folder. But the file is viewed when it is run in the browser as follows.
Following are the changes I have done in the httpd.config file:
<Directory "c:/wamp64/www">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Allow from localhost
</Directory>
<Files "c:/wamp64/icons/readme.md">
Order Deny,Allow
Deny from all
</Files>
<Directory "c:/wamp64/www/*">
Allow from all
</Directory>
Apache 2.4 is my version

Apache virtual host permissions not working

I need some help here; my virtual hosts permissions appear not to be working.
For example, site1.com and site2.com can access each other's files and even create files! I have tried to prevent this by having this in the apache2.conf file:
<Directory />
Options FollowSymLinks
Order deny,allow
Deny from all
</Directory>
And then in the virtual host file for site1 I have this
<Directory /var/www/site1.com/public_html>
Options indexes, FollowSymLinks
Order Allow,Deny
Allow from all
</Directory>
And for the virtual host file in site2 I have this
<Directory /var/www/site2.com/public_html>
Options indexes, FollowSymLinks
Order Allow,Deny
Allow from all
</Directory>
Can anyone help me with this please, as it's a big security issue?
What have I done wrong?
Thanks,
Dan
An Apache configuration doesn't have anything to do with who/what can create files in the filesystem, it only determines what this particular program (httpd) is willing to serve.

What could cause deny,allow directive to be ignored in .htaccess?

I cannot get allow and deny directives to work from an htaccess file within any directory in my web root. I am at a loss as to where I should look to configure this. I have checked the obvious (authz modules are loaded, allow overrides is set to all). Any ideas? Here are my configuration details.
I have an Apache 2.2 server running on RHEL. Within this server I have an IP based VirtualHost that is configured like this, where myipaddr and myserver are the actual IP address and host name respectively:
<VirtualHost myipaddr:80>
ServerName myserver
TransferLog /var/log/httpd/myserver.access
LogFormat loadbalanced
ErrorLog /var/log/httpd/myserver.error
DocumentRoot /var/www/myserver
<Directory /var/www/myserver>
Options -Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
I have tried more complex directives but even a simple .htaccess file that should deny everything has no effect.
Order deny,allow
Deny from all
It turns out there was a configuration file in /etc/httpd/conf.d that I did not realize was getting loaded and it was trumping the denies and allows within specific directories.
<Location />
Order allow,deny
Allow from all
<LimitExcept GET POST PUT DELETE>
Deny from all
</LimitExcept>
</Location>

httpd virtual hosts are not working

So I have recently been working on my new bootstrap website where I am using a VPS. Since I am only assigned one IP and I cannot get additional IPs, I was thinking of using Apache VirtualHosts combined with SRV records. While setting up the virtual hosts, I noticed that only virtual hosts on port 80 and 443 work. I am using ports 80, 8080, 8081, 8082 and 443. While connecting to 8080, I get a "This web page is not available" from Google Chrome. While connecting to 8081 and 8082, I get a "Oops! Google Chrome could not connect to ...". For now, I am using the domain "entel.us" because I am still transferring starfire1337.com. Here is my httpd.conf file: http://pastebin.com/awvR55aE
Any suggestions?
I am running CentOS 6
All your VirtualHost servernames are set to: *.starfire1337.com but you say you're using entel.us...?
Perhaps try adding:
ServerAlias *.entel.us where * is your subdomain, i.e. js.
Another issue is that you have only set a Directory for the /var/www/html directory, where all your virtualhosts go to other directories in /var/www/, so either add a <Directory> for each of your virtual hosts like:
<Directory "/var/www/js">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
or change this:
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
to this:
<Directory "/var/www">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>

Wamp Apache - Allow localhost

There are other questions similar to this but don't answer my problem.
This is the default httpd.conf:
<Directory "C:/wamp/www/">
Options Indexes FollowSymLinks
AllowOverride all
# onlineoffline tag - don't remove
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Directory>
and it allows only 127.0.0.1, but I want to allow also localhost and 192.168.x.x (my private ip).
Well, the other answers are: put Allow from all and uncomment in hosts file the line 127.0.0.1 localhost; but I read that is insecure or not recommended.
So I've tried this:
<Directory "C:/wamp/www/">
Options Indexes FollowSymLinks
AllowOverride all
# onlineoffline tag - don't remove
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from 192.168.x.x
Allow from localhost
</Directory>
It works for 192.168.x.x, but not for localhost (gets error: 403 Forbidden, You don't have permission to access / on this server.)
1) How can I make it work?
2) Maybe it is required to uncomment in the hosts file the line 127.0.0.1 localhost?
3) Is it really more secure than Allow from all?
Let's keep it simple, try this:
<Directory "C:/wamp/www/">
Options Indexes FollowSymLinks
AllowOverride all
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 ::1 localhost 192.168
</Directory>
::1 is the IPv6 equivalent of 127.0.0.1
I would use the first 3 of the quartiles 192.168.0 (assuming your third quartile is 0)
Update your httpd.conf to this, and you will be able to get to localhost on WAMP.
<Directory "C:/wamp/www/">
Options Indexes FollowSymLinks
AllowOverride all
# onlineoffline tag - don't remove
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from 192.168.x.x
Allow from ::1
</Directory>
If you are using Apache 2.4 then use:
<Directory "C:/wamp/www/">
Require all denied
Require ip 127.0.0.1
<If "%{HTTP_HOST} == 'localhost'">
Require all granted
</If>
</Directory>
1) I don't know if your Directory syntax is correct as I use Ubuntu server, but I always put the lines that allow individual addresses before the "Deny from all" directive. However, in the Apache documentation you can see examples where the directives are in the same order as in your code.
I also specify the netmask, which in the case of individual IPs should be 255.255.255.255, more fine-grained subnet restriction.
I have always seen the words deny,allow in the first directive in lowercase, but as you are using Windows maybe it is not necessary. The code that I would use is:
order deny,allow
Allow from 127.0.0.1/255.255.255.255
Allow from 192.168.x.x/255.255.255.255
Allow from localhost/255.255.255.255
Deny from all
2) Yes, as you are denying every petition except those that come from the specified IPs
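
Added example (not from any of the posts above): a small Python model of how a single Apache 2.2 section evaluates Order/Allow/Deny, run against the configurations quoted in the first question and in the WAMP question. The addresses standing in for IPADDRESS1 and IPADDRESS2 are constructed, the function names are hypothetical, host-name values such as localhost are not modelled, and interaction between several sections or files is ignored.

```python
import ipaddress

def matches(spec, client):
    """True if one Allow/Deny 'from' value covers the client address."""
    if spec.lower() == "all":
        return True
    try:  # full address, CIDR or address/netmask form
        return client in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        parts = spec.rstrip(".").split(".")  # maybe a partial IPv4 like "192.168"
    if len(parts) < 4 and all(p.isdigit() for p in parts):
        return client.version == 4 and str(client).split(".")[:len(parts)] == parts
    # Host names need DNS lookups, which this sketch does not model
    raise ValueError(f"unsupported spec: {spec}")

def allowed(order, allow, deny, client_ip):
    """Decision of one Apache 2.2 section using Order/Allow/Deny."""
    client = ipaddress.ip_address(client_ip)
    hit_allow = any(matches(s, client) for s in allow)
    hit_deny = any(matches(s, client) for s in deny)
    mode = order.replace(" ", "").lower()
    if mode == "allow,deny":
        # Needs an Allow match and no Deny match; no match at all is denied
        return hit_allow and not hit_deny
    if mode == "deny,allow":
        # Refused only on a Deny match without an Allow match; no match is allowed
        return hit_allow or not hit_deny
    raise ValueError(f"unsupported Order: {order}")

# Constructed stand-ins for the page's placeholders (documentation address range)
IPADDRESS1, IPADDRESS2 = "203.0.113.10", "203.0.113.20"
FIXED = ["127.0.0.1", "::1", "192.168"]  # WAMP list with ::1 and the LAN prefix

def demo():
    return {
        # First question: only IPADDRESS2 is listed, so the default (deny) applies
        "q1_commented_out": allowed("allow,deny", [IPADDRESS2], [], IPADDRESS1),
        "q1_listed": allowed("allow,deny", [IPADDRESS2], [], IPADDRESS2),
        # allow,deny plus "Deny from all": the Deny wins for every client
        "allow_then_deny_all": allowed("allow,deny", ["149.254"], ["all"], "149.254.1.1"),
        # WAMP default lists only IPv4 loopback: a request over ::1 is refused
        "wamp_v4": allowed("deny,allow", ["127.0.0.1"], ["all"], "127.0.0.1"),
        "wamp_v6": allowed("deny,allow", ["127.0.0.1"], ["all"], "::1"),
        "wamp_v6_fixed": allowed("deny,allow", FIXED, ["all"], "::1"),
        "wamp_lan": allowed("deny,allow", FIXED, ["all"], "192.168.1.50"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} {'allowed' if ok else '403'}")
```

Under `Order allow,deny` the section in the first question already refuses an unlisted client, and adding `Deny from all` to it refuses the listed ones too; `Deny from all` belongs with `Order deny,allow`, as in the WAMP configurations.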