Apache: Restrict access to specific source IP inside virtual host - apache

I have several named virtual hosts on the same Apache server, and for one of the virtual hosts I need to ensure that only a specific set of IP addresses is allowed to access it.
Please suggest the best way to do this. I have looked at the mod_authz_host module, but it does not look like I can use it inside a virtual host.

The mod_authz_host directives need to be inside a <Location> or <Directory> block but I've used the former within <VirtualHost> like so for Apache 2.2:
<VirtualHost *:8080>
<Location />
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
...
</VirtualHost>
Reference: https://askubuntu.com/questions/262981/how-to-install-mod-authz-host-in-apache

For Apache 2.4, you would use the Require ip directive. So to only allow machines from the 192.168.0.0/24 network (range 192.168.0.0 - 192.168.0.255):
<VirtualHost *:80>
<Location />
Require ip 192.168.0.0/24
</Location>
...
</VirtualHost>
And if you just want the localhost machine to have access, then there's a special Require local directive.
The local provider allows access to the server if any of the following conditions is true:
the client address matches 127.0.0.0/8
the client address is ::1
both the client and the server address of the connection are the same
This allows a convenient way to match connections that originate from the local host:
<VirtualHost *:80>
<Location />
Require local
</Location>
...
</VirtualHost>

If you are using Apache 2.2, inside your virtual host you should add the following directives (mod_authz_host):
Order deny,allow
Deny from all
Allow from 10.0.0.1
You can even specify a subnet:
Allow from 10.0.0
Apache 2.4's configuration looks a little different.
It would be better if you specified which version of Apache you are using.

In Apache 2.4, the authorization configuration syntax has changed, and the Order, Deny or Allow directives should no longer be used.
The new way to do this would be:
<VirtualHost *:8080>
<Location />
Require ip 192.168.1.0
</Location>
...
</VirtualHost>
Further examples using the new syntax can be found in the Apache documentation: Upgrading to 2.4 from 2.2
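As an added example (not code from any of the answers above, and not Apache's own source), here is a small Python model of how the two syntaxes evaluate a client address, so that an Allow/Deny or Require block can be sanity-checked before it is deployed. It models Order deny,allow and Order allow,deny, the address forms that Allow from and Require ip accept (full address, partial dotted address, CIDR, netmask), Require local, and the rule that several Require lines in one container act like RequireAny. Hostname-based rules (Allow from <hostname>, Require host) are deliberately left out, and the client addresses used in the demo are constructed. One caveat it makes visible: a full dotted quad such as Require ip 192.168.1.0 admits a single host, while Require ip 192.168.1 or 192.168.1.0/24 admits the whole subnet.

```python
# Added example (not from any answer above): a model of how Apache evaluates
# the two access-control syntaxes discussed here, so the effect of a given
# Allow/Deny or Require block can be checked without a running httpd.
# 'Require host' and 'Allow from <hostname>' (reverse-DNS based) are not modelled.
import ipaddress
from typing import Iterable, List, Optional


def parse_address_pattern(pattern: str):
    """Translate one address form accepted by 'Allow from' and 'Require ip'
    into a network: full address, partial dotted address (1 to 3 octets),
    CIDR prefix (10.0.0.0/8) or address/netmask (10.0.0.0/255.0.0.0)."""
    if "/" in pattern:
        return ipaddress.ip_network(pattern, strict=False)
    if ":" in pattern:
        return ipaddress.ip_network(pattern)  # a single IPv6 host (/128)
    octets = pattern.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported address pattern: {pattern!r}")
    # 1 to 3 leading octets select a /8, /16 or /24; a full dotted quad is one
    # host (/32).  That is why 'Require ip 192.168.1.0' admits exactly one
    # address while 'Require ip 192.168.1' or '192.168.1.0/24' admits the subnet.
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")


def matches_any(client: str, patterns: Iterable[str]) -> bool:
    """True if the client address matches any pattern ('all' matches everything)."""
    addr = ipaddress.ip_address(client)
    for pattern in patterns:
        if pattern == "all":
            return True
        net = parse_address_pattern(pattern)
        if addr.version == net.version and addr in net:
            return True
    return False


def apache22_decision(order: str, allow: List[str], deny: List[str], client: str) -> bool:
    """Apache 2.2 mod_authz_host: 'Order' fixes both the evaluation order and
    the default for requests that match neither list."""
    allowed = matches_any(client, allow)
    denied = matches_any(client, deny)
    if order == "deny,allow":
        # Deny first, then Allow; anything matching neither is permitted.
        return allowed or not denied
    if order == "allow,deny":
        # Allow first, then Deny; anything matching neither is refused.
        return allowed and not denied
    raise ValueError(f"unsupported Order: {order!r}")


def require_local(client: str, server_addr: Optional[str] = None) -> bool:
    """The 2.4 'local' provider: loopback v4, ::1, or client == server address."""
    addr = ipaddress.ip_address(client)
    if addr.version == 4 and addr in ipaddress.ip_network("127.0.0.0/8"):
        return True
    if addr == ipaddress.ip_address("::1"):
        return True
    return server_addr is not None and addr == ipaddress.ip_address(server_addr)


def apache24_decision(requires: List[str], client: str, server_addr: Optional[str] = None) -> bool:
    """Apache 2.4: several Require lines in one container act like <RequireAny>,
    so access is granted as soon as one of them grants it."""
    for line in requires:
        provider, *args = line.split()
        if provider == "all":
            granted = args == ["granted"]
        elif provider == "ip":
            granted = matches_any(client, args)
        elif provider == "local":
            granted = require_local(client, server_addr)
        else:
            raise ValueError(f"provider not modelled here: {provider!r}")
        if granted:
            return True
    return False


if __name__ == "__main__":
    # 2.2 block from the first answer: Order deny,allow / Deny from all / Allow from 127.0.0.1
    print(apache22_decision("deny,allow", ["127.0.0.1"], ["all"], "127.0.0.1"))    # True
    print(apache22_decision("deny,allow", ["127.0.0.1"], ["all"], "192.168.0.5"))  # False
    # Partial address 'Allow from 10.0.0' covers 10.0.0.0/24 only (constructed clients)
    print(apache22_decision("deny,allow", ["10.0.0"], ["all"], "10.0.0.77"))       # True
    print(apache22_decision("deny,allow", ["10.0.0"], ["all"], "10.0.1.77"))       # False
    # 2.4: a full dotted quad is one host, a /24 is the whole network
    print(apache24_decision(["ip 192.168.1.0"], "192.168.1.10"))                    # False
    print(apache24_decision(["ip 192.168.1.0/24"], "192.168.1.10"))                 # True
    # 'Require local' also covers a client connecting to its own address
    print(apache24_decision(["local"], "10.0.0.5", server_addr="10.0.0.5"))        # True
    print(apache24_decision(["local"], "10.0.0.6", server_addr="10.0.0.5"))        # False
```

The Order allow,deny case is worth running through the model too: with Deny from all in that order, every client is refused regardless of the Allow list, which is why the 2.2 examples on this page all use Order deny,allow.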

Related

Configuring httpd forward proxy to restrict destinations by subnet

I have an Apache httpd v2.2 server (on CentOS 6) set up as a forward proxy to get to a DMZ in a test lab environment. It is working, but I would like to restrict destinations to specific subnets, both IPv4 and IPv6. I've searched for a solution and have not been able to find an answer.
Here is the virtualhost segment of my httpd.conf file:
<VirtualHost 10.10.10.185:8080>
ProxyRequests On
ProxyVia On
ProxyBlock "10.20.30.30"
<Proxy *>
Order deny,allow
Allow from 10.1.0.0/24
Deny from all
</Proxy>
ErrorLog "/var/log/httpd/proxy-error.log"
CustomLog "/var/log/httpd/proxy-access.log" common
</VirtualHost>
The above config allows incoming connections from the 10.1.0.0/24 subnet. It does not allow connections specifically to 10.20.30.30 through the proxy. Instead of blocking that single address, I would like to specify a set of subnets that are allowed, with everything else denied. For example, allow:
2001:1111:2222:301::0/64
2001:1111:2222:302::0/64
10.20.40.0/24
But block everything else from passing through the proxy. I understand that this would block any URL that used a hostname instead of an IP address.
Thanks in advance for any help you can provide.
Regards,

Prevent access to files through ip address - apache 2.4

I have asked a similar question before
Restrict access to directories through ip address
At that time the problem was solved for Apache 2.2. Recently I re-installed the OS (to Debian 8) and it comes with Apache 2.4.
I want to restrict access to files when the request comes "by" IP. Mainly, if in the browser I try to open http://192.168.252.178/test/image.jpg it should show an error - 403 Forbidden. Directory test is in the www directory of Apache. However, I should be able to access that image if I type http://www.example.com/image.jpg - considering that example.com points to that test directory.
With Apache version 2.2 I would simply put these lines in my default site config file - and the problem was solved:
<Files ~ ".+">
Order allow,deny
Deny from all
</Files>
Now, trying the same thing does not work: I am getting 403 Forbidden even if I try to open any site by the domain name.
Considering the changes in 2.4 I also tried this, but again I am getting the same 403 Forbidden when trying to open some site:
<Files ~ ".+">
Require all denied
</Files>
My goal is to prevent any kind of access to directories and files if they are being accessed through the IP address. I also have these lines in my default site's config to prevent directory access, and this works fine:
<Directory /home/username/www>
Options -Indexes
AllowOverride All
Require all granted
</Directory>
So, the question is: how to prevent file access through the IP address. Also, I need to achieve this through the Apache config; .htaccess is not a solution for me. And I need to achieve this for all the directories/files inside www recursively, so specifying the exact file names and/or directories is not a solution either.
Thanks
When you use name-based virtual hosts, the main server goes away. Apache will choose which virtual host to use according to IP address (you may have more than one) and port first, and only after this first selection will it search for a corresponding ServerName or ServerAlias in this subset of candidates, in the order in which the virtual hosts appear in the configuration.
If no virtual host is found, then the first VHost in this subset (also in order of configuration) will be chosen.
I mention this because it will be important that you have only one type of VirtualHost directive:
<VirtualHost *:80>
or
<VirtualHost 123.45.67.89:80>
I'll use the wildcard in the example.
You need a directory like /var/www/catchall with a file index.html or similar, as you prefer.
<VirtualHost *:80>
# This first-listed virtual host is also the default for *:80
# It will be used as the catchall.
ServerName 123.45.67.89
# Giving this DocRoot will avoid any request based on IP or any other
# wrong request to get to the other users directories.
DocumentRoot "/var/www/catchall"
<Directory /var/www/catchall>
...
</Directory>
</VirtualHost>
# Now you can add as usual the configuration for any other VHost you need.
<VirtualHost *:80>
ServerName site1.com
ServerAlias www.site1.com
DocumentRoot "/home/username1/www"
<Directory /home/username1/www>
...
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName site2.com
ServerAlias www.site2.com
DocumentRoot "/home/username2/www"
<Directory /home/username2/www>
...
</Directory>
</VirtualHost>
Debian specific:
For Debian, you ideally put one VHost configuration per file, and put the file in the /etc/apache2/sites-available directory.
Name the files as you like; only the file containing the catchall vhost should be named something like 000-catchall, because they will be read in alphabetical order from the /etc/apache2/sites-enabled directory.
Then you disable Debian's usual default site:
a2dissite 000-default
and you enable the new catchall site and the other VHosts if needed:
a2ensite 000-catchall
An ls /etc/apache2/sites-enabled command should show the catchall as the first of the list; if not, change its file name so that it will always be the first. Restart Apache: service apache2 restart
Of course you could do all these changes in the original default VHost config file, but I usually prefer to keep an original model.
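To make the selection rules above concrete, here is an added Python model (not the answer's code, and not Apache's) of the three steps Apache takes to pick a virtual host: filter by the connection's address:port (an explicit IP entry takes precedence over a * entry, which is why mixing the two forms is a problem), then match the Host header against ServerName and ServerAlias in configuration order, and otherwise fall back to the first vhost of that set. The three vhosts are the ones from the answer; the request Host values and the sites-enabled file names are constructed. Running it with the catch-all listed last shows site1 silently becoming the default for IP-based and unknown-name requests.

```python
# Added example (not part of the answer above): a model of how Apache picks a
# name-based virtual host, to show why the catch-all must be listed first.
# The vhosts are the three from the answer; Host values are constructed.
import fnmatch
from typing import List, NamedTuple, Optional


class VHost(NamedTuple):
    address: str          # the <VirtualHost addr:port> argument, e.g. "*:80"
    server_name: str
    aliases: List[str]    # ServerAlias entries (wildcards allowed)
    document_root: str


def select_vhost(vhosts: List[VHost], server_ip: str, port: int,
                 host_header: Optional[str]) -> VHost:
    """Step 1: keep the vhosts whose address:port covers the connection; an
    explicit IP entry beats a wildcard, so mixing the two forms splits the set.
    Step 2: match the Host header against ServerName/ServerAlias in config order.
    Step 3: no match (or no Host header at all) -> the first vhost of the set."""
    specific = [v for v in vhosts if v.address == f"{server_ip}:{port}"]
    wildcard = [v for v in vhosts if v.address == f"*:{port}"]
    candidates = specific or wildcard
    if not candidates:
        raise LookupError(f"no VirtualHost listens on {server_ip}:{port}")
    if host_header:
        # The Host header may carry a port; name matching is case-insensitive.
        name = host_header.split(":")[0].lower()
        for v in candidates:
            if name == v.server_name.lower():
                return v
            if any(fnmatch.fnmatchcase(name, a.lower()) for a in v.aliases):
                return v
    return candidates[0]  # the default vhost for this address set


def debian_load_order(site_files: List[str]) -> List[str]:
    """sites-enabled is read in lexical order, so '000-catchall' must sort first."""
    return sorted(site_files)


CATCHALL = VHost("*:80", "123.45.67.89", [], "/var/www/catchall")
SITE1 = VHost("*:80", "site1.com", ["www.site1.com"], "/home/username1/www")
SITE2 = VHost("*:80", "site2.com", ["www.site2.com"], "/home/username2/www")

GOOD_ORDER = [CATCHALL, SITE1, SITE2]   # catch-all first, as the answer says
BAD_ORDER = [SITE1, SITE2, CATCHALL]    # catch-all last: site1 becomes the default


def docroot_for(vhosts: List[VHost], host_header: Optional[str]) -> str:
    """DocumentRoot served for a request to the shared address 123.45.67.89:80."""
    return select_vhost(vhosts, "123.45.67.89", 80, host_header).document_root


if __name__ == "__main__":
    for order, label in ((GOOD_ORDER, "catch-all first"), (BAD_ORDER, "catch-all last")):
        print(label)
        for host in ("www.site1.com", "123.45.67.89", "unknown.example", None):
            print(f"  Host: {host!s:16} -> {docroot_for(order, host)}")
    print(debian_load_order(["site1.conf", "000-catchall.conf", "site2.conf"]))
```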

Wamp 2.5 local host doesn't work after I have setup virtual hosts I get 403 forbidden error

I have set up virtual hosts, and now when I type localhost it does not work. I figured that I would have to make a virtual host for localhost itself, and that worked, but now when I type my external IP it does not work: it says 403 Forbidden. So how do I fix this? Do I have to make a virtual host for my external IP, and will it work for everyone or just my computer? For example, if I give it to a friend and he types my external IP, will it work?
When you create Virtual Hosts, Apache ignores the host defined in httpd.conf, i.e. localhost. So you have to create a vhost for localhost as well.
For security it should be the first vhost defined, as if someone just tries your IP address, Apache will default to the first vhost, and that will be defined with only local access, so they will get an error saying they are not allowed in.
As per your other question, you should only be allowing access to your .tk domains if the user actually enters a valid xxx.tk domain name, and disallow access if they just use your WAN IP address.
# Should be the first VHOST definition so that it is the default virtual host
# Also access rights should remain restricted to the local PC and the local network
# So that any random ip address attack will receive an error code and not gain access
<VirtualHost *:80>
ServerAdmin webmaster@homemail.net
DocumentRoot "c:/wamp/www"
ServerName localhost
ServerAlias localhost
<Directory "c:/wamp/www">
AllowOverride All
<IfDefine APACHE24>
Require local
</IfDefine>
<IfDefine !APACHE24>
Order Deny,Allow
Deny from all
Allow from 127.0.0.0/8 localhost ::1
</IfDefine>
</Directory>
</VirtualHost>

How to filter url in Apache configuration

We have an Apache web server that receives user requests. It only allows HTTPS connections (JkHTTPSIndicator HTTPS). But now we have a new requirement, which will allow a particular URL pattern like /myurl over HTTP via Apache. That is, we want Apache to only accept HTTP if a particular URL pattern is thrown at it.
You can use a Location block to restrict/allow access
http://httpd.apache.org/docs/2.2/sections.html
I'm not quite sure if this is what you want, but you could block the root location:
<Location />
Deny from all
</Location>
And then add a location to allow
<Location /myurl>
Allow from all
</Location>
The above suggestion did not work for me with Apache 2.2.15. I had to do something different although still along the lines suggested above:
<VirtualHost *:80>
...
<Location />
Require all denied
</Location>
<Location /my-dir>
Require all granted
</Location>
</VirtualHost>

Apache 2.4 mod_status configuration with virtual hosts Getting Forbidden error

I am trying to get mod_status set up on my Apache 2.4 server. I have trawled the net for hours, but all the examples given just show the tags in the main httpd.conf file, not how to place the directives into a virtual host setup.
This is my virtual host config with what I have tried. When I do this and then open a local browser, or a browser from my allowed IP address (my remote public address), I get a Forbidden error in the browser.
<VirtualHost *:80>
ServerName www.thevmscloud.com
ServerAlias thevmscloud.com
ServerAdmin admin@thevmscloud.com
DocumentRoot "d:/wamp/webdocs/www/"
ErrorLog "logs/www.thevmscloud.com.log"
CustomLog "logs/www.thevmscloud.com.log" common
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Require host 127.0.0.1 81.133.136.16
</Location>
<Directory "d:/wamp/webdocs/www/">
LogLevel crit
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride all
Order Allow,Deny
Allow from all
Require all granted
</Directory>
</VirtualHost>
I have tried all manner of different combinations of settings commented in/out, the location block within the virtual host block, outside it, in the httpd.conf main body, and still no joy.
Trouble is, I just can't find an example of this setup anywhere. Some posts say 'you might want to add this to your virtual host config' but then don't show how.
Does anybody have any idea how this is to be configured so I can browse to my domain.com/server-status and see the server stats as expected?
Many thanks
Mark
Change it to this:
<Location /server-status>
SetHandler server-status
Require ip 127.0.0.1
Require ip ::1
Require ip 81.133.136.16
</Location>
Don't use require "host" if you don't need it because it will try to resolve it (especially for localhost)
Check the error logs also.
The ::1 is localhost for IPv6, you probably need it.
To access the server status by the name of the virtual host, and not by localhost/127.0.0.1, please see my configuration:
<IfModule mod_status.c>
<Location /server-status>
SetHandler server-status
Order deny,allow
Allow from 127.0.0.1
Allow from ::1
</Location>
</IfModule>
Allow from addresses the location of the client being on the same host, and not the address by which you are calling the server, given that different virtual boxes with different server addresses share the same localhost computer.
Since I have only one virtual box, I don't know yet whether the returned data comes split per different virtual boxes. If you know it, please edit this post or leave a comment.
Please note that trying to access http(s)://hostname/server-status from another address failed with status 403 and the log showed the mysterious: AH01797: client denied by server configuration. In the end, I couldn't access the status from outside, even when I set Allow from all, but it wasn't that important to me.
Hope that helps
https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html#requiredirectives
In place of ::1 and 127.x or localhost:
<Location /server-status>
SetHandler server-status
Require local
Require ip 81.133.136.16
</Location>