How to block URL pattern using Apache with mod_wsgi

I have a web2py application run under Apache via mod_wsgi. How do I restrict access to the admin page (www.myapp.com/admin) based on source IP?
Ideally, I do it directly within Apache for two reasons: 1) I assume that Apache has more effective access to the source IP [citation needed] and 2) I don't feel like modifying the stock admin page in web2py to block specific IPs.
My (abridged) configuration looks something like this:
<VirtualHost *:80>
    WSGIDaemonProcess web2py user=myapp group=myapp
    WSGIProcessGroup web2py
    WSGIScriptAlias / /home/myapp/myapp/wsgihandler.py
    TimeOut 45
    ServerName myapp.com
    ServerAlias www.myapp.com
    <Directory /home/myapp/myapp>
        AllowOverride None
        Order Allow,Deny
        Deny from all
        <Files wsgihandler.py>
            Allow from all
        </Files>
    </Directory>
    #======================================
    # THIS IS WHAT I TRIED THAT DIDN'T WORK
    <Directory /home/myapp/myapp/admin>
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
    </Directory>
    #======================================
    AliasMatch ^/static/(.*) \
        /home/myapp/myapp/applications/myapp/static/$1
    <Directory /home/myapp/myapp/applications/myapp/static/>
        Options -Indexes
        Order Allow,Deny
        Allow from all
    </Directory>
    # HTTPS enforcement
    # Out of convenience, forward /a* to https, covers /admin /appadmin and /a (front facing admin)
    RedirectMatch ^/a(.*) https://myapp.com/a$1
    RedirectMatch ^/c/(.*) https://myapp.com/c/$1
    RedirectMatch ^/w/user/login(?:/(.*)|$) https://myapp.com/w/user/login/$1
    RedirectMatch ^/w/user/register(?:/(.*)|$) https://myapp.com/w/user/register/$1
    CustomLog /var/log/apache2/access.log common
    ErrorLog /var/log/apache2/error.log
</VirtualHost>
Note that I have a similar VirtualHost for port 443. I just didn't include it for the sake of redundancy.
Normally, it is my understanding that I could use something like the directory notation to deny access to certain directories. However, the above didn't work and I wonder if it has to do with the WSGIScriptAlias directive.

Use:
<Location /admin>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Location>

Related

Why some directives in Apache vhost don't work with Ghost?

CONTEXT. I work on a server running Centos 8.3 with Apache 2.4.37.
In Apache's vhosts.conf configuration file I have this vhost for one of my websites:
<VirtualHost *:80>
    ServerAdmin se@site.com
    DocumentRoot /var/www/html/site
    ServerName site.com
    ErrorLog /var/log/httpd/admin-site.com-error_log
    CustomLog /var/log/httpd/admin-site.com-access_log common
    <Directory "/var/www/html/site">
        Options SymLinksIfOwnerMatch
        AllowOverride None
        Order Allow,Deny
        Allow from all
    </Directory>
    <Files ~ "test\.txt">
        Order Allow,Deny
        Deny from all
    </Files>
    <FilesMatch "\.(txt|png)$">
        Order Allow,Deny
        Deny from all
    </FilesMatch>
</VirtualHost>
I have these two different scenarios:
If in the DocumentRoot folder I put only static files (html, css, images, etc), the Files and FilesMatch directives work perfectly and the frontend looks excellent.
If I put a Ghost installation in the DocumentRoot folder, I necessarily have to add the following Proxy directives to the vhost. And when doing so, the frontend looks great too, but the Files and FilesMatch directives do NOT work at all, i.e. the browser allows me to open site.com/test.txt and site.com/file.png, when they shouldn't open.
ProxyRequests off
ProxyPass / http://localhost:2368/
ProxyPassReverse / http://localhost:2368/
Any ideas how to get the Files and FilesMatch directives to work on my Ghost installation?
I already tried this:
For those thinking about .htaccess. If I activate AllowOverride so that the .htaccess is read: I already tried and the directives in the .htaccess don't work either.
For those thinking of Deny from all. I know Deny from all is for Apache 2.2, and for 2.4 Require all denied should be used. I have done tests, and in my Apache 2.4 Require does not work; only Deny from all works.

What could cause deny,allow directive to be ignored in .htaccess?

I cannot get allow and deny directives to work from an htaccess file within any directory in my web root. I am at a loss as to where I should look to configure this. I have checked the obvious (authz modules are loaded, allow overrides is set to all). Any ideas? Here are my configuration details.
I have an Apache 2.2 server running on RHEL. Within this server I have an IP-based VirtualHost that is configured like this, where myipaddr and myserver are the actual IP address and host name respectively:
<VirtualHost myipaddr:80>
    ServerName myserver
    TransferLog /var/log/httpd/myserver.access
    LogFormat loadbalanced
    ErrorLog /var/log/httpd/myserver.error
    DocumentRoot /var/www/myserver
    <Directory /var/www/myserver>
        Options -Indexes FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>
I have tried more complex directives but even a simple .htaccess file that should deny everything has no effect.
Order deny,allow
Deny from all
It turns out there was a configuration file in /etc/httpd/conf.d that I did not realize was getting loaded and it was trumping the denies and allows within specific directories.
<Location />
    Order allow,deny
    Allow from all
    <LimitExcept GET POST PUT DELETE>
        Deny from all
    </LimitExcept>
</Location>

apache2 virtualhost configuration with two subdirectories

I'm running Apache 2.4 on Ubuntu 14.04 server. Its purpose is a mail server so it has postfix, dovecot and roundcube on it (amongst other things). I'm trying, and failing, to configure Apache to serve the pages that I want.
I have an SSL certificate installed and working correctly. I want to force all access over HTTPS so I have:
<VirtualHost *:80>
    Redirect / https://mailserver.hni.ae/
</VirtualHost>
Both sets of files to be served are under /var/www/html, the first being /var/www/html/A and the other /var/www/html/B (let's say). I have configured my /etc/apache2/sites-available/000-default.conf (which has a symlink to ./sites-enabled) to be:
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/ssl/private/mycert.crt
    SSLCertificateKeyFile /etc/ssl/private/mycert.key
    ServerAdmin webmaster@mydomain.com
    ServerName www.mydomain.com
    DocumentRoot /var/www/html/
    DirectoryIndex index.php
    <Directory /var/www/html/A>
        Options FollowSymLinks
        AllowOverride None
        Order Allow,Deny
        Allow from all
    </Directory>
    <Directory /var/www/html/B>
        Options FollowSymLinks
        AllowOverride None
        Order Deny,Allow
        Deny from All
        Allow from 192.168.1.1
    </Directory>
    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
And that works. I can go to www.mydomain.com/B and it serves the login page for those pages (only when I access from the specified IP address), and www.mydomain.com/A and login to the pages from app A.
My problem: I want to be able to go to www.mydomain.com/C and just plain www.mydomain.com and be redirected to www.mydomain.com/A but when I use Redirect ... the server gets into a loop and tries to serve www.mydomain.com/AAAAAAA.... I suspect I should use the RedirectMatch temp ^/$... directive but can't get that to work either. Maybe something to do with the Redirect for :80 to :443 clashing? There is no .htaccess involved as I'm using AllowOverride None.
I've read the Apache 2.4 documentation thoroughly but just can't figure it out. Any suggestions?
You can use a RewriteRule. Add this to your VirtualHost:
RewriteEngine On
RewriteRule ^/(C/?|)$ /A [R,L]
Make sure mod_rewrite is enabled too.
Explanation:
Regex ^/(C/?|)$ will match /C optionally followed by a /, or just / i.e. the root of www.mydomain.com

How can I serve multiple sites with apache based on the URL

I have two separate Django projects that I want to serve up from the same machine. I'm trying to set up my VirtualHost configurations in apache to serve them up. I know I can serve them up on separate ports, but I'd rather do it based on the request URL. So example.com/app1 would go to one app and example.com/app2 would go to the other. ServerName and ServerAlias won't work since they only look at the Host, which in both cases would just be example.com. Is there any way to do this?
The ServerPath directive looked promising but it looks like, since it was only meant as a fallback for older browsers, apache only looks at ServerPath if the browser doesn't supply the Host field in the request.
Update: Here is what the VirtualHost configuration for my first app looks right now.
<VirtualHost *:80>
    ServerAlias *
    WSGIScriptAlias /app1 /home/eyuelt/app1/app1/wsgi.py
    Alias /app1/static /home/eyuelt/app1/staticfiles
    <Directory /home/eyuelt/app1/app1>
        <Files wsgi.py>
            Order deny,allow
            Require all granted
        </Files>
    </Directory>
    <Directory /home/eyuelt/app1/staticfiles>
        AllowOverride None
        Order deny,allow
        Require all granted
    </Directory>
</VirtualHost>

Apache - Restrict to IP not working

I've a subdomain that I only want to be accessible internally; I'm trying to achieve this in Apache by editing the VirtualHost block for that domain. Can anybody see where I'm going wrong? Note, my internal IP addresses here are 192.168.10.xxx. My code is as follows:
<VirtualHost *:80>
    ServerName test.example.co.uk
    DocumentRoot /var/www/test
    ErrorLog /var/log/apache2/error_test_co_uk.log
    LogLevel warn
    CustomLog /var/log/apache2/access_test_co_uk.log combined
    <Directory /var/www/test>
        Order allow,deny
        Allow from 192.168.10.0/24
        Allow from 127
    </Directory>
</VirtualHost>
Thanks
You're missing the Deny from all line? Oh, and using the wrong order.
Quoting the mod_access docs:
[...] all hosts in the apache.org domain are allowed access; all other hosts are denied access.
Order Deny,Allow
Deny from all
Allow from apache.org
The problem is your allow line for the local network. Replace Allow from 192.168.10.0/24 with Allow from 192.168.10. (will allow 192.168.10.*).
For completeness, add a Deny from all line to make it clear that you're blocking everyone else.
I suppose the path inside Directory tag should be simply /
<VirtualHost *:80>
    ServerName test.example.co.uk
    DocumentRoot /var/www/test
    ErrorLog /var/log/apache2/error_test_co_uk.log
    LogLevel warn
    CustomLog /var/log/apache2/access_test_co_uk.log combined
    <Directory />
        Order allow,deny
        Allow from 192.168.10.0/24
        Allow from 127
    </Directory>
</VirtualHost>
and please don't forget to restart apache
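
Added example (not code from any of the posts above): a small Python model of how mod_access_compat combines Order, Allow and Deny, applied to the <Location /admin> rule in the first answer and to the Order lines debated in the last thread. It assumes IPv4 clients only and does not handle hostname specs such as apache.org; the function names and client addresses are constructed for illustration.

```python
import ipaddress

def spec_to_network(spec):
    """Convert an Allow/Deny spec to an IPv4 network; None stands for 'all'."""
    if spec.lower() == "all":
        return None
    if "/" in spec:  # CIDR form, e.g. 192.168.10.0/24
        return ipaddress.ip_network(spec, strict=False)
    # Partial or full address: "127", "192.168.10.", "127.0.0.1"
    octets = [o for o in spec.split(".") if o]
    prefix = 8 * len(octets)
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + f"/{prefix}")

def matches(specs, client):
    """True if the client address falls under any spec in the list."""
    addr = ipaddress.ip_address(client)
    nets = [spec_to_network(s) for s in specs]
    return any(n is None or addr in n for n in nets)

def allowed(order, allow, deny, client):
    """Apply the Order rules to one client address."""
    hit_allow, hit_deny = matches(allow, client), matches(deny, client)
    mode = order.replace(" ", "").lower()
    if mode == "allow,deny":
        # Deny is evaluated last and wins; unmatched clients are denied.
        return hit_allow and not hit_deny
    if mode == "deny,allow":
        # Allow is evaluated last and wins; unmatched clients are allowed.
        return hit_allow or not hit_deny
    raise ValueError(f"unsupported Order: {order}")

# Policies copied from the page; client addresses are constructed samples.
ADMIN = ("Deny,Allow", ["127.0.0.1"], ["all"])                 # first answer
INTERNAL = ("allow,deny", ["192.168.10.0/24", "127"], [])      # last question
INTERNAL_PLUS_DENY = ("allow,deny", ["192.168.10."], ["all"])  # same Order, Deny from all added

def report(policy, clients=("127.0.0.1", "192.168.10.25", "203.0.113.9")):
    """Map each sample client to the allow/deny decision for one policy."""
    order, allow, deny = policy
    return {c: allowed(order, allow, deny, c) for c in clients}

if __name__ == "__main__":
    for name in ("ADMIN", "INTERNAL", "INTERNAL_PLUS_DENY"):
        print(name, report(globals()[name]))
```

Under Order allow,deny a matching Deny overrides any Allow and unmatched clients are denied by default, so adding Deny from all with that order rejects every client, including 192.168.10.25. Under Order Deny,Allow the same Deny from all is overridden by a matching Allow.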