htaccess - How to restrict to access from my home - apache

I have a website on the internet that I only want to be accessible from my house.
Could I have htaccess be restricted to the MAC address of my router? If not, are there any other options?
I don't think I could use IP address because my ISP changes it all the time.

You can't use the MAC because it won't get past the next router. Usually, even if you have a dynamic IP, your ISP gives you a hostname that is fixed, something like customer1337.newyork.bestisp.com. See what it is here, and use that in the htaccess.

Since you cannot use your MAC address or your IP Address, your best solution is to use DNS to maintain a host record. You can use dyndns or freedns to set up a dynamic dns record. Many routers these days actually allow you to configure your router to ping these sites to update your host record.
Suppose on freedns.afraid.org you set it up so that gregmyhome.mooo.com points to your router. Then you can update the htaccess file to allow access from that hostname. Apache will perform a reverse dns lookup upon your visiting the site, and let you in.
I will say, however, that there may be a delay which may cause you to be restricted for some time. This problem may force you to look to other authentication mechanisms, such as digest auth, client certificate, or even ssh tunnelling.

In addition to Bart, you could just use a .htpasswd file and set a username and password for the site, so that only you can log in.

You probably could, but that's not what htaccess is for, in my opinion, unless you set up authentication using htaccess. But then your website will be accessible from everywhere that has the password.
iptables can do MAC address filtering though. Why don't you set that up?
So if your router's MAC is xyz,
first set the default policy:
iptables -P INPUT DROP
then specifically allow yours:
iptables -A INPUT -p tcp --destination-port 80 -m mac --mac-source xyz -j ACCEPT

Related

Can't access my website through its IP address

I have hosting with godaddy with a private IP address. I am able to access my websites and others via the domain name, but not via IP Address.
I am now trying to access the HTTP via port 80 but it gives an error that the website is not set up.
Are there any workarounds to allow accessing the website and other folders through the IP address over HTTP?
This sounds to me like you were on a managed webpack that grants you access to the to-be-served content but not to the webserver or its config itself.
What you are experiencing there is an effect of a technique called virtual-hosts in which multiple sites are tied to one IP address. For this to work in the realm of HTTP, the Host header got introduced in HTTP/1.1. It allows clients to send a domain name for which they want to receive content.
If you request a raw IP, though, the Host header won't look like Host: example.com but rather like Host: 123.45.67.89. The server will not be able to associate a domain name with this as it is unlikely to be found elsewhere in the request. Therefore, it will be forced to serve content out of its default document directory, which usually contains further documentation regarding the further configuration of the webserver in question. Linux distributions like to add additional information specific to them. Check if you see any mention of e.g. Debian, RedHat, or CentOS.
I am not sure if this is fixable. Usually webservers like Apache support IP-based virtual hosts. Whether a mass hoster like godaddy is really going to address this is uncertain. Try to contact their support and see.
1] If you are using host headers, make sure you have a DNS entry pointing your URL to your IP.
2] Telnet to port 80 from a machine outside your network. If it fails, check with your ISP that port 80 is not blocked in the firewall.

Iptables : How to block (handle) X-Forwarded-For addresses?

(I'm in fact on CentOS behind an AWS ELB. But I don't want this question to be specific to AWS ELB only, but for the general case.)
I'm working on a CentOS 6.5 box, which is behind a loadbalancer which only passes the X-Forwarded-For IPs to me. As a web server, I know the bad IPs coming in, and I need to block them, from my server itself. (Assuming there is no IPS/IDS/Firewall in front to rely on.)
So far, I don't know how to (I can't) block those bad IPs with my iptables because there's no real IP, but only X-Forwarded-For IPs passed to me. (So what I do is, I am using the .htaccess to block. And it works.)
How to achieve this at the proper firewall level please?
I'd like to do the same thing. I've got a very long list of IP addresses to block in CIDR format, and converting it to regular expressions to use in a .htaccess file just doesn't seem like the right thing to do. And you know that in terms of processor load, regular expressions in .htaccess aren't even in the same galaxy as the integer bit-fiddling that iptables can do. But I don't believe that it's possible to use iptables for this. Iptables runs in the kernel, and it blocks the incoming IP addresses at a low level, before any header is read.
In my case, I'm only using the load balancer as a convenient way to handle https requests, I don't really need to balance a heavy load across multiple webserver instances. So what I've been considering is running a separate instance with nginx reverse proxy to handle https for my apache webserver, adding the X_FORWARDED headers exactly like the AWS load balancer does. That way I can use iptables on the instance running nginx, and I don't have to touch my apache configuration or webapps that have been running behind the load balancer.
You lose the redundancy of multiple IP addresses for the load balancer itself, as well as integration with AWS CloudFront to balance backend load, but you gain the ability to use iptables and you can offload processing of static content from apache, perhaps improving your response time. Since nginx is said to be much lighter-weight than apache for simple request processing, you shouldn't need much muscle on that instance. I wonder if AWS load balancers are actually just instances running nginx. If you look at the pricing, the hourly cost of a load balancer is roughly the same as a t2.small linux instance.
I haven't tried this yet myself, as nginx configuration is brand new to me, and it would require buying and installing an SSL certificate instead of using the wonderfully simple and convenient certificate manager.
I wonder if AWS would consider user feature-requests to be able to configure load balancers with iptables...
UPDATE: I just posted this in the AWS EC2 forum.
UPDATE 2: My feature request to AWS asking for a feature to configure iptables for the load balancer got answered with an explanation of how to use a network ACL to block requests originating from any CIDR in a list from reaching the load balancer. To me, that's just as good a solution. The OP was looking for a solution not specific to AWS, and this doesn't meet that criterion. If you have this problem with some server that is behind a reverse proxy, it simply isn't possible to use that server's iptables-style firewall to block incoming requests based on the original IP address - the firewall needs to decide whether to block a request long before it reads the headers, which is the only place that the original requesting address can be found. If you're on AWS, you can use a network ACL. Otherwise you'd need to have full control over the server performing the reverse proxy, and put the firewall rules on that server.
Looks like you can do pattern matching with iptables: http://wiztelsys.com/Article_iptables_bob2.html
So you'd have to do that for example:
iptables -I INPUT 1 -p tcp --dport <port> -m string --string "X-Forwarded-For: <ip>" --algo bm -j DROP
"-m": matching type = string
"--string": what string
"--algo bm": Boyer-Moore algorithm for pattern matching
Since you mention .htaccess it sounds like you're using Apache Webserver, so I'd recommend adding these rules there instead of in iptables. The basic way of blocking based on X-Forwarded-For in Apache is this:
RewriteCond %{HTTP:X-FORWARDED-FOR} ^171\.42\.6\.123$
RewriteRule .* - [F,L]
Since the IP address is just a string being matched against then you can specify all sorts of regular expressions in your condition. See this question for an example of doing that.
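The two answers above raise the same underlying problem: the address to block only exists inside the X-Forwarded-For header, and that header is partly written by the client. What follows is an added example (not code from the original thread or from any of the posters) showing how an XFF-aware check in front of Apache should read the header: walk the chain from the right, skip only your own proxies, take the first address that is not one of them, and test it against a CIDR blocklist with the `ipaddress` module instead of regular expressions. The blocklist, the trusted-proxy ranges (10.0.0.0/8 and 192.0.2.10 standing in for the load balancer) and the sample headers are all constructed for the example.

```python
import ipaddress
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data. The blocklist is kept in CIDR form; the trusted proxies are
# the hops whose appended X-Forwarded-For entries we are willing to believe.
BLOCKLIST_CIDRS = ["171.42.6.0/24", "203.0.113.0/25", "2001:db8:bad::/48"]
TRUSTED_PROXY_CIDRS = ["10.0.0.0/8", "192.0.2.10/32"]


def parse_cidrs(lines: List[str]) -> List[IPNet]:
    """Turn CIDR strings (or bare addresses) into networks; a bad line raises ValueError."""
    return [ipaddress.ip_network(line.strip(), strict=False) for line in lines if line.strip()]


BLOCKLIST = parse_cidrs(BLOCKLIST_CIDRS)
TRUSTED_PROXIES = parse_cidrs(TRUSTED_PROXY_CIDRS)


def in_any(addr: IPAddr, nets: List[IPNet]) -> bool:
    """Membership test done on integers by the ipaddress module, not on strings."""
    return any(addr.version == net.version and addr in net for net in nets)


def client_ip(xff_header: str, remote_addr: str, trusted: List[IPNet]) -> Optional[IPAddr]:
    """Recover the real client address from X-Forwarded-For.

    Each proxy appends the peer address it saw, so the chain is read from the right:
    skip our own trusted proxies, and the first address that is not one of them is the
    client. Everything to the left of it was supplied by the client and is untrusted.
    Returns None (the caller should fail closed) if the chain cannot be parsed.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    hops.append(remote_addr)  # the TCP peer is the last, implicit hop
    seen: List[IPAddr] = []
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not in_any(addr, trusted):
            return addr
        seen.append(addr)
    # Only our own proxies appeared: the connection originated inside the trusted set.
    return seen[-1]


def decide(xff_header: str, remote_addr: str) -> str:
    """Allow or deny one request, as an XFF-aware filter in front of Apache would."""
    addr = client_ip(xff_header, remote_addr, TRUSTED_PROXIES)
    if addr is None:
        return "deny"
    return "deny" if in_any(addr, BLOCKLIST) else "allow"


if __name__ == "__main__":
    # Constructed requests as the load balancer (10.0.0.5) would hand them to the web server.
    for xff in ("171.42.6.123", "198.51.100.7", "198.51.100.7, 171.42.6.123", "not an ip"):
        print(f"{xff!r:32} -> {decide(xff, '10.0.0.5')}")
```

The third sample header shows why the right-to-left walk matters: a client whose address is on the blocklist can prepend any innocent-looking value it likes, but the address its own proxy appends is still the rightmost untrusted one and is the one that gets checked. In a real Apache deployment the same logic is available as mod_remoteip (`RemoteIPHeader X-Forwarded-For` together with `RemoteIPInternalProxy` for the load balancer's range), after which `Require ip` / `Deny from` see the client address rather than the proxy's. The `-m string` iptables rule quoted above works on raw packet payloads, so it only sees the header if the proxy-to-backend leg is plain HTTP and the header happens not to straddle a packet boundary.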

How to use a domain for two IP's

I have a minecraft server and I want to make it so example.com points to two IP addresses. I want to know how to make it. So, apache, godaddy, or whatever detects a browser and sends it to the website version and when a client is being detected it sends it to the minecraft server.
For example:
I type example.com in my browser and it takes me to the website.
I type example.com in my minecraft server list and hit enter and it shows my minecraft server.
Thank you.
They do this by adding specific entries to your DNS record. By setting an SRV record you can forward all requests on a specified port to a separate target which may be another domain, a sub-domain, separate directory, or another IP address.
Example SRV record:
_http._tcp.example.com. IN SRV 0 5 80 www.example.com.
_minecraft._tcp.example.com. IN SRV 0 5 25565 play.example.com.
In the above example you could also replace the domains used at the end of either record with a separate IP address and it would also work.
Of course your exact method of adding these records depends on who is the host that is controlling your DNS records and what method of edit they offer to you.
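To make the SRV mechanism described in this answer concrete, here is an added example (not code from the answer's author) of what a client that supports SRV actually does with those records: it builds the query name `_service._proto.domain`, picks the lowest-priority answer (weighted among ties), and only falls back to the bare domain on the service's default port when no record exists. The zone text is constructed from the two records above plus one extra backup record. One caveat the answer leaves out: web browsers do not consult SRV records for HTTP, so the `_http._tcp` record is never used by them and the website still depends on the ordinary A record; the Minecraft Java client, by contrast, does look up `_minecraft._tcp`.

```python
import random
from typing import List, NamedTuple, Optional, Tuple


class SrvRecord(NamedTuple):
    name: str      # owner name, lower-cased, without trailing dot
    priority: int  # lower is preferred
    weight: int    # relative share among records of equal priority
    port: int
    target: str    # host to connect to, without trailing dot


# Constructed zone-file excerpt: the two records from the answer plus a backup server.
ZONE = """
_http._tcp.example.com.      IN SRV 0 5 80    www.example.com.
_minecraft._tcp.example.com. IN SRV 0 5 25565 play.example.com.
_minecraft._tcp.example.com. IN SRV 1 5 25565 backup.example.com.
"""


def parse_srv(zone_text: str) -> List[SrvRecord]:
    """Pick the SRV lines out of zone-file text; anything else is ignored."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[1:3] != ["IN", "SRV"]:
            continue
        name, _, _, prio, weight, port, target = fields
        records.append(SrvRecord(name.lower().rstrip("."), int(prio), int(weight),
                                 int(port), target.rstrip(".")))
    return records


def resolve_service(domain: str, service: str, proto: str, records: List[SrvRecord],
                    default_port: Optional[int] = None) -> Optional[Tuple[str, int]]:
    """Mimic an SRV-aware client: look up _service._proto.domain and return (host, port).

    With no matching record the client falls back to the domain itself on default_port,
    or gives up (None) if the protocol has no default.
    """
    qname = f"_{service}._{proto}.{domain}".lower().rstrip(".")
    matches = [r for r in records if r.name == qname]
    if not matches:
        return (domain, default_port) if default_port is not None else None
    best = min(r.priority for r in matches)
    candidates = [r for r in matches if r.priority == best]
    weights = [r.weight for r in candidates]
    if not any(weights):          # RFC 2782: all-zero weights mean "no preference"
        weights = [1] * len(candidates)
    chosen = random.choices(candidates, weights=weights)[0]
    return (chosen.target, chosen.port)


if __name__ == "__main__":
    recs = parse_srv(ZONE)
    print("minecraft:", resolve_service("example.com", "minecraft", "tcp", recs, default_port=25565))
    print("http     :", resolve_service("example.com", "http", "tcp", recs, default_port=80))
    print("ssh      :", resolve_service("example.com", "ssh", "tcp", recs, default_port=22))
```

Because the selection is made by the client from the query name, the same `example.com` that players type resolves to `play.example.com:25565` for Minecraft while never affecting what a browser does with the name; the two services share a domain without sharing an address.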
You can't use a domain for two IP addresses. However, it is possible to have a web server on the same network. That way the domain name should work with the web server and your minecraft server.

Apache unable to access local DNS ip address

I just set up a server in my house using a private IP.
I can access my server using my domain from an outside network / from outside my house.
But I cannot access it from the local network using my domain or my private IP address.
What can be the problem for this? Is it the Apache settings?
(I can access it if I edit the /etc/hosts file)
Did you use the internal or external IP in your hosts file to get it working? If it was the external IP it's probably a DNS issue. If it was the internal IP, the issue could be in the router's NAT.
Some routers/setups will only apply their NAT rules on packets traversing the external internet facing interface.
                 ____________
                |            |
Server ---IntIf-|IntIP--ExtIP|-ExtIf--- Internet
                |____________|
This is a bit simplified, but basically when you access the external IP from the internal network the packet, following the dotted line, reaches the router's external IP before a NAT rule can be applied on ExtIf, and then the router can't find anything listening so it rejects/drops the connection.
To confirm whether it is a DNS problem, run an nslookup $domain from both your local and external boxes and see if they return the same IP address. If the IPs are the same and it's still not working you will need to take a closer look at the router, hopefully that's possible. If not you may need an internal DNS server that can respond with the internal IP addresses for any domains it knows about and then forward any other requests externally.
The NAT issue is called NAT Loopback, Hairpinning or Reflection. See here for a linux solution.
If you can access it when you put in an entry in /etc/hosts, then likely it is DNS related. I am assuming you are putting in the public (external IP) and not an internal IP for testing.
If you have recently updated your DNS, then likely your local router (or ISP's DNS server) will still have the old IP cached or the fact that there is no DNS record setup cached. You could reboot your router to try and clear the cached entry, but it could well be cached at the ISP and you can only wait until it updates there (usually somewhere under 24 hours, often just a few hours). However, you could configure your computer to use a different DNS server for a while - eg. 8.8.8.8 or 4.4.4.4 which are both run by Google.

Config Apache to Use VPS as a Browser Proxy

I am from a country with severe internet censorship. I want to surf the internet freely.
I have a VPS installed with CentOS 5.5 and Apache 2 in the U.S. Assume the VPS has the IP 12.34.56.78.
I want to config it as a browser proxy, like this: 12.34.56.78:8080. (I know how to use the ssh method, but I want to config the VPS as a browser proxy. Put 12.34.56.78:8080 in the browser Firefox, then I can surf the internet freely.)
I have found this link: http://www.vo1dmain.info/how-to-configure-private-proxy-on-vps. But it requires an ssh client on your home computer. And I have a dynamic IP, by the way.
Thanks a lot!
You can do it through Apache; the link you posted tells you how. Here's another one: http://www.enterpriseitplanet.com/networking/features/article.php/11315_3319671_1
And you have several options for your dynamic IP:
Order Deny,Allow
Deny from all
Allow from 192.168.1 .mcslp.pri
You can specify multiple entries made up for IP prefix, domain name, IP address subnets, and IPv6 addresses and subnets. As shown here, it is preferable to specify an IP address and domain, just to be sure (from the posted url).
And you'll need an ssh client... grab putty if you're on Windows.
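The `Allow from 192.168.1 .mcslp.pri` snippet in this answer and the dynamic-DNS hostname suggested for the first question on this page (`gregmyhome.mooo.com`) rely on the same Apache behaviour: an address entry is compared numerically, while a domain entry is checked with a double reverse lookup (PTR for the client address, then a forward lookup of that name, which must contain the original address). The block below is an added example, not code from either answer or from Apache, that evaluates such an allow list against a constructed stand-in for DNS; the addresses, the lying PTR entry for 198.51.100.9 and the `desk.mcslp.pri` host are all made up for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed stand-in for DNS. The PTR record is published by whoever holds the address
# block (for a home connection, the ISP), so a name obtained from it is only trusted once
# the forward lookup of that name points back at the same address.
PTR: Dict[str, str] = {
    "203.0.113.17": "gregmyhome.mooo.com",   # home router; PTR agrees with the forward name
    "198.51.100.9": "gregmyhome.mooo.com",   # someone else's address with a lying PTR
    "192.168.1.20": "desk.mcslp.pri",
}
FORWARD: Dict[str, Set[str]] = {
    "gregmyhome.mooo.com": {"203.0.113.17"},
    "desk.mcslp.pri": {"192.168.1.20"},
}


def verified_hostname(ip: str, ptr=PTR, forward=FORWARD) -> Optional[str]:
    """Double-reverse lookup: return the PTR name only if it resolves back to ip."""
    name = ptr.get(ip)
    if name is None or ip not in forward.get(name, set()):
        return None
    return name


def allow_entry_matches(entry: str, ip: str, hostname: Optional[str]) -> bool:
    """One argument of 'Allow from': a full address, a CIDR subnet, a partial dotted
    prefix such as 192.168.1, or a domain name / suffix such as .mcslp.pri."""
    entry = entry.strip().lower()
    addr = ipaddress.ip_address(ip)
    if "/" in entry:                               # CIDR subnet
        return addr in ipaddress.ip_network(entry, strict=False)
    try:                                           # complete address
        return addr == ipaddress.ip_address(entry)
    except ValueError:
        pass
    if entry.replace(".", "").isdigit():           # partial dotted prefix
        return ip.startswith(entry.rstrip(".") + ".")
    if hostname is None:                           # domain entries need a verified name
        return False
    suffix = entry.lstrip(".")
    return hostname.lower() == suffix or hostname.lower().endswith("." + suffix)


def access_allowed(ip: str, allow_entries: List[str], ptr=PTR, forward=FORWARD) -> bool:
    """'Order Deny,Allow' + 'Deny from all' + 'Allow from ...': in only if some entry matches."""
    hostname = verified_hostname(ip, ptr, forward)
    return any(allow_entry_matches(e, ip, hostname) for e in allow_entries)


PROXY_ALLOW = ["192.168.1", ".mcslp.pri"]   # the Allow line from the answer above
HOME_ALLOW = ["gregmyhome.mooo.com"]        # the dynamic-DNS name from the first question

if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.2.20", "203.0.113.17", "198.51.100.9"):
        print(ip, "proxy:", access_allowed(ip, PROXY_ALLOW), "home:", access_allowed(ip, HOME_ALLOW))
```

The 198.51.100.9 case is the reason the forward check exists: a PTR record can claim any name, and without confirming it forward an attacker who controls reverse DNS for their own range could pass as `gregmyhome.mooo.com`. The flip side is the caveat the dynamic-DNS answer glosses over: for a home connection the PTR is set by the ISP and normally reads something like `customer1337.newyork.bestisp.com`, not the name registered at freedns, so a `gregmyhome.mooo.com` entry only works if the PTR for the current address actually resolves to it (the constructed table here assumes it does). Where it does not, the fixed ISP hostname from the first answer, or the htpasswd / client-certificate route, is the workable option.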