Apache2 Access Restricted by Local Area Network

Until recently, I had many virtual sites set up like this:

<VirtualHost 127.0.0.1:1234> ... 

This is great for testing on my local machine, where I use the Linux desktop. To check how MS and Explorer display my pages from my Windows laptop, I changed this to

 <VirtualHost *:1234> ... 

Which also works great when calling a site with http://[mylinuxservername]:1234 on my IE laptop. However, I want to restrict this pattern to the local LAN. Including any IP, for example 192.nnn.nnn.nnn or 192.*.*.* with wildcards, results in a 403 Forbidden on the Windows machine. The local server still works fine on my Linux server:

 <VirtualHost 127.0.0.1:1234 192.*.*.*:1234> ... 

or

 <VirtualHost 127.0.0.1:1234 192.nnn.nnn.nnn:1234> #exact IP of laptop ... 

Anyway, I don't like this wildcard in the second configuration example above. Anyone tell me?

+4
3 answers

The VirtualHost parameter is the local addresses you are listening to, not the remote ones.

In Apache 2.4 and later, use the Require directive:

 Require ip 127.0.0.0/8
 Require ip 192.0.0.0/8

If you are using Apache 2.2 or earlier, use the authz_host configuration:

 Order Allow,Deny
 Allow from 127.0.0.0/8
 Allow from 192.168.0.0/16

This may also work on Apache 2.4, but Order and Allow are deprecated.

+10

Just notice that some noobies like me come here :)

Apache HTTP server is configured by placing directives in text form configuration files. The main configuration file is usually called httpd.conf. Basic configuration files

For version 2.4

The Allow, Deny, and Order directives provided by mod_access_compat are deprecated and will be removed in a future version. You should avoid using them and avoid obsolete manuals recommending their use. Access control

 Require ip 127.0.0.0/8
 Require ip 192.0.0.0/8

or (not exactly the same)

 Require ip 127.0
 Require ip 192.168
+4
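
The `Require ip` forms shown in the answers above do not admit the same set of clients. As an added example (not part of any answer, and not Apache's own code), this Python script models the IPv4 argument forms of `Require ip` and checks a few constructed client addresses against each rule set; the function names, rule-set labels and sample clients are assumptions.

```python
import ipaddress

def require_ip_to_network(spec):
    """Map one IPv4 `Require ip` argument to the network it matches.

    Covers full and partial addresses (first 1-3 octets), network/netmask
    and network/CIDR. IPv6 is not modelled here.
    """
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"not an IPv4 Require ip argument: {spec!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def is_allowed(client, specs):
    """Sibling Require lines are ORed (implicit RequireAny)."""
    addr = ipaddress.ip_address(client)
    return any(addr in require_ip_to_network(s) for s in specs)

# Rule sets taken from the answers above.
RULESETS = {
    "cidr_slash8": ["127.0.0.0/8", "192.0.0.0/8"],
    "partial": ["127.0", "192.168"],
    # Ranges of the 2.2 Allow example, written for Require ip.
    "lan_only": ["127.0.0.0/8", "192.168.0.0/16"],
}

# Constructed sample clients (not from the page).
CLIENTS = [
    "127.0.0.1",     # loopback
    "127.1.2.3",     # loopback, outside 127.0.0.0/16
    "192.168.1.20",  # typical home-LAN address
    "192.0.2.10",    # documentation range (RFC 5737), not a LAN address
    "10.0.0.5",      # private, but in none of the rule sets
]

def evaluate():
    """Return {ruleset: {client: allowed}} for every combination."""
    return {name: {c: is_allowed(c, specs) for c in CLIENTS}
            for name, specs in RULESETS.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        admitted = [c for c, ok in result.items() if ok]
        print(f"{name:12} admits {', '.join(admitted)}")
```

Only the `192.0.0.0/8` rule set admits `192.0.2.10`, which lies outside the 192.168.0.0/16 private range, and the partial form `127.0` covers a /16 rather than the whole loopback /8.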

Use iptables to restrict access to the computer itself. The first command allows HTTP traffic from any network in the 192 range (note that I think you need 192.168 to really be local, but I could be wrong). The second command simply removes packets from other sources for port 80

 iptables -I INPUT 1 -s 192.0.0.0/8 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
 iptables -I INPUT 2 -p tcp --dport 80 -m state --state NEW -j DROP

Then in your virtual host you can do <VirtualHost *:80>

0

Source: https://habr.com/ru/post/1286299/