captainober asked:
Allow, deny access to Apache by IP Addr.
I'm new to the Apache world so please excuse my ignorance...and I did already consult the PAQs and FAQs...
For those of you familiar with IIS, I'm trying to do the following: Open ISM on the webserver | right click (either the web site or Virtual Directory) | Properties | Directory Security tab | select the radio button for Deny Access .... after that I select which IP address I want to grant access from. All others are excluded.
So, in Apache, how do I restrict access to all other hosts except 127.0.0.1? Methinks, by looking at some other posts, that it may be located in either <VirtualHost> or possibly mod_access.
Thanks in advance!
Captain0ber
ASKER
Here is what my <directory> looks like.
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
Is any of this contradictory to what you sent me? It doesn't seem to work when I add the text that you suggested above. I went to another server and pulled up the page from across the network...bummer :( So maybe I need to edit what is currently in there and then add your text.
CaptainOber.
ASKER
Well, I think I'm getting closer. Those links don't really help me much though. I'm having trouble understanding any of the doco....but I've been in the Apache world for 5 days so...
I have been able to deny access from other hosts by editing my httpd.conf file like so:
<Directory "D:/PROGRA~1/CSCOpx/htdocs/">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Directory>
and..
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
However, now I can't access my page locally. (404 not found. Wrong URL or page doesn't exist /apache/htdocs)
This line is present in the Global environment section:
ServerRoot D:/PROGRA~1/CSCOpx/lib/web
Perhaps I need to work some mojo on that...or not.
As you can tell (possibly) this is a stripped down Cisco version of Apache (/CSCpx/lib/web).
Many thanks for your time and effort. I think we're really close!! (I doubled the points)
Capt. Ober
Order allow,deny
Allow from localhost
#Deny from all # do not use !!
ASKER
ahoffmann,
are you telling me to not use Deny All? not to use loop back? I have tried a variety of different interpretations of what you suggested - none work. The remote host now receives a not found rather than an access denied. please be more descriptive.
ok, you can use "localhost 127.0.0.1" instead of just "localhost".
If you get "not found", then you're on the right track, 'cause it authenticates correctly (not "access denied").
You have to write these lines in all your <Location> and <Directory> scopes you wish to protect.
ASKER
still not getting it. what can I provide (httpd.conf file?) that would help move this along?
Capt.
post the essential parts of your httpd.conf ...
ASKER
ServerRoot D:/PROGRA~1/CSCOpx/lib/web
DocumentRoot D:/PROGRA~1/CSCOpx/htdocs
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
PassEnv COMPUTERNAME
<Directory "D:/PROGRA~1/CSCOpx/htdocs">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
UserDir D:/PROGRA~1/CSCOpx/users
<Directory "D:/PROGRA~1/CSCOpx/cgi-bin">
AllowOverride None
Options None
</Directory>
LoadModule perl_module modules/ApacheModulePerl.dll
ErrorDocument 403 /cgi-bin/error/403.pl
ErrorDocument 404 /cgi-bin/error/404.pl
ErrorDocument 500 /cgi-bin/error/500.pl
<Perl>
use Socket;
use Sys::Hostname;
my $host = hostname();
my $addr = inet_ntoa(scalar gethostbyname( $host || 'localhost'));
$ServerName = $addr;
</Perl>
PerlPassEnv TERM EDITOR NOCHANCE USER
PerlSetEnv KeyForPerlSetEnv OK
PerlSetEnv KeyForPerlSetVar OK
Alias /perl/ D:/PROGRA~1/CSCOpx/modperl-scripts/
<Location /perl>
SetHandler perl-script
PerlHandler Apache::Registry
Options +ExecCGI
PerlSendHeader On
</Location>
Alias /CSCOnm/classpath/ "D:/PROGRA~1/CSCOpx/www/classpath/"
Alias /jrm/com/ "D:/PROGRA~1/CSCOpx/www/classpath/"
ScriptAlias /cgi-bin/ "D:/PROGRA~1/CSCOpx/cgi-bin/"
AddHandler csco-perl-script .pl
<IfDefine SSL>
LoadModule ssl_module modules/ApacheModuleSSL.dll
Listen 1741
Listen 1742
SSLPassPhraseDialog builtin
SSLSessionCache dbm:D:\PROGRA~1\CSCOpx\log\ssl_scache
SSLSessionCacheTimeout 600
SSLMutex file:D:\PROGRA~1\CSCOpx\log\ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLogLevel none
<VirtualHost _default_:1742>
SSLCertificateFile D:\PROGRA~1\CSCOpx\lib\web\conf\server.crt
SSLCertificateKeyFile D:\PROGRA~1\CSCOpx\lib\web\conf\server.key
SSLEngine on
</VirtualHost>
</IfDefine>
include D:\PROGRA~1\CSCOpx\lib\web\conf\cmf-app.conf
LoadModule jrun_module modules/mod_jrun.dll
<Location /CSCOnm/servlet>
SetHandler jrun-handler
</Location>
JRunConfig Verbose false
JRunConfig ProxyHost 127.0.0.1
JRunConfig ProxyPort 42343
JRunConfig InitPoolSize 1
JRunConfig MaxPoolSize 50
JRunConfig Timeout 7200
JRunConfig Mappings D:/PROGRA~1/CSCOpx/lib/jrun/jsm-cw2000/services/jse/properties/rules.properties
Hope this helps! Many thanks for all your effort.
...
<Directory "D:/PROGRA~1/CSCOpx/htdocs">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from localhost 127.0.0.1
</Directory>
ASKER
These settings, by themselves, only preclude the Apache service from running (restarting). Were you saying this is the only change to make?
Capt.
No, I meant that you replace this with the corresponding lines in your file.
ASKER
You were right. I was looking in the wrong place. I read today that Apache has a steep learning curve.....very true!
The fairest thing to do (IMHO) is give you the points but less than what was posted in the end. Hope you find this acceptable and equitable.
Thanks
According to the grading: does this mean that samri's suggestion works, while mine did not?
capt. ober,
what ahoffman really means is that whether the solution proposed by me is actually the best available.
I would believe the options proposed by ahoffmann are also equally important. And again, it's up to the asker to decide.
Personally, I would have proceeded with a points split.
maybe Mods in CmtySupport could help.
cheers.
samri.
ASKER
Absolutely. You were both right. samri, you had it first, but ahoffman, you provided valuable input as well. I would love to do a points split but personally I would prefer to do a 49-51 split - just a symbolic gesture for samri, whose advice, if I would have followed/understood it, was the solution I was looking for.
Mods: How can I fix this? Hopefully I haven't offended anyone.
Capt.
If samri's suggestion works (I'm wondering, 'cause I never got it working for me), grading goes there, that's ok.
ahoffman,
I am not that surprised that it *might* not work. The config part is copied from the Apache website;
http://httpd.apache.org/docs/mod/mod_access.html#order
---
In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.
Order Deny,Allow
Deny from all
Allow from apache.org
---
and changed the apache.org to 127.0.0.1
To be honest, I never tested it though :(
capt. ober:
For assistance, you could post a 0 pts question in https://www.experts-exchange.com/commspt/ and explain what needs to be done. Sometimes they might be able to suggest what is the best approach.
cheers.
For your case, you would need to apply the following directive to the portion of the web that you want to protect;
Order deny,allow
Deny from all
Allow from 127.0.0.1
This directive can be in <Directory>, <Location>, <Limit> tags (and a few others I think), or in an .htaccess file.
Some docs on Apache website on how to work with authentication and ACL.
http://httpd.apache.org/docs/howto/auth.html
http://httpd.apache.org/docs/howto/auth.html#access
The module you would be looking at would be mod_access, and it's part of standard apache base module;
http://httpd.apache.org/docs/howto/auth.html#access
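Both working answers in this thread (samri's "Order deny,allow / Deny from all / Allow from 127.0.0.1" and ahoffmann's "Order allow,deny / Allow from localhost 127.0.0.1" with no Deny line) depend on how mod_access combines the Order, Allow and Deny directives. The following Python model of that decision rule is an added illustration, not code from the thread or from Apache; it simplifies "localhost" to the loopback range (real mod_access resolves host names via reverse DNS), and the configs and client addresses are constructed from the snippets posted above.

```python
import ipaddress

def _matches(pattern, client):
    # One 'Allow/Deny from' argument: all, full IP, dotted prefix (10.1),
    # CIDR, or 'localhost' (simplified here to the loopback range).
    ip = ipaddress.ip_address(client)
    if pattern == "all":
        return True
    if pattern == "localhost":
        return ip.is_loopback
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    parts = pattern.rstrip(".").split(".")
    if all(p.isdigit() for p in parts):
        return client.split(".")[:len(parts)] == parts
    return False  # other host names are not resolved in this model

def access_allowed(directives, client):
    # directives: [(name, argument)] in file order, e.g. ("Deny", "all").
    # Order deny,allow: default ALLOW, an Allow match overrides a Deny match.
    # Order allow,deny: default DENY, a Deny match overrides an Allow match.
    order, allowed, denied = "deny,allow", False, False
    for name, arg in directives:
        name = name.lower()
        if name == "order":
            order = arg.lower().replace(" ", "")
            continue
        hit = any(_matches(p, client) for p in arg.split())
        if name == "allow":
            allowed |= hit
        elif name == "deny":
            denied |= hit
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

# Constructed from the snippets posted in this thread.
THREAD_CONFIGS = {
    "samri":     [("Order", "deny,allow"), ("Deny", "all"), ("Allow", "127.0.0.1")],
    "ahoffmann": [("Order", "allow,deny"), ("Allow", "localhost 127.0.0.1")],
    "original":  [("Order", "allow,deny"), ("Allow", "all")],
    "deny_all_with_allow_deny": [("Order", "allow,deny"), ("Allow", "localhost"), ("Deny", "all")],
}

def evaluate_all(clients=("127.0.0.1", "10.0.0.5")):
    # Returns {config: (local_allowed, remote_allowed)} for each snippet.
    return {k: tuple(access_allowed(d, c) for c in clients) for k, d in THREAD_CONFIGS.items()}
```

The last entry shows why ahoffmann marked "Deny from all" as "do not use" together with Order allow,deny: Deny overrides Allow there, so even localhost is locked out. In Apache 2.4 these directives were replaced by mod_authz_host, where the equivalent is "Require ip 127.0.0.1".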