  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 720

Allow, deny access to Apache by IP Addr.

I'm new to the Apache world so please excuse my ignorance...and I did already consult the PAQs and FAQs...

For those of you familiar with IIS, I'm trying to do the following: Open ISM on the web server | right click (either the web site or Virtual Directory) | Properties | Directory Security tab | select the radio button for Deny Access ... after that I select which IP address I want to grant access from. All others are excluded.

So, in Apache, how do I restrict access to all other hosts except 127.0.0.1? Methinks, by looking at some other posts, that it may be located in either <VirtualHost> or possibly mod_access.

Thanks in advance!

Captain0ber
0
1 Solution
 
samri Commented:
CaptainOber,

For your case, you would need to apply the following directives to the portion of the web that you want to protect:

Order deny,allow
Deny from all
Allow from 127.0.0.1

These directives can be in a <Directory>, <Location>, or <Limit> tag (and a few others I think), or in a .htaccess file.

Some docs on Apache website on how to work with authentication and ACL.
http://httpd.apache.org/docs/howto/auth.html
http://httpd.apache.org/docs/howto/auth.html#access

The module you would be looking at would be mod_access, and it's part of standard apache base module;
http://httpd.apache.org/docs/howto/auth.html#access
0
 
captainober (Author) Commented:
Here is what my <directory> looks like.


<Directory />

    Options FollowSymLinks

    AllowOverride None

</Directory>

Is any of this contradictory to what you sent me? It doesn't seem to work when I add the text that you suggested above. I went to another server and pulled up the page from across the network...bummer :( So maybe I need to edit what is currently in there and then add your text.

CaptainOber.
0
 
samri Commented:
CaptainOber,

There would be a few <Directory> tags in the Apache configuration file (httpd.conf), and each is effective for that directory structure UNLESS there is another <Directory> tag for the folders inside that directory hierarchy.

I would presume that this is what you had;
<Directory />
   Options FollowSymLinks
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1
</Directory>

This will make all directories of your website accessible from 127.0.0.1 ONLY.

However, if you scroll down the httpd.conf, there would be a few more Directory directives. Specifically look for (on Win32 Apache)

<Directory "C:/Program Files/Apache Group/Apache/htdocs">

and change the
    Order allow,deny
    Allow from all
to

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

For more discussion, please visit the Apache website:

http://httpd.apache.org/docs/mod/mod_access.html#order
http://httpd.apache.org/docs/howto/auth.html#allowdeny

Hope this helps.

0
 
captainober (Author) Commented:
Well, I think I'm getting closer.  Those links don't really help me much though.  I'm having trouble understanding any of the doco....but I've been in the Apache world for 5 days so...

I have been able to deny access from other hosts by editing my httpd.conf file like so:
<Directory "D:/PROGRA~1/CSCOpx/htdocs/" >
 Order Deny,Allow
 Deny from all
 Allow from 127.0.0.1
 </Directory>

and..

<Directory />
  Options FollowSymLinks
  AllowOverride None
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
  </Directory>

However, now I can't access my page locally.  (404 not found.  Wrong URL or page doesn't exist /apache/htdocs)

This line is present in the Global environment section:
ServerRoot D:/PROGRA~1/CSCOpx/lib/web
Perhaps I need to work some mojo on that...or not.

As you can tell (possibly) this is a stripped down Cisco version of Apache (/CSCpx/lib/web).

Many thanks for your time and effort.  I think we're really close!!  (I doubled the points)

Capt. Ober

0
 
ahoffmann Commented:
Order          allow,deny
Allow from     localhost
#Deny from     all # do not use !!
0
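
The directive interaction discussed in the posts above, modelled as an added example (not code from any poster and not Apache's own): how Order resolves overlapping Allow and Deny lines, and why the most specific <Directory> section carrying access directives decides the result. The remote address, file name and function names are assumptions; only sections that contain access directives are listed, and hostname specs such as localhost are not modelled.

```python
import ipaddress

def host_matches(spec, client_ip):
    # "all", a single IP or a CIDR block; hostname specs are not modelled here.
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def evaluate(section, client_ip):
    # Apply one section's Order/Allow/Deny lists to a client address.
    allowed = any(host_matches(s, client_ip) for s in section["allow"])
    denied = any(host_matches(s, client_ip) for s in section["deny"])
    if section["order"] == "deny,allow":
        # Deny is evaluated first and Allow overrides it; no match means allowed.
        return allowed or not denied
    # allow,deny: Allow is evaluated first, Deny overrides it; no match means denied.
    return allowed and not denied

def is_allowed(sections, fs_path, client_ip):
    # Pick the most specific <Directory> covering fs_path. A section with its own
    # access directives inherits none from the sections above it.
    best = None
    for s in sections:
        d = s["dir"].rstrip("/")
        covers = d == "" or fs_path == d or fs_path.startswith(d + "/")
        if covers and (best is None or len(d) > len(best["dir"].rstrip("/"))):
            best = s
    return True if best is None else evaluate(best, client_ip)

def rule(directory, order, allow, deny):
    return {"dir": directory, "order": order, "allow": allow, "deny": deny}

HTDOCS = "D:/PROGRA~1/CSCOpx/htdocs"  # DocumentRoot quoted in the thread
PAGE, LOCAL, REMOTE = HTDOCS + "/index.html", "127.0.0.1", "192.0.2.10"  # constructed
ROOT_LOCKED = rule("/", "deny,allow", ["127.0.0.1"], ["all"])
CONFIGS = {  # each value lists the sections that carry access directives
    "root_only": [ROOT_LOCKED, rule(HTDOCS, "allow,deny", ["all"], [])],
    "deny_allow": [ROOT_LOCKED, rule(HTDOCS, "deny,allow", ["127.0.0.1"], ["all"])],
    "allow_deny_plus_deny_all": [rule(HTDOCS, "allow,deny", ["127.0.0.1"], ["all"])],
    "allow_deny_allowlist": [rule(HTDOCS, "allow,deny", ["127.0.0.1"], [])],
}

def outcomes():
    # Map each configuration to (local client allowed, remote client allowed).
    return {n: (is_allowed(s, PAGE, LOCAL), is_allowed(s, PAGE, REMOTE))
            for n, s in CONFIGS.items()}

if __name__ == "__main__":
    for name, result in outcomes().items():
        print(name, result)
```
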
 
captainober (Author) Commented:
ahoffmann,

Are you telling me to not use Deny All? Not to use loopback? I have tried a variety of different interpretations of what you suggested - none work. The remote host now receives a not found rather than an access denied. Please be more descriptive.
0
 
ahoffmann Commented:
ok, you can use  "localhost 127.0.0.1" instead of just "localhost".

If you get "not found", then you're on the right track, 'cause it authenticates correctly (not "access denied").

You have to write these lines in all your
<Location> and <Directory> scopes you wish to protect.
0
 
captainober (Author) Commented:
still not getting it.  what can I provide (httpd.conf file?) that would help move this along?

Capt.
0
 
ahoffmann Commented:
post the essential parts of your httpd.conf ...
0
 
captainober (Author) Commented:
ServerRoot D:/PROGRA~1/CSCOpx/lib/web

DocumentRoot D:/PROGRA~1/CSCOpx/htdocs

<Directory />
Options FollowSymLinks
AllowOverride None

</Directory>
<Files .htaccess>
Order allow,deny
Deny from all
</Files>

PassEnv COMPUTERNAME

<Directory "D:/PROGRA~1/CSCOpx/htdocs">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
UserDir D:/PROGRA~1/CSCOpx/users>
<Directory "D:/PROGRA~1/CSCOpx/cgi-bin">
AllowOverride None
Options None
</Directory>
LoadModule perl_module  modules/ApacheModulePerl.dll
ErrorDocument 403 /cgi-bin/error/403.pl
ErrorDocument 404 /cgi-bin/error/404.pl
ErrorDocument 500 /cgi-bin/error/500.pl
<Perl>
use Socket;
use Sys::Hostname;
my $host = hostname();
my $addr = inet_ntoa(scalar gethostbyname( $host || 'localhost'));
$ServerName = $addr;
</Perl>
PerlPassEnv TERM EDITOR NOCHANCE USER
PerlSetEnv KeyForPerlSetEnv OK
PerlSetEnv KeyForPerlSetVar OK
Alias /perl/ D:/PROGRA~1/CSCOpx/modperl-scripts/
<Location /perl>
SetHandler perl-script
PerlHandler Apache::Registry
Options +ExecCGI
PerlSendHeader On
</Location>  
Alias /CSCOnm/classpath/  "D:/PROGRA~1/CSCOpx/www/classpath/"
Alias /jrm/com/  "D:/PROGRA~1/CSCOpx/www/classpath/"
ScriptAlias /cgi-bin/ "D:/PROGRA~1/CSCOpx/cgi-bin/"
AddHandler csco-perl-script .pl
<IfDefine SSL>
LoadModule ssl_module modules/ApacheModuleSSL.dll
Listen 1741
Listen 1742
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:D:\PROGRA~1\CSCOpx\log\ssl_scache
SSLSessionCacheTimeout  600
SSLMutex  file:D:\PROGRA~1\CSCOpx\log\ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLogLevel none
<VirtualHost _default_:1742>
SSLCertificateFile D:\PROGRA~1\CSCOpx\lib\web\conf\server.crt
SSLCertificateKeyFile D:\PROGRA~1\CSCOpx\lib\web\conf\server.key
SSLEngine on
</VirtualHost>
</IfDefine>
include D:\PROGRA~1\CSCOpx\lib\web\conf\cmf-app.conf
LoadModule jrun_module modules/mod_jrun.dll
<Location /CSCOnm/servlet>
SetHandler jrun-handler
</Location>
JRunConfig Verbose false
JRunConfig ProxyHost 127.0.0.1
JRunConfig ProxyPort 42343
JRunConfig InitPoolSize 1
JRunConfig MaxPoolSize 50
JRunConfig Timeout 7200
JRunConfig Mappings D:/PROGRA~1/CSCOpx/lib/jrun/jsm-cw2000/services/jse/properties/rules.properties

Hope this helps!  Many thanks for all your effort.
0
 
ahoffmann Commented:
...
<Directory "D:/PROGRA~1/CSCOpx/htdocs">
   Options FollowSymLinks
   AllowOverride None
   Order allow,deny
   Allow from localhost 127.0.0.1
</Directory>
0
 
captainober (Author) Commented:
These settings, by themselves, only preclude the Apache service from running (restarting).  Were you saying this is the only change to make?

Capt.
0
 
ahoffmann Commented:
no, I meant that you replace this with the corresponding ings in your file
0
 
captainober (Author) Commented:
You were right. I was looking in the wrong place. I read today that Apache has a steep learning curve.....very true!
The fairest thing to do (IMHO) is give you the points but less than what was posted in the end.  Hope you find this acceptable and equitable.

Thanks
0
 
ahoffmann Commented:
According to the grading: does this mean that samri's suggestion works, while mine did not?
0
 
samri Commented:
capt. ober,

What ahoffmann really means is whether the solution proposed by me is actually the best available.

I would believe the options proposed by ahoffmann are also equally important. And again, it's up to the asker to decide.

Personally, I would have proceeded with a points split.

maybe Mods in CmtySupport could help.

cheers.
samri.
0
 
captainober (Author) Commented:
Absolutely. You were both right. samri, you had it first, but ahoffmann, you provided valuable input as well. I would love to do a points split but personally I would prefer to do a 49-51 split - just a symbolic gesture for samri, whose advice, if I would have followed/understood it, was the solution I was looking for.

Mods:  How can I fix this?  Hopefully I haven't offended anyone.

Capt.
0
 
ahoffmann Commented:
If samri's suggestion works (I'm wondering, 'cause I never got it for me), grading goes there, that's ok.
0
 
samri Commented:
ahoffmann,

I am not that surprised that it *might* not work. The config part is copied from the Apache website:

http://httpd.apache.org/docs/mod/mod_access.html#order
---
In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.

     Order Deny,Allow
     Deny from all
     Allow from apache.org
---
and changed the apache.org to 127.0.0.1

To be honest, I never tested it though :(

capt. ober:

For assistance, you could post a 0 pts question in http://www.experts-exchange.com/commspt/ and explain what needs to be done. Sometimes they might be able to suggest what is the best approach.

cheers.
0
Question has a verified solution.
