Solved

Allow, deny access to Apache by IP Addr.

Posted on 2002-07-22
Last Modified: 2012-06-22
I'm new to the Apache world so please excuse my ignorance...and I did already consult the PAQs and FAQs...

For those of you familiar with IIS, I'm trying to do the following: Open ISM on the webserver | right click (either the web site or Virtual Directory) | Properties | Directory Security tab | select radio button for Deny Access ... after that I select which IP address I want to grant access from.  All others are excluded.

So, in Apache, how do I restrict access to all other hosts except 127.0.0.1?  Methinks, by looking at some other posts, that it may be located in either <VirtualHost> or possibly mod_access.

Thanks in advance!

Captain0ber
Question by:captainober
19 Comments
 
LVL 15

Expert Comment

by:samri
ID: 7170954
CaptainOber,

For your case, you would need to apply the following directives to the portion of the web site that you want to protect;

Order deny,allow
Deny from all
Allow from 127.0.0.1

This directive can be in <Directory>,<Location> ,<Limit> tag (and a few others I think), or in .htaccess file.

Some docs on Apache website on how to work with authentication and ACL.
http://httpd.apache.org/docs/howto/auth.html
http://httpd.apache.org/docs/howto/auth.html#access

The module you would be looking at would be mod_access, and it's part of standard apache base module;
http://httpd.apache.org/docs/howto/auth.html#access
0
 

Author Comment

by:captainober
ID: 7174808
Here is what my <directory> looks like.


<Directory />

    Options FollowSymLinks

    AllowOverride None

</Directory>

Is any of this contradictory to what you sent me?  It doesn't seem to work when I add the text that you suggested above.  I went to another server and pulled up the page from across the network...bummer:(  So maybe I need to edit what is currently in there and then add your text.

CaptainOber.
0
 
LVL 15

Accepted Solution

by:
samri earned 275 total points
ID: 7176152
CaptainOber,

There would be a few <Directory> tags in the Apache configuration file (httpd.conf), and each is effective for that directory structure UNLESS there is another <Directory> tag for the folders inside that directory hierarchy.

I would presume that this is what you had;
<Directory />
   Options FollowSymLinks
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1
</Directory>

This will make all directories of your website accessible from 127.0.0.1 ONLY.

However, if you scroll down the httpd.conf, there would be a few more Directory directives.  Specifically look for (on Win32 Apache)

<Directory "C:/Program Files/Apache Group/Apache/htdocs">

and change the
    Order allow,deny
    Allow from all
to

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

For more discussion, please visit the Apache website;

http://httpd.apache.org/docs/mod/mod_access.html#order
http://httpd.apache.org/docs/howto/auth.html#allowdeny

Hope this helps.

0
 

Author Comment

by:captainober
ID: 7179845
Well, I think I'm getting closer.  Those links don't really help me much though.  I'm having trouble understanding any of the doco....but I've been in the Apache world for 5 days so...

I have been able to deny access from other hosts by editing my httpd.conf file like so:
<Directory "D:/PROGRA~1/CSCOpx/htdocs/" >
 Order Deny,Allow
 Deny from all
 Allow from 127.0.0.1
 </Directory>

and..

<Directory />
  Options FollowSymLinks
  AllowOverride None
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
  </Directory>

However, now I can't access my page locally.  (404 not found.  Wrong URL or page doesn't exist /apache/htdocs)

This line is present in the Global environment section:
ServerRoot D:/PROGRA~1/CSCOpx/lib/web
Perhaps I need to work some mojo on that...or not.

As you can tell (possibly) this is a stripped down Cisco version of Apache (/CSCpx/lib/web).

Many thanks for your time and effort.  I think we're really close!!  (I doubled the points)

Capt. Ober

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7180079
Order          allow,deny
Allow from     localhost
#Deny from     all # do not use !!
0
 

Author Comment

by:captainober
ID: 7180191
ahoffmann,

Are you telling me to not use Deny All?  Not to use loopback?  I have tried a variety of different interpretations of what you suggested - none work.  The remote host now receives a not found rather than an access denied.  Please be more descriptive.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7180224
ok, you can use  "localhost 127.0.0.1" instead of just "localhost".

If you get "not found", then you're on the right track, 'cause it authenticates correctly (not "access denied").

You have to write these lines in all your
<Location> and <Directory> scopes you wish to protect.
0
 

Author Comment

by:captainober
ID: 7185962
Still not getting it.  What can I provide (httpd.conf file?) that would help move this along?

Capt.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7186337
post the essential parts of your httpd.conf ...
0
 

Author Comment

by:captainober
ID: 7187018
ServerRoot D:/PROGRA~1/CSCOpx/lib/web

DocumentRoot D:/PROGRA~1/CSCOpx/htdocs

<Directory />
Options FollowSymLinks
AllowOverride None

</Directory>
<Files .htaccess>
Order allow,deny
Deny from all
</Files>

PassEnv COMPUTERNAME

<Directory "D:/PROGRA~1/CSCOpx/htdocs">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
UserDir D:/PROGRA~1/CSCOpx/users>
<Directory "D:/PROGRA~1/CSCOpx/cgi-bin">
AllowOverride None
Options None
</Directory>
LoadModule perl_module  modules/ApacheModulePerl.dll
ErrorDocument 403 /cgi-bin/error/403.pl
ErrorDocument 404 /cgi-bin/error/404.pl
ErrorDocument 500 /cgi-bin/error/500.pl
<Perl>
use Socket;
use Sys::Hostname;
my $host = hostname();
my $addr = inet_ntoa(scalar gethostbyname( $host || 'localhost'));
$ServerName = $addr;
</Perl>
PerlPassEnv TERM EDITOR NOCHANCE USER
PerlSetEnv KeyForPerlSetEnv OK
PerlSetEnv KeyForPerlSetVar OK
Alias /perl/ D:/PROGRA~1/CSCOpx/modperl-scripts/
<Location /perl>
SetHandler perl-script
PerlHandler Apache::Registry
Options +ExecCGI
PerlSendHeader On
</Location>  
Alias /CSCOnm/classpath/  "D:/PROGRA~1/CSCOpx/www/classpath/"
Alias /jrm/com/  "D:/PROGRA~1/CSCOpx/www/classpath/"
ScriptAlias /cgi-bin/ "D:/PROGRA~1/CSCOpx/cgi-bin/"
AddHandler csco-perl-script .pl
<IfDefine SSL>
LoadModule ssl_module modules/ApacheModuleSSL.dll
Listen 1741
Listen 1742
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:D:\PROGRA~1\CSCOpx\log\ssl_scache
SSLSessionCacheTimeout  600
SSLMutex  file:D:\PROGRA~1\CSCOpx\log\ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLogLevel none
<VirtualHost _default_:1742>
SSLCertificateFile D:\PROGRA~1\CSCOpx\lib\web\conf\server.crt
SSLCertificateKeyFile D:\PROGRA~1\CSCOpx\lib\web\conf\server.key
SSLEngine on
</VirtualHost>
</IfDefine>
include D:\PROGRA~1\CSCOpx\lib\web\conf\cmf-app.conf
LoadModule jrun_module modules/mod_jrun.dll
<Location /CSCOnm/servlet>
SetHandler jrun-handler
</Location>
JRunConfig Verbose false
JRunConfig ProxyHost 127.0.0.1
JRunConfig ProxyPort 42343
JRunConfig InitPoolSize 1
JRunConfig MaxPoolSize 50
JRunConfig Timeout 7200
JRunConfig Mappings D:/PROGRA~1/CSCOpx/lib/jrun/jsm-cw2000/services/jse/properties/rules.properties

Hope this helps!  Many thanks for all your effort.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7187429
...
<Directory "D:/PROGRA~1/CSCOpx/htdocs">
   Options FollowSymLinks
   AllowOverride None
   Order allow,deny
   Allow from localhost 127.0.0.1
</Directory>
0
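The Order/Allow/Deny logic both experts rely on, and the reason rules placed only in <Directory /> had no effect here, as an added example that is not part of the original thread. It is a simplified Python model of mod_access: only `all`, single IPs and CIDR values are handled, the most specific <Directory> section that sets access rules is assumed to win, and the sample clients and `PAGE` path are constructed.

```python
import ipaddress

def matches(spec, ip):
    # Only "all", single IPs and CIDR blocks are modelled (no hostnames, no partial IPs).
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def allowed(rules, ip):
    """Apply mod_access Order/Allow/Deny semantics to one client address."""
    if rules is None:                      # no access directives apply: open
        return True
    hit_allow = any(matches(s, ip) for s in rules.get("allow", []))
    hit_deny = any(matches(s, ip) for s in rules.get("deny", []))
    order = rules["order"].replace(" ", "").lower()
    if order == "deny,allow":              # default allow; Allow overrides Deny
        return hit_allow or not hit_deny
    if order == "allow,deny":              # default deny; Deny overrides Allow
        return hit_allow and not hit_deny
    raise ValueError("unsupported Order: " + rules["order"])

def effective_rules(sections, path):
    """Simplified model: the longest matching <Directory> that sets access rules wins."""
    best = None
    for prefix, rules in sections.items():
        inside = prefix == "/" or (path.lower() + "/").startswith(prefix.lower().rstrip("/") + "/")
        if rules and inside and (best is None or len(prefix) > len(best)):
            best = prefix
    return sections[best] if best else None

def check(sections, path, ip):
    return allowed(effective_rules(sections, path), ip)

HTDOCS = "D:/PROGRA~1/CSCOpx/htdocs"
PAGE = HTDOCS + "/index.html"              # constructed sample path
LOCAL, REMOTE = "127.0.0.1", "192.0.2.10"  # constructed sample clients
LOOPBACK_ONLY = {"order": "deny,allow", "deny": ["all"], "allow": ["127.0.0.1"]}
OPEN = {"order": "allow,deny", "allow": ["all"]}
# First attempt in the thread: rules added to <Directory /> only, htdocs still open.
first_try = {"/": LOOPBACK_ONLY, HTDOCS: OPEN}
# Accepted solution: the htdocs section itself is restricted.
accepted = {"/": LOOPBACK_ONLY, HTDOCS: LOOPBACK_ONLY}
# ahoffmann's variant: allow,deny with no Deny line.
variant = {"/": None, HTDOCS: {"order": "allow,deny", "allow": ["127.0.0.1"]}}
# Same variant with "Deny from all" left in: Deny wins and locks everyone out.
locked = {"/": None, HTDOCS: {"order": "allow,deny", "allow": ["127.0.0.1"], "deny": ["all"]}}

if __name__ == "__main__":
    for name, cfg in [("first_try", first_try), ("accepted", accepted), ("variant", variant), ("locked", locked)]:
        print(name, "local:", check(cfg, PAGE, LOCAL), "remote:", check(cfg, PAGE, REMOTE))
```
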
 

Author Comment

by:captainober
ID: 7188554
These settings, by themselves, only preclude the Apache service from running (restarting).  Were you saying this is the only change to make?

Capt.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7188936
No, I meant that you replace this with the corresponding settings in your file.
0
 

Author Comment

by:captainober
ID: 7201819
You were right. I was looking in the wrong place.  I read today that Apache has a steep learning curve.....very true!
The fairest thing to do (IMHO) is give you the points but less than what was posted in the end.  Hope you find this acceptable and equitable.

Thanks
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7202455
According to the grading: does this mean that samri's suggestion works, while mine did not?
0
 
LVL 15

Expert Comment

by:samri
ID: 7203222
capt. ober,

What ahoffmann really means is whether the solution proposed by me is actually the best available.

I would believe the options proposed by ahoffmann are also equally important. And again, it's up to the asker to decide.

Personally, I would have proceeded with a points split.

Maybe Mods in CmtySupport could help.

cheers.
samri.
0
 

Author Comment

by:captainober
ID: 7203730
Absolutely.  You were both right.  samri, you had it first.  But ahoffmann, you provided valuable input as well.  I would love to do a points split but personally I would prefer to do a 49-51 split - just a symbolic gesture for samri, whose advice, if I would have followed/understood it, was the solution I was looking for.

Mods:  How can I fix this?  Hopefully I haven't offended anyone.

Capt.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7203820
If samri's suggestion works (I'm wondering, 'cause I never got it for me), grading goes there, that's ok.
0
 
LVL 15

Expert Comment

by:samri
ID: 7203959
ahoffmann,

I am not that surprised that it *might* not work.  The config part is copied from the Apache website;

http://httpd.apache.org/docs/mod/mod_access.html#order
---
In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.

     Order Deny,Allow
     Deny from all
     Allow from apache.org
---
and changed the apache.org to 127.0.0.1

To be honest, I never tested it though :(

capt. ober:

For assistance, you could post a 0 pts question in http://www.experts-exchange.com/commspt/ and explain what needs to be done.  Sometimes they might be able to suggest what is the best approach.

cheers.
0
