Denial of user access via ip-address through .htaccess files

Posted on 2009-07-13
Last Modified: 2013-12-06
I am trying to deny all users except those with source address 192.168.1.0 access to the root of my web site, hosted with Apache2 on a Debian server. The root of the web server is /var/www. So I changed the relevant lines in httpd.conf:

DocumentRoot /var/www
AccessFileName .htaccess
<Directory "/var/www">
    AllowOverride AuthConfig
</Directory>

After this was done I created /var/www/.htaccess to contain this:

order allow,deny
allow from 192.168.1.
deny from all

I even tried to comment away the allow line, so that the .htaccess file would deny all. I also tried the same example with several other folders, without luck.

If I try to access the website, I am granted access. No matter if everyone is denied or not, no matter the source IP of the client accessing. I set up authentication on another folder /var/www/Secured through a similar process. The difference was only the content of the .htaccess file and the inclusion of the password file created by htpasswd. The authentication system I set up worked at that attempt, but the denial of all clients or all clients except those in the specified IP range did not work.

Any suggestions?
Question by:itnifl

12 Comments
LVL 28

Expert Comment

by:Jan Springer
order deny,allow
deny from all
allow from 192.168.1.X

Fill in X to the correct number.
LVL 2

Author Comment

by:itnifl
That did not do the trick. The code was then as follows:

order deny,allow
deny from all
allow from 192.168.1.102

But still, if it were to work, this is not what I want. I want to allow an IP range, 192.168.1.0 - 192.168.1.255, not only one IP. I am not sure, but if the allowing and denying of access works in any way like iptables rules, then denying all at the beginning would never enable them to get to the allow part. They would just be dropped at the deny rule. Please correct me and explain if I am wrong; that is why I originally chose to allow first and then deny all.
LVL 8

Expert Comment

by:NotLogical
Hello itnifl,

Your logic of deny before allow is correct.

If you would like to encompass a whole network range, you would write it as such into the .htaccess file:

Allow From 192.168.1.0/24

Also, please make sure that the following is set in your httpd.conf file, in the section outlining the DocumentRoot:

AllowOverride Options AuthConfig Limit

The reason I mention the DocumentRoot is that if DocumentRoot is set not to permit an override on the options listed above, a child directory will not permit them either.

As always, please ensure that you restart Apache after changing the DocumentRoot permissions, and always check the logs for errors. Sometimes, you will find that a typo in configuration directives makes it seem like something is not working - thankfully, these are logged...

Cheers,

NotLogical
LVL 28

Expert Comment

by:Jan Springer
It does work -- that's how I do it on multiple apache configurations.  If you want a range, use 192.168.1.0/24.

"..does not work" means everyone still has access or no one has access?  What do the error logs indicate?
LVL 28

Expert Comment

by:Jan Springer
And ... the order of "allow,deny" changed between Apache v1.3 and v2. In v1.3, I used "allow,deny". In v2, I use "deny, allow".
LVL 2

Author Comment

by:itnifl
Seems as if Jesper gets support from some books I have been looking at. The order of allow and deny can be switched, at least in that example. But it is not working anyhow, even after taking your advice. Error log says nothing really.
Access.log says nothing out of the normal.
I flushed iptables to be sure there weren't any source addresses being changed.
I re-checked everything according to your advice.
Denying access based on IP address is not working, but authentication is.
LVL 28

Expert Comment

by:Jan Springer
Actually, I'm basing it on experience.

The order does matter.  In your main configuration file, your AllowOverride needs to match your directive:

AllowOverride Limit

I don't see any authentication information in the .htaccess file.
LVL 2

Author Comment

by:itnifl
All recommendations are now carried out, but without effect. I have a virtual machine trying to access the web server (which is also virtual) via a virtual network and over an IP range that is not allowed. But access is granted anyway.
LVL 8

Expert Comment

by:NotLogical
Could it be that the virtual machines are going through the loopback interface, rather than a numbered interface?

Can you provide a detailed configuration file for Apache, an access_log showing the access which should be failing, an error_log to see if anything else may be amiss?
LVL 2

Author Comment

by:itnifl
Clients on the physical network can also access the website, even though I have now blocked all access. There were no errors in the access.log. I could retry from a physical client and check the logs again, but I guess the results would be the same.
.htaccess at /var/www :

order deny,allow
deny from all
#allow from 192.168.1.102

access.log at /var/log/apache2 :

192.168.1.108 - - [12/Aug/2009:11:14:46 +0200] "GET / HTTP/1.1" 200 1196 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Browzar)"
192.168.1.108 - - [12/Aug/2009:11:14:46 +0200] "GET /favicon.ico HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Browzar)"
::1 - - [12/Aug/2009:11:14:49 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:14:51 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:00 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:04 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:05 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:06 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:08 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:09 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:19 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"

#Tried allowing only from an IP that is not in use, and restarted the Apache server:

.htaccess at /var/www changed to :

order deny,allow
deny from all
allow from 192.168.1.103

/etc/init.d/apache2 restart

#Same results

#/etc/apache2/httpd.conf :

ServerName 192.168.1.100
DocumentRoot /var/www
AccessFileName .htaccess

<Directory "/var/www">
    AllowOverride Limit
</Directory>

<Directory "/var/www/Secured">
    AllowOverride AuthConfig
</Directory>

<Directory "/var/www/Restricted">
    AllowOverride AuthConfig
</Directory>

#The same info in apache2.conf :

<Directory "/var/www">
    AllowOverride Limit
</Directory>
LVL 2

Author Comment

by:itnifl
Wonder why all those dummy connections from the IPv6 loopback address are showing up... ?
LVL 2

Accepted Solution

by:
itnifl earned 0 total points
The error was found at last.
/etc/apache2/sites-enabled contains a file with the name 000-default that overrides all changes in httpd.conf, /var/www/.htaccess and apache2.conf. I understand this file sets up the site, and I can at this location also set up several other sites in my Apache web server?

Either way. Problem solved. I set up the correct rules as we have discussed here in this thread via /etc/apache2/sites-enabled/000-default and it worked! =)
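To make the Order/Allow/Deny discussion in this thread concrete, here is an added Python model (not code from the thread or from Apache itself) of how Apache 2.2's mod_authz_host, the module in the Apache/2.2.3 log lines above, decides a request: Deny,Allow starts out allowing and an Allow match wins, Allow,Deny starts out denying and a Deny match wins, so it is not first-match like iptables. The two .htaccess strings are constructed from the question's first attempt and the /24 variant from the answers; when the model says a client should be refused but the server still answers 200, the .htaccess is not being consulted at all, which is what the 000-default vhost turned out to cause here.

```python
import ipaddress


def host_matches(pattern, client_ip):
    """One Allow/Deny host argument as mod_authz_host (Apache 2.2) reads it:
    'all', a CIDR block (192.168.1.0/24), a full address, or a partial
    dotted prefix such as '192.168.1.' covering the whole /24."""
    pattern = pattern.strip().lower()
    ip = ipaddress.ip_address(client_ip)
    if pattern == "all":
        return True
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ip.version == net.version and ip in net
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        pass  # not a complete address: treat it as a partial IPv4 prefix
    octets = [o for o in pattern.split(".") if o]
    return ip.version == 4 and str(ip).split(".")[:len(octets)] == octets


def parse_htaccess(text):
    """Collect Order, Allow from and Deny from directives; '#' starts a comment."""
    order, allow, deny = "deny,allow", [], []  # Apache 2.2's default Order
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        name = parts[0].lower()
        if name == "order":
            order = "".join(parts[1:]).lower()  # tolerates "deny, allow"
        elif name in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if name == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def is_allowed(htaccess, client_ip):
    """Final decision for one client under the file's Order (see lead-in)."""
    order, allow, deny = parse_htaccess(htaccess)
    allowed = any(host_matches(p, client_ip) for p in allow)
    denied = any(host_matches(p, client_ip) for p in deny)
    if order == "deny,allow":
        return allowed or not denied   # default allow; Allow overrides Deny
    if order == "allow,deny":
        return allowed and not denied  # default deny; Deny overrides Allow
    raise ValueError("unsupported Order: " + order)


# Constructed inputs: the question's first .htaccess and the /24 form from the answers.
HTACCESS_QUESTION = "order allow,deny\nallow from 192.168.1.\ndeny from all\n"
HTACCESS_ANSWER = "order deny,allow\ndeny from all\nallow from 192.168.1.0/24\n"
```

Note that the question's original file denies everyone, including 192.168.1.x, because under Allow,Deny the "deny from all" line wins; only the Deny,Allow form admits the LAN while refusing the rest.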