Solved

filter access to data on Apache

Posted on 2011-03-23
Last Modified: 2012-05-11
Is it possible to filter access to directories in Apache via ProxyPass or ProxyPassReverse in mod_proxy?

For example, I have a server with two interfaces: 10.1.1.1 and, let's say, 1.1.1.1.
Anyone coming to the server from 1.1.1.1 I don't want to give access to the admin interface, and anyone coming from 10.1.1.1 I do want to give access to the server.

Let's say the directories are test and test/admin.

Question by:enigma1234567890
8 Comments
 
LVL 31

Expert Comment

by:farzanj
ID: 35198035
You can achieve this simply with iptables:


iptables -A INPUT -p tcp -d 1.1.1.1 --dport 80 -j DROP

iptables -A INPUT -p tcp -d 10.1.1.1 --dport 80 -j ACCEPT

0
 

Author Comment

by:enigma1234567890
ID: 35198096
Sorry, not using iptables. I was asked to do it a specific way and want to know if it's possible or not.
0
 
LVL 4

Expert Comment

by:m_walker
ID: 35198208
Some more info.

Let's see if I have this right.
You have an Apache server with 2 NICs.
NIC1 has IP 10.1.1.1.
NIC2 has IP 1.1.1.1.

If a user hits IP address 10.1.1.1, then allow access to test AND test/admin.
If a user hits IP address 1.1.1.1, then only allow access to test and NOT test/admin.

You can do directory-level access when you know the IP of the host,
e.g.:
Allow from 192.168.1.104 192.168.1.205

Can you have it so a known list of IP addresses can get access to test/admin and everyone else is denied?

eg: (this may not be 100% but you get the idea)
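<Directory "/path to web folder/test">
     # Anyone may reach the public area
     Order Deny,Allow
     Allow from all
</Directory>
<Directory "/path to web folder/test/admin">
     # Deny by default, then allow only the listed client IPs
     Order Deny,Allow
     Deny from all
     Allow from <ip 1> <ip 2>
</Directory>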



0
 

Author Comment

by:enigma1234567890
ID: 35198916
Yeah, please note the question is: can it be achieved via mod_proxy, not any other method, and if so, how? The explanation above is fine.
0

 
LVL 2

Expert Comment

by:PowerToaster
ID: 35215478
I think m_walker had the correct answer to your question.

You configure your proxy just like a normal Apache directory, as he stated. The specific example used on the mod_proxy website is:

<Proxy *>
Order Deny,Allow
Deny from all
Allow from 192.168.0
</Proxy>

If you would post your proxy configuration directives it would be simple to give you exact changes required to achieve this result.
0
 
LVL 31

Expert Comment

by:farzanj
ID: 35220648
You may want to try something like this
RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$


0
 
LVL 4

Accepted Solution

by:
m_walker earned 500 total points
ID: 35220753
farzanj: I think the filter needs to be on the Apache server IP that the user hits, not the user's source IP.

E.g.: on my computer I have an IP address of 10.1.1.10. Then I could go to http://10.1.1.1, and since I hit the server IP 10.1.1.1, I can access the admin folder. But if I go to http://1.1.1.1 then I can't get access to the admin folder. So the rule needs to use the Apache server's local IP.

I am assuming there are other things in place that will manage who can route to each interface, so the 10.1.1.x/24 could be the admin network.

That said, I'm sure you will know how to do it :)
 
0
 

Author Comment

by:enigma1234567890
ID: 35231992
Yes, it is possible via mod_proxy as a reverse proxy to itself. Set it up last week.
0
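
One way to get the behaviour the accepted answer and the last comment describe (the local server IP decides what is reachable, with Apache reverse-proxying to itself), as an added example that is not the asker's actual configuration. The loopback backend on 127.0.0.1:8080 and the DocumentRoot path are assumptions.

```apache
# Added example, Apache 2.2-style access control as used in this thread.
# Assumed, not from the thread: backend on 127.0.0.1:8080, DocumentRoot path.
# Requires mod_proxy and mod_proxy_http.

Listen 1.1.1.1:80
Listen 10.1.1.1:80
Listen 127.0.0.1:8080

# Never act as a forward proxy.
ProxyRequests Off

# Backend that actually serves /test and /test/admin. Bound to loopback
# only, so it cannot be reached around the two front-end vhosts.
<VirtualHost 127.0.0.1:8080>
    DocumentRoot "/var/www/site"
</VirtualHost>

# Front end on the 1.1.1.1 interface: /test is proxied, /test/admin is not.
# IP-based vhosts are selected by the address the connection arrived on,
# not by the client-supplied Host header.
<VirtualHost 1.1.1.1:80>
    # Exclusions must precede the broader ProxyPass they carve out of.
    ProxyPass        /test/admin !
    ProxyPass        /test http://127.0.0.1:8080/test
    ProxyPassReverse /test http://127.0.0.1:8080/test

    # Answer 403 for the excluded path instead of falling through to
    # this vhost's own content. (2.4 equivalent: Require all denied)
    <Location /test/admin>
        Order Deny,Allow
        Deny from all
    </Location>
</VirtualHost>

# Front end on the 10.1.1.1 interface: everything under /test, admin included.
<VirtualHost 10.1.1.1:80>
    ProxyPass        /test http://127.0.0.1:8080/test
    ProxyPassReverse /test http://127.0.0.1:8080/test
</VirtualHost>
```

A request for /test/admin/ sent to each address should return 403 on 1.1.1.1 and the admin page on 10.1.1.1; port 8080 should refuse connections on both external interfaces.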
