Solved

filter access to data on Apache

Posted on 2011-03-23
8
204 Views
Last Modified: 2012-05-11
Is it possible to filter access to directories in Apache via ProxyPass or proxyPassReverse in mod proxy.

For example I have a server with two interfaces.  10.1.1.1 and lets say 1.1.1.1.
Anyone coming to the server from 1.1.1.1 I dont want to give access to the admin interface and anyone coming from 10.1.1.1 I do want to give access to the server.

Lets say the directories are test and test/admin

0
Comment
Question by:enigma1234567890
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 31

Expert Comment

by:farzanj
ID: 35198035
You can achieve this simply by iptables


iptables -A INPUT -d 1.1.1.1 --dport 80 -j DROP

iptables -A INPUT -d 10.1.1.1 --dport 80 -j ACCEPT

Open in new window

0
 

Author Comment

by:enigma1234567890
ID: 35198096
sorry not using IP tables.  I was asked to do it a specisif way and want to know if its possible or not
0
 
LVL 4

Expert Comment

by:m_walker
ID: 35198208
Some more info.

Lets see if I have this right.
You have an apache server with 2 nics
Nic1 has IP 10.1.1.1.
Nic2 Has IP 1.1.1.1

If a user hits IP Address 10.1.1.1 then allow access to test AND test/admin
If a user hits IP Address 1.1.1.1 then only allow access to test and OT test/admin

You can do directory level access when you know the IP of the host
eg:
Allow from 192.168.1.104 192.168.1.205

can you have it so a know list of IP Addresses can get access to the test/admin and everyone else is denied.

eg: (this may not be 100% but you get the idea)
<Directory /path to web folder/test>
     Order Deny,Allow
     Allow from all
 </Directory>
<Directory /path to web folder/test/admin>
     Order Deny,Allow
     Allow from <ip 1> <ip 2>
 </Directory>



0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:enigma1234567890
ID: 35198916
Yea please not the question is can it be achieved vi mod proxy not any other method and if so how.  The explination above is fine
0
 
LVL 2

Expert Comment

by:PowerToaster
ID: 35215478
I think m_walker had the correct answer to your question.

You configure your proxy just like a normal apache directory as he stated. The specific example used on the mod_proxy website is.

<Proxy *>
Order Deny,Allow
Deny from all
Allow from 192.168.0
</Proxy>

If you would post your proxy configuration directives it would be simple to give you exact changes required to achieve this result.
0
 
LVL 31

Expert Comment

by:farzanj
ID: 35220648
You may want to try something like this
RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$

Open in new window

0
 
LVL 4

Accepted Solution

by:
m_walker earned 500 total points
ID: 35220753
farzani:  I think the filter needs to be on the apache server IP that the user hits,not the users source IP.  

eg: On my my computer I have IP Address of 10.1.1.10 Then I could http://10.1.1.1 and since I hit the server IP 10.1.1.1 then I can Access the admin folder.  But if I go to http://1.1.1.1 then I cant get access to the admin folder.  So the rule needs to use the apache serveres local IP.

I am assuming there are other things in place that will manage who can route to each interface, so the 10.1.1.x/24 could be the admin network.

That said I'm sure you will know how do to it :)
 
0
 

Author Comment

by:enigma1234567890
ID: 35231992
yes it is possible via mod proxy as a reverse proxy to itself.  Set it up last week
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question