Apache2 access restricted to local LAN

5

Until recently, I had a bunch of virtual sites set up like so:

<VirtualHost 127.0.0.1:1234>
    ...

This works fine for testing on my local machine, where I use a Linux desktop. In order to test how MS and explorer displays my pages from my Windows laptop, I changed this to

<VirtualHost *:1234>
    ...

This also works fine, calling the site up from http://[mylinuxservername]:1234 on my laptop's IE. However, I want to restrict that wildcard to the local LAN. Plugging in any IP, like 192.nnn.nnn.nnn or 192.*.*.*, where the wildcard is above results in 403 Forbidden on the Windows machine. The local server still works fine on my Linux box:

<VirtualHost 127.0.0.1:1234 192.*.*.*:1234>
    ...

or

<VirtualHost 127.0.0.1:1234 192.nnn.nnn.nnn:1234> #exact IP of laptop
    ...

Anyway, I don't like that wildcard in the second config example above. Hints anyone?

2009-06-16 15:12
by user105090
This should probably be on ServerFault - though IIRC, your issue is that you don't put the requesting IP in the VirtualHost tag - it goes in a Location or Directory piece - Harper Shelby 2009-06-16 15:16


12

The parameter(s) of VirtualHost are the local addresses you listen to, not the remote ones.

In Apache 2.4 and newer, use the Require directive:

Require ip 127.0.0.0/8
Require ip 192.0.0.0/8

If you are using Apache 2.2 or earlier, use the authz_host configuration:

Order Allow,Deny
Allow from 127.0.0.0/8
Allow from 192.168.0.0/16

This may also work on Apache 2.4, but Order and Allow have been deprecated.

2009-06-16 15:22
by phihag
Thank you! Works great. What do the numbers at the end of the IP after the forward slashes mean? - user105090 2009-06-16 15:33
@~jack-laplante Already answered by Ted: CIDR notation (the number of invariable bits) - phihag 2009-06-16 18:00
Jack, the /8 and /16 are lengths of the subnet mask. It's CIDR notation - tethys 2009-06-16 16:19
So much arcana, so little time :-) Thanks - user105090 2009-06-16 16:46
This has been deprecated in favor of 'Require'. Please, downvote this one and upvote apachenoob's answer - nachoparker 2017-07-16 17:13
Updated with a solution for Apache 2.4 - phihag 2017-07-16 17:24


4

Just a note in case some noobs like me come here :)

Apache HTTP Server is configured by placing directives in plain text configuration files. The main configuration file is usually called httpd.conf. Main Configuration Files

For version 2.4

The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use. Access Control

Require ip 127.0.0.0/8
Require ip 192.0.0.0/8

or (not exactly the same)

Require ip 127.0
Require ip 192.168

2016-03-20 09:53
by apachenoob
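As an added illustration (not code from any of the answerers or from Apache itself) of the argument forms used in phihag's and apachenoob's answers, and of why `192.0.0.0/8` and `192.168` are "not exactly the same": a small Python model of how Apache 2.4's `Require ip` matches a client's remote address. The VirtualHost fragment, its ServerName and paths, and the client addresses are constructed for this example; the four argument forms are the ones documented for mod_authz_host (full address, partial address by leading octets, network/netmask, network/CIDR).

```python
"""Model of Apache 2.4 'Require ip' matching (illustration, not Apache's code).

mod_authz_host accepts four argument forms for 'Require ip':
  full IPv4 address            192.168.1.104      -> exactly that host
  partial address (1-3 octets) 192.168            -> 192.168.0.0/16
  network/netmask              10.1.0.0/255.255.0.0
  network/CIDR prefix          10.1.0.0/16
A request is allowed when the client's *remote* address (not the address
the server listens on, which is what <VirtualHost> takes) matches any of them.
"""
import ipaddress
import re

# Constructed 2.4-style VirtualHost (assumed names and paths), showing where the
# directives live: in the <Directory> for the document root, not in the
# <VirtualHost> tag itself.
SAMPLE_VHOST = """
<VirtualHost *:1234>
    ServerName mylinuxserver
    DocumentRoot /var/www/site
    <Directory /var/www/site>
        Require ip 127.0.0.0/8
        Require ip 192.168.0.0/16
    </Directory>
</VirtualHost>
"""


def require_ip_args(config_text):
    """Collect the arguments of every 'Require ip' line in a config fragment."""
    args = []
    for line in config_text.splitlines():
        m = re.match(r"\s*Require\s+ip\s+(.+)", line, re.IGNORECASE)
        if m:
            args.extend(m.group(1).split())
    return args


def to_network(arg):
    """Turn one 'Require ip' argument into an ipaddress network object."""
    if "/" in arg:
        # ip_network accepts both '10.1.0.0/16' and '10.1.0.0/255.255.0.0'.
        return ipaddress.ip_network(arg, strict=False)
    octets = arg.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported Require ip argument: {arg!r}")
    # Partial address: the given octets are the network, 8 bits per octet.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


def is_allowed(client_ip, args):
    """True if the client's remote address matches any 'Require ip' argument."""
    client = ipaddress.ip_address(client_ip)
    return any(client in to_network(a) for a in args)


def check_vhost(client_ip, config_text=SAMPLE_VHOST):
    """Evaluate a client address against the Require ip lines of a fragment."""
    return is_allowed(client_ip, require_ip_args(config_text))


if __name__ == "__main__":
    # 192.0.0.0/8 covers every address starting with 192 (including public
    # ranges); the partial form 192.168 covers only the private 192.168.0.0/16.
    for client in ("127.0.0.1", "192.168.1.104", "192.2.3.4", "10.0.0.5"):
        print(client,
              "vhost:", check_vhost(client),
              "/8:", is_allowed(client, ["192.0.0.0/8"]),
              "192.168:", is_allowed(client, ["192.168"]))
```

The `/8` and `/16` asked about in the comments are prefix lengths: the number of leading bits that must match. `192.168` in apachenoob's second form is shorthand for `192.168.0.0/16`, which is narrower than phihag's `192.0.0.0/8`, so for a home LAN the `/16` or partial form is the tighter choice.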


0

Use iptables to restrict access to the machine itself. The first command will allow HTTP traffic from any network in the 192 range (note that I think you need 192.168 to truly be local, but I could be wrong). The second command simply drops packets from other sources for port 80.

# -I takes the chain first, then the rule position: accept HTTP from 192.0.0.0/8 as rule 1
iptables -I INPUT 1 -s 192.0.0.0/8 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# rule 2: drop new HTTP connections from every other source
iptables -I INPUT 2 -p tcp --dport 80 -m state --state NEW -j DROP

Then in your virtual host you can do <VirtualHost *:80>

2009-06-16 15:24
by Cfreak