logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



Apache 'Require all denied' - still renders HTML

 
Post new topic   Reply to topic    Apache Forum Index -> Apache



View previous topic :: View next topic  
Author Message
dave8



Joined: 28 Aug 2018
Posts: 4
Location: USA, Alexandria

PostPosted: Wed 29 Aug '18 16:24    Post subject: Apache 'Require all denied' - still renders HTML Reply with quote

I have an older ruby on rails application (ruby v1.8, rails v2.3.5) running on a CentOS Linux v7 server. I'm using Apache as the web server and want it configured so that only the host domain and private IPs can access the site. When doing some tests with Apache 2.4 and Require I was setting the following:

Code:

ServerName www.sitename.com
ServerAlias sitename.com
DocumentRoot /u/apps/core/current/public
<Directory "/u/apps/core/current/public">
  Options FollowSymLinks
  AllowOverride None
  Require all denied
  Require host sitename.com
  Require ip 10.255
</Directory>


With this setting I can access the site by the private IPs and everything seems to be working. I wanted to test that all other IPs would be blocked so I removed the line

Code:

Require ip 10.255


At this point I would expect to be denied access to the site when using a private IP, this is how I would expect the functionality to be for all public IPs regardless of the Require ip line.

The issue is that I am not getting denied access on the private IP after removing the Require line. I am still able to see the site's HTML. The css and javascript are no longer loading, however I would expect to see nothing loaded at all. I would expect to see a browser error page.

I have not tried this in production yet, but the overall goal is to only be able to access the site by the hostname sitename.com, I also have various redirects configured for example http -> https and sitename.com will redirect to www.sitename.com.

I feel like this configuration must be a simple line I am overlooking, does anyone know why I can still access the site based on the IP even when I only have the following set?

Code:

Require all denied
Require host sitename.com
Back to top
DavidSpector



Joined: 07 Oct 2017
Posts: 15
Location: Maine, USA

PostPosted: Wed 29 Aug '18 22:28    Post subject: Apache default is all access Reply with quote

My guess is that you forgot that the Apache default is to serve all directories and files. You have to explicitly DENY what you want denied. Hope this helps.
Back to top
dave8



Joined: 28 Aug 2018
Posts: 4
Location: USA, Alexandria

PostPosted: Wed 29 Aug '18 23:21    Post subject: Reply with quote

@DavidSpector I'm not sure I fully understand what you mean. I want to Deny any requests that are not from either a 10.255.xx.xx ip or my domain name sitename.com

My understanding is that the Require lines will solve this.
Code:

  Require all denied
  Require host sitename.com
  Require ip 10.255


Are you saying that I should configure this for a different directory? Is there a configuration that will apply those Require lines to all directories/ folders? Should I use?
Back to top
DavidSpector



Joined: 07 Oct 2017
Posts: 15
Location: Maine, USA

PostPosted: Wed 29 Aug '18 23:26    Post subject: They look okay Reply with quote

I am sorry I confused you. All I meant was that I thought the lines you presented would allow the access you want, but that is only part of the story. You have to deny access to everyone else. That is the definition of "private", isn't it?
Back to top
dave8



Joined: 28 Aug 2018
Posts: 4
Location: USA, Alexandria

PostPosted: Wed 29 Aug '18 23:29    Post subject: Reply with quote

How can I deny access to everyone else? I thought that's what the `Require all denied` was doing? Is there somewhere else I need to configure this? Or is there something else I need to do to deny access to everything/ everyone else?
Back to top
DavidSpector



Joined: 07 Oct 2017
Posts: 15
Location: Maine, USA

PostPosted: Wed 29 Aug '18 23:40    Post subject: Reply with quote

Sorry, I'm trying to be brief and I don't have time to study what you posted to understand your goal completely. I'm working on my own config problems right now.

As you know, directories are hierarchical. /u/apps/core/current contains /u/apps/core/current/public.

Your "deny" directives apply only to /u/apps/core/current/public, but not to its parents. That means, under certain assumptions, that access to other directories is up to Apache, and its default is "Require all granted".

So you have to provide the access you want to each directory, either in the httpd.conf file or in local .htaccess files. Any access you might specify for /u (for example) is inherited by its children, such as /u/apps/core. I hope this helps.
Back to top
dave8



Joined: 28 Aug 2018
Posts: 4
Location: USA, Alexandria

PostPosted: Thu 30 Aug '18 0:07    Post subject: Reply with quote

Yes, I see what you mean that's likely what is causing my problem. Thank You.

Additionally, do you know what is a better configuration for allowing access from only your trusted IPs and domain:

a) Block everything else and show an error page
b) Redirect everything else to the domain name

I know for example one other domain name (which I do not control) that will resolve to my site, for whatever reason their DNS records point to my AWS load balancer. So is it better to block those requests completely or to redirect them to my domain name?
Back to top
DavidSpector



Joined: 07 Oct 2017
Posts: 15
Location: Maine, USA

PostPosted: Thu 30 Aug '18 0:11    Post subject: Reply with quote

Redirecting anything else to a private web page kind of defeats the whole purpose of "private", doesn't it?

I think you want to deny access to the root of your server file system, then grant access to any "private" directories, either in the main config file or in .htaccess files located in the private dirs.

I'm glad I could be of help.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2170
Location: Sun Diego, USA

PostPosted: Thu 30 Aug '18 0:46    Post subject: Reply with quote

When going to your sitename.com address, chances are you're connecting to your computer via your wan IP. It depends on the router. Linksys I always had my router IP logged. DLink, cheap-o AirLink and Belkin always my wan. I've never tried with Netgear, Buffalo or any others.

If your wan IP resolves to something.sitename.com, you've granted access to that. Look at your log and see what IP is showing when you go to your site via its sitename.com hostname. If it shows your LAN IP or some IP in the 10.255 block.
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache
Page 1 of 1