Author |
|
Tonyz
Joined: 20 Nov 2006 Posts: 13
|
Posted: Mon 20 Nov '06 0:38 Post subject: Locking down Apache to LAN |
|
|
Could someone please advise how I can lock Apache down to my internal LAN i.e. address range 192.168.0.1 to 192.168.0.255 with subnet mask of 255.255.0.0.
Regards,
Tony |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Mon 20 Nov '06 13:00 Post subject: |
|
|
Order Deny/Allow
Deny from All
Allow from 192.168.0/255.255.0.0 |
|
Back to top |
|
Tonyz
Joined: 20 Nov 2006 Posts: 13
|
Posted: Mon 20 Nov '06 22:09 Post subject: |
|
|
James Blond wrote: | Order Deny/Allow
Deny from All
Allow from 192.168.0/255.255.0.0 |
I presume I could change the last line to:
Allow from 192.168.0.2/255.255.0.0
Regards. |
|
Back to top |
|
Tonyz
Joined: 20 Nov 2006 Posts: 13
|
Posted: Wed 22 Nov '06 4:52 Post subject: Locking down Apache, sorry I meant... |
|
|
Could someone please advise how I can lock Apache down to my internal LAN i.e. address range 192.168.0.2 to 192.168.0.255 only with subnet mask of 255.255.0.0.
I don't want to include 192.168.0.1 in the allowable range because Apache will be configured for the internal LAN and 192.168.0.1 happens to be a router with Web access so I don't want to allow traffic to/from it to reach Apache.
Apologies for me not clearing this up earlier.
Regards,
Tony |
|
Back to top |
|
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
|
Posted: Wed 22 Nov '06 9:09 Post subject: |
|
|
Code: | Order Deny/Allow
Deny from All
Allow from 192.168.0/255.255.0.0
Deny from 192.168.0.1 |
this allows nobody to access it
then allows the entire LAN
disalways 192.168.0.1 again so it allways all IP's from the LAN accept 192.168.0.1 |
|
Back to top |
|
Tonyz
Joined: 20 Nov 2006 Posts: 13
|
Posted: Wed 22 Nov '06 12:39 Post subject: |
|
|
Jorge wrote: | Code: | Order Deny/Allow
Deny from All
Allow from 192.168.0/255.255.0.0
Deny from 192.168.0.1 |
this allows nobody to access it
then allows the entire LAN
disalways 192.168.0.1 again so it allways all IP's from the LAN accept 192.168.0.1 |
Thank you, greatly appreciated. |
|
Back to top |
|
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
|
Posted: Wed 22 Nov '06 17:10 Post subject: |
|
|
I don't think this will work because of the order of the tests: Deny, then Allow.
mod_authz_host will first match All and 192.168.0.1 - denied
Next it will match 192.168/255.255.0.0 - allowed The final result for 192.168.0.1 will be 'allowed'.
I think you want this instead: Code: | Order Allow,Deny
Allow from 192.168/255.255.0.0
Deny from 192.168.0.1 |
First all the 192.168.*.* IP addresses will be allowed.
Next, the specific address 192.168.0.1 will be denied.
With Order Allow,Deny, access is denied by default
- so any IP address not in the 192.168 subnet will automatically be denied
See the Order Directive in the Apache docs.
-tom- |
|
Back to top |
|
Tonyz
Joined: 20 Nov 2006 Posts: 13
|
Posted: Thu 23 Nov '06 0:19 Post subject: |
|
|
tdonovan wrote: | I don't think this will work because of the order of the tests: Deny, then Allow.
mod_authz_host will first match All and 192.168.0.1 - denied
Next it will match 192.168/255.255.0.0 - allowed The final result for 192.168.0.1 will be 'allowed'.
I think you want this instead: Code: | Order Allow,Deny
Allow from 192.168/255.255.0.0
Deny from 192.168.0.1 |
First all the 192.168.*.* IP addresses will be allowed.
Next, the specific address 192.168.0.1 will be denied.
With Order Allow,Deny, access is denied by default
- so any IP address not in the 192.168 subnet will automatically be denied
See the Order Directive in the Apache docs.
-tom- |
Okay, thanks. Greatly appreciated. I also want to block out the other half of the subnet (namely everything on 192.168.1.* as well) so I'll try:
Order Allow, Deny
Allow from 192.168.0/255.255.0.0
Deny from 192.168.0.1
Presumably I'd need to do this for <Directory />, <Directory "c:/Apache2/htdocs">, <FilesMatch "^.ht">, and <Directory "c:/Apache2/cgi-bin">
The Apache server itself will have an IP in the range 192.168.0 e.g 192.168.0.131.
I'm not sure what I should do about the "Listen 80" side of things. I wouldn't want Apache listening to anything coming from 192.168.0.1 or 192.168.1.1 which are routers and which carry real www Internet traffic from/to their WAN ports.
This next point is really just an observation: I've read that Apache2 can support IPv6. Given the long hex based IP addresses in IPv6 I imagine it will be a bit more involved to make these kind of settings when IPv6 becomes popular? |
|
Back to top |
|
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
|
Posted: Thu 23 Nov '06 0:36 Post subject: |
|
|
just for <directory />
this applies to everything |
|
Back to top |
|
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
|
Posted: Thu 23 Nov '06 0:44 Post subject: |
|
|
re: "I also want to block out the other half of the subnet ..."
You will want to use: Quote: | Order Allow, Deny
Allow from 192.168.0/255.255.255.0
Deny from 192.168.0.1 | .
The subnet mask tells which part of the IP address to consider:A subnet mask of 255.255.0.0 considers only the 192.168 portion of the IP address.
A subnet mask of 255.255.255.0 considers the 192.168.0 or 192.168.1 portion of the IP.
re: "Presumably I'd need to do this for ..."
You can do it once in <Directory C:/> and it will apply to all requests to drive C:,
unless it is superceded by another Allow from directive inside a more specific block.
-tom- |
|
Back to top |
|
Tonyz
Joined: 20 Nov 2006 Posts: 13
|
Posted: Fri 24 Nov '06 7:44 Post subject: |
|
|
tdonovan wrote: | re: "I also want to block out the other half of the subnet ..."
You can do it once in <Directory C:/> and it will apply to all requests to drive C:,
unless it is superceded by another Allow from directive inside a more specific block.
-tom- |
First, thank you to you and all the others who have been helping me. Sorry, but I do have a couple of more questions on this (as you probably know by now I'm new to Apache):
***************************
Listen 80
Should this be the IP address of the machine that Apache has been installed on e.g.:
Listen 192.168.0.131:80 or even 127.0.0.1:80?
************************
As I want to use Apache just on the LAN I presume I can set "ServerName" to be the IP address rather than its DNS name e.g.:
ServerName 192.168.0.131:80
or may be just to:
servername localhost
Please confirm.
*************************
The .msi installer for Apache asks for "Network Domain". I can't see the corresponding entry for that in httpd.conf but I presume that, wherever one sets this that I can set it to:
localdomain
*************************
<Directory /> (Should this be set to <Directory C:/Program Files/Apache Software Foundation>)
Options FollowSymLinks (what does FollowSymLinks mean? Do I need this?)
AllowOverride None
Order deny,allow
Deny from all
Satisfy all (do I need to specify this?)
</Directory>
I was just going to set this to the following but do I need the bits I ask about above in the example below:
<Directory />
Order Allow, Deny
Allow from 192.168.0/255.255.255.0
Deny from 192.168.0.1
</Directory> |
|
Back to top |
|
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
|
Posted: Fri 24 Nov '06 16:15 Post subject: |
|
|
re: "Listen 80"
This is sufficient. Apache will listen on all the interfaces which your machine uses if you do not specify a specific IP address.
See the Listen Directive.
re: "ServerName 192.168.0.131:80 "
You should use whatever name (and port if not port 80) that you want your users to to see when Apache redirects a request to itself.
Usually this is just the fully-qualified domain name of your machine, but IP address is OK too if that is how your users will access your server.
See the ServerName Directive.
re: "<Directory /> (Should this be set to <Directory C:/Program Files/Apache Software Foundation>) "
Just <Directory /> will encompass anything on the same drive as Apache. This is the common way to specify this, since it would include "C:/Program Files/Apache Software Foundation". You could specify just "C:/Program Files/Apache Software Foundation" if you wanted to - but any Alias or similar directive which pointed to a directory outside the Apache diretory tree would then become accessable from non-192.168.0.* IPs.
See the Directory Directive.
re "Options FollowSymLinks"
Symbolic links are used on Unix, but not on Windows. You don't need this on Windows.
re: "Satisfy all"
You do not need this if you are only restricting access by IP address.
If you were using a combination of IP address and username/password, you could use Satisfy.
See the Satisfy Directive
re: "AllowOverride None "
This only applies if you place files named .htaccess in your web directories to override the access set in httpd.conf.
See the AllowOverride Directive.
You surely need a browser bookmark to the Apache 2.2 Directive Quick Reference page, which is the place to get succinct answers about all these Apache directives.
-tom- |
|
Back to top |
|
Tonyz
Joined: 20 Nov 2006 Posts: 13
|
Posted: Fri 24 Nov '06 23:04 Post subject: |
|
|
tom wrote: | "You surely need a browser bookmark to the Apache 2.2 Directive Quick Reference page, which is the place to get succinct answers about all these Apache directives."
-tom- |
Thanks, greatly appreciated. I have bookmarked the quick reference page in my browser. |
|
Back to top |
|
pips
Joined: 03 May 2006 Posts: 65 Location: Manchester, UK
|
Posted: Wed 20 Dec '06 20:38 Post subject: |
|
|
I want to take this one step further - I have been hit a few times by specific IP addresses who are leaving abusive/sexual www links in our guestbook. As a result, I want to block these IP addresses for future.
Am I correct in thinking I can just list the IP addresses as below:-
<Directory "d:/Apache2/htdocs/gbtheatre">
Order allow,deny
Allow from all
Deny from 201.63.37.90 68.92.192.179 121.1.6.130 124.104.14.234 64.92.161.178 211.189.26.8
</Directory>
Cheers,
Phil
These are the specific IP addresses that were used when the user signed the guestbook, so feel free everyone to block them too!! |
|
Back to top |
|
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
|
Posted: Thu 21 Dec '06 13:21 Post subject: |
|
|
yes that looks correct.
Do note that not all IP's are static. Best to check if there is a pointer record, if the result looks like its dynamic best not to block it. |
|
Back to top |
|
pips
Joined: 03 May 2006 Posts: 65 Location: Manchester, UK
|
Posted: Thu 21 Dec '06 13:29 Post subject: |
|
|
thanks for the info Jorge - these guys have left messages on more than one occasion using the same IP address - so chances are they are static ones.
doing a search on the IP address on http://lacnic.net shows most of them originate in SP which i presume is Singapore - as we are a UK based amateur theatre group, the info is probably not relevant to them anyway - they are just out to cause offence!
Cheers,
Phil. |
|
Back to top |
|
pips
Joined: 03 May 2006 Posts: 65 Location: Manchester, UK
|
Posted: Sun 24 Dec '06 3:15 Post subject: |
|
|
I want to be able to block out a range of IP numbers 62.181.32.0 - 62.181.43.255
What is the best way of doing this? I could add several DENY FROM 62.181.32
DENY FROM 62.181.33
DENY FROM 62.181.34
DENY FROM 62.181.35 entries etc, but these seems a bit long-winded.
I have tried DENY FROM 62.181.32-43 but this doesn't seem to work (I tried on a local IP 172.19.0-2 but i can still access the pages!)
Thanks,
Phil |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Sun 24 Dec '06 12:44 Post subject: |
|
|
You can make several Deny from
But easier for you would be
Deny from 62.181.33 62.181.34 62.181.35 |
|
Back to top |
|