Apache :: Apache 'Require all denied'

dave8 · Joined: 28 Aug 2018 Posts: 4 Location: USA, Alexandria

I have an older ruby on rails application (ruby v1.8, rails v2.3.5) running on a CentOS Linux v7 server. I'm using Apache as the web server and want it configured so that only the host domain and private IPs can access the site. When doing some tests with Apache 2.4 and Require I was setting the following:

DavidSpector · Joined: 07 Oct 2017 Posts: 15 Location: Maine, USA

My guess is that you forgot that the Apache default is to serve all directories and files. You have to explicitly DENY what you want denied. Hope this helps.

dave8 · Joined: 28 Aug 2018 Posts: 4 Location: USA, Alexandria

@DavidSpector I'm not sure I fully understand what you mean. I want to Deny any requests that are not from either a 10.255.xx.xx ip or my domain name sitename.com

My understanding is that the Require lines will solve this.

DavidSpector · Joined: 07 Oct 2017 Posts: 15 Location: Maine, USA

I am sorry I confused you. All I meant was that I thought the lines you presented would allow the access you want, but that is only part of the story. You have to deny access to everyone else. That is the definition of "private", isn't it?

dave8 · Joined: 28 Aug 2018 Posts: 4 Location: USA, Alexandria

How can I deny access to everyone else? I thought that's what the `Require all denied` was doing? Is there somewhere else I need to configure this? Or is there something else I need to do to deny access to everything/ everyone else?

DavidSpector · Joined: 07 Oct 2017 Posts: 15 Location: Maine, USA

Sorry, I'm trying to be brief and I don't have time to study what you posted to understand your goal completely. I'm working on my own config problems right now.

As you know, directories are hierarchical. /u/apps/core/current contains /u/apps/core/current/public.

Your "deny" directives apply only to /u/apps/core/current/public, but not to its parents. That means, under certain assumptions, that access to other directories is up to Apache, and its default is "Require all granted".

So you have to provide the access you want to each directory, either in the httpd.conf file or in local .htaccess files. Any access you might specify for /u (for example) is inherited by its children, such as /u/apps/core. I hope this helps.

dave8 · Joined: 28 Aug 2018 Posts: 4 Location: USA, Alexandria

Yes, I see what you mean that's likely what is causing my problem. Thank You.

Additionally, do you know what is a better configuration for allowing access from only your trusted IPs and domain:

a) Block everything else and show an error page
b) Redirect everything else to the domain name

I know for example one other domain name (which I do not control) that will resolve to my site, for whatever reason their DNS records point to my AWS load balancer. So is it better to block those requests completely or to redirect them to my domain name?

DavidSpector · Joined: 07 Oct 2017 Posts: 15 Location: Maine, USA

Redirecting anything else to a private web page kind of defeats the whole purpose of "private", doesn't it?

I think you want to deny access to the root of your server file system, then grant access to any "private" directories, either in the main config file or in .htaccess files located in the private dirs.

I'm glad I could be of help.

glsmith

When going to your sitename.com address, chances are you're connecting to your computer via your wan IP. It depends on the router. Linksys I always had my router IP logged. DLink, cheap-o AirLink and Belkin always my wan. I've never tried with Netgear, Buffalo or any others.

If your wan IP resolves to something.sitename.com, you've granted access to that. Look at your log and see what IP is showing when you go to your site via its sitename.com hostname. If it shows your LAN IP or some IP in the 10.255 block.