logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Locking down Apache to LAN
Author
Tonyz



Joined: 20 Nov 2006
Posts: 13

PostPosted: Mon 20 Nov '06 0:38    Post subject: Locking down Apache to LAN Reply with quote

Could someone please advise how I can lock Apache down to my internal LAN i.e. address range 192.168.0.1 to 192.168.0.255 with subnet mask of 255.255.0.0.

Regards,


Tony
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Mon 20 Nov '06 13:00    Post subject: Reply with quote

Order Deny/Allow
Deny from All
Allow from 192.168.0/255.255.0.0
Back to top
Tonyz



Joined: 20 Nov 2006
Posts: 13

PostPosted: Mon 20 Nov '06 22:09    Post subject: Reply with quote

James Blond wrote:
Order Deny/Allow
Deny from All
Allow from 192.168.0/255.255.0.0


I presume I could change the last line to:

Allow from 192.168.0.2/255.255.0.0

Regards.
Back to top
Tonyz



Joined: 20 Nov 2006
Posts: 13

PostPosted: Wed 22 Nov '06 4:52    Post subject: Locking down Apache, sorry I meant... Reply with quote

Could someone please advise how I can lock Apache down to my internal LAN i.e. address range 192.168.0.2 to 192.168.0.255 only with subnet mask of 255.255.0.0.

I don't want to include 192.168.0.1 in the allowable range because Apache will be configured for the internal LAN and 192.168.0.1 happens to be a router with Web access so I don't want to allow traffic to/from it to reach Apache.

Apologies for me not clearing this up earlier.

Regards,


Tony
Back to top
Jorge



Joined: 12 Mar 2006
Posts: 376
Location: Belgium

PostPosted: Wed 22 Nov '06 9:09    Post subject: Reply with quote

Code:
Order Deny/Allow
Deny from All
Allow from 192.168.0/255.255.0.0
Deny from 192.168.0.1


this allows nobody to access it
then allows the entire LAN
disalways 192.168.0.1 again so it allways all IP's from the LAN accept 192.168.0.1
Back to top
Tonyz



Joined: 20 Nov 2006
Posts: 13

PostPosted: Wed 22 Nov '06 12:39    Post subject: Reply with quote

Jorge wrote:
Code:
Order Deny/Allow
Deny from All
Allow from 192.168.0/255.255.0.0
Deny from 192.168.0.1


this allows nobody to access it
then allows the entire LAN
disalways 192.168.0.1 again so it allways all IP's from the LAN accept 192.168.0.1


Thank you, greatly appreciated.
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

PostPosted: Wed 22 Nov '06 17:10    Post subject: Reply with quote

I don't think this will work because of the order of the tests: Deny, then Allow.
    mod_authz_host will first match All and 192.168.0.1 - denied

    Next it will match 192.168/255.255.0.0 - allowed
The final result for 192.168.0.1 will be 'allowed'.

I think you want this instead:
Code:
Order Allow,Deny
Allow from 192.168/255.255.0.0
Deny from 192.168.0.1
    First all the 192.168.*.* IP addresses will be allowed.

    Next, the specific address 192.168.0.1 will be denied.

    With Order Allow,Deny, access is denied by default
    - so any IP address not in the 192.168 subnet will automatically be denied

See the Order Directive in the Apache docs.

-tom-
Back to top
Tonyz



Joined: 20 Nov 2006
Posts: 13

PostPosted: Thu 23 Nov '06 0:19    Post subject: Reply with quote

tdonovan wrote:
I don't think this will work because of the order of the tests: Deny, then Allow.
    mod_authz_host will first match All and 192.168.0.1 - denied

    Next it will match 192.168/255.255.0.0 - allowed
The final result for 192.168.0.1 will be 'allowed'.

I think you want this instead:
Code:
Order Allow,Deny
Allow from 192.168/255.255.0.0
Deny from 192.168.0.1
    First all the 192.168.*.* IP addresses will be allowed.

    Next, the specific address 192.168.0.1 will be denied.

    With Order Allow,Deny, access is denied by default
    - so any IP address not in the 192.168 subnet will automatically be denied

See the Order Directive in the Apache docs.

-tom-


Okay, thanks. Greatly appreciated. I also want to block out the other half of the subnet (namely everything on 192.168.1.* as well) so I'll try:

Order Allow, Deny
Allow from 192.168.0/255.255.0.0
Deny from 192.168.0.1

Presumably I'd need to do this for <Directory />, <Directory "c:/Apache2/htdocs">, <FilesMatch "^.ht">, and <Directory "c:/Apache2/cgi-bin">

The Apache server itself will have an IP in the range 192.168.0 e.g 192.168.0.131.

I'm not sure what I should do about the "Listen 80" side of things. I wouldn't want Apache listening to anything coming from 192.168.0.1 or 192.168.1.1 which are routers and which carry real www Internet traffic from/to their WAN ports.

This next point is really just an observation: I've read that Apache2 can support IPv6. Given the long hex based IP addresses in IPv6 I imagine it will be a bit more involved to make these kind of settings when IPv6 becomes popular?
Back to top
Jorge



Joined: 12 Mar 2006
Posts: 376
Location: Belgium

PostPosted: Thu 23 Nov '06 0:36    Post subject: Reply with quote

just for <directory />
this applies to everything Smile
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

PostPosted: Thu 23 Nov '06 0:44    Post subject: Reply with quote

re: "I also want to block out the other half of the subnet ..."

You will want to use:
Quote:
Order Allow, Deny
Allow from 192.168.0/255.255.255.0
Deny from 192.168.0.1
.

The subnet mask tells which part of the IP address to consider:
    A subnet mask of 255.255.0.0 considers only the 192.168 portion of the IP address.
    A subnet mask of 255.255.255.0 considers the 192.168.0 or 192.168.1 portion of the IP.

re: "Presumably I'd need to do this for ..."

You can do it once in <Directory C:/> and it will apply to all requests to drive C:,
unless it is superceded by another Allow from directive inside a more specific block.

-tom-
Back to top
Tonyz



Joined: 20 Nov 2006
Posts: 13

PostPosted: Fri 24 Nov '06 7:44    Post subject: Reply with quote

tdonovan wrote:
re: "I also want to block out the other half of the subnet ..."
You can do it once in <Directory C:/> and it will apply to all requests to drive C:,
unless it is superceded by another Allow from directive inside a more specific block.

-tom-


First, thank you to you and all the others who have been helping me. Sorry, but I do have a couple of more questions on this (as you probably know by now I'm new to Apache):

***************************
Listen 80

Should this be the IP address of the machine that Apache has been installed on e.g.:

Listen 192.168.0.131:80 or even 127.0.0.1:80?

************************
As I want to use Apache just on the LAN I presume I can set "ServerName" to be the IP address rather than its DNS name e.g.:

ServerName 192.168.0.131:80

or may be just to:

servername localhost

Please confirm.

*************************

The .msi installer for Apache asks for "Network Domain". I can't see the corresponding entry for that in httpd.conf but I presume that, wherever one sets this that I can set it to:

localdomain

*************************

<Directory /> (Should this be set to <Directory C:/Program Files/Apache Software Foundation>)
Options FollowSymLinks (what does FollowSymLinks mean? Do I need this?)
AllowOverride None
Order deny,allow
Deny from all
Satisfy all (do I need to specify this?)
</Directory>

I was just going to set this to the following but do I need the bits I ask about above in the example below:

<Directory />
Order Allow, Deny
Allow from 192.168.0/255.255.255.0
Deny from 192.168.0.1
</Directory>
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

PostPosted: Fri 24 Nov '06 16:15    Post subject: Reply with quote

re: "Listen 80"

This is sufficient. Apache will listen on all the interfaces which your machine uses if you do not specify a specific IP address.
See the Listen Directive.

re: "ServerName 192.168.0.131:80 "

You should use whatever name (and port if not port 80) that you want your users to to see when Apache redirects a request to itself.
Usually this is just the fully-qualified domain name of your machine, but IP address is OK too if that is how your users will access your server.
See the ServerName Directive.

re: "<Directory /> (Should this be set to <Directory C:/Program Files/Apache Software Foundation>) "

Just <Directory /> will encompass anything on the same drive as Apache. This is the common way to specify this, since it would include "C:/Program Files/Apache Software Foundation". You could specify just "C:/Program Files/Apache Software Foundation" if you wanted to - but any Alias or similar directive which pointed to a directory outside the Apache diretory tree would then become accessable from non-192.168.0.* IPs.
See the Directory Directive.

re "Options FollowSymLinks"

Symbolic links are used on Unix, but not on Windows. You don't need this on Windows.

re: "Satisfy all"

You do not need this if you are only restricting access by IP address.
If you were using a combination of IP address and username/password, you could use Satisfy.
See the Satisfy Directive

re: "AllowOverride None "

This only applies if you place files named .htaccess in your web directories to override the access set in httpd.conf.
See the AllowOverride Directive.

You surely need a browser bookmark to the Apache 2.2 Directive Quick Reference page, which is the place to get succinct answers about all these Apache directives.

-tom-
Back to top
Tonyz



Joined: 20 Nov 2006
Posts: 13

PostPosted: Fri 24 Nov '06 23:04    Post subject: Reply with quote

tom wrote:
"You surely need a browser bookmark to the Apache 2.2 Directive Quick Reference page, which is the place to get succinct answers about all these Apache directives."

-tom-


Thanks, greatly appreciated. I have bookmarked the quick reference page in my browser.
Back to top
pips



Joined: 03 May 2006
Posts: 65
Location: Manchester, UK

PostPosted: Wed 20 Dec '06 20:38    Post subject: Reply with quote

I want to take this one step further - I have been hit a few times by specific IP addresses who are leaving abusive/sexual www links in our guestbook. As a result, I want to block these IP addresses for future.

Am I correct in thinking I can just list the IP addresses as below:-

<Directory "d:/Apache2/htdocs/gbtheatre">
Order allow,deny
Allow from all
Deny from 201.63.37.90 68.92.192.179 121.1.6.130 124.104.14.234 64.92.161.178 211.189.26.8
</Directory>

Cheers,
Phil

These are the specific IP addresses that were used when the user signed the guestbook, so feel free everyone to block them too!! Very Happy
Back to top
Jorge



Joined: 12 Mar 2006
Posts: 376
Location: Belgium

PostPosted: Thu 21 Dec '06 13:21    Post subject: Reply with quote

yes that looks correct.
Do note that not all IP's are static. Best to check if there is a pointer record, if the result looks like its dynamic best not to block it.
Back to top
pips



Joined: 03 May 2006
Posts: 65
Location: Manchester, UK

PostPosted: Thu 21 Dec '06 13:29    Post subject: Reply with quote

thanks for the info Jorge - these guys have left messages on more than one occasion using the same IP address - so chances are they are static ones.
doing a search on the IP address on http://lacnic.net shows most of them originate in SP which i presume is Singapore - as we are a UK based amateur theatre group, the info is probably not relevant to them anyway - they are just out to cause offence!
Cheers,
Phil.
Back to top
pips



Joined: 03 May 2006
Posts: 65
Location: Manchester, UK

PostPosted: Sun 24 Dec '06 3:15    Post subject: Reply with quote

I want to be able to block out a range of IP numbers 62.181.32.0 - 62.181.43.255

What is the best way of doing this? I could add several DENY FROM 62.181.32
DENY FROM 62.181.33
DENY FROM 62.181.34
DENY FROM 62.181.35 entries etc, but these seems a bit long-winded.

I have tried DENY FROM 62.181.32-43 but this doesn't seem to work (I tried on a local IP 172.19.0-2 but i can still access the pages!)

Thanks,
Phil
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Sun 24 Dec '06 12:44    Post subject: Reply with quote

You can make several Deny from

But easier for you would be

Deny from 62.181.33 62.181.34 62.181.35
Back to top


Reply to topic   Topic: Locking down Apache to LAN View previous topic :: View next topic
Post new topic   Forum Index -> Apache