Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Apache virtualhost order deny, allow works only on localhost |
|
| Author |
|
kdwoell
Joined: 24 Aug 2012
Posts: 7
|
 Posted: Mon 17 Jun '13 18:12 Post subject: Apache virtualhost order deny, allow works only on localhost |
 |
|
I have vhost setup for test of a new website. I want to allow access on the localhost, and, from one IP from the Internet (redacted). Apache serves the site just fine on the server but I can't access the site from my the "xxx...." IP.
I'm using a physical path to test from the public IP as follows:
| Quote: | | http://xxx.xxx.xxx.xxx/~user/test/index.html |
Apache v2.2
RHEL6
UserDir configured/running
SuExec configured/running
Below is the relevant vhost block in httpd.conf:
| Code: | <VirtualHost *:80>
ServerName test
ServerAlias test
DocumentRoot /home/user/public_html/test
<IfModule mod_fcgid.c>
SuexecUserGroup test test
<Directory /home/user/public_html/test>
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx 127
Options +ExecCGI
DirectoryIndex index.php index.html
AllowOverride All
AddHandler fcgid-script .php
FcgiWrapper /var/www/php-fcgi-scripts/user/php-fcgi-starter .php
</Directory>
</IfModule>
</VirtualHost> |
I don't have a FQDN as yet, so I just made a entry in /etc/hosts as follows:
Here is an excerpt from the Apache error log:
| Quote: | | [Mon Jun 17 12:02:16 2013] [error] [client xxx.xxx.xxx.xxx] client denied by server configuration: /home/user/public_html/test/index.html |
I've checked the firewall and the /etc/hosts.allow- that's not it. I've read the Apache docs and in the vhost block Allow should be evaluated last, and apparently is matching localhost but is not matching my IP.
Any help? |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg
|
| Posted: Tue 18 Jun '13 17:26 Post subject: |
|
|
| Quote: |
<IfModule mod_fcgid.c>
|
Are you sure that the fcgid module is loaded? |
|
| Back to top |
|
kdwoell
Joined: 24 Aug 2012
Posts: 7
|
| Posted: Tue 18 Jun '13 18:43 Post subject: |
|
|
My apologies to forum members for incomplete background- I should have mentioned that an existing virtual host using mod_fcgid is working fine. The vhost block for that site is the same structure as the one I'm troubleshooting, but, as its serving to the public, the Order,Deny and Allow directives are different. See excerpt below:
| Code: | <VirtualHost *:80>
Order Deny,Allow
Allow from all
</VirtualHost> |
|
|
| Back to top |
|
kdwoell
Joined: 24 Aug 2012
Posts: 7
|
| Posted: Tue 25 Jun '13 1:53 Post subject: |
|
|
| Anyone have suggestions? I have tried several variations of the Order Deny,Allow directives but can't seem to get Apache to allow access for my desired public IP. |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg
|
| Posted: Thu 27 Jun '13 11:40 Post subject: |
|
|
| Yepp, your IP might be IPv6 on localhost. View the error log which client IP is denied. |
|
| Back to top |
|
kdwoell
Joined: 24 Aug 2012
Posts: 7
|
| Posted: Thu 27 Jun '13 15:39 Post subject: Solved |
|
|
The issue was more complicated than it needed to be due to my lack of understanding of DNS routing integrated with Apache (using a public IP for the alias directive).
I appended the server IP adresss to the ServerAlias directive in the 3rd vhost block. That allows Apache to route the request to the right vhost block.
The third vhost is accesible from User the Internet now. The current access control directives are:
Order allow,deny
All from all
Now that Apache can route to the 3rd vhost block I edited the access controls to tighten things down and enable localhost access as:
Order deny,allow
Deny from all
Allow from [redacted public IP subnet] 127.
And it works great! |
|
| Back to top |
|
|
|
|
|
|
