Allowing access to an Apache virtual host from the local network only
I have a web page on a Linux server I administer, running Apache 2.2. This server is visible to the outside world for some other services.
I would like to configure Apache so that a given virtual host is only visible from inside the local network, so I can deploy a web application to get feedback from other people in my organization. I reckon this has to do with the Allow directive, but my experiments are not going well.
How can I alter my config file to achieve that? Should I change the firewall configuration as well?
People landing in this answer, please note that this is specific for Apache 2.2.
Apache 2.4 has deprecated these directives.
The new way is using the module mod_authz_host and the Require directives. (link)
In Apache 2.4 you should do:
<Directory /var/www/ncp-web/>
Require host localhost
Require ip 127.0.0.1
Require ip 192.168
Require ip 10
</Directory>
and remove all Allow directives.
Easy. Just set something like this within your main configuration or your virtual configuration:
<Directory /var/www/path/to/your/web/documents>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 ::1
Allow from localhost
Allow from 192.168
Allow from 10
Satisfy Any
</Directory>
The <Directory></Directory> statement basically says, “Use these rules for anything in this directory.” And “this directory” refers to the /var/www/path/to/your/web/documents path, which I have set in this example but which should be changed to match your site’s local directory path.
Next, within the <Directory></Directory> area, you are changing the default Apache behavior, which allows all by default, to Order Deny,Allow. Next, you set Deny from all, which denies access from everyone. Following that are the Allow from statements, which allow access from 127.0.0.1 ::1 (localhost IP address) and localhost (the localhost itself). That’s all the standard stuff, since access from localhost is needed for many internal system processes.
What follows is the stuff that matters to you.
The Allow from for 192.168 as well as 10 will allow access from any/all network addresses within the network range that is prefixed by those numbers.
So by indicating 192.168 that basically means if a user has an address like 192.168.59.27 or 192.168.1.123 they will be able to see the website.
And similarly using the Allow from for the 10 prefix assures that if someone has an IP address of 10.0.1.2 or even 10.90.2.3 they will be able to see the content.
Pretty much all internal networks in the world use either the 192.168 range or something in the 10 range. Nothing external. So using this combo will achieve your goal of blocking access to the outside world but only allow access from within your local network.
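An added example, not part of the original answers: a small Python check that models the Allow list above by expanding Apache's partial-address prefixes to CIDR blocks, testing client addresses against them, and listing the RFC 1918 private ranges the rules leave uncovered. The function names are hypothetical, and the sample addresses other than the two quoted in the answer are constructed.

```python
import ipaddress

# Allow arguments copied from the Apache 2.2 answer above ("localhost" is
# left out because hostname rules need DNS lookups).
ALLOW_SPECS = ["127.0.0.1", "::1", "192.168", "10"]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def spec_to_network(spec):
    """Convert one Allow / Require ip argument to an ip_network.

    Apache documents a partial IPv4 address as the first 1 to 3 bytes of
    the address, so "10" is 10.0.0.0/8 and "192.168" is 192.168.0.0/16.
    """
    if ":" in spec or "/" in spec:          # IPv6 or explicit CIDR
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if len(octets) > 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address or prefix: {spec!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")


def is_allowed(client_ip, specs=ALLOW_SPECS):
    """Order Deny,Allow with Deny from all: allowed only if an Allow matches."""
    addr = ipaddress.ip_address(client_ip)
    nets = [spec_to_network(s) for s in specs]
    return any(n.version == addr.version and addr in n for n in nets)


def uncovered_private_ranges(specs=ALLOW_SPECS):
    """RFC 1918 blocks that no Allow rule fully covers (LAN clients there get 403)."""
    nets = [n for n in map(spec_to_network, specs) if n.version == 4]
    return [str(p) for p in RFC1918 if not any(p.subnet_of(n) for n in nets)]


if __name__ == "__main__":
    # First two addresses are the ones quoted in the answer; the rest are constructed.
    for ip in ["192.168.59.27", "10.90.2.3", "100.1.2.3", "172.16.5.4", "203.0.113.7", "::1"]:
        print(f"{ip:15} {'allow' if is_allowed(ip) else 'deny'}")
    print("private ranges not covered:", uncovered_private_ranges())
```

The prefix match is per octet, so "10" does not match 100.1.2.3, and a LAN numbered in 172.16.0.0/12 needs its own Allow line.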
Add this section inside your virtual host directive:
<Location /mypathurl>
Order deny,allow
Deny from all
Allow from 192.168.1.10
</Location>
Replace your IP above. This should not be used for financial level security, FYI.
I do not know how you have your network set up; however, I am assuming some things to try and make a better answer.
Let's assume you have a small office with a DSL connection. You would have a static public IP address or a block of addresses assigned to your line, a DSL modem, and a firewall. Without getting into the details of how this happens, I will get to the important part.
You should be using NAT (network address translation). This allows the public IP addresses to reside on the WAN (Internet) side of your network and use private IP addresses (like 10.0.0.100) within the network on the LAN side. This is standard operating procedure. If you host a web server within your network, then you would use port forwarding (or other similar mechanism) to point any web traffic to your web server.
In this standard scenario, your internal computers would all use the private IP addresses.
Assuming that you have a similar standard network setup, you would change your computer IP address from a public IP address to a private IP address. Your network may have DHCP setup where your computer can request an available IP address. This means that instead of specifying an IP address, you select to use DHCP and an IP address will be assigned. If DHCP is not available, then you would have to check some other computers for a private IP address space that may be used and select an IP address within the space that is not used. You can specify this unused IP address in your network setup. This should keep your system from being seen on the Internet.