Question

Until recently, I had a bunch of virtual sites set up like so:

<VirtualHost 127.0.0.1:1234>
    ...

This works fine for testing on my local machine, where I use a Linux desktop. In order to test how MS and explorer displays my pages from my Windows laptop, I changed this to

<VirtualHost *:1234>
    ...

Which also works fine, calling the site up from http://[mylinuxservername]:1234 on my laptop's IE. However, I want to restrict that wildcard to the local LAN. Plugging in any IP, like 192.nnn.nnn.nnn or 192.*.*.* where the wildcard is above results in 403 Forbidden on the Windows machine. The local server still works fine on my Linux box:

<VirtualHost 127.0.0.1:1234 192.*.*.*:1234>
    ...

or

<VirtualHost 127.0.0.1:1234 192.nnn.nnn.nnn:1234> #exact IP of laptop
    ...

Anyway, I don't like that wildcard in the second config example above. Hints anyone?


Solution

The parameter(s) of VirtualHost are the local addresses you listen to, not the remote ones.

In Apache 2.4 and newer, use the Require directive:

Require ip 127.0.0.0/8
Require ip 192.0.0.0/8

If you are using Apache 2.2 or earlier, use the authz_host configuration:

Order Allow,Deny
Allow from 127.0.0.0/8
Allow from 192.168.0.0/16

This may also work on Apache 2.4, but Order and Allow have been deprecated.

OTHER TIPS

Just a note in case some noobs like me come here :)

Apache HTTP Server is configured by placing directives in plain text configuration files. The main configuration file is usually called httpd.conf. (Main Configuration Files)

For version 2.4

The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use. (Access Control)

Require ip 127.0.0.0/8
Require ip 192.0.0.0/8

or (not exactly the same)

Require ip 127.0
Require ip 192.168
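
The two rule sets above do not admit the same clients. As an added example (not part of the original answers, and a model of the matching rather than Apache's own code), this Python script parses the three IPv4 argument forms of `Require ip` and evaluates constructed client addresses against both rule sets; the function names are hypothetical.

```python
import ipaddress


def parse_require_ip(spec):
    """Turn one `Require ip` argument into an IPv4 network.

    Covers CIDR (a.b.c.d/n), network/netmask (a.b.c.d/m.m.m.m) and a
    partial address of 1-3 octets.
    """
    if "/" in spec:
        # strict=False tolerates host bits set in the written network.
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) < 4:
        # Partial address: "192.168" means every address starting 192.168.
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    return ipaddress.ip_network(spec)  # full address, a single host (/32)


def allowed(client, specs):
    """Sibling Require lines act as RequireAny: one match grants access."""
    addr = ipaddress.ip_address(client)
    return any(addr in parse_require_ip(s) for s in specs)


# Rule sets taken from the page.
WIDE = ["127.0.0.0/8", "192.0.0.0/8"]
PARTIAL = ["127.0", "192.168"]

# Constructed sample clients: loopback, a LAN host, and addresses
# outside 192.168.0.0/16 (192.0.2.0/24 is a documentation range).
CLIENTS = ["127.0.0.1", "127.1.2.3", "192.168.1.20", "192.0.2.10", "10.0.0.5"]


def compare():
    """Map each client to (allowed by WIDE, allowed by PARTIAL)."""
    return {c: (allowed(c, WIDE), allowed(c, PARTIAL)) for c in CLIENTS}


if __name__ == "__main__":
    for client, (wide, partial) in compare().items():
        print(f"{client:15} /8 rules: {wide!s:5}  partial rules: {partial}")
```

The `192.0.0.0/8` rule accepts `192.0.2.10`, which is not a `192.168` LAN address, while the partial form `192.168` rejects it.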

Use iptables to restrict access to the machine itself. The first command will allow HTTP traffic from any network in the 192 range (note that I think you need 192.168 to truly be local but I could be wrong). The second command simply drops packets from other sources for port 80.

iptables -I INPUT 1 -s 192.0.0.0/8 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -I INPUT 2 -p tcp --dport 80 -m state --state NEW -j DROP

Then in your virtual host you can do <VirtualHost *:80>

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow