httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Osama Elnaggar <>
Subject Re: [users@httpd] Best practice for restricting access to exact IP addresses
Date Fri, 01 Dec 2017 12:59:28 GMT
While testing, are you sure that you’re accessing it over HTTPS and not
HTTP?  If this is over normal HTTP, then none of your below configuration
will apply.

Osama Elnaggar

On December 1, 2017 at 11:39:11 PM, Timothy D Legg (

There is only one virtualhost active, so it is inherently unique.

I tried the following:

<Directory /var/www/html/graphs>
<Directory /graphs>
<Directory graphs/>
<Directory /graphs/>
<Directory graphs>

I have not tried:

<Directory /var/www/html/graphs/>

but I suspect that this isn't where the problem lies.

This is a privacy-sanitized edit of the exact conf file. By the way, I
did reload the server on each modification.

<IfModule mod_ssl.c>
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on

SSLCertificateFile /vault/cert.pem
SSLCertificateKeyFile /vault/key.pem
SSLCertificateChainFile /vault/CAchain.pem
SSLCACertificateFile /vault/2017.txt

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
<Directory graphs>
Require ip

> Make sure you are really landing in the same virtualhost with that
> directory configuration.
> That may very well be an explanation to why it is not happening for
> you. Remember to define a unique servername in each virtualhost,
> different log names for each virtualhost, etc.
> 2017-12-01 11:28 GMT+01:00 Timothy D Legg <>:
>> In my scenario, that might work, and I appreciate the elegance of
>> high-order switches to access. However, my exact question would lead to
>> a
>> more useful solution for myself and others.
>> Lets consider, for example, I created a dashboard in PHP for modifying
>> my
>> SQL database. It would be best to have a user authentication written
>> into
>> the PHP, but I'm in a hurry and have a static IP so I think to myself,
>> "Hey, this IP never changes. I'm the only one on my network. Lets block
>> this access according to path and IP address. I'll put in
>> and nobody else can get there unless they are physically in my house or
>> logged in my console."
>> Another case would be I might have an embedded system on manufacturing
>> equipment that provides access to: an operator (x.x.40.70), a supervisor
>> (x.x.40.80) and an IT technician (v.w.y.z). They may need to access
>> certain restricted portions of the webserver from permanently fixed
>> terminals an a piece of machinery. It might not be in the supervisor's
>> interest to have the operator's web-dashboard be allowed to modify the
>> parameters of the machine. The IT administrator would probably not want
>> the supervisor accessing admin tools, such as phpmyadmin.
>>> you could try /etc/hosts.deny
>>> On Fri, Dec 1, 2017 at 4:03 AM, Timothy D Legg <>
>>> wrote:
>>>> Hello,
>>>> I am wanting to restrict a subdirectory of a website to a single,
>>>> maybe
>>>> two, IP addresses.
>>>> I will refer to this documentation:
>>>> under the section "Access control by host".
>>>> This document suggests that 'Allow', 'Order', and 'Deny' are
>>>> deprecated,
>>>> so I am avoiding using these going forwards. It decided to exercise
>>>> this
>>>> restriction with mod_authz_host. I verified that authz_core_module,
>>>> authz_host_module, authz_user_module are enabled.
>>>> I added these lines inside the <VirtualHost *:443> block:
>>>> <Directory /var/www/html/graphs>
>>>> Require ip
>>>> </Directory>
>>>> But a test revealed I was able to wget graphs/test.html on a different
>>>> machine (
>>>> I've only read the documentation. Practically every non-Apache
>>>> website
>>>> still uses Order-Allow-Deny methodologies, so it's still not clear how
>>>> this is actually done in practice. Why did this not work?
>>>> Thanks, Timothy D Legg
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail:
>>>> For additional commands, e-mail:
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
> --
> Daniel Ferradal
> IT Specialist
> email dferradal at
> linkedin
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message