views:

331

answers:

5

I have an application hosted on Apache on UNIX, and I am allowing users to access the application URL from a Citrix environment (from a Citrix machine).

However, currently it's possible to access the URL from all the connected machines. I would like to put in a restriction so that it can only be accessed from the Citrix machine. So if anyone needs to access it, he needs access to the Citrix machine.

I tried with below:

<Directory /APP>
    Order Deny,Allow
    Deny from all
    Allow from 160.120.25.65
    Allow from 127
</Directory>

It didn't work. Any suggestions?

A few replied with an iptables solution; however, this one is loaded on Solaris (it doesn't have a firewall built into the OS as Linux does).

A: 

I would probably use an iptables rule for this. I'm not sure what the example you posted is, but you should be able to configure just about any firewall to work like you want it to.

Alex Fort
That's part of an Apache config file.
Jonathan Leffler
A: 

You could use IIS to filter IPs also. This article might help you.

http://www.15seconds.com/Issue/011227.htm

Robert
He mentioned that he's using Apache, so IIS help isn't much good.
Alex Fort
He also mentioned Unix, and IIS doesn't run on Unix, AFAIK.
Jonathan Leffler
Yeah, my bad. Sorry for misleading you.
Robert
+3  A: 

What version of Apache are you running? The IP allowing mechanisms are, AFAIK, provided by mod_authz_host, which was introduced in 2.2 (well, 2.1 technically). If you do have 2.2, make sure it wasn't compiled with mod_authz_host disabled.

Generally speaking, though, you may find a simpler and more robust solution is the iptables or other firewalling suggested in the other answers.

Jarret Hardie
+3  A: 

This should do what you need:

<Directory /APP>
    Order Allow,Deny
    Allow from 160.120.25.65
    Allow from 127.0.0.0/8
</Directory>

See the mod_authz_host documentation for details.

David Schmitt
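To check how mod_authz_host (mentioned in the two answers above) decides a request under each `Order` mode, here is a small emulator of the Apache 2.2 `Order`/`Allow`/`Deny` evaluation; it is an added example, not code from the thread or from Apache. It runs both directive sets from this thread (the question's `Deny,Allow` form and the `Allow,Deny` form in the answer) against constructed client addresses and shows they reach the same decisions, so a config that "doesn't work" is failing for a reason other than the Order logic (wrong `<Directory>` path, module not loaded, and so on).

```python
import ipaddress


def _matches(client: str, spec: str) -> bool:
    """Does a client IP match one 'Allow/Deny from' argument?
    Supports 'all', a full address, a CIDR range, and Apache's
    partial-octet form ('127' or '10.1' cover 127.0.0.0/8 or 10.1.0.0/16)."""
    if spec == "all":
        return True
    ip = ipaddress.ip_address(client)
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) < 4:                      # partial address: prefix match
        return client.split(".")[:len(octets)] == octets
    return ip == ipaddress.ip_address(spec)


def evaluate(order: str, allow: list, deny: list, client: str) -> bool:
    """Emulate the Apache 2.2 'Order' directive for one client address.
    Returns True when the request would be permitted."""
    allowed = any(_matches(client, s) for s in allow)
    denied = any(_matches(client, s) for s in deny)
    if order.lower() == "allow,deny":
        # default deny; a matching Deny overrides a matching Allow
        return allowed and not denied
    if order.lower() == "deny,allow":
        # default allow; a matching Allow overrides a matching Deny
        return not denied or allowed
    raise ValueError("unknown Order: " + order)


# The two directive sets from this thread, as (Order, Allow list, Deny list).
QUESTION_CONFIG = ("Deny,Allow", ["160.120.25.65", "127"], ["all"])
ANSWER_CONFIG = ("Allow,Deny", ["160.120.25.65", "127.0.0.0/8"], [])

# Constructed client addresses: the Citrix host, loopback, and an outsider.
CLIENTS = ["160.120.25.65", "127.0.0.1", "10.20.30.40"]


def decisions(config, clients=CLIENTS) -> dict:
    """Map each client address to the allow/deny decision for a config."""
    order, allow, deny = config
    return {c: evaluate(order, allow, deny, c) for c in clients}


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(name, decisions(cfg))
```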
A: 

I would suggest iptables for this purpose. Put a rule in iptables so that whenever the destination port is the port number of your Apache machine and the source IP is the IP address of the Citrix machine, the Linux machine drops that packet. This would solve your problem, provided there are no other applications hosted on the Apache of your machine which ought to be open for all IPs. An example of such a rule could be:

iptables -I INPUT 1 -s 160.120.25.65 -p tcp --dport <port_of_apache_on_your_machine> -j DROP

This should solve your problem, once you replace the placeholder with its proper value.

stack programmer
The application is hosted on UNIX. Can I add this in the httpd.conf file?
Mutant
You have to add this in the .bashrc file of the user who boots the machine, or add these as the default rules of iptables. This is not added in the httpd.conf file.
stack programmer