tags:

views:

704

answers:

3
Q: 

Apache2 access restricted to local LAN

Until recently, I had a bunch of virtual sites set up like so:

<VirtualHost 127.0.0.1:1234>
    ...

This works fine for testing on my local machine, where I use a Linux desktop. In order to test how MS and explorer displays my pages from my Windows laptop, I changed this to

<VirtualHost *:1234>
    ...

Which also works fine, calling the site up from http://[mylinuxservername]:1234 on my laptop's IE. However, I want to restrict that wildcard to the local lan. Plugging in any ip, like 192.nnn.nnn.nnn or 192.*.*.* where the wildcard is above results in 403 Forbidden on the windows machine. The local server still works fine on my Linux box:

<VirtualHost 127.0.0.1:1234 192.*.*.*:1234>
    ...

or 

<VirtualHost 127.0.0.1:1234 192.nnn.nnn.nnn:1234> #exact IP of laptop
    ...

Anyway, I don't like that wildcard in the second config example above. Hints anyone?

+1  A: 

Belongs on serverfault, but whatever:

The parameter(s) of <VirtualHost are the local addresses you listen to, not the remote ones.

You are looking for authz_host configuration:

Order Allow,Deny
allow from 127.0.0.0/8
allow from 192.168.0.0/16
phihag  2009-06-16 15:22:41
Thank you! Works great. What do the numbers at the end of the ip after the forward slashes mean?
 2009-06-16 15:33:02
@~jack-laplante Already answered by Ted: CIDR notation (The number of invariable bits)
phihag  2009-06-16 18:00:33
A: 

Use iptables to restrict access to the machine itself. The first command will allow HTTP traffic from any network in the 192 range (note that I think you need 192.168 to truly be local but I could wrong). The second command simply drops packets from other sources for port 80

iptables -I 1 INPUT -s 192.0.0.0/8 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


iptables -I 2 INPUT -p tcp --dport 80 -m state --state NEW -j DROP

Then in your virtual host you can do <VirtualHost *:80>

Cfreak  2009-06-16 15:24:18
+1  A: 

Jack,

The /8 and /16 are lengths of the subnet mask. It's CIDR Notation

tethys  2009-06-16 16:19:55
So much arcana, so little time :-) Thanks!
 2009-06-16 16:46:04

related questions

How to fix Apache instability ?
Apache Redirect Rule Always fires on every request
Disabling non-secure access for only one URL on one instance of apache
PHP4 for Apache 2.2.9 in Ubuntu server 8.10
What Virtual Host Definitions do I need to support subdomain.mydomain.com and *.mydomain.com on the same IP Address on Apache 2?
What access does Apache 2.0 need in Windows Server 2003 in order to start as a service?
Using Subversion and Apache
How to fix apache2 timestamps, incorrect values
Why is _POST sometimes empty when a textarea is posted in PHP
How to make Apache/mod_python process collect its zombies?
Apache development config on OS X (again)
Windows could not start the Apache2 on Local Computer - problem
Alternative Reverse Proxy Architecture Directions
Can I run LAMP and Rails from the same Apache instance?
Apache configuration help -- Why are different processes "in" different time zones?
Is there any way to determine the amount of time a client spends on a web page
Apache/Rails/Passenger Displaying Site Index?
How can I use post-commit hooks to copy committed files to a web directory from SVN?
Running Apache without explicitly declaring listening on ports such as :3000 or :6600
Apache rate limiting options
Intra-process coordination in mod_perl under the worker MPM
Licensing: Changing Apache License v2 code to GPLv3 licensed code
Django + FCGID on Fedora Core 9 -- what am I missing?
How do I install modperl under OS X Leopard's default Apache 2?
Failures caused by logrotate on Apache 2 with passphrase protected SSL key