From: Osama Elnaggar
To: Timothy D Legg, users@httpd.apache.org
Date: Fri, 1 Dec 2017 04:59:28 -0800
Subject: Re: [users@httpd] Best practice for restricting access to exact IP addresses
In-Reply-To: <8d350542bd598dce1a5abf732c5b3f71.squirrel@sellfam.com>
References: <1039908e04063245c7a6192ad7c4542c.squirrel@www.sellfam.com> <8d350542bd598dce1a5abf732c5b3f71.squirrel@sellfam.com>
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm

While testing, are you sure that you're accessing it over HTTPS and not HTTP? If this is over normal HTTP, then none of your below configuration will apply.

--
Osama Elnaggar

On December 1, 2017 at 11:39:11 PM, Timothy D Legg (apache@timothylegg.com) wrote:

There is only one virtualhost active, so it is inherently unique.

I tried the following:

<Directory /var/www/html/graphs>
<Directory /graphs>
<Directory graphs/>
<Directory /graphs/>
<Directory graphs>

I have not tried:

<Directory /var/www/html/graphs/>

but I suspect that this isn't where the problem lies.

This is a privacy-sanitized edit of the exact conf file. By the way, I
did reload the server on each modification.


<IfModule mod_ssl.c>
    NameVirtualHost *:443
    <VirtualHost *:443>
        ServerName example.com
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLCertificateFile /vault/cert.pem
        SSLCertificateKeyFile /vault/key.pem
        SSLCertificateChainFile /vault/CAchain.pem
        SSLCACertificateFile /vault/2017.txt

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        <Directory graphs>
            Require ip 172.12.33.177
        </Directory>
    </VirtualHost>
</IfModule>



> Make sure you are really landing in the same virtualhost with that
> directory configuration.
>
> That may very well be an explanation to why it is not happening for
> you. Remember to define a unique servername in each virtualhost,
> different log names for each virtualhost, etc.
>
>
> 2017-12-01 11:28 GMT+01:00 Timothy D Legg <apache@timothylegg.com>:
>> In my scenario, that might work, and I appreciate the elegance of
>> high-order switches to access. However, my exact question would lead to
>> a more useful solution for myself and others.
>>
>> Let's consider, for example, I created a dashboard in PHP for modifying
>> my SQL database. It would be best to have a user authentication written
>> into the PHP, but I'm in a hurry and have a static IP so I think to myself,
>> "Hey, this IP never changes. I'm the only one on my network. Let's block
>> this access according to path and IP address. I'll put in 192.168.40.80
>> and nobody else can get there unless they are physically in my house or
>> logged in my console."
>>
>> Another case would be I might have an embedded system on manufacturing
>> equipment that provides access to: an operator (x.x.40.70), a supervisor
>> (x.x.40.80) and an IT technician (v.w.y.z). They may need to access
>> certain restricted portions of the webserver from permanently fixed
>> terminals on a piece of machinery. It might not be in the supervisor's
>> interest to have the operator's web-dashboard be allowed to modify the
>> parameters of the machine. The IT administrator would probably not want
>> the supervisor accessing admin tools, such as phpmyadmin.
>>
>>
>>> you could try /etc/hosts.deny
>>>
>>> On Fri, Dec 1, 2017 at 4:03 AM, Timothy D Legg <apache@timothylegg.com>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> I am wanting to restrict a subdirectory of a website to a single,
>>>> maybe two, IP addresses.
>>>>
>>>> I will refer to this documentation:
>>>> httpd.apache.org/docs/current/howto/access.html
>>>> under the section "Access control by host".
>>>>
>>>> This document suggests that 'Allow', 'Order', and 'Deny' are
>>>> deprecated, so I am avoiding using these going forwards. I decided to
>>>> exercise this restriction with mod_authz_host. I verified that
>>>> authz_core_module, authz_host_module, authz_user_module are enabled.
>>>>
>>>> I added these lines inside the <VirtualHost *:443> block:
>>>>
>>>> <Directory /var/www/html/graphs>
>>>> Require ip 192.168.40.80
>>>> </Directory>
>>>>
>>>> But a test revealed I was able to wget graphs/test.html on a different
>>>> machine (192.168.40.81).
>>>>
>>>> I've only read the documentation. Practically every non-Apache
>>>> website still uses Order-Allow-Deny methodologies, so it's still not
>>>> clear how this is actually done in practice. Why did this not work?
>>>>
>>>> Thanks, Timothy D Legg
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>>
>>>
>>
>>
>>
>>
>
>
>
> --
> Daniel Ferradal
> IT Specialist
>
> email dferradal at gmail.com
> linkedin es.linkedin.com/in/danielferradal
>
>
>




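Two points raised in this thread can be checked mechanically before reloading the server: `<Directory>` takes a full filesystem path (a bare `graphs`, as in the posted vhost, matches no directory on disk, so its `Require ip` never applies), and a section placed inside `<VirtualHost *:443>` only governs requests that arrive on that vhost, which is Osama's HTTP-versus-HTTPS question. The lint below is an added example, not code from the thread or from the httpd project. It parses a constructed config in the shape of the one posted above, plus an assumed plain-HTTP vhost the thread does not show, and reports both problems; the corrected sample places the absolute-path `<Directory>` block in the main server scope, where httpd merges it into every vhost. The parser assumes ordinary httpd.conf layout (one directive per line, container tags on their own lines).

```python
"""Lint an httpd config for the two pitfalls discussed in the thread.
Added example, not from the thread or the httpd project.  Assumes one
directive per line and container open/close tags on lines of their own."""
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path

OPEN_RE = re.compile(r"^<(\w+)\s+(.+?)>$")   # <Directory /path>, <VirtualHost *:443>
CLOSE_RE = re.compile(r"^</(\w+)>$")          # </Directory>


@dataclass
class Section:
    name: str        # lower-cased container name; "server" for the top level
    arg: str         # container argument with surrounding quotes stripped
    directives: list = field(default_factory=list)
    children: list = field(default_factory=list)


def parse(text):
    """Build a tree of containers; directives are kept verbatim as strings."""
    root = Section("server", "")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            sec = Section(m.group(1).lower(), m.group(2).strip().strip('"'))
            stack[-1].children.append(sec)
            stack.append(sec)
            continue
        m = CLOSE_RE.match(line)
        if m:
            if len(stack) == 1 or stack[-1].name != m.group(1).lower():
                raise ValueError(f"unbalanced </{m.group(1)}>")
            stack.pop()
            continue
        stack[-1].directives.append(line)
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1].name}>")
    return root


def walk(sec, ancestors=()):
    """Pre-order traversal yielding (section, tuple of enclosing sections)."""
    yield sec, ancestors
    for child in sec.children:
        yield from walk(child, ancestors + (sec,))


def lint(text):
    """Return human-readable findings; an empty list means neither pitfall is present."""
    root = parse(text)
    findings = []
    vhosts = {s.arg for s, _ in walk(root) if s.name == "virtualhost"}
    coverage = {}  # directory path -> scopes that carry a Require ip for it
    for sec, ancestors in walk(root):
        if sec.name != "directory":
            continue
        if not sec.arg.startswith("/"):
            findings.append(f"<Directory {sec.arg}>: Directory takes a full filesystem "
                            f"path; a relative name matches no directory on disk")
        if any(d.lower().startswith("require ip") for d in sec.directives):
            inside = [a.arg for a in ancestors if a.name == "virtualhost"]
            coverage.setdefault(sec.arg, set()).add(inside[-1] if inside else "server")
    for path, scopes in coverage.items():
        if "server" in scopes:      # main-server sections are merged into every vhost
            continue
        missing = sorted(vhosts - scopes)
        if missing:
            findings.append(f"Require ip for {path} lives only in <VirtualHost "
                            f"{', '.join(sorted(scopes))}>; requests arriving on "
                            f"<VirtualHost {', '.join(missing)}> are not restricted")
    return findings


# Constructed sample in the shape of the sanitized vhost posted above, plus an
# assumed plain-HTTP vhost (not shown in the thread) serving the same DocumentRoot.
BROKEN_CONF = """
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        DocumentRoot /var/www/html
        <Directory graphs>
            Require ip 192.168.40.80
        </Directory>
    </VirtualHost>
</IfModule>
"""

# Corrected: absolute path, placed in the main server scope so both vhosts inherit it.
FIXED_CONF = """
<Directory /var/www/html/graphs>
    Require ip 192.168.40.80
</Directory>
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /var/www/html
</VirtualHost>
"""

if __name__ == "__main__":
    sources = [(p, Path(p).read_text()) for p in sys.argv[1:]] or [
        ("BROKEN_CONF", BROKEN_CONF), ("FIXED_CONF", FIXED_CONF)]
    for label, conf in sources:
        print(f"== {label}")
        for finding in lint(conf) or ["no findings"]:
            print("  " + finding)
```

Run with no arguments to see the two findings on the broken sample and none on the corrected one, or pass the real files (for example the contents of `sites-enabled/`) as arguments. The lint only reads the config; the check that actually matters is done from a second host after the reload: a request for `/graphs/` from an address that is not listed must return 403 on both `http://` and `https://`, because a correctly scoped `Require ip` is only observable from a client that is supposed to be refused.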