How to allow from SERVER_ADDR using Apache

+1 vote
20,384 views

I did not find a solution for this:

I want to restrict access to certain files to requests coming from the same public ip address the server is running on, like so:

order deny,allow
deny from all
allow from xx.xx.xx.xx

To make it more maintainable I would like to use the %{SERVER_ADDR} environment variable, but this does not work:

order deny,allow
deny from all
allow from %{SERVER_ADDR}

I tried syntax variations, also combined with SetEnvIf, but still no success. How can I allow access only if REMOTE_ADDR == SERVER_ADDR?

posted Jul 16, 2013 by anonymous

This could work, as could  in 2.4, but not "allow from %{SERVER_ADDR}". What did you try w/ setenvif?
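
The REMOTE_ADDR == SERVER_ADDR check asked about above, written for Apache 2.4 and for 2.2, as an added example that is not part of the original post or comment. The file name `private.php` is a placeholder, and the two variants are alternatives, not meant to be loaded together.

```apache
# Added example (not from the original thread). "private.php" is a
# placeholder for the file to protect.

# --- Apache 2.4 (mod_authz_core) ---
# "Allow from" takes literal hosts/addresses only and never expands
# %{SERVER_ADDR}. Require expr evaluates an expression per request,
# so both variables can be compared directly.
<Files "private.php">
    Require expr "%{REMOTE_ADDR} == %{SERVER_ADDR}"
</Files>

# --- Apache 2.2 (mod_rewrite) ---
# RewriteCond expands variables in the test string but not in the
# pattern, so join both values with a separator and use a
# back-reference to test that the two halves are identical.
RewriteEngine On
RewriteCond %{REMOTE_ADDR}<>%{SERVER_ADDR} !^(.*)<>\1$
# Any client whose address differs from the server's gets 403.
RewriteRule (^|/)private\.php$ - [F]
```

SERVER_ADDR is the local address the connection arrived on, so behind NAT or a reverse proxy it may not be the public address, and a request made to 127.0.0.1 from the server itself also matches.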

Similar Questions
0 votes

I want to allow a directory " /var/www/html/ldap" to two users according to IPs (192.168.1.2 192.168.1.7):

 Order allow,deny
 Allow from 192.168.1.2 192.168.1.7
 Satisfy any
 AuthName "LDAP Authentication"
 AuthType Basic

 AuthBasicProvider ldap
 AuthzLDAPauthoritative off
 AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
 Require valid-user

but I don't want to allow a sub directory to 192.168.1.7 (I want it to be allowed only to 192.168.1.2):

I have tried to add:

 Order allow,deny
 Allow from 192.168.1.2
 Satisfy any
 AuthName "LDAP Authentication"
 AuthType Basic

 AuthBasicProvider ldap
 AuthzLDAPauthoritative off
 AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
 Require valid-user

but it seems that 192.168.1.7 can reach the manager directory because it is part of the ldap directory. How can I forbid this?

0 votes

Running Apache 2.4.7 and current configuration limiting access to a directory to only clients that can provide a trusted client certificate. Server is SSL host. Would like to modify configuration to allow "local" clients (127.0.0.1, etc. as defined by Require local auth provider) to access the directory without authenticating with a client certificate. So the local host may access the directory without SSL client auth, but all others must authenticate with a client certificate or access is forbidden. What is the best/proper way to do this?

I would like to use modern directives (avoiding Allow, Deny, Order etc. from mod_access_compat) but I am not clear how to combine Require related directives with mod_ssl options like SSLVerifyClient.

Thanks in advance.

+1 vote

Apache/Tomcat (by default) does not allow symbolic linking (nice as it can cross mounted file systems) except in the top apache/lib directory. I use hard links in the Application/WEB-INF/lib directories to reduce copying and help me manage things.

HOWEVER, some applications have special needs - e.g. pictures. You don't want to always distribute these with the release of the application (Application.war file), so symbolic links are the way to go (except for MS land, sorry). The nice solution to this is:

.../webapps/Application/WEB-INF/context.xml
which must contain at least the two below lines:

However this allows ALL symbolic linking in the Application directory. I agree with the developers that this is dangerous.

Is there some way to allow linking in just ONE sub-directory of the Application?
- e.g. .../webapps/Application/images

This would allow all I need to have local images for the application without endangering other things using a symbolic link.

+1 vote

We have a setup where Apache (80,443) redirects the request to Tomcat (8080) using mod_jk.

The new requirement is to route the request from the same apache to another tomcat (8090). Hence I made the different config file for apache with different ports (86,4444) and different worker for mod_jk which routes the request to tomcat.

Now the issue is when I hit the url http://:86 and after providing the credentials, it is redirecting to https://:86 and throwing the below error.

Error in browser:

Secure Connection Failed

An error occurred during a connection to x.x.x.x:86. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

Error in logs:

"x16x03x01" 501

[Thu Jan 08 08:22:46 2015] [debug] ssl_engine_io.c(1523): OpenSSL: I/O error, 11 bytes expected to read on BIO#1bf568 [mem: 1f3930]
[Thu Jan 08 08:22:46 2015] [debug] ssl_engine_kernel.c(1806): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Thu Jan 08 08:22:46 2015] [info] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Jan 08 08:22:46 2015] [info] Connection to child 3 closed with abortive shutdown(server pritoolvca1.sw.ericsson.se:443 [2], client 153.88.164.216)
[Thu Jan 08 08:23:53 2015] [error] [client 172.17.136.153] Invalid method in request x16x03x01

Could you please suggest where it might have gone wrong and the way forward?

+2 votes

I need help in order to configure these api's in eclipse.

...