|
On 01/18/2014 09:59 PM, John List wrote:
On 01/18/2014 06:45 PM, Jeff Dyke
wrote:
Remember that IPs are easily spoofed.
Actually, since HTTP is based on a TCP connection, I don't know that
you can say that IP addresses can be spoofed in the web context.
(IP addresses can be spoofed, but that's not a security problem in
a web context since any response from the web server will be
directed to the spoofed IP address, not the one that spoofed it.)
but we all do it, and the access restrictions are
so much cleaner, as well as other things in apache2.4, so if
you can i'd upgrade. You're obviously building these as
VHosts, so they can go int the virutual host container, but
you want this page: http://httpd.apache.org/docs/2.2/howto/access.html
and http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow
In Apache 2.2
Order allow, deny
Allow from 172.168.10
Each vhost can do this in a separate <Directory /myapp/my-test1/demo/>
block but does not seem useful . I would keep this
out of Tomcat, but thats just me.
Again, if you have the ability upgrade to 2.4, disable
mod_compatibility and use the require all syntax, it will
take more work, but apache has come a long way sing 2.2.
|
