Re: apache 2.4 allow by IP

On 3/19/2015 1:24 PM, Daniel wrote:


2015-03-19 18:06 GMT+01:00 Robert Webb <rwebb@xxxxxxxxxxxx>:
I don't agree with your analysis.

<ul><li><a href="" healthcheck.php</a></li> is an href inside an html page that does nothing until clicked on by the client.

This is all assuming that the access denied he is getting is from http://$(hostname -i)/server-status and "server-status" is the html page of the code he posted. Not when clicking on the healthcheck.php href link.


Robert


On Thu, 19 Mar 2015 17:57:09 +0100
 Daniel <dferradal@xxxxxxxxx> wrote:
2015-03-19 17:41 GMT+01:00 Tim Dunphy <bluethundr@xxxxxxxxx>:

Hey all,

 I'm attempting to setup the server-status module and limit access to it
by IP.

So I have this block in my apache configuration file:

#Mod_status config
    ExtendedStatus on
<Location /server-status>
    SetHandler server-status
    Require ip 10.10.10.5 127.0.0.1
</Location>

And if I do a GET by IP, I'm getting permission denied

[root@uszwslp00031la apache2]# GET http://$(hostname -i)/server-status
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<ul><li><a href="" healthcheck.php</a></li>
</ul>
</body></html>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
*<p>You don't have permission to access /server-status*
on this server.<br />
</p>
</body></html>

Can someone please let me know where I'm going wrong?

Thanks
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Hello,

This should give you a tip:
<h1>Index of /</h1>
<ul><li><a href="" healthcheck.php</a></li> <-------------
which has nothing to do with server-status

make sure you are accessing the correct virtualhost

--
*Daniel Ferradal*
IT Specialist

email         dferradal@xxxxxxxxx
linkedin     es.linkedin.com/in/danielferradal



Should that be the case he still needs to check the error.log


--
Daniel Ferradal
IT Specialist

email         dferradal@xxxxxxxxx
2015-03-19 20:33 GMT+01:00 Larry Irwin <larry.irwin@xxxxxxxxxxxxxx>:
How about using this within a Directory entry:
                Order deny,allow
                Deny from all
                # Private IP ranges
                Allow from 127.0.0.1/32
                Allow from 10.0.0.5/32
And then add the server status area under that Directory...
Wouldn't that do it?
-- 
Larry Irwin
V.P. Development
CCA Medical
Ph: 864-233-2700 ext 225
Fax: 864-271-1755
Cell: 864-525-1322
Email: larry.irwin@xxxxxxxxxxxxxx 

He is using Require, so 2.4.x. Using deprecated directives in 2.4 is not recommended.

The server-status uri will be a virtual path when you define the handler for it, not a real directory, so the logical way is calling it Location.

Also if you need to define ranges in 2.4 (not sure about 2.2 now) I don't think you need to use CIDR notation, even less if you use /32 hostmask which is the same as the IP alone. In 2.4 with Require you can even just specify part of the ip to define ranges: aka "Require ip 10" to allow 10.0.0.0/8.

He needs to check source ip and error.log to know why he is being denied access.


--
Daniel Ferradal
IT Specialist

email         dferradal@xxxxxxxxx
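
Added example (not part of the original thread and not code from any poster): a Python sketch of how `Require ip` operands match a client address, covering the operand forms discussed above (full address, partial address such as "Require ip 10", netmask and CIDR). The function names and the client addresses are constructed for illustration; the real client address is the one recorded in the access log.

```python
import ipaddress

def operand_to_network(operand):
    """Convert one `Require ip` operand to an ip_network.

    Handles a full address, a partial IPv4 address (first 1 to 3 octets),
    network/netmask, CIDR, and IPv6.
    """
    if "/" in operand or ":" in operand:
        # ipaddress parses CIDR, dotted netmasks and IPv6 directly;
        # strict=False masks off any host bits instead of raising.
        return ipaddress.ip_network(operand, strict=False)
    octets = operand.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError("bad operand: " + operand)
    prefix = 8 * len(octets)  # "10" -> /8, "10.10" -> /16, full IP -> /32
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{prefix}")

def require_ip_allows(directive, client_ip):
    """True if client_ip matches any operand of a `Require ip ...` line."""
    words = directive.split()
    if [w.lower() for w in words[:2]] != ["require", "ip"]:
        raise ValueError("not a Require ip directive")
    client = ipaddress.ip_address(client_ip)
    for operand in words[2:]:
        net = operand_to_network(operand)
        # An IPv4 operand never matches an IPv6 client such as ::1.
        if client.version == net.version and client in net:
            return True
    return False

if __name__ == "__main__":
    rule = "Require ip 10.10.10.5 127.0.0.1"  # the rule from the thread
    # Constructed client addresses, standing in for what the access log shows.
    for client in ["127.0.0.1", "10.10.10.5", "10.10.10.7", "::1"]:
        verdict = "granted" if require_ip_allows(rule, client) else "denied"
        print(f"{client:<12} {verdict}")
    print(require_ip_allows("Require ip 10", "10.200.3.4"))  # partial address
```

A request that arrives from any address other than the two listed, including the IPv6 loopback ::1, does not match the rule, which is why checking the logged source IP comes before changing the directive.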
