Re: Best practice for restricting access to exact IP addresses


 



In my scenario, that might work, and I appreciate the elegance of
high-order switches to access.  However, my exact question would lead to a
more useful solution for myself and others.

Let's consider, for example, I created a dashboard in PHP for modifying my
SQL database.  It would be best to have a user authentication written into
the PHP, but I'm in a hurry and have a static IP so I think to myself,
"Hey, this IP never changes.  I'm the only one on my network. Let's block
this access according to path and IP address.  I'll put in 192.168.40.80
and nobody else can get there unless they are physically in my house or
logged in my console."

Another case would be I might have an embedded system on manufacturing
equipment that provides access to: an operator (x.x.40.70), a supervisor
(x.x.40.80) and an IT technician (v.w.y.z).  They may need to access
certain restricted portions of the webserver from permanently fixed
terminals on a piece of machinery.  It might not be in the supervisor's
interest to have the operator's web-dashboard be allowed to modify the
parameters of the machine.  The IT administrator would probably not want
the supervisor accessing admin tools, such as phpmyadmin.


> you could try /etc/hosts.deny
>
> On Fri, Dec 1, 2017 at 4:03 AM, Timothy D Legg <apache@xxxxxxxxxxxxxxx>
> wrote:
>
>> Hello,
>>
>> I am wanting to restrict a subdirectory of a website to a single, maybe
>> two, IP addresses.
>>
>> I will refer to this documentation:
>>    httpd.apache.org/docs/current/howto/access.html
>> under the section "Access control by host".
>>
>> This document suggests that 'Allow', 'Order', and 'Deny' are deprecated,
>> so I am avoiding using these going forwards.  I decided to exercise this
>> restriction with mod_authz_host.  I verified that authz_core_module,
>> authz_host_module, authz_user_module are enabled.
>>
>> I added these lines inside the <VirtualHost *:443> block:
>>
>> <Directory /var/www/html/graphs>
>>         Require ip 192.168.40.80
>> </Directory>
>>
>> But a test revealed I was able to wget graphs/test.html on a different
>> machine (192.168.40.81).
>>
>> I've only read the documentation.  Practically every non-Apache website
>> still uses Order-Allow-Deny methodologies, so it's still not clear how
>> this is actually done in practice.  Why did this not work?
>>
>> Thanks,  Timothy D Legg
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>>
>
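
The second scenario above (operator, supervisor and IT terminals) written as Apache 2.4 `Require ip` rules. This is an added example, not part of the original message; the directory names are hypothetical and the addresses are constructed placeholders standing in for the elided ones.

```apache
# Added example. Place inside the existing <VirtualHost *:443> block.
# Requires mod_authz_core and mod_authz_host (Apache 2.4).
# Addresses are constructed placeholders from the RFC 5737 documentation
# ranges; directory names are hypothetical.
#   operator terminal    192.0.2.70
#   supervisor terminal  192.0.2.80
#   IT technician        198.51.100.10

# Default for the restricted tree: nobody gets in unless a more
# specific <Directory> section below grants access.
<Directory /var/www/html/machine>
    Require all denied
</Directory>

# Operator dashboard: operator terminal only.
<Directory /var/www/html/machine/operator>
    Require ip 192.0.2.70
</Directory>

# Machine parameters: supervisor terminal only, so the operator's
# dashboard cannot be used to change them.
<Directory /var/www/html/machine/supervisor>
    Require ip 192.0.2.80
</Directory>

# Admin tools (for example phpmyadmin): IT technician only.
# <RequireAny> is where a second permitted address would be listed.
<Directory /var/www/html/machine/admin>
    <RequireAny>
        Require ip 198.51.100.10
    </RequireAny>
</Directory>
```

`Require ip` matches the peer address Apache itself sees, so clients arriving through a reverse proxy or NAT all present the intermediary's address. After `apachectl -t` and a reload, request each path from each terminal and confirm the access log shows 403 for every address that is not listed.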






