Re: Only allow reverse proxy traffic with mod_remoteip

By the way, I noticed that a VirtualHost with:
<Location "/">
Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
</Location>
has a dangerous behaviour that I did not notice directly.
It made my .htaccess files visible publicly by accessing them in a web browser when using the reverse proxy (Cloudflare).
This also resulted in my private folders, which require HTTP authentication, being publicly accessible, since the .htaccess files were not working anymore.
The issue did not happen when setting the direct server IP address for my domain name in the /etc/hosts file of my computer to bypass the reverse proxy.
Do you know why it happened? The other solution using mod_rewrite does not have this problem:
RewriteEngine on
RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
RewriteRule ^ - [F]


On Sun, 26 Apr 2020 at 10:39, baptx <baptx.is@xxxxxxxxx> wrote:
Is there a way to display an error with a different message than the 403 Forbidden page configured with "ErrorDocument 403"?
This would improve the privacy, otherwise if a website displays a 403 error on an admin login page restricted by IP address, someone trying to bypass the reverse proxy will see the same error page and could know that a domain name is used on the IP address.


On Sat, 25 Apr 2020 at 18:16, baptx <baptx.is@xxxxxxxxx> wrote:
It worked when using Require in a location, thanks!


On Sat, 25 Apr 2020 at 13:41, Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
On Sat, Apr 25, 2020 at 1:24 PM baptx <baptx.is@xxxxxxxxx> wrote:
>
> @Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}":
> I want to restrict access on some virtualhosts only because I want to use some domain names without Cloudflare.
> It looks like your previous solution with mod_rewrite is better in my case, since Require does not work in virtualhosts (I got the error: "Require not allowed in <VirtualHost> context").

Ah yes, correct, it should be enclosed in a location like:

<VirtualHost ...>
  ...
  RemoteIP...
  <Location "/">
    Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
  </Location>
  ...
</VirtualHost>

>>>
>>> Thanks Yann, it worked.

Great!

Regards,
Yann.
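
Added example, not part of the thread: a config sketch of how the posted <Location "/"> rule interacts with Apache 2.4 authorization merging, next to a variant that uses AuthMerging And. <Location> sections are merged after <Directory>, .htaccess and <Files>, and with the default AuthMerging Off a later section's Require replaces the earlier ones. The host names, paths, trusted proxy range and RemoteIP lines are assumptions, not values from the thread.

```apache
# Assumed stock rule from the main server config (not shown in the thread).
<Files ".ht*">
    Require all denied
</Files>

# Assumed protected folder; path and password file are placeholders.
# In the thread these lines live in .htaccess, which merges at the same stage.
<Directory "/var/www/example/private">
    AuthType Basic
    AuthName "Private"
    AuthUserFile "/etc/apache2/example.htpasswd"
    Require valid-user
</Directory>

# As posted: the Location section is merged last and, with AuthMerging Off
# (the default), its Require replaces "Require all denied" on .ht* files and
# "Require valid-user" on the private folder. Any request that arrives through
# the trusted proxy is then authorized for every URL in this vhost.
<VirtualHost *:80>
    ServerName weak.example
    DocumentRoot "/var/www/example"
    RemoteIPHeader CF-Connecting-IP
    # Placeholder range; use the proxy's published address ranges.
    RemoteIPTrustedProxy 192.0.2.0/24
    <Location "/">
        Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
    </Location>
</VirtualHost>

# Variant: AuthMerging And combines this section with the nearest earlier
# section that has authorization rules, as if both sat in one <RequireAll>.
# .ht* files stay denied, the private folder still needs a valid user, and
# direct (non-proxied) requests are still refused.
<VirtualHost *:80>
    ServerName merged.example
    DocumentRoot "/var/www/example"
    RemoteIPHeader CF-Connecting-IP
    RemoteIPTrustedProxy 192.0.2.0/24
    <Location "/">
        AuthMerging And
        Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
    </Location>
</VirtualHost>
```

The mod_rewrite rule in the message above does not set any Require directive, so the authorization rules from <Files> and .htaccess stay in effect.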
