Re: Apache configuration question - restrict folder access to local machine only

2008-04-11 Thread Torsten Foertsch
On Fri 11 Apr 2008, John Zhang wrote:
 We have a situation that we would like to restrict the
 access to certain folders only to requests from the
 local machine.  Here is why:
 When a page is processed by our filter, the filter
 (based on page logic) may request pages (just like a
 regular web page request) that should never go to the
 browser.  We put these pages in a folder.  And would
 like to use apache config to restrict the access to
 only the local machine.  Here is the config
 <LocationMatch /secrete-stuff/>
     Order Deny,Allow
     Deny from all
     Allow from 127.0.0.1
     #Allow from localhost
 </LocationMatch>

 The issue we face:
     When our filter issues the request, we use the
 hostname from the original request. eg, original
 request
 http://1.2.3.4/index.html
 our filter might issue
 http://1.2.3.4/something/secrete-stuff/server.js

 In order to make the above directive work, we will
 have to put the ip (1.2.3.4) in the Allow section.
 However, we are planning to deploy many servers, it
 would be very hard for us to edit each config file.
 So we are wondering if there is any way we can achieve
 the same result without making ip-specific changes.

I see several ways to solve your problem each depending on your setup. I 
assume you are using modperl 2 with apache 2.2.x.

1) You can fetch the IP address in a Perl block and add the appropriate 
Allow statement. I use something similar on my notebook. Normally I am at 
home connected to my LAN. Then the apache should listen on 192.168.0.4. When 
I am not connected to my LAN the apache should nevertheless be able to start. 
So, I check if there is an interface with my IP address and add the Listen 
directive only if so:

<Perl>
use IO::Interface::Simple;
my ($opi, $vm);
# Add the Listen directives only for addresses that are present on this host
foreach my $if (IO::Interface::Simple->interfaces) {
  if( $if->address eq '192.168.0.4' ) {
    push @PerlConfig, 'Listen opi.home:80', 'Listen opi.home:443';
    $opi++;
  } elsif( $if->address eq '192.168.9.1' ) {
    push @PerlConfig, 'Listen opi-vm.home:80', 'Listen opi-vm.home:443';
    $vm++;
  }
}

warn "WARNING: could not find opi.home. Not listening on this address"
  unless( $opi );
warn "WARNING: could not find opi-vm.home. Not listening on this address"
  unless( $vm );
</Perl>

I don't know how well this works inside a Location. Maybe you'll have to 
configure the whole Location block in Perl.

2) It's not well documented but apache can evaluate environment variables 
during configuration. So you can set one containing your local IP address and 
then write

  Allow from ${LOCAL_IP}

3) use a fake hostname set in your /etc/hosts that points to the local IP on 
each host.

4) If your setup is identical on all servers you must be listening on 
127.0.0.1 as well. So why not issue the request to this address?

5) This is the best solution in my opinion. Why do you bother yourself and 
your server with issuing a full featured request? Why not a subrequest, 
$r->lookup_uri or even better $r->lookup_file? In the latter case your secure 
resources can be even outside your DocumentRoot. You only have to make it 
accessible via a Directory block.

6) a .htaccess file in your secured directory with the following content:

PerlAccessHandler sub { \
  use Apache2::RequestRec (); \
  use Apache2::Connection (); \
  use Apache2::Const -compile => qw(OK FORBIDDEN); \
  return Apache2::Const::FORBIDDEN \
    unless $_[0]->connection->local_ip eq $_[0]->connection->remote_ip; \
  return Apache2::Const::OK; \
}

Alternatively this statement may also be in a Location or Directory block. It 
may also be a PerlInitHandler (within Location, Directory or .htaccess) or 
PerlHeaderParserHandler.

Torsten

--
Need professional mod_perl support?
Just ask me: [EMAIL PROTECTED]
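
Option 5 above (a subrequest instead of a full HTTP request), as an added example that is not part of the original post: the protected folder refuses every request that arrives from a client, and the filter resolves the internal file through `lookup_uri`, so no IP address appears in the configuration. The package name `My::InternalOnly`, the helper `internal_file` and the httpd.conf wiring shown in the comments are hypothetical; it assumes mod_perl 2 on Apache 2.2 and plain files in the folder.

```perl
# Added example (not from the original post). Assumed httpd.conf wiring:
#
#   PerlModule My::InternalOnly
#   <LocationMatch /secrete-stuff/>
#       PerlAccessHandler My::InternalOnly
#   </LocationMatch>
#
package My::InternalOnly;            # hypothetical package name
use strict;
use warnings;

use Apache2::RequestRec  ();         # status, filename
use Apache2::RequestUtil ();         # is_initial_req
use Apache2::SubRequest  ();         # lookup_uri
use Apache2::Const -compile => qw(OK FORBIDDEN HTTP_OK);

# Access handler for the protected folder. A request that came in over a
# client connection is the initial request and is refused, whatever its
# source address. Subrequests are let through. Internal redirects are not
# initial requests either, so no rewrite rule or ErrorDocument should
# point into this folder.
sub handler {
    my $r = shift;
    return Apache2::Const::FORBIDDEN if $r->is_initial_req;
    return Apache2::Const::OK;
}

# Hypothetical helper for the filter: resolve an internal URI with a
# subrequest and return the path of the file behind it, or nothing if the
# lookup was refused or the file does not exist. No socket is opened.
# Inside a filter, call it as
#   My::InternalOnly::internal_file($f->r, '/something/secrete-stuff/server.js')
sub internal_file {
    my ($r, $uri) = @_;                  # $r: the request being filtered
    my $subr = $r->lookup_uri($uri);     # URI translation and access phase
    return unless $subr->status == Apache2::Const::HTTP_OK;
    my $file = $subr->filename;
    return $file if defined $file && -f $file;
    return;
}

1;
```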


[OT] Re: Apache configuration question - restrict folder access to local machine only

2008-04-11 Thread Issac Goldstand


This really belongs on [EMAIL PROTECTED], but having been asked already...

You could put it into a separate VirtualHost container, which listens on 
127.0.0.1  Then you don't need to worry about Allow from to begin with.


  Issac

John Zhang wrote:

I have this question, and not sure if this is the
right place.  If not, I do appreciate someone pointing
me to the right place.

We have a situation that we would like to restrict the
access to certain folders only to requests from the
local machine.  Here is why:
When a page is processed by our filter, the filter
(based on page logic) may request pages (just like a
regular web page request) that should never go to the
browser.  We put these pages in a folder.  And would
like to use apache config to restrict the access to
only the local machine.  Here is the config
<LocationMatch /secrete-stuff/>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    #Allow from localhost
</LocationMatch>

The issue we face:
When our filter issues the request, we use the
hostname from the original request. eg, original
request
http://1.2.3.4/index.html
our filter might issue
http://1.2.3.4/something/secrete-stuff/server.js

In order to make the above directive work, we will
have to put the ip (1.2.3.4) in the Allow section. 
However, we are planning to deploy many servers, it
would be very hard for us to edit each config file. 
So we are wondering if there is any way we can achieve
the same result without making ip-specific changes.

Thanks in advance for your help.
John


Re: Apache configuration question - restrict folder access to local machine only

2008-04-11 Thread John ORourke
Expertly brought back on topic there, Torsten... if I ask about the 
price of beans and how it relates to global warming can you give me a 
mod_perl related answer? :)


John

Torsten Foertsch wrote:

On Fri 11 Apr 2008, John Zhang wrote:
  

We have a situation that we would like to restrict the
access to certain folders only to requests from the
local machine.  Here is why:

I see several ways to solve your problem each depending on your setup. I 
assume you are using modperl 2 with apache 2.2.x.
  




Re: [RELEASE CANDIDATE] mod_perl-2.0.4 RC1

2008-04-11 Thread Niko Tyni
Philippe M. Chiasson wrote:

 The mod_perl 2.0.4 release candidate 1 "Works with Perl 5.10" is 
 ready. It can be downloaded here:

 http://www.apache.org/~gozer/mp2/mod_perl-2.0.4-rc1.tar.gz

Hi,

I can report that the test suite passes on current Debian unstable with
both Perl 5.8.8 and 5.10.0. 

However, with 5.10.0, the Apache2 server crashes on shutdown after the
test suite with a segmentation fault, which goes unnoticed by the build
system. The crash can be reproduced by running just two tests:

./t/TEST t/api/content_encoding.t t/modules/apache_status.t

This is a bug in Perl itself, it can be reduced to

 #!/usr/bin/perl -w
 use Compress::Zlib;
 use Devel::Symdump;
 print Devel::Symdump->isa_tree;
 __END__

which crashes for me on Perl 5.10.0 but not 5.8.8.

More details can be found at 

 http://rt.perl.org/rt3/Public/Bug/Display.html?id=52740

There's probably nothing mod_perl2 can or should do about this, but
I thought you'd want to know :)

Cheers,
-- 
Niko Tyni   [EMAIL PROTECTED]


Re: Apache configuration question - restrict folder access to local machine only

2008-04-11 Thread Colin Wetherbee

John ORourke wrote:
Expertly brought back on topic there, Torsten... if I ask about the 
price of beans and how it relates to global warming can you give me a 
mod_perl related answer? :)


Price of beans increases due to fuel costs, driven by the economy, 
affected by global warming... um... all because mod_perl is used on so 
many servers that data center power requirements have gone through the 
roof and required more fossil fuel power plants to be built! ;)


Not Torsten,
Colin