OT – Httpd/conf.d Include Questions – Allowing Only Some Addresses
My web searching is not finding out the answers to this, so I turn to you all here.
I am trying to NOT modify my httpd/conf/httpd.conf file, and only make changes via includes. I have done that with a 00-init.conf where I set things like servername and serveradmin. Now I want to move my allow and denies to a 01-allow.conf include. I tried:
Order allow,deny
deny from all
as that seems to be what is in the default conf, but I see in the error_log:
[Tue Oct 07 08:51:58 2014] [error] [client 208.83.67.156] Directory index forbidden by Options directive: /var/www/html/
And maybe this is not the right restriction, because when I make this change directly in the default httpd.conf, I still can get to the default web page.
Now on to the ‘allow’ statement. All syntax examples I have seen for it follow:
allow from 1.1.1.0/24 1.1.2.0/24 2400:cb00:2048:1::/64
and soforth. That is each range separated by a space. But potentially I have 18 ranges to specify, and at least named makes it easy with each range on its own line ending with a ‘;’. For now I am only putting 2
ranges in, but how does one set up a longer list of allowed ranges?
thanks
8 thoughts on - OT – Httpd/conf.d Include Questions – Allowing Only Some Addresses
For apache to automatically generate index, you need to gave the following directive:
Options Indexes
If there is no such directive, and no index.html (or index.php, or whichever you described as index in config), you will get that error. Read on apache documentation to see how setting for diretory affect subdirectories.
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Of course, if I am going to preempt the provided directory directive, I
have to have all the needed content. So I tried:
Options Indexes FollowSymLinks
AllowOverride None
Order deny,allow
allow from 192.84.67.128/255.255.255.0
deny from all
where the allowed address is not mine, and I still get the default access page. Almost like the content later in the default httpd.conf is overriding my include.
Or is it since I have no provided content, that default screen is coming from somewhere else…
No, I created a /var/www/html/index.html with only the line ‘Hello World’, and it gets displayed. So my deny,allow is not working…
You did not (that I see) say what version of CentOS this is for. The newer CentOS-7 apache uses different commands for this than CentOS-5 and CentOS-6.
Now THAT is something to watch out for…
CentOS 6.
And it seems for IPv4 CIDR addresses you have to use net/mask, not net/bits.
192.84.67.128/255.255.255.192
not
192.84.67.128/26
If you want to allow web site access from only
192.84.67.128/255.255.255.0
then do it in your firewall. The IPtables (ip4) commands would be something like this:-
iptables -I {table name} {table position or line number} -p tcp –dport
80 -s 192.84.67.128/24 -j ACCEPT
iptables -I {table name} {table position AFTER previous line} -p tcp
–dport 80 -j DROP
Robert Moskowitz wrote:
Is that all in /etc/httpd/conf.d? Is there a Listen: or VittualHost directive?
mark
Won’t do what I want. As there is a virtual host that I DO want globally accessible.
I have successfully restricted the postfixadmin directory to only local networks. I just have not done it for the default directories.
Yes, I left off /etc/ from all places shown.
Yes, there is a Listen. The VirtualHost config is coming as soon as I
can build the current RoundCube.