Sebastian Mogilowskis Blog

Just another blog about administration, linux and other stuff

Secure Apache only for other networks

I was asked how to secure an Apache 2 web server so that the web page is only available to the local network. I need this for a BETA environment and for my Debian Router Project.

Here are some simple examples (192.168.5.0/24 is the LAN; you may have to change it):

1. Allow only local network

<Directory /var/www/htdocs>
        Options FollowSymLinks
        AllowOverride None
        DirectoryIndex index.htm

        Order deny,allow
        Deny from all
        Allow from 192.168.5.0/24
</Directory>

2. Allow local network, require password from all others

<Directory /var/www/htdocs>
        Options FollowSymLinks
        AllowOverride None
        DirectoryIndex index.htm

        Order deny,allow
        Deny from all
        Allow from 192.168.5.0/24
        AuthUserFile /var/www/.htpasswd
        AuthName "Private"
        AuthType Basic
        Require valid-user
        Satisfy Any
</Directory>

With “Satisfy” you can use more than one auth method at the same time. With “Satisfy All” both conditions are required; with “Satisfy Any” one of the conditions is required.

Perhaps you have some web service requests to localhost; then you have to add 127.0.0.1 to the allowed networks:

Allow from 192.168.5.0/24 127.0.0.1
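
The examples above use the Apache 2.2 directives (Order, Deny, Allow, Satisfy), which Apache 2.4 only supports through mod_access_compat. The following is an added example, not part of the original post, showing the same two setups with the 2.4 Require directives; it reuses the paths and LAN range from the post.

```apache
# Added example: Apache 2.4 (mod_authz_core / mod_authz_host) equivalents
# of the two configurations above. Use ONE of the two blocks, not both.

# 1. Allow only the local network (and localhost)
<Directory /var/www/htdocs>
    Options FollowSymLinks
    AllowOverride None
    DirectoryIndex index.htm

    # Replaces: Order deny,allow / Deny from all / Allow from ...
    # Any client that matches no Require directive is denied.
    Require ip 192.168.5.0/24 127.0.0.1
</Directory>

# 2. Allow the local network, require a password from everyone else
<Directory /var/www/htdocs>
    Options FollowSymLinks
    AllowOverride None
    DirectoryIndex index.htm

    # Basic auth sends the password base64-encoded, not encrypted,
    # so serve this directory over HTTPS when it is reachable from outside.
    AuthType Basic
    AuthName "Private"
    AuthUserFile /var/www/.htpasswd

    # Replaces "Satisfy Any": one matching Require is enough.
    # <RequireAll> would correspond to "Satisfy All".
    <RequireAny>
        Require ip 192.168.5.0/24 127.0.0.1
        Require valid-user
    </RequireAny>
</Directory>
```

Run `apachectl configtest` before reloading to catch syntax errors.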

Note:

This method is not very secure. You can use it for low-security environments like a BETA web server. It is very simple to break this protection with SNAT.

iptables -t nat -A POSTROUTING -s REALIP -o eth0 -p tcp -m tcp -j SNAT --to-source 192.168.5.224

This iptables command changes the source IP of all TCP packets from REALIP to 192.168.5.224 on the interface eth0.

Links:

http://buecher.lingoworld.de/apache2/showdir.php?id=680
