6

I edited my apache2.conf (on Ubuntu) to restrict access to all except from one IP, but I still can access from other IPs. Below is my configuration:

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

<Directory /usr/share>
        AllowOverride None
        Require ip x.x.x.x
</Directory>

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require ip x.x.x.x
</Directory>

authz_core module is loaded, so is there something wrong? Thanks.

Albert
  • 93

1 Answer

6

Example of access restriction from IP addresses for Apache 2.4:

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    <IfModule mod_authz_core.c>
      <RequireAny>
        Require ip 127.0.0.1
        Require ip ::1
        Require ip x.x.x.x
      </RequireAny>
    </IfModule> 
</Directory>

Don't forget to restart the Apache service by running this command:

service httpd restart

Also don't use directory / for security reasons.

  • 3
    I don't understand why this would have solved the problem - unless it was simply a case of forgetting to restart Apache. Sure, it's better... checking that the mod_authz_core module is loaded, and explicitly stating RequireAny rather than relying on that as default behaviour... but as far as I can see, the syntax in the question should work too? – Doug McLean Apr 12 '18 at 10:59
  • From the Apache 2.4 documentation: `<RequireAll> and </RequireAll> are used to enclose a group of authorization directives of which none must fail and at least one must succeed in order for the <RequireAll> directive to succeed.

    If none of the directives contained within the <RequireAll> directive fails, and at least one succeeds, then the <RequireAll> directive succeeds. If none succeed and none fail, then it returns a neutral result. In all other cases, it fails.`

    – Mikhail Khirgiy Apr 12 '18 at 15:16
  • 1
    RequireAll isn't being used in the question or in the answer. You're using RequireAny which is the default behaviour (i.e. if you took out <RequireAny> and </RequireAny> from your answer it would make no functional difference) – Doug McLean Apr 12 '18 at 19:58
  • 4
    "Sure, it's better... checking that the mod_authz_core module is loaded" - this isn't necessarily "better". In fact, this is probably worse. This means that if mod_authz_core is not available (or was ever disabled) then all users gain unrestricted access with no error - this is probably not desirable! The presence of an <IfModule> wrapper implies that the contained directives are optional. @DougMcLean – MrWhite Sep 12 '18 at 18:25
  • 3
    "Also don't use directory / for security reason." - Although, the OP is using the <Directory /> container to restrict all access (AllowOverride None / Require all denied), not allow it, which is recommended. – MrWhite Sep 12 '18 at 18:33
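
The points debated in the comments above (bare `Require` lines behaving like `<RequireAny>`, the different `<RequireAll>` semantics quoted from the documentation, and the fail-open effect of an `<IfModule>` wrapper) can be checked with a small model. This is an added example, not part of the original thread and not Apache's own code: a simplified Python model in which the function names are hypothetical and 203.0.113.10 is a constructed stand-in for x.x.x.x.

```python
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"
ALLOWED_IP = "203.0.113.10"  # constructed stand-in for the page's x.x.x.x

def require_ip(net):
    """Model of 'Require ip <net>': granted on a match, denied otherwise."""
    network = ipaddress.ip_network(net, strict=False)
    def rule(client):
        addr = ipaddress.ip_address(client)
        hit = addr.version == network.version and addr in network
        return GRANTED if hit else DENIED
    return rule

def require_any(*rules):
    """<RequireAny>: one success is enough; neutral only if nothing succeeds or fails."""
    def rule(client):
        results = [r(client) for r in rules]
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    return rule

def require_all(*rules):
    """<RequireAll>: none may fail and at least one must succeed."""
    def rule(client):
        results = [r(client) for r in rules]
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    return rule

def if_module(loaded, rule):
    """<IfModule>: the enclosed directives exist only when the module is loaded."""
    return rule if loaded else None

def is_allowed(rule, client):
    """Assumption taken from the comments: no rule at all means nothing restricts access."""
    return True if rule is None else rule(client) == GRANTED

# The three Require lines from the answer, combined two different ways.
LINES = [require_ip("127.0.0.1"), require_ip("::1"), require_ip(ALLOWED_IP)]
ANSWER = require_any(*LINES)          # same result as listing the lines bare
AS_REQUIRE_ALL = require_all(*LINES)  # one address cannot match all three

if __name__ == "__main__":
    for client in (ALLOWED_IP, "198.51.100.7", "::1"):
        print(client, is_allowed(ANSWER, client), is_allowed(AS_REQUIRE_ALL, client),
              is_allowed(if_module(False, ANSWER), client))
```

The last column is the case the comments warn about: with the module treated as not loaded, the wrapped block disappears and the constructed outside address 198.51.100.7 is allowed with no error.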