21

I've set up my Apache server, and the PHP/MySQL works well!

But the issue is, how do I keep this private, since it's a development-only server? The only reason for keeping the content private is if a script went wrong, I don't want Apache errors showing up if it became a public-facing site (and the fact others share the same network too!), and I'm less likely to use my PC as a webhost - I'm more likely to go down using the webhosting provider route for an actual live site.

Currently I can access it three ways:

  • http://localhost (or http://127.0.0.1, the alternate way and localhost's IP but either way is acceptable with me!)

  • http 192.168.0.1 (my router's IP)

  • http pc-name-here (name of my PC, obviously this varies between Windows PCs!)

[note, can't post links, so for the other two you'd have to insert the colon/forward slash as in the first one].

However, I only want to access it via the first one. It's listening on port 80 (and I don't want to change that). Is this not possible, or am I mistaken? I know a bit more about PHP/webdesign than the network side of things, so this is a first for me!

Basically, I want it to be only accessible via localhost on that machine, and not the external IP address, or 192.168.0.1.

Would I need to edit httpd.conf and use deny on every testbed site, or is there any other solution?

Example:

<Directory /www/vhosts/localhost/>
    Options All
    AllowOverride All
    order allow,deny
    allow from 127.0.0.1
    deny from 192.168.0.1
    deny from my-pc-name
</Directory>
  • that's an example but I'm not sure what's right or wrong here!

My operating system is Windows 7 Ultimate.

I did have a look round the 'net, but some of it seemed a bit technical for me.

What would you recommend?

linthurst53

3 Answers

41

The easiest way to do this is through the Listen directive. By default, there's a line in your httpd.conf that reads:

Listen *:80

Meaning it will respond to requests on port 80 on all of your computer's network addresses. Changing it to:

Listen 127.0.0.1:80

will tell Apache to only respond to requests on the local adaptor, thus ignoring anything else.

SmallClanger
15

The Listen option is probably best, but just as an FYI, you can do it using allow/deny like this:

<Directory /www/vhosts/localhost/>
    Options All
    AllowOverride All
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>

Order deny,allow tells Apache to "Deny all requests unless specifically allowed" (Order allow,deny is the opposite, i.e. allow all requests unless specifically blocked).
Deny from all does a similar thing to Order deny,allow in that it'll block all requests from all IPs unless you specifically open them. It seems to be general practice to use both Order deny,allow and Deny from all, but I'm not 100% sure why when they both do the same thing.
Allow from 127.0.0.1 says "Allow all requests from 127.0.0.1". 127.0.0.1 will map to localhost, so you can use http://127.0.0.1/ or http://localhost/ and it'll be allowed.

That will serve a 403 (Forbidden) error to anyone who requests the site not on localhost.

Some other useful stuff:
Allow from 192.168.0. will allow requests from anyone on your network (providing your network is 192.168.0.0-192.168.0.255).
Allow/deny rules are processed in order, so

Deny from 192.168.0.2
Allow from 192.168.0.2

would allow requests and

Allow from 192.168.0.2
Deny from 192.168.0.2

would deny requests from 192.168.0.2

So

Deny from 192.168.0.2
Allow from all

Would allow requests from 192.168.0.2, even though it had specifically been denied.

You can also use Allow/Deny rules in .htaccess files or on a per-directory basis.

  • 1
    Be sure it's "Order deny,allow", not "Order allow,deny". A frequent tiny mistake people constantly make. – Scott Chu Oct 29 '15 at 10:06
4

I made changes to ports.conf in /etc/apache2 so that each reference to Listen to a port was only listening to localhost. No other files seem to have a Listen command in them. After restarting Apache, these changes seemed to have the desired effect.

/etc/apache2/ports.conf

NameVirtualHost *:80
########################## Listen 80
Listen 127.0.0.1:80

<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
###############################Listen 443
Listen 127.0.0.1:443
</IfModule>

<IfModule mod_gnutls.c>
##################################Listen 443
Listen 127.0.0.1:443
</IfModule>
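
To check that the Listen changes described in the answers above are actually in place, the following added example (not part of any answer on this page) scans Apache configuration text and reports every active Listen directive that is not bound to a loopback address. The function names and the sample configuration are constructed for illustration; as a conservative assumption, any argument that is not a literal loopback IP is treated as exposed.

```python
import ipaddress
import re
import sys

# Active (uncommented) directive: Listen [IP-address:]port [protocol]
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
# Listen 80
Listen 127.0.0.1:80
<IfModule mod_ssl.c>
    Listen 443
</IfModule>
Listen [::1]:8080
Listen *:8081
Listen 192.168.0.2:80
"""

def parse_listen(value):
    """Split a Listen argument into (address, port); address is None if omitted."""
    if value.startswith("["):                  # bracketed IPv6, e.g. [::1]:80
        addr, _, port = value[1:].partition("]:")
        return addr, int(port)
    if ":" in value:
        addr, _, port = value.rpartition(":")
        return addr, int(port)
    return None, int(value)                    # bare port binds every interface

def is_loopback(addr):
    """True only for a literal loopback IP; '*', no address or a name is exposed."""
    if addr is None or addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def exposed_listeners(config_text):
    """Return (line_number, directive) for each active Listen not bound to loopback."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = LISTEN_RE.match(line)
        if match and not is_loopback(parse_listen(match.group(1))[0]):
            findings.append((number, line.strip()))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for number, directive in exposed_listeners(text):
        print(f"line {number}: {directive} is not restricted to loopback")
```

Run it against every file that can hold a Listen directive (httpd.conf, or ports.conf on Debian-style layouts), since a single leftover `Listen 80` or `Listen 443` keeps the server reachable from the network.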