Unable to configure apache to restrict access by IP for proxy

Question

I added following into my httpd.conf (after VirtualHost):

<VirtualHost *:80>
    ServerName XXX.XXX.XXX

    <Directory proxy:>
        Order allow,deny
        Allow from 10.52.208.221
        Allow from 10.52.208.223
        Deny from all
    </Directory>

    ProxyPass / http://XXX.XXX.XXX/

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/admin/$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

</VirtualHost>

yet, I'm able to access my VirtualHost from other IPs:

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.4 (Santiago)
# uname -a
Linux XXXXX.XXXXX.XXX 2.6.32-358.18.1.el6.x86_64 #1 SMP Fri Aug 2 17:04:38 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux
# httpd -V
Server version: Apache/2.2.15 (Unix)
Server built:   Aug  2 2013 08:02:15
Server's Module Magic Number: 20051115:25
Server loaded:  APR 1.3.9, APR-Util 1.3.9
Compiled using: APR 1.3.9, APR-Util 1.3.9
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
# rpm -q httpd
httpd-2.2.15-29.el6_4.x86_64
#

alexus · Accepted Answer · 2013-10-15T19:39:28.817

6

I found answer from: mod_proxy - Apache HTTP Server and I test it (It works!(TM)):

<Proxy *>
        Order deny,allow
        Deny from all
        Allow from 10.52.208.221
        Allow from 10.52.208.223
</Proxy>

edited Oct 15 '13 at 19:39

answered Oct 15 '13 at 19:34

alexus

13,112
32
117
174

And if you have an entry for port :80 and another for port :443, make sure to change both (duh!). – Alexis Wilke Jul 01 '22 at 17:37

score 3 · Answer 2 · answered Oct 15 '13 at 18:13

3

I believe what you're looking for is:

<Directory proxy:>
    Order deny,allow
    Deny from all
    Allow from 10.52.208.221
    Allow from 10.52.208.223
</Directory>

The order of Order matters :-)

answered Oct 15 '13 at 18:13

Jeff

496
3
10

Really? I thought "Order" takes care of that (not lines)... – alexus Oct 15 '13 at 19:02
i upvote as some of that answer is right, yet it still didn't solve my issue, so I posted "right answer"), thanks! – alexus Oct 15 '13 at 19:37

score 1 · Answer 3 · answered Jul 25 '16 at 10:06

Following config might come handy if you want to restrict certain paths of you proxied website.

I have included an IP and a subnet in one rule, for those who need to allow a whole subnet rather than a set of single IPs.

<Location /foo>
    Deny from all                       // **This rule is the most IMPORTANT**    
    Allow from 192.168.1.2 10.100       // The second value implies 10.100.0.0/16 subnet
    ProxyPass http://example.com/foo
    ProxyPassReverse http://example.com/foo
</Location>

Unable to configure apache to restrict access by IP for proxy

3 Answers3