4

I have an otherwise happily working server on Ubuntu 14.04. I'm trying to restrict access to a file using an allow/deny block:

<Files "login.php">
order deny,allow
deny from all
allow from 22.123.123.12
</Files>

This successfully denies all users and tells them "Forbidden. You don't have permission to access...". If I remove the "deny from all" line, it allows me to view the login screen.

But no matter what I do, and debug, I can't get it to let me view this file, when I'm using this IP address. The 'allow' statement never seems to work.

Some debugging already tried:

  • I tried adding an AllowOverride All into my host configuration to make sure that the file/authorisation module itself was working.
  • I've tried a bunch of other allow/deny statements
  • This statement is currently in an .htaccess file, but I've tried moving it into the host configuration, which also doesn't work.

Other possibly relevant info:

  • I've used a bit of PHP to output my IP on a webpage: it is successfully recognised as being 22.123.123.12.
  • I'm using SSL for the webpage, so I'm accessing the file at https://example.com/login.php. Not sure if that would affect things.

I'm starting to suspect that for some reason the server doesn't think I'm at this IP address, but can't figure out how that would be the case. Any ideas?

dawud
  • 15,096
  • 3
  • 42
  • 61
jontly
  • 119
  • 5
  • 1
    What do you see in `/var/log/httpd/access_log` `/var/log/httpd/error_log` when you access login.php? – Chris Lam Apr 19 '15 at 06:59
  • Ah, access log tells me that the request is coming from IP 108.162.225.167, which looks like one from Cloudflare. Bear with me, and I'll make sure Cloudflare is not trying to cover this login page. Perhaps this will solve it. – jontly Apr 19 '15 at 07:05
  • And that looks like it has solved it. Thanks @ChrisLam -- I didn't know the access log would reveal IPs like this--was the pointer I needed in order to get this resolved! – jontly Apr 19 '15 at 07:23

1 Answers1

7

Thanks to @ChrisLam's comment, I realised that the IP address being shown in the access logs wasn't the same as my current IP.

This IP, 108.162.225.167, appeared to be matched with the servers of CloudFlare.com, which we are using to speed up the site.

Although there was a rule set to not cache this page, the IP addresses of requests were still not being passed back to the server. CloudFlare say that:

"Because CloudFlare acts as a proxy, you will notice changes to the way that your website visitors' IP addresses are displayed both in your server logs and web applications - notably that all access appears to be coming from CloudFlare IP addresses."

Installing CloudFlare's mod_cloudflare module for Apache httpd allows these IP addresses to be passed back to the server, and fixed my problem perfectly.

Download and information available on CloudFlare's site: https://www.cloudflare.com/resources-downloads#mod_cloudflare

jontly
  • 119
  • 5