23

I have an application hosted on Apache on UNIX, and I am allowing users to access the application URL from a Citrix environment (from a Citrix machine).

However, currently it's possible to access the URL from all the connected machines. I would like to put in a restriction so that it can only be accessed from the Citrix machine. So if anyone needs to access it, they need access to the Citrix machine.

I tried the following:

```apache
<Directory /APP>
    Order Deny,Allow
    Deny from all
    Allow from 160.120.25.65
    Allow from 127
</Directory>
```

It didn't work. Any suggestion?

A few replied with an iptables solution; however, this one is hosted on Solaris (it doesn't have a built-in OS firewall like Linux).

Mutant
  • 3,663
  • 4
  • 33
  • 53

4 Answers

50

This should do what you need:

```apache
<Directory /APP>
    Order Allow,Deny
    Allow from 160.120.25.65
    Allow from 127.0.0.0/8
</Directory>
```

See the mod_authz_host documentation for details.

David Schmitt
  • 58,259
  • 26
  • 121
  • 165
  • 15
    Since this question is off-topic, but a lot of people still come here, I just wanted to say that as of 2018, the `Allow`, `Deny`, and `Order` directives are deprecated and `Require ip 1.2.3.4` should be used. Documentation is [here](https://httpd.apache.org/docs/2.4/howto/access.html). – Neurotransmitter Apr 11 '18 at 12:51
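As an added illustration (not code from the thread), here is a small Python model of the Apache 2.2 `Order`/`Allow`/`Deny` evaluation, applied to the asker's block and to the one above, plus the Apache 2.4 `Require ip` form the comment mentions; it assumes the partial-address form (`127`) matches on leading octets as mod_authz_host documents. Both blocks decide only on the TCP source address Apache sees, so a proxy or NAT in front of the server makes every client look like that proxy.

```python
import ipaddress

def matches(client: str, pattern: str) -> bool:
    """One 'Allow from' / 'Deny from' argument: 'all', a CIDR block such as
    127.0.0.0/8, a full address, or a 2.2 partial address ('127', '160.120')
    that matches on its leading octets (assumption: modelled per the 2.2 docs)."""
    if pattern == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    return client.split(".")[: len(octets)] == octets   # a full address is the 4-octet case

def evaluate(order: str, allow: list, deny: list, client: str) -> bool:
    """Apache 2.2 'Order' semantics (mod_authz_host).
    Allow,Deny: default deny; a host matching both lists is denied.
    Deny,Allow: default allow; a host matching both lists is allowed."""
    allowed = any(matches(client, p) for p in allow)
    denied = any(matches(client, p) for p in deny)
    if order == "Allow,Deny":
        return allowed and not denied
    if order == "Deny,Allow":
        return allowed or not denied
    raise ValueError("Order must be 'Allow,Deny' or 'Deny,Allow'")

# The two <Directory /APP> blocks from this thread, as (order, allow, deny).
ASKER = ("Deny,Allow", ["160.120.25.65", "127"], ["all"])
ANSWER = ("Allow,Deny", ["160.120.25.65", "127.0.0.0/8"], [])

def decide(block, client: str) -> bool:
    order, allow, deny = block
    return evaluate(order, allow, deny, client)

def require_ip(block) -> str:
    """Apache 2.4 equivalent of a plain allow-list (Allow,Deny with no Deny lines):
    a single 'Require ip' line, as the comment above recommends."""
    order, allow, deny = block
    if order != "Allow,Deny" or deny:
        raise ValueError("only plain allow-lists convert to a single Require ip line")
    return "Require ip " + " ".join(allow)

if __name__ == "__main__":
    # Constructed sample clients: the Citrix host, localhost, and two outsiders.
    for client in ("160.120.25.65", "127.0.0.1", "160.120.25.66", "10.0.0.5"):
        print(f"{client:15} asker={decide(ASKER, client)!s:5} answer={decide(ANSWER, client)}")
    print(require_ip(ANSWER))
```

For these addresses both blocks reach the same decision, so if the asker's version really was ignored, the module or version question is the next thing to check.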
2

What version of Apache are you running? The IP allowing mechanisms are, AFAIK, provided by mod_authz_host, which was introduced in 2.2 (well, 2.1 technically). If you do have 2.2, make sure it wasn't compiled with mod_authz_host disabled.

Generally speaking, though, you may find a simpler and more robust solution is the iptables or other firewalling suggested in the other answers.

Jarret Hardie
  • 95,172
  • 10
  • 132
  • 126
0

I would suggest iptables for this purpose. Put a rule in iptables so that whenever the destination port is the port number of your Apache machine and the source IP is the IP address of the Citrix machine, the Linux machine drops that packet. This would solve your problem, provided there are no other applications hosted on your machine's Apache which ought to be open to all IPs. An example of the prospective rule could be:

```sh
# Drop TCP packets from the Citrix host to Apache's listening port (replace the placeholder)
iptables -I INPUT 1 -p tcp -s 160.120.25.65 --dport <port_of_apache_on_your_machine> -j DROP
```

This should solve your problem, once you replace the placeholder with its proper value.

Stack Programmer
  • 3,386
  • 1
  • 20
  • 12
  • Application hosted on UNIX. Can I add this in httpd.conf file? – Mutant Apr 07 '09 at 18:11
  • You have to add this in .bashrc file of the user which boots the machine, or add these as the default rules of the iptables. This is not added in the httpd.conf file. – Stack Programmer Apr 08 '09 at 05:42
-2

I would probably use an iptables rule for this. I'm not sure what the example you posted is, but you should be able to configure just about any firewall to work the way you want it to.

Alex Fort
  • 18,459
  • 5
  • 42
  • 51