Apache configuration question - restrict folder access to local machine only

on 11.04.2008 01:27:55 by John Zhang

I have this question, and not sure if this is the
right place. If not, I do appreciate someone pointing
me to the right place.

We have a situation where we would like to restrict
access to certain folders to requests from the
"local machine" only. Here is why:
When a page is processed by our filter, the filter
(based on page logic) may request pages (just like a
regular web page request) that should never go to the
browser. We put these pages in a folder and would
like to use the apache config to restrict access to
only the "local machine". Here is the config:

    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    #Allow from localhost


The issue we face:
When our filter issues the request, we use the
hostname from the original request. E.g., for the original
request
http://1.2.3.4/index.html
our filter might issue
http://1.2.3.4/something/secrete-stuff/server.js

In order to make the above directive work, we will
have to put the IP (1.2.3.4) in the Allow section.
However, we are planning to deploy many servers, and it
would be very hard for us to edit each config file.
So we are wondering if there is any way we can achieve
the same result without making IP-specific changes.

Thanks in advance for your help.
John

Re: Apache configuration question - restrict folder access to local machine only

on 11.04.2008 09:32:21 by torsten.foertsch

On Fri 11 Apr 2008, John Zhang wrote:
> We have a situation that we would like to restrict the
> access to certain folders only to requests from the
> "local machine". Here is why:
> When a page is processed by our filter, the filter
> (based on page logic) may request pages (just like a
> regular web page request) that should never go to the
> browser. We put these pages in a folder. And would
> like to use apache config to restrict the access to
> only the "local machine". Here is the config
>
>     Order Deny,Allow
>     Deny from all
>     Allow from 127.0.0.1
>     #Allow from localhost
>
> The issue we face:
>     When our filter issues the request, we use the
> hostname from the original request. eg, original
> request
> http://1.2.3.4/index.html
> our filter might issue
> http://1.2.3.4/something/secrete-stuff/server.js
>
> In order to make the above directive work, we will
> have to put the ip (1.2.3.4) in the Allow section.
> However, we are planning to deploy many servers, it
> would be very hard for us to edit each config file.
> So we are wondering if there is any way we can achieve
> the same result without making ip-specific changes.

I see several ways to solve your problem, each depending on your setup. I
assume you are using modperl 2 with apache 2.2.x.

1) You can fetch the IP address in a <Perl> block and add the appropriate
Allow statement. I use something similar on my notebook. Normally I am at
home connected to my LAN. Then the apache should listen on 192.168.0.4. When
I am not connected to my LAN the apache should nevertheless be able to start.
So, I check if there is an interface with my IP address and add the Listen
directive only if so:


    use IO::Interface::Simple;
    my ($opi, $vm);
    # Walk the interfaces present on this box and emit a Listen directive
    # (through mod_perl's @PerlConfig) only for the addresses that exist.
    foreach my $if (IO::Interface::Simple->interfaces) {
        if ( $if->address eq '192.168.0.4' ) {
            push @PerlConfig, 'Listen opi.home:80', 'Listen opi.home:443';
            $opi++;
        } elsif ( $if->address eq '192.168.9.1' ) {
            push @PerlConfig, 'Listen opi-vm.home:80', 'Listen opi-vm.home:443';
            $vm++;
        }
    }

    # Startup still succeeds when an address is missing; just say so in the log.
    warn "WARNING: could not find opi.home. Not listening on this address"
        unless $opi;
    warn "WARNING: could not find opi-vm.home. Not listening on this address"
        unless $vm;


I don't know how well this works inside a <Location>. Maybe you'll have to
configure the whole Location block in Perl.

2) It's not well documented, but apache can evaluate environment variables
during configuration. So you can set one containing your local IP address and
then write

    Allow from "${LOCAL_IP}"

3) Use a fake hostname set in your /etc/hosts that points to the local IP on
each host.

4) If your setup is identical on all servers you must be listening on
127.0.0.1 as well. So why not issue the request to this address?

5) This is the best solution in my opinion. Why do you bother yourself and
your server with issuing a full featured request? Why not a subrequest,
$r->lookup_uri or even better $r->lookup_file? In the latter case your secure
resources can even be outside your DocumentRoot. You only have to make it
accessible via a block.

6) A .htaccess file in your secured directory with the following content:

    PerlAccessHandler "sub { \
        use Apache2::RequestRec (); \
        use Apache2::Connection (); \
        use Apache2::Const -compile=>qw(OK FORBIDDEN); \
        return Apache2::Const::FORBIDDEN \
            unless $_[0]->connection->local_ip eq $_[0]->connection->remote_ip; \
        return Apache2::Const::OK; \
    }"

Alternatively this statement may also be in a Location or Directory block. It
may also be a PerlInitHandler (within Location, Directory or .htaccess) or
PerlHeaderParserHandler.

Torsten

--
Need professional mod_perl support?
Just ask me: torsten.foertsch@gmx.net
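Option 6 above, written out as a reusable mod_perl access handler module rather than a one-liner in .htaccess. This is an added example, not code from the thread; the module name My::LocalOnly, the directory path and the log message are assumptions, and like Torsten it assumes mod_perl 2 on httpd 2.2 (with a fallback for the client_ip rename in 2.4). The decision logic is kept in a plain function so it can be unit-tested outside httpd.

```perl
# File: My/LocalOnly.pm  (hypothetical module name)
#
# httpd.conf wiring, assumed paths:
#   PerlModule My::LocalOnly
#   <Directory "/var/www/html/something/secrete-stuff">
#       PerlAccessHandler My::LocalOnly
#   </Directory>
package My::LocalOnly;
use strict;
use warnings;

use Apache2::RequestRec ();
use Apache2::Connection ();
use Apache2::Log ();
use Apache2::Const -compile => qw(OK FORBIDDEN);

# Pure decision logic, independent of the Apache objects.
# A request counts as local when it arrived over a loopback address or
# when the peer address is the very address this server accepted it on
# (the same test the .htaccess one-liner in the thread makes).
sub is_local_request {
    my ($local_ip, $remote_ip) = @_;
    return 0 unless defined $local_ip && defined $remote_ip;
    return 1 if $remote_ip eq '::1';         # IPv6 loopback
    return 1 if $remote_ip =~ /^127\./;      # all of 127/8 is loopback
    return $local_ip eq $remote_ip ? 1 : 0;  # request to our own non-loopback IP
}

sub handler {
    my $r = shift;
    my $c = $r->connection;
    # httpd 2.2 exposes the peer address as remote_ip; httpd 2.4 renamed it.
    my $remote = $c->can('client_ip') ? $c->client_ip : $c->remote_ip;

    return Apache2::Const::OK if is_local_request($c->local_ip, $remote);

    # Log every refusal so unexpected external hits on the private folder
    # show up in the error log instead of failing silently.
    $r->log_error("LocalOnly: denied $remote for " . $r->uri);
    return Apache2::Const::FORBIDDEN;
}

1;
```

If a reverse proxy runs on the same host, every proxied request arrives from a local address and this check (like the original one-liner) admits it; in that layout the private folder belongs in a separate VirtualHost bound only to 127.0.0.1 instead.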

[OT] Re: Apache configuration question - restrict folder access to local machine only

on 11.04.2008 11:47:54 by Issac Goldstand

This really belongs on users@httpd, but having been asked already...

You could put it into a separate VirtualHost container, which listens on
127.0.0.1. Then you don't need to worry about Allow from to begin with.

Issac

John Zhang wrote:
> I have this question, and not sure if this is the
> right place. If not, I do appreciate someone pointing
> me to the right place.
>
> We have a situation that we would like to restrict the
> access to certain folders only to requests from the
> "local machine". Here is why:
> When a page is processed by our filter, the filter
> (based on page logic) may request pages (just like a
> regular web page request) that should never go to the
> browser. We put these pages in a folder. And would
> like to use apache config to restrict the access to
> only the "local machine". Here is the config
>
>     Order Deny,Allow
>     Deny from all
>     Allow from 127.0.0.1
>     #Allow from localhost
>
> The issue we face:
> When our filter issues the request, we use the
> hostname from the original request. eg, original
> request
> http://1.2.3.4/index.html
> our filter might issue
> http://1.2.3.4/something/secrete-stuff/server.js
>
> In order to make the above directive work, we will
> have to put the ip (1.2.3.4) in the Allow section.
> However, we are planning to deploy many servers, it
> would be very hard for us to edit each config file.
> So we are wondering if there is any way we can achieve
> the same result without making ip-specific changes.
>
> Thanks in advance for your help.
> John

Re: Apache configuration question - restrict folder access to local machine only

on 11.04.2008 14:07:55 by John ORourke

Expertly brought back on topic there, Torsten... if I ask about the
price of beans and how it relates to global warming can you give me a
mod_perl related answer? :)

John

Torsten Foertsch wrote:
> On Fri 11 Apr 2008, John Zhang wrote:
>
>> We have a situation that we would like to restrict the
>> access to certain folders only to requests from the
>> "local machine". Here is why:
>>
> I see several ways to solve your problem each depending on your setup. I
> assume you are using modperl 2 with apache 2.2.x.
>

Re: Apache configuration question - restrict folder access to local machine only

on 12.04.2008 01:55:34 by Colin Wetherbee

John ORourke wrote:
> Expertly brought back on topic there, Torsten... if I ask about the
> price of beans and how it relates to global warming can you give me a
> mod_perl related answer? :)

Price of beans increases due to fuel costs, driven by the economy,
affected by global warming... um... all because mod_perl is used on so
many servers that data center power requirements have gone through the
roof and required more fossil fuel power plants to be built! ;)

Not Torsten,
Colin