Posted to users@httpd.apache.org by Andrew Schulman <an...@alumni.utexas.net> on 2010/11/19 20:18:08 UTC

[users@httpd] Re: MOD_PROXY and Access Control by IP

> I've been able to secure each proxy with this model:
> <Proxy http://*/App1/*>
>     Order Deny,Allow
>     #Permit IT
>     Allow from 10.1.0.0/24
>     #Permit Team1
>     Allow from 10.1.1.0/24
>     Deny from all
> </Proxy>
> 
> Is there a way we can define access once for the IT Subnet (10.1.0.0/24) once instead of per App?

One way would be

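# Remote_Addr is the client IP address; Remote_Host is the client hostname
# (if available), which an IP pattern like this one would not match.
SetEnvIf Remote_Addr ^10\.1\.0\. allow_IT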
<Proxy http://*/App1/*>
    Order Deny,Allow
    #Permit IT
    Allow from env=allow_IT
    #Permit Team1
    Allow from 10.1.1.0/24
    Deny from all
</Proxy>

With this method you still have to include an Allow from env=allow_IT
inside every <Proxy> stanza, but at least you only have to specify their IP
address in one place.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: MOD_PROXY and Access Control by IP

Posted by Andrew Schulman <an...@alumni.utexas.net>.
> Thanks Andrew, I did see this as an example on a web post.   ...the argument was made that it's a PIA when you don't match class C subnets and have to use RegEx :-)

Yes, I agree, it is a PIA.  You should see the access control file on our
production host... we have about 3000 SetEnvIf statements, just like that
one.  Ugly, and you might also think it's really slow, and yet (1) it
centralizes all of the IP address matching in one place; (2) everywhere
else we just have neat Allow from env= statements; and (3) I can't tell any
difference in speed.

Good luck,
Andrew.
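
Added example (not part of the original thread and not Apache project code): for subnets that do not fall on octet boundaries, the case raised in the replies above, this Python script generates the anchored SetEnvIf regex from an IPv4 CIDR block and checks it at the block's edges. It matches on Remote_Addr, the mod_setenvif attribute holding the client IP; the 10.1.4.0/22 subnet and the allow_Team2 variable name are constructed for illustration.

```python
import ipaddress
import re

def cidr_to_regex(cidr):
    """Anchored regex matching exactly the dotted-quad addresses in an IPv4 CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: reject host bits (10.1.5.0/22)
    if net.version != 4:
        raise ValueError("IPv4 only")
    parts = []
    for lo, hi in zip(net.network_address.packed, net.broadcast_address.packed):
        if lo == hi:                    # octet fully fixed by the prefix
            parts.append(str(lo))
        elif (lo, hi) == (0, 255):      # octet entirely in the host part
            parts.append(r"\d+")
        else:                           # octet split by the prefix: list its range
            parts.append("(?:" + "|".join(map(str, range(lo, hi + 1))) + ")")
    return "^" + r"\.".join(parts) + "$"

def setenvif_line(cidr, var):
    """One SetEnvIf directive keyed on the client IP (Remote_Addr)."""
    return "SetEnvIf Remote_Addr %s %s" % (cidr_to_regex(cidr), var)

def matches(cidr, ip):
    """True if the generated regex accepts the given address string."""
    return re.match(cidr_to_regex(cidr), ip) is not None

def boundary_check(cidr):
    """True if the regex agrees with real CIDR membership at and just past the block's edges."""
    net = ipaddress.ip_network(cidr)
    probes = [net.network_address, net.broadcast_address]
    if int(net.network_address) > 0:
        probes.append(net.network_address - 1)
    if int(net.broadcast_address) < 2**32 - 1:
        probes.append(net.broadcast_address + 1)
    return all(matches(cidr, str(ip)) == (ip in net) for ip in probes)

if __name__ == "__main__":
    # Constructed sample subnets; allow_IT is the variable name used in the thread.
    for cidr, var in [("10.1.0.0/24", "allow_IT"), ("10.1.4.0/22", "allow_Team2")]:
        assert boundary_check(cidr)
        print(setenvif_line(cidr, var))
```

Running the boundary check before deploying a generated line catches a pattern that admits a neighbouring subnet or a look-alike such as 110.1.0.5.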




RE: [users@httpd] Re: MOD_PROXY and Access Control by IP

Posted by Todd Simons <ts...@delphi-tech.com>.
Thanks Andrew, I did see this as an example on a web post.   ...the argument was made that it's a PIA when you don't match class C subnets and have to use RegEx :-)

...I don't have class C inside, I boiled it down to Class C for the post example.

Thanks!
