Posted to users@httpd.apache.org by Stormy <st...@stormy.ca> on 2020/03/19 19:48:45 UTC

[users@httpd] "Work from home" access

I have, on Apache 2.4.7:
https://mysite.com/ which runs a Perl/Mysql based application perfectly
and a parallel "staff only" accessed (now) only on our LAN to edit the 
above public application.

I need to add "outside" access for staff working from home, so that I 
would end up with e.g.

https://mysite.com/  [working exactly as before]
and
https://mysite.com/foo  [for the "staff_only", fully working on LAN]

I have tried variations of:   Redirect permanent "/foo/" 
"http://mysite.com/staff_only/" -- but end up with 404 every time.

Is there an elegant solution for this?

Many thanks -- Paul


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] "Work from home" access

Posted by Richard <li...@listmail.innovate.net>.
> Date: Thursday, March 19, 2020 16:05:19 -0400
> From: Jim Albert <ji...@netrition.com>
>
> On 3/19/2020 3:48 PM, Stormy wrote:
>> I have, on Apache 2.4.7:
>> https://mysite.com/ which runs a Perl/Mysql based application
>> perfectly and a parallel "staff only" accessed (now) only on our
>> LAN to edit the  above public application.
>> 
>> I need to add "outside" access for staff working from home, so
>> that I  would end up with e.g.
>> 
>> https://mysite.com/  [working exactly as before]
>> and
>> https://mysite.com/foo  [for the "staff_only", fully working on
>> LAN]
>> 
>> I have tried variations of:   Redirect permanent "/foo/" 
>> "http://mysite.com/staff_only/" -- but end up with 404 every time.
>> 
>> Is there an elegant solution for this?
>> 
>> Many thanks -- Paul
> 
> You need to explain in more detail what you are trying to do.
> Is mysite.com referencing the same server whether accessed publicly
> or privately?
> Are you trying to use split-DNS to reference public vs private
> servers so you can use the same domain name to access a private
> server across a VPN?
> 
> If staff-only is confidential and on the same server as public
> mysite.com you still have some significant risks which can be
> mitigated with apache access controls (.htaccess for example)...
> but still not a very good idea.
> 
> If none of above is relevant to what you want to do then your
> redirect is to an http resource where you reference https
> everywhere else... is that your problem?
> 
> If still none of my discussion is relevant then what is the purpose
> of https://mysite.com/foo redirecting to staff_only... why not just
> use a URL directly to staff_only?
> 
> If working from home is completely new to your company (and I
> imagine there's a lot of that with current health concerns) and
> security is a concern then opening up private resources on a public
> server is not a good idea and you should look into some secure
> remote access solutions to access private servers across a vpn.
> 

Also, please show the relevant error log entries as they are rather
more insightful than something like the browser reported 404.






Re: [users@httpd] "Work from home" access

Posted by Stormy <st...@stormy.ca>.
On 2020-03-19 5:15 p.m., Jim Albert wrote:
> On 3/19/2020 4:50 PM, Stormy wrote:
>> Jim -- tnx -- see below
>>
>> On 2020-03-19 4:05 p.m., Jim Albert wrote:
>>> On 3/19/2020 3:48 PM, Stormy wrote:
>>>> I have, on Apache 2.4.7:
>>>> https://mysite.com/ which runs a Perl/Mysql based application perfectly
>>>> and a parallel "staff only" accessed (now) only on our LAN to edit 
>>>> the above public application.
>>>>
>>>> I need to add "outside" access for staff working from home, so that 
>>>> I would end up with e.g.
>>>>
>>>> https://mysite.com/  [working exactly as before]
>>>> and
>>>> https://mysite.com/foo  [for the "staff_only", fully working on LAN]
>>>>
>>>> I have tried variations of:   Redirect permanent "/foo/" 
>>>> "http://mysite.com/staff_only/" -- but end up with 404 every time.
>>>>
>>>> Is there an elegant solution for this?
>>>>
>>>> Many thanks -- Paul
>>>
>>> You need to explain in more detail what you are trying to do.
>>> Is mysite.com referencing the same server whether accessed publicly 
>>> or privately?
>> Yes -- it's a standalone LAMP server with a very large Mysql db with 
>> public access for output, and a staff interface to edit the data. It 
>> is behind an Nginx front end server to four others and which takes 
>> care of Letsencrypt, firewall etc.
>>
>>> Are you trying to use split-DNS to reference public vs private 
>>> servers so you can use the same domain name to access a private 
>>> server across a VPN? 
>>
>> Split-DNS, if I understand the term is already in place on the LAN, 
>> the app is on 192.168.1.50 and the editing is on 192.168.1.50, but 
>> Bell only give us a single static public IP. (I'm not certain that 
>> this meets the definition of VPN)
>>>
>>> If staff-only is confidential and on the same server as public 
>>> mysite.com you still have some significant risks which can be 
>>> mitigated with apache access controls (.htaccess for example)... but 
>>> still not a very good idea.
>>>
>>> If none of above is relevant to what you want to do then your 
>>> redirect is to an http resource where you reference https everywhere 
>>> else... is that your problem?
>>
>> All the public interfaces are https (I tried that in the "Redirect" 
>> and get 404)
>>>
>>> If still none of my discussion is relevant then what is the purpose 
>>> of https://mysite.com/foo redirecting to staff_only... why not just 
>>> use a URL directly to staff_only?
>>
>> I maybe oversimplified: the site is in fact 
>> https://database.mysite.com which goes direct to the public app. I was 
>> looking to add /foo (even /gobble-de-gook-foo) for hopefully temporary 
>> "staff at home" access.
>>>
>>> If working from home is completely new to your company (and I imagine 
>>> there's a lot of that with current health concerns) and security is a 
>>> concern then opening up private resources on a public server is not a 
>>> good idea and you should look into some secure remote access 
>>> solutions to access private servers across a vpn.
>>
>> The staff resources are of course pw protected. A vpn might make 
>> sense, but I have no experience (virt-manager, Gnome-boxes whatever 
>> would put me into a brand new learning curve :={ )
>>
>> I was just hoping for a simple Apache redirect that can be put in 
>> place quickly as a temporary work-around and removed just as quickly.
>>
>> Thanks -- paul
> 
> OK... I've presented the caveats of serving private resources on a 
> public server... if, in fact, that's what you are trying to do and if so 
> please consider how you are protecting those private resources from the 
> public.
> I take it your employees need to work from home and instead of accessing 
> via private 192.168... IP as they would on your LAN, you'll be accessing 
> via public IP?
> 
> Just going back to what you want to do outside of the topic of security, 
> give us the Redirect configuration again (did you really make an http vs 
> https mistake in your original post?)
> 
> What is the context of the Redirect?... .htaccess, config file, etc...

Jim thanks -- here's the relevant parts of the .conf:

paul@-----:/etc/apache2/sites-available$ cat database_public.conf
# Database public access Configuration Directives
# This file invoked by nginx
Listen 8088
## database
   <VirtualHost 192.168.1.150:8088>
    ServerName database.mysite.com
    ServerAlias database_public

## Trial 18 March 2020
#   Redirect "/gobble-de-gook-foo/" "192.168.1.151"
#   Redirect "/gobble-de-gook-foo/" "db_staff"
#   Redirect permanent "/gobble-de-gook-foo/" "http://database.mysite.com/db_staff/"
    Redirect permanent "/gobble-de-gook-foo/" "https://database.mysite.com/db_staff/"

    ServerAdmin  webmaster@mysite.com
    DocumentRoot /usr/share/database_public/htdocs
       <Directory "/usr/share/database_public/htdocs">
          Options -Indexes
       </Directory>
# Secure internal stuff
    <DirectoryMatch "//usr/share/database_public/htdocs/.*/(modules|xslt|includes)">
    	  Require all denied
    </DirectoryMatch>
etc..........


> As Richard asks, please present relevant apache error logs rather than 
> what you are simply seeing in your browser.

Pls see previous reply.

Many thanks -- Paul



Re: [users@httpd] "Work from home" access

Posted by Jim Albert <ji...@netrition.com>.
On 3/19/2020 4:50 PM, Stormy wrote:
> Jim -- tnx -- see below
>
> On 2020-03-19 4:05 p.m., Jim Albert wrote:
>> On 3/19/2020 3:48 PM, Stormy wrote:
>>> I have, on Apache 2.4.7:
>>> https://mysite.com/ which runs a Perl/Mysql based application perfectly
>>> and a parallel "staff only" accessed (now) only on our LAN to edit 
>>> the above public application.
>>>
>>> I need to add "outside" access for staff working from home, so that 
>>> I would end up with e.g.
>>>
>>> https://mysite.com/  [working exactly as before]
>>> and
>>> https://mysite.com/foo  [for the "staff_only", fully working on LAN]
>>>
>>> I have tried variations of:   Redirect permanent "/foo/" 
>>> "http://mysite.com/staff_only/" -- but end up with 404 every time.
>>>
>>> Is there an elegant solution for this?
>>>
>>> Many thanks -- Paul
>>
>> You need to explain in more detail what you are trying to do.
>> Is mysite.com referencing the same server whether accessed publicly 
>> or privately?
> Yes -- it's a standalone LAMP server with a very large Mysql db with 
> public access for output, and a staff interface to edit the data. It 
> is behind an Nginx front end server to four others and which takes 
> care of Letsencrypt, firewall etc.
>
>> Are you trying to use split-DNS to reference public vs private 
>> servers so you can use the same domain name to access a private 
>> server across a VPN? 
>
> Split-DNS, if I understand the term is already in place on the LAN, 
> the app is on 192.168.1.50 and the editing is on 192.168.1.50, but 
> Bell only give us a single static public IP. (I'm not certain that 
> this meets the definition of VPN)
>>
>> If staff-only is confidential and on the same server as public 
>> mysite.com you still have some significant risks which can be 
>> mitigated with apache access controls (.htaccess for example)... but 
>> still not a very good idea.
>>
>> If none of above is relevant to what you want to do then your 
>> redirect is to an http resource where you reference https everywhere 
>> else... is that your problem?
>
> All the public interfaces are https (I tried that in the "Redirect" 
> and get 404)
>>
>> If still none of my discussion is relevant then what is the purpose 
>> of https://mysite.com/foo redirecting to staff_only... why not just 
>> use a URL directly to staff_only?
>
> I maybe oversimplified: the site is in fact 
> https://database.mysite.com which goes direct to the public app. I was 
> looking to add /foo (even /gobble-de-gook-foo) for hopefully temporary 
> "staff at home" access.
>>
>> If working from home is completely new to your company (and I imagine 
>> there's a lot of that with current health concerns) and security is a 
>> concern then opening up private resources on a public server is not a 
>> good idea and you should look into some secure remote access 
>> solutions to access private servers across a vpn.
>
> The staff resources are of course pw protected. A vpn might make 
> sense, but I have no experience (virt-manager, Gnome-boxes whatever 
> would put me into a brand new learning curve :={ )
>
> I was just hoping for a simple Apache redirect that can be put in 
> place quickly as a temporary work-around and removed just as quickly.
>
> Thanks -- paul

OK... I've presented the caveats of serving private resources on a 
public server... if, in fact, that's what you are trying to do and if so 
please consider how you are protecting those private resources from the 
public.
I take it your employees need to work from home and instead of accessing 
via private 192.168... IP as they would on your LAN, you'll be accessing 
via public IP?

Just going back to what you want to do outside of the topic of security, 
give us the Redirect configuration again (did you really make an http vs 
https mistake in your original post?)

What is the context of the Redirect?... .htaccess, config file, etc...

As Richard asks, please present relevant apache error logs rather than 
what you are simply seeing in your browser.

Jim




Re: [users@httpd] "Work from home" access

Posted by Stormy <st...@stormy.ca>.
Jim -- tnx -- see below

On 2020-03-19 4:05 p.m., Jim Albert wrote:
> On 3/19/2020 3:48 PM, Stormy wrote:
>> I have, on Apache 2.4.7:
>> https://mysite.com/ which runs a Perl/Mysql based application perfectly
>> and a parallel "staff only" accessed (now) only on our LAN to edit the 
>> above public application.
>>
>> I need to add "outside" access for staff working from home, so that I 
>> would end up with e.g.
>>
>> https://mysite.com/  [working exactly as before]
>> and
>> https://mysite.com/foo  [for the "staff_only", fully working on LAN]
>>
>> I have tried variations of:   Redirect permanent "/foo/" 
>> "http://mysite.com/staff_only/" -- but end up with 404 every time.
>>
>> Is there an elegant solution for this?
>>
>> Many thanks -- Paul
> 
> You need to explain in more detail what you are trying to do.
> Is mysite.com referencing the same server whether accessed publicly or 
> privately?
Yes -- it's a standalone LAMP server with a very large Mysql db with 
public access for output, and a staff interface to edit the data. It is 
behind an Nginx front end server to four others and which takes care of 
Letsencrypt, firewall etc.

> Are you trying to use split-DNS to reference public vs private servers 
> so you can use the same domain name to access a private server across a 
> VPN?  

Split-DNS, if I understand the term is already in place on the LAN, the 
app is on 192.168.1.50 and the editing is on 192.168.1.50, but Bell only 
give us a single static public IP. (I'm not certain that this meets the 
definition of VPN)
> 
> If staff-only is confidential and on the same server as public 
> mysite.com you still have some significant risks which can be mitigated 
> with apache access controls (.htaccess for example)... but still not a 
> very good idea.
> 
> If none of above is relevant to what you want to do then your redirect 
> is to an http resource where you reference https everywhere else... is 
> that your problem?

All the public interfaces are https (I tried that in the "Redirect" and 
get 404)
> 
> If still none of my discussion is relevant then what is the purpose of 
> https://mysite.com/foo redirecting to staff_only... why not just use a 
> URL directly to staff_only?

I maybe oversimplified: the site is in fact https://database.mysite.com 
which goes direct to the public app. I was looking to add /foo (even 
/gobble-de-gook-foo) for hopefully temporary "staff at home" access.
> 
> If working from home is completely new to your company (and I imagine 
> there's a lot of that with current health concerns) and security is a 
> concern then opening up private resources on a public server is not a 
> good idea and you should look into some secure remote access solutions 
> to access private servers across a vpn.

The staff resources are of course pw protected. A vpn might make sense, 
but I have no experience (virt-manager, Gnome-boxes whatever would put 
me into a brand new learning curve :={ )

I was just hoping for a simple Apache redirect that can be put in place 
quickly as a temporary work-around and removed just as quickly.

Thanks -- paul
> 
> Jim Albert




Re: [users@httpd] "Work from home" access

Posted by Jim Albert <ji...@netrition.com>.
On 3/19/2020 3:48 PM, Stormy wrote:
> I have, on Apache 2.4.7:
> https://mysite.com/ which runs a Perl/Mysql based application perfectly
> and a parallel "staff only" accessed (now) only on our LAN to edit the 
> above public application.
>
> I need to add "outside" access for staff working from home, so that I 
> would end up with e.g.
>
> https://mysite.com/  [working exactly as before]
> and
> https://mysite.com/foo  [for the "staff_only", fully working on LAN]
>
> I have tried variations of:   Redirect permanent "/foo/" 
> "http://mysite.com/staff_only/" -- but end up with 404 every time.
>
> Is there an elegant solution for this?
>
> Many thanks -- Paul

You need to explain in more detail what you are trying to do.
Is mysite.com referencing the same server whether accessed publicly or 
privately?
Are you trying to use split-DNS to reference public vs private servers 
so you can use the same domain name to access a private server across a VPN?

If staff-only is confidential and on the same server as public 
mysite.com you still have some significant risks which can be mitigated 
with apache access controls (.htaccess for example)... but still not a 
very good idea.

If none of above is relevant to what you want to do then your redirect 
is to an http resource where you reference https everywhere else... is 
that your problem?

If still none of my discussion is relevant then what is the purpose of 
https://mysite.com/foo redirecting to staff_only... why not just use a 
URL directly to staff_only?

If working from home is completely new to your company (and I imagine 
there's a lot of that with current health concerns) and security is a 
concern then opening up private resources on a public server is not a 
good idea and you should look into some secure remote access solutions 
to access private servers across a vpn.

Jim Albert
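
Added example, not part of the original thread and not the poster's configuration: one way to express the "apache access controls" mentioned above on Apache 2.4 when, as in this thread, Apache sits behind an nginx front end. The /db_staff/ path is taken from the posted config; the proxy address 192.168.1.1, the password file path and the home address 203.0.113.10 are assumed placeholders.

```apache
# Added example. Assumptions (not from the thread): the nginx front end
# connects from 192.168.1.1 and sets X-Forwarded-For to the client
# address; /etc/apache2/staff.htpasswd was created with htpasswd;
# 203.0.113.10 stands in for one staff member's home address.

# Behind a reverse proxy Apache sees every request as coming from the
# proxy, so a bare "Require ip" would test the proxy's LAN address and
# match for everyone. mod_remoteip substitutes the forwarded client
# address, and only when the connection really comes from the listed
# proxy. Deliberately NOT wrapped in <IfModule>: if the module is missing
# the server should refuse to start rather than silently fail open.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 192.168.1.1

<Location "/db_staff/">
    AuthType Basic
    AuthName "Staff only"
    AuthUserFile "/etc/apache2/staff.htpasswd"

    # Both conditions must hold: a known source address AND a valid login.
    <RequireAll>
        <RequireAny>
            Require ip 192.168.1.0/24
            Require ip 203.0.113.10
        </RequireAny>
        Require valid-user
    </RequireAll>
</Location>
```

A Redirect to this path only changes the URL the browser requests next; the access decision is made by the block above on that second request, so an obscure source path adds no protection of its own.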


