Posted to users@httpd.apache.org by Tim Dunphy <bl...@gmail.com> on 2015/03/19 17:41:43 UTC

[users@httpd] apache 2.4 allow by IP

Hey all,

 I'm attempting to set up the server-status module and limit access to it by
IP.

So I have this block in my apache configuration file:

#Mod_status config
    ExtendedStatus on
<Location /server-status>
    SetHandler server-status
    Require ip 10.10.10.5 127.0.0.1
</Location>

And if I do a GET by IP, I'm getting permission denied

[root@uszwslp00031la apache2]# GET http://$(hostname -i)/server-status
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<ul><li><a href="healthcheck.php"> healthcheck.php</a></li>
</ul>
</body></html>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
*<p>You don't have permission to access /server-status*
on this server.<br />
</p>
</body></html>

Can someone please let me know where I'm going wrong?

Thanks
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

Re: [users@httpd] apache 2.4 allow by IP

Posted by Daniel <df...@gmail.com>.
Do not define <VirtualHost *>; define it like <VirtualHost *:80>.
Change <Directory /*> to point to your exact DocumentRoot path and then set
AllowOverride none.

Also use apachectl -S to check and make sure your virtualhosts are defined
correctly.



And now the most important thing, the log:
[Thu Mar 19 13:22:34.274686 2015] [authz_core:error] [pid 56979:tid
140005409228544] [client 216.178.108.232:63636] AH01630: client denied by
server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status

Here it says you are reaching your server with IP 216.178.108.232, and you
have "Require ip 10.10.10.5". It will never let you in, even if you land in
the correct context.



-- 
*Daniel Ferradal*
IT Specialist

email         dferradal@gmail.com
linkedin     es.linkedin.com/in/danielferradal
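
Added example, not part of the thread: the check described in the message above (read the client address out of the AH01630 line and compare it with the Require ip arguments) as a short Python script. The first two log lines are the ones posted in this thread, unwrapped; the function names and the IPv4-only handling are assumptions of this example.

```python
import ipaddress
import re

# authz_core logs AH01630 when a request is refused by the authorization rules.
AH01630 = re.compile(
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\] "
    r"AH01630: client denied by server configuration: (?P<path>\S+)"
)

# The two denials posted in this thread (unwrapped), plus one constructed
# unrelated line to show that other messages are skipped.
SAMPLE_LOG = """\
[Thu Mar 19 13:22:34.274686 2015] [authz_core:error] [pid 56979:tid 140005409228544] [client 216.178.108.232:63636] AH01630: client denied by server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status
[Thu Mar 19 16:19:41.577437 2015] [authz_core:error] [pid 57932:tid 140005330646784] [client 10.10.10.5:30780] AH01630: client denied by server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status
[Thu Mar 19 16:20:00.000000 2015] [core:notice] [pid 57900:tid 140005500000000] constructed line, not an authorization denial
"""


def require_ip_to_network(arg):
    """Turn one IPv4 'Require ip' argument into an ipaddress network.

    Handles a full address, a partial address (1 to 3 leading octets, so
    "10" means 10.0.0.0/8), and network/prefix or network/netmask forms.
    """
    if "/" in arg:
        return ipaddress.ip_network(arg, strict=False)
    octets = arg.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError("not an IPv4 Require ip argument: %r" % arg)
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))


def triage_denials(log_text, require_ip_args):
    """Compare every AH01630 client address with a Require ip list."""
    networks = [require_ip_to_network(a) for a in require_ip_args]
    findings = []
    for line in log_text.splitlines():
        m = AH01630.search(line)
        if m is None:
            continue  # not an authorization denial
        client = ipaddress.ip_address(m.group("ip"))
        in_list = any(client in net for net in networks)
        if in_list:
            # The list would have let this client in, so some other rule
            # set answered: another section or vhost, or a stale config.
            verdict = ("address is in the list; a different rule set handled "
                       "the request (check apachectl -S and reload state)")
        else:
            verdict = "address is not in the list; the denial is expected"
        findings.append({
            "client": str(client),
            "path": m.group("path"),
            "in_list": in_list,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in triage_denials(SAMPLE_LOG, ["10.10.10.5", "127.0.0.1"]):
        print("%-16s in_list=%-5s %s" % (f["client"], f["in_list"], f["verdict"]))
```
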

Re: [users@httpd] apache 2.4 allow by IP

Posted by Tim Dunphy <bl...@gmail.com>.
>
> Do you also have the corresponding LoadModule directives in your config
> file?
> (shared modules need it to be effectively loaded).


Affirmative:

[root@uszwsls00015la apache2]# egrep "status_module|authz_host"
conf/httpd.conf
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule status_module modules/mod_status.so

Thanks,
Tim


Re: [users@httpd] apache 2.4 allow by IP

Posted by Yann Ylavic <yl...@gmail.com>.
On Thu, Mar 19, 2015 at 9:51 PM, Tim Dunphy <bl...@gmail.com> wrote:
>> mod_status loaded?
>
>
> Yep!
>
> [root@uszwsls00015la apache2]# apachectl -M | grep status
>  status_module (shared)
>
> And so is mod_authz_host:
>
> [root@uszwsls00015la apache2]# apachectl -M | grep authz_host
>  authz_host_module (shared)

Do you also have the corresponding LoadModule directives in your config file?
(shared modules need it to be effectively loaded).

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] apache 2.4 allow by IP

Posted by Tim Dunphy <bl...@gmail.com>.
>
> mod_status loaded?


Yep!

[root@uszwsls00015la apache2]# apachectl -M | grep status
 status_module (shared)

And so is mod_authz_host:

[root@uszwsls00015la apache2]# apachectl -M | grep authz_host
 authz_host_module (shared)

So it's a little puzzling..


Re: [users@httpd] apache 2.4 allow by IP

Posted by Eric Covener <co...@gmail.com>.
On Thu, Mar 19, 2015 at 4:26 PM, Tim Dunphy <bl...@gmail.com> wrote:
> I'm still not sure why this is happening. Any help/clues would be
> appreciated!


mod_status loaded?

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] apache 2.4 allow by IP

Posted by Tim Dunphy <bl...@gmail.com>.
Hello Kees,

 Thanks for that suggestion. Not sure if I understood you correctly, but
this is what I tried:

#Mod_status config
    ExtendedStatus on

<VirtualHost *>
    ServerAdmin     webmaster@nbcuni.com
    DocumentRoot    /opt/apache2/htdocs/hcphp.nbc.com
    ServerName      hcphp.nbc.com
    ServerAlias     phphc.nbc.com 10.10.10.5  uszwsls00015la.dmz.tfayd.com
<Directory /*>
        AddHandler cgi-script .cgi
        Options -Indexes +FollowSymLinks +ExecCGI +Includes
        AllowOverride All
        Require all granted
</Directory>
     RewriteEngine On
     RewriteCond %{REQUEST_METHOD} ^TRACE
     RewriteRule .* - [F]
     ExpiresActive On
     ExpiresDefault "access plus 30 minutes"
<Location /server-status>
    SetHandler server-status
    Require ip 10.10.10.5
    #Require all granted
</Location>


 </VirtualHost>

But that didn't change my result:

[root@uszwsls00015la apache2]# GET http://$(hostname -i)/server-status
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<ul><li><a href="healthcheck.php"> healthcheck.php</a></li>
</ul>
</body></html>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /server-status
on this server.<br />
</p>
</body></html>

And the same entry was added to the error log as before:

[Thu Mar 19 16:19:41.577437 2015] [authz_core:error] [pid 57932:tid
140005330646784] [client 10.10.10.5:30780] AH01630: client denied by server
configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status

Does anyone have any other ideas? Would showing more of the config be
helpful?
Thanks
Tim



Re: [users@httpd] apache 2.4 allow by IP

Posted by Kees Nuyt <k....@zonnet.nl>.
On Thu, 19 Mar 2015 16:26:28 -0400, you wrote:

>This is what I'm seeing in the error logs:
>
>[Thu Mar 19 13:22:34.274686 2015] [authz_core:error] [pid 56979:tid
>140005409228544] [client 216.178.108.232:63636] AH01630: client denied by
>server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status
>
>But that error seems to be referencing another VHOST:
>
>
>#Mod_status config
>    ExtendedStatus on
><Location /server-status>
>    SetHandler server-status
>    Require ip 10.10.10.5
>    #Require all granted
></Location>
>
><VirtualHost *>
>    ServerAdmin     webmaster@somewhere.com
>    DocumentRoot    /opt/apache2/htdocs/hcphp.nbc.com
>    ServerName      hcphp.nbc.com
>    ServerAlias     phphc.nbc.com 10.10.10.5  uszwsls00015la.dmz.tfayd.com
><Directory /*>
>        AddHandler cgi-script .cgi
>        Options -Indexes +FollowSymLinks +ExecCGI +Includes
>        AllowOverride All
>        Require all granted
></Directory>
>     RewriteEngine On
>     RewriteCond %{REQUEST_METHOD} ^TRACE
>     RewriteRule .* - [F]
>     ExpiresActive On
>     ExpiresDefault "access plus 30 minutes"
> </VirtualHost>
>
>I'm still not sure why this is happening. Any help/clues would be
>appreciated!
>
>Tim

The first virtual host is the default servername.
You could try to move the <Location ...> ... server-status ... </Location> 
block into that <VirtualHost ... ></VirtualHost> block.

-- 
Regards, Cordialement, Groet,

Kees Nuyt



Re: [users@httpd] apache 2.4 allow by IP

Posted by Tim Dunphy <bl...@gmail.com>.
This is what I'm seeing in the error logs:

[Thu Mar 19 13:22:34.274686 2015] [authz_core:error] [pid 56979:tid
140005409228544] [client 216.178.108.232:63636] AH01630: client denied by
server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status

But that error seems to be referencing another VHOST:


#Mod_status config
    ExtendedStatus on
<Location /server-status>
    SetHandler server-status
    Require ip 10.10.10.5
    #Require all granted
</Location>

<VirtualHost *>
    ServerAdmin     webmaster@somewhere.com
    DocumentRoot    /opt/apache2/htdocs/hcphp.nbc.com
    ServerName      hcphp.nbc.com
    ServerAlias     phphc.nbc.com 10.10.10.5  uszwsls00015la.dmz.tfayd.com
<Directory /*>
        AddHandler cgi-script .cgi
        Options -Indexes +FollowSymLinks +ExecCGI +Includes
        AllowOverride All
        Require all granted
</Directory>
     RewriteEngine On
     RewriteCond %{REQUEST_METHOD} ^TRACE
     RewriteRule .* - [F]
     ExpiresActive On
     ExpiresDefault "access plus 30 minutes"
 </VirtualHost>

I'm still not sure why this is happening. Any help/clues would be
appreciated!

Tim


Re: [users@httpd] apache 2.4 allow by IP

Posted by Daniel <df...@gmail.com>.
> 2015-03-19 20:33 GMT+01:00 Larry Irwin <la...@ccamedical.com>:
>
>> How about using this within a Directory entry:
>>                 Order deny,allow
>>                 Deny from all
>>                 # Private IP ranges
>>                 Allow from 127.0.0.1/32
>>                 Allow from 10.0.0.5/32
>> And then add the server status are under that Directory...
>> Wouldn't that do it?
>>
> --
> Larry Irwin
> V.P. Development
> CCA Medical
> Ph: 864-233-2700 ext 225
> Fax: 864-271-1755
> Cell: 864-525-1322
> Email: larry.irwin@ccamedical.com
>
>
He is using Require, so 2.4.x. Using deprecated directives in 2.4 is not
recommended.

The server-status uri will be a virtual path when you define the handler
for it, not a real directory, so the logical way is calling it Location.

Also if you need to define ranges in 2.4 (not sure about 2.2 now) I don't
think you need to use CIDR notation, even less if you use /32 hostmask
which is the same as the IP alone. In 2.4 with Require you can even just
specify part of the ip to define ranges: aka "Require ip 10" to allow
10.0.0.0/8.

He needs to check source ip and error.log to know why he is being denied
access.


-- 
*Daniel Ferradal*
IT Specialist

email         dferradal@gmail.com
linkedin     es.linkedin.com/in/danielferradal

Re: [users@httpd] apache 2.4 allow by IP

Posted by Tim Dunphy <bl...@gmail.com>.
>
> How about using this within a Directory entry:
>                 Order deny,allow
>                 Deny from all
>                 # Private IP ranges
>                 Allow from 127.0.0.1/32
>                 Allow from 10.0.0.5/32
> And then add the server status are under that Directory...
> Wouldn't that do it?


I believe that's the old pre-2.4 syntax. It's not recommended for the
latest version of apache from what I understand.


Re: [users@httpd] apache 2.4 allow by IP

Posted by Larry Irwin <la...@ccamedical.com>.
How about using this within a Directory entry:
                 Order deny,allow
                 Deny from all
                 # Private IP ranges
                 Allow from 127.0.0.1/32
                 Allow from 10.0.0.5/32
And then add the server status are under that Directory...
Wouldn't that do it?


-- 
Larry Irwin
V.P. Development
CCA Medical
Ph: 864-233-2700 ext 225
Fax: 864-271-1755
Cell: 864-525-1322
Email: larry.irwin@ccamedical.com


Re: [users@httpd] apache 2.4 allow by IP

Posted by Daniel <df...@gmail.com>.
2015-03-19 18:06 GMT+01:00 Robert Webb <rw...@ropeguru.com>:

> I don't agree with your analysis.
>
> <ul><li><a href="healthcheck.php"> healthcheck.php</a></li> is an href
> inside an html page that does nothing until clicked on by the client.
>
> This is all assuming that the access denied he is getting is from
> http://$(hostname -i)/server-status and "server-status" is the html page of the
> code he posted. Not when clicking on the healthcheck.php href link.
>
>
> Robert
>
>
Should that be the case he still needs to check the error.log


-- 
*Daniel Ferradal*
IT Specialist

email         dferradal@gmail.com
linkedin     es.linkedin.com/in/danielferradal

Re: [users@httpd] apache 2.4 allow by IP

Posted by Robert Webb <rw...@ropeguru.com>.
I don't agree with your analysis.

<ul><li><a href="healthcheck.php"> healthcheck.php</a></li> is an href 
inside an html page that does nothing until clicked on by the client.

This is all assuming that the access denied he is getting is from
http://$(hostname -i)/server-status and "server-status" is the html page of
the code he posted. Not when clicking on the healthcheck.php href link.


Robert



Re: [users@httpd] apache 2.4 allow by IP

Posted by Daniel <df...@gmail.com>.
Hello,

This should give you a tip:
<h1>Index of /</h1>
<ul><li><a href="healthcheck.php"> healthcheck.php</a></li> <-------------
which has nothing to do with server-status

make sure you are accessing the correct virtualhost

-- 
*Daniel Ferradal*
IT Specialist

email         dferradal@gmail.com
linkedin     es.linkedin.com/in/danielferradal