Posted to users@httpd.apache.org by Reis Markus <Ma...@abv.at> on 2009/02/19 16:20:58 UTC

[users@httpd] block ip address for certain (server) context

Hi,


We want to block certain ip addresses from accessing a certain (server)
context - e.g. ip address 10.1.13.25 shouldn't be able to access
(server) context (not a directory) 'myapplication'.

[*NOTE*] We use mod_jk in order to "forward" certain contexts to a JBoss
AS instance.

Therefore we added the following lines to Apache's httpd.conf (we simply
adapted some useful examples from the mod_rewrite documentation):

   LoadModule rewrite_module modules/mod_rewrite.so
   RewriteEngine on
   RewriteCond %{REMOTE_ADDR} ^10\.1\.13\.25
   RewriteRule .*  - [F]

This rule is even more restrictive - it should restrict access to all
resources served from our Apache (and/or the JBoss behind it) for
clients with ip address 10.1.13.25.

Unfortunately this rule has no effect - all resources are available for
ip 10.1.13.25 - Why?

[*NOTE*] Server: Apache/2.2.9 (Unix) mod_jk/1.2.26 mod_ssl/2.2.9
OpenSSL/0.9.8d
[*NOTE*] The above configuration represents the last statements in
httpd.conf - the mod_jk module is loaded before


Many thanks for your help,
Kind regards,
Markus

AW: AW: [users@httpd] block ip address for certain (server) context

Posted by Reis Markus <Ma...@abv.at>.
No it isn't - sorry - should have been: <Location /my_jboss_app_context>


cheers,
Markus

-----Original Message-----
From: Peter Schober [mailto:peter.schober@univie.ac.at]
Sent: Monday, 23 February 2009 09:14
To: users@httpd.apache.org
Subject: Re: AW: [users@httpd] block ip address for certain (server) context

* Reis Markus <Ma...@abv.at> [2009-02-23 09:09]:
> Could you explain to me why this Location-Directive does NOT work:
> <Location /my_jboss_app_context">

not having read the rest of the thread, but is the trailing " intentional?

cheers,
-peter

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: AW: [users@httpd] block ip address for certain (server) context

Posted by Peter Schober <pe...@univie.ac.at>.
* Reis Markus <Ma...@abv.at> [2009-02-23 09:09]:
> Could you explain to me why this Location-Directive does NOT work:
> <Location /my_jboss_app_context">

not having read the rest of the thread, but
is the trailing " intentional?

cheers,
-peter



AW: AW: [users@httpd] block ip address for certain (server) context

Posted by Reis Markus <Ma...@abv.at>.
We've tried Location-Directives before, but without any success ...

... Following your advice I tried it again and found this one:
<Location ~ "/my_jboss_app_context.*">
  Order Deny,Allow
  Deny from all
  Allow from 10.1.13.25
</Location>

This Location-Directive based on a regular expression works!

Could you explain to me why this Location-Directive does NOT work:
<Location /my_jboss_app_context">
  Order Deny,Allow
  Deny from all
  Allow from 10.1.13.25
</Location>

Anyway, many thanks ...


-----Original Message-----
From: Tom Evans [mailto:tevans.uk@googlemail.com]
Sent: Friday, 20 February 2009 15:07
To: users@httpd.apache.org
Subject: Re: AW: [users@httpd] block ip address for certain (server) context

On Fri, 2009-02-20 at 14:21 +0100, Reis Markus wrote:
> We already tried something like:
> 
>    <Directory /my_jboss_app_context>
>       Order Deny,Allow
>       Deny from 10.1.13.25
>    </Directory>
> 
> But this also didn't work - We got the impression that this directive only works with "real" directories and NOT with "contexts" (i.e. a path defined in uriworkermap.properties for mod_jk which corresponds to a jboss web application context). Is that correct?
> 
> Any further ideas?
> 
> 
> Kind regards,
> Markus
> 
<Directory> is for physical on disk directories, and the path referenced is a file system path
<Location> is for URI locations, and the path referenced is the URI.

<Directory /my_jboss_app_context> will only match files that are loaded from the physical on disk directory /my_jboss_app_context/

Also, :set tw=78, because your emails are hideously formatted..
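
Added example, not part of the original thread: a minimal Python model of how Apache 2.2 evaluates Order, Allow and Deny, applied to the directive sets posted in this thread to show which clients each one admits. The function names, the BLOCK_ONE_ALT policy and the client addresses other than 10.1.13.25 are constructed for illustration; only "all", full IP addresses and CIDR ranges are modelled.

```python
# Added example (not from the thread): model of Apache 2.2 Order/Allow/Deny.
import ipaddress


def _matches(spec, client_ip):
    """True if one 'from' argument ("all", an IP or a CIDR) covers the client."""
    if spec.lower() == "all":
        return True
    network = ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(client_ip) in network


def is_allowed(order, allow, deny, client_ip):
    """Return True if the request is admitted under the given Order."""
    allowed = any(_matches(s, client_ip) for s in allow)
    denied = any(_matches(s, client_ip) for s in deny)
    key = order.replace(" ", "").lower()
    if key == "deny,allow":
        # Deny is evaluated first and Allow overrides it; no match means allow.
        return allowed or not denied
    if key == "allow,deny":
        # Allow is evaluated first and Deny overrides it; no match means deny.
        return allowed and not denied
    raise ValueError("unsupported Order value: %r" % order)


# Directive sets as posted in the thread.
LOCATION_AS_POSTED = dict(order="Deny,Allow", allow=["10.1.13.25"], deny=["all"])
DIRECTORY_AS_POSTED = dict(order="Deny,Allow", allow=[], deny=["10.1.13.25"])
# Assumption: the same single-address block written with the other ordering.
BLOCK_ONE_ALT = dict(order="Allow,Deny", allow=["all"], deny=["10.1.13.25"])

# 10.1.13.25 is from the thread; the other two addresses are constructed.
CLIENTS = ["10.1.13.25", "10.1.13.26", "192.0.2.7"]


def decisions(policy, clients=CLIENTS):
    """Map each client address to True (admitted) or False (403)."""
    return {ip: is_allowed(client_ip=ip, **policy) for ip in clients}


if __name__ == "__main__":
    for name in ("LOCATION_AS_POSTED", "DIRECTORY_AS_POSTED", "BLOCK_ONE_ALT"):
        print(name, decisions(globals()[name]))
```

The "Deny from all" plus "Allow from 10.1.13.25" set admits only 10.1.13.25, while "Deny from 10.1.13.25" under either ordering rejects only that address, which is what the first message in the thread asks for.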




[users@httpd] Re: questions on TCP connections and Sessions

Posted by Nicholas Sherlock <n....@gmail.com>.
Qingshan Xie wrote:
> Hello,  
> 
>    I am pretty confused about the TCP connections and sessions in the case of proxy server in the middle.  Here is the case, 
> 
>                Browser -> SSL-Proxy Server -> SSL WebServer
> 
> there are two parts in this SSL communication, 
> 1.  Browser -> SSL-Proxy Server.  Browser sends a HTTPS request, SSL-Proxy server terminates the SSL connection.
> 2. SSL-Proxy Server -> HTTPS WebServer.  SSL-Proxy server as a client re-encrypts the request, sends it to backend HTTPS webServer.
> 
> How many sessions will be, one or two?  Can someone help?

The only SSL proxy I know of is a HTTP proxy that supports the CONNECT 
method. Basically, the browser connects to the proxy, sends "CONNECT" 
and the name of the host to connect to. The proxy connects to the 
webserver. The proxy relays any bytes sent from the client to the 
webserver, and vice versa. If the client closes the connection, the 
proxy disconnects from the web server, and vice versa. The only thing 
that the proxy gets to see is the call to "CONNECT", everything else it 
cannot view because it is encrypted and it does not have the key.

Cheers,
Nicholas Sherlock




Re: AW: [users@httpd] block ip address for certain (server) context

Posted by Tom Evans <te...@googlemail.com>.
On Fri, 2009-02-20 at 14:21 +0100, Reis Markus wrote:
> We already tried something like:
> 
>    <Directory /my_jboss_app_context>
>       Order Deny,Allow
>       Deny from 10.1.13.25
>    </Directory>
> 
> But this also didn't work - We got the impression that this directive only works with "real" directories and NOT with "contexts" (i.e. a path defined in uriworkermap.properties for mod_jk which corresponds to a jboss web application context). Is that correct?
> 
> Any further ideas?
> 
> 
> Kind regards,
> Markus
> 
<Directory> is for physical on disk directories, and the path referenced
is a file system path
<Location> is for URI locations, and the path referenced is the URI.

<Directory /my_jboss_app_context> will only match files that are loaded
from the physical on disk directory /my_jboss_app_context/

Also, :set tw=78, because your emails are hideously formatted..




AW: [users@httpd] block ip address for certain (server) context

Posted by Reis Markus <Ma...@abv.at>.
We already tried something like:

   <Directory /my_jboss_app_context>
      Order Deny,Allow
      Deny from 10.1.13.25
   </Directory>

But this also didn't work - We got the impression that this directive only works with "real" directories and NOT with "contexts" (i.e. a path defined in uriworkermap.properties for mod_jk which corresponds to a jboss web application context). Is that correct?

Any further ideas?


Kind regards,
Markus


-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com]
Sent: Friday, 20 February 2009 12:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] block ip address for certain (server) context

On Thu, Feb 19, 2009 at 10:20 AM, Reis Markus <Ma...@abv.at> wrote:
> Hi,
>
> We want to block certain ip addresses from accessing a certain 
> (server) context - e.g. ip address 10.1.13.25 shouldn't be able to 
> access (server) context (not a directory) 'myapplication'.

> [*NOTE*] Server: Apache/2.2.9 (Unix) mod_jk/1.2.26 mod_ssl/2.2.9 
> OpenSSL/0.9.8d [*NOTE*] The above configuration represents the last 
> statements in httpd.conf - the mod_jk module is loaded before

Rewrite rules aren't inherited by virtual hosts.

You should use allow/deny for this.

--
Eric Covener
covener@gmail.com



Re: [users@httpd] block ip address for certain (server) context

Posted by Eric Covener <co...@gmail.com>.
On Thu, Feb 19, 2009 at 10:20 AM, Reis Markus <Ma...@abv.at> wrote:
> Hi,
>
> We want to block certain ip addresses from accessing a certain (server)
> context - e.g. ip address 10.1.13.25 shouldn't be able to access (server)
> context (not a directory) 'myapplication'.

> [*NOTE*] Server: Apache/2.2.9 (Unix) mod_jk/1.2.26 mod_ssl/2.2.9
> OpenSSL/0.9.8d
> [*NOTE*] The above configuration represents the last statements in
> httpd.conf - the mod_jk module is loaded before

Rewrite rules aren't inherited by virtual hosts.

You should use allow/deny for this.

-- 
Eric Covener
covener@gmail.com
