• Home
• Blog
• Downloads
• Info
• Reviews
• Virus Warnings
• Search Site

Restricting Access to an Apache Virtual Host

To restrict access to an Apache Virtual Host by IP address, you will need to have the mod_authz_host module loaded in the Apache configuration file httpd.conf, which can usually be found at /etc/httpd/conf/httpd.conf on a Linux system. To determine if it is loaded, look for a line similar to the following in the configuration file:

LoadModule authz_host_module modules/mod_authz_host.so

You can restrict access to a website that is set up as a virtual host by including information on what IP addresses should have access to documents on the website in a directory section Directory as shown below.

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot /home/www/example
    ErrorLog /home/www/example/logs/error.log
    CustomLog /home/www/example/logs/transfer.log common
    <Directory /home/www/example>
      Order Deny,Allow
      Deny from all
      Allow from 192.168 127.0.0.1
    </Directory>
</VirtualHost>

In the case above, access to the document root of the website, i.e., all documents on the website, is restricted to allow access only from IP addresses beginning with 192.168 and 127.0.0.1, which is the "localhost" address, meaning the address of the server itself. Anyone trying to access example.com from any other IP address would see the default webpage for the server, if any, not the example.com website.

References:

1. Access Control
   The Apache HTTP Server Project
2. Apache Module mod_authz_host
   The Apache HTTP Server Project
3. Learn how to configure Apache
   Date: September 29, 2003
   TechRepublic Articles

[/network/web/server/apache] permanent link

Active Log Monitor

If you want to view access to your website in realtime, i.e. see what pages are being accessed as they are being accessed, you can use the Active Log Monitor PHP script.

[ More Info ]

[/network/web/server/apache] permanent link

Apache Access Log Format

If you use the common log format for websites that reside on an Apache webserver, you may not see the referer and agent, e.g. information on visitors' web browsers, logged. You can switch to the combined log format to have the additional information logged.

[ More Info ]

[/network/web/server/apache] permanent link

Default Virtualhost in Apache

The first virtualhost section in Apache's httpd.conf file will be used as the default for any domain that doesn't have its own virtualhost section in the configuration file, if you use *:80 in the virtualhost section. E.g., suppose the very first virtualhost listed in httpd.conf is dummp-host.example.com as shown below.

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /www/docs/dummy-host.example.com
    ServerName dummy-host.example.com
    ErrorLog logs/dummy-host.example.com-error_log
    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>

If the IP address for another.example.com, points to the same webserver, but there is no virtualhost section for another.example.com, then anyone who uses http://another.example.com will see whatever homepage was set up for dummy-host.example.com.

References:

1. VirtualHost Examples
   Apache HTTP Server Version 2.0
   The Apache HTTP Server Project

[/network/web/server/apache] permanent link

Adding a MIME Type for Cab Files to Apache

I placed a .cab file on the website for downloading, but I found that, when I clicked on it, I got a screen full of garbled text, rather than being presented with the option to download it. I fixed the problem by adding another MIME type to the Apache webserver configuration file, httpd.conf file. I edited /etc/httpd/conf/httpd.conf and added an AddType line for the .acs file extension.

#
# AddType allows you to add to or override the MIME configuration
# file mime.types for specific file types.
#
#AddType application/x-tar .tgz
AddType application/octet-stream .cab

I then restarted the Apache webserver with apachectl restart. When I visited the URL again, I was prompted as to whether I wanted to download the file.

References:

1. Adding Another MIME Type to Apache
   MoonPoint Support
2. Apache Module mod_mime
   The Apache Server Project
3. Help: Unable to serve XBAP from Apache?
   Posted: August 29, 2006
   Vista Forums

[/network/web/server/apache] permanent link

Configuring Apache as a Proxy Server

I needed to configure an Apache (version 2.0.59) server to act as a proxy server. I also needed it to continue to act as a web server. To do so, I added the 3 LoadModule directives shown below to the LoadModule section of Apache's httpd.conf, which is located in /usr/local/apache2/conf on this particular system, which is a Solaris 2.7 server (it will likely be in /etc/httpd/conf/httpd.conf, if you are running Apache on a Linux system).

# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so

The following lines, except for the comment lines, are also needed in httpd.conf:

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#

ProxyRequests On
#

    Order deny,allow
    Deny from all
    Allow from 192.168.1.3 192.168.1.4 127.0.0.1

In this case I wanted to limit access to the proxy server to access from the system itself, e.g. from the loopback address, 127.0.0.1, and two other IP addresses, 192.168.1.3 and 192.168.1.4. I could have also used 192.168.1 to allow access from any 192.168.1.x address.

After modifying the httpd.conf file, I restarted Apache with /usr/local/apache2/bin/apachectl restart. For a Linux system apachectl restart should suffice, though it is likely located in /usr/sbin, if you need to specify the full path.

After restarting Apache I was able to configure a browser on the system at the 192.168.1.4 address to use the Apache server as a proxy server. I used the IP address of the Apache server, 192.168.1.1 as the HTTP proxy server address with 80 as the port. I verified that the browser was using the Apache server as a proxy server by pointing the browser on the 192.168.1.4 system to www.showmyip.com. That site showed the address for the system as 192.168.1.1, i.e. it showed the connection as originating from the proxy server rather than the actual system on which the browser was being used.

I was also still able to access webpages on the website I host on the Apache server on the default HTTP port.

If you want to turn the proxy service off, you need only change the ProxyRequests On line to ProxyRequests Off and restart Apache.

References:

1. Configuring Apache 2.0 as a Forward Proxy Server
   By: Martin Brown
   Date: January 4, 2008
   ServerWatch
2. Configuring mod_proxy support for Apache
   IBM

[/network/web/server/apache] permanent link

Apache AllowOverride AuthConfig Directive

You can control access to directories on an Apache webserver by placing .htaccess files in those directories and creating .htpasswd files containing userids and passwords required to access the directories. But Apache won't use those .htaccess and .htpasswd files unless you modify Apache's httpd.conf configuration file, which will likely be at /etc/httpd/conf/httpd.conf on a Linux system.

To permit usage of those files to control access to directories on the webserver, edit httpd.conf and replace the AllowOverride None in the <Directory /> section with AllowOverride AuthConfig.

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

You can use the .htaccess and .htpasswd method without changing the AllowOverride None line in the following section of httpd.conf.

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
    AllowOverride None

References:

1. Authentication, Authorization and Access Control
   The Apache HTTP Server Project
2. Using Apache realms to password-protect your website
   Last modified: January 09 2006
   Linux/Mac Web, Database, Email, DNS Server Administration and Security Howtos
3. USING .HTACCESS & HTPASSWD TO PROTECT YOUR FILES FROM UNAUTHORIZED ACCESS
   BigNoseBird.Com

[/network/web/server/apache] permanent link

Adding Another MIME Type to Apache

I posted a Microsoft Agent .acs file on my Apache webserver. I tried to download the file to a Windows XP system with a web browser, but when I opened the URL, the browser attempted to display the file rather than giving me the option to download it.

To rectify the problem, I had to add another MIME type to the Apache webserver httpd.conf file. I edited /etc/httpd/conf/httpd.conf and added an AddType line for the .acs file extension.

#
# AddType allows you to add to or override the MIME configuration
# file mime.types for specific file types.
#
#AddType application/x-tar .tgz
AddType application/octet-stream .acs

I then restarted the Apache webserver with apachectl restart. Afterwards when I visited the URL again, I was prompted as to whether I wanted to download the file.

References:

1. Apache Module mod_mime
   The Apache Server Project
2. Help: Unable to serve XBAP from Apache?
   Posted: August 29, 2006
   Vista Forums

[/network/web/server/apache] permanent link