Allowing access to an Apache virtual host from the local network only


Solution 1

Easy. Just set something like this within your main configuration or your virtual configuration:

<Directory /var/www/path/to/your/web/documents>

  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1 ::1
  Allow from localhost
  Allow from 192.168
  Allow from 10
  Satisfy Any

</Directory>

The <Directory></Directory> statement basically says, “Use these rules for anything in this directory.” And “this directory” refers to the /var/www/path/to/your/web/documents path, which I have set in this example but which should be changed to match your site’s local directory path.

Next, within the <Directory></Directory> area, you are changing the default Apache behavior, which allows all by default, to Order Deny,Allow. Next, you set Deny from all, which denies access from everyone. Following that are the Allow from statements, which allow access from 127.0.0.1 ::1 (localhost IP address) and localhost (the localhost itself). That’s all the standard stuff, since access from localhost is needed for many internal system processes.

What follows is the stuff that matters to you.

The Allow from for 192.168 as well as 10 will allow access from any/all network addresses within the network range that is prefixed by those numbers.

So by indicating 192.168 that basically means if a user has an address like 192.168.59.27 or 192.168.1.123 they will be able to see the website.

And similarly using the Allow from for the 10 prefix assures that if someone has an IP address of 10.0.1.2 or even 10.90.2.3 they will be able to see the content.

Pretty much all internal networks in the world use either the 192.168 range or something in the 10 range. Nothing external. So using this combo will achieve your goal of blocking access to the outside world but only allow access from within your local network.

Solution 2

People landing in this answer, please note that this is specific for Apache 2.2.

Apache 2.4 has deprecated these directives.

The new way is using the module mod_authz_host and the Require directives. (link)

In Apache 2.4 you should do

<Directory /var/www/ncp-web/>
  Require host localhost
  Require ip 127.0.0.1
  Require ip 192.168
  Require ip 10
</Directory>

and remove all Allow directives.

Solution 3

Add this section inside your virtual host directive:

<Location /mypathurl>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.10
</Location>

Replace your IP above. This should not be used for financial level security, FYI.
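An added example (not from any of the answers above): a Python sketch of how the address specs used in these answers expand to networks, and which clients they admit. It assumes that a partial address such as 10 or 192.168 matches whole leading octets, as the Apache documentation describes; the function names and sample client addresses are constructed for illustration, and hostname specs like localhost are not modelled.

```python
import ipaddress

# Address specs taken from the answers above (hostname "localhost" omitted).
PAGE_SPECS = ["127.0.0.1", "::1", "192.168", "10"]


def spec_to_network(spec):
    """Expand a full address, CIDR block or partial IPv4 prefix to a network."""
    spec = spec.rstrip(".")
    if ":" in spec or "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"not an IPv4 prefix: {spec!r}")
    # Assumption: a partial address covers whole leading octets,
    # so "10" means 10.0.0.0/8 and "192.168" means 192.168.0.0/16.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")


def is_allowed(client, specs=PAGE_SPECS):
    """Return True if the client address falls inside any listed network."""
    addr = ipaddress.ip_address(client)
    return any(
        addr.version == net.version and addr in net
        for net in map(spec_to_network, specs)
    )


def audit(clients, specs=PAGE_SPECS):
    """Map each client address to the decision the allow-list would give."""
    return {client: is_allowed(client, specs) for client in clients}


# Constructed sample clients: the first two come from the answer's prose,
# the rest probe the edges of the allow-list.
SAMPLE_CLIENTS = [
    "192.168.59.27", "10.90.2.3", "127.0.0.1", "::1",
    "203.0.113.7",   # public (documentation range): denied
    "100.64.0.1",    # starts with the characters "10" but first octet is 100
    "192.169.0.1",   # one past 192.168.0.0/16
    "172.16.4.9",    # RFC 1918 private, but not in the list above
]

if __name__ == "__main__":
    for client, ok in audit(SAMPLE_CLIENTS).items():
        print(f"{client:15} {'allow' if ok else 'deny'}")
```

A LAN that uses the 172.16.0.0/12 private range would need that range added as its own entry, since neither prefix in the list covers it.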

Author by

Btz

Updated on September 18, 2022

Comments

  • Btz
    Btz almost 2 years

    I have a web page on a Linux server I administer, running Apache 2.2. This server is visible to the outside world for some other services.

    I would like to configure Apache so that a given virtual host is only visible from inside the local network, so I can deploy a web application to get feedback from other people in my organization. I reckon this has to do with the Allow directive, but my experiments are not going well.

    How can I alter my config file to achieve that? Should I change the firewall configuration as well?

    • Btz
      Btz over 10 years
      The server has a public IP address, and I can connect to it from outside the work network - from home, for example. The colleagues' computers all have local IP addresses of the 10.*.*.* type.
  • Btz
    Btz over 10 years
    I thought about it, but it's not a practical solution. There are services on that machine that have to remain visible to the outside, and in any case I plan to make the web application visible again in a few days - no point in revolutionizing the network layout just for a few days. What I can work on, however, is things like the Apache configuration.
  • closetnoc
    closetnoc over 10 years
    If you have a firewall, then you can close some ports to that IP address.
  • Giacomo1968
    Giacomo1968 almost 10 years
    Firewall settings could be used, but that is really overkill. Apache has built in functionality to deny or allow based on IP address & other related criteria. See my answer for more details.
  • closetnoc
    closetnoc almost 10 years
    @JakeGould Firewalls are not necessarily an overkill solution. I do know Apache really really well. However, there are HTTP filtering options in most good firewalls that help without putting a load on the server itself. As well, while Apache is excellent, it is not without fault. As well, port accesses including alternative port accesses can be manipulated using a firewall so that some web services remain public and others are only accessible within the LAN.
  • Giacomo1968
    Giacomo1968 almost 8 years
    @liamnichols As explained here: “Allows the request if any requirement is met (authentication OR access).”