How do I setup apache to only allow local devices to connect to my website/app?

Solution 1

Allow, Satisfy and related directives have been deprecated, and they still work only for backwards compatibility as part of the module mod_access_compat.

The new way is to use the module mod_authz_host and the Require directives.

Mixing the two is discouraged. Quoting this official source:

The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.

If you want to restrict access to the local network, you can do something like:

<Directory /var/www/ncp-web/>
  Require host localhost
  Require ip 127.0.0.1
  Require ip 192.168
  Require ip 10
</Directory>

Remove all Allow directives.
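To find the leftover directives before removing them, a small audit script helps. This is an added example, not part of the original answer: it scans Apache configuration text for the mod_access_compat directives (Order, Allow, Deny, Satisfy) and reports sections that mix them with Require. The sample configuration and its paths are constructed for illustration.

```python
import re

# Directives provided by mod_access_compat, which the answer above calls deprecated.
LEGACY = {"order", "allow", "deny", "satisfy"}
OPEN = re.compile(r"<\s*(\w+)\s*(.*)>")
CLOSE = re.compile(r"</\s*\w+\s*>")

# Constructed sample: hypothetical paths, not taken from the page.
SAMPLE = """\
<VirtualHost *:80>
    <Directory "/srv/app/">
        AllowOverride None
        Order deny,allow
        Allow from all
        Require ip 192.168.0.0/24
    </Directory>
    <Directory "/srv/app/static/">
        Require ip 192.168.0.0/24
    </Directory>
</VirtualHost>
"""

def audit(config_text):
    """Return (legacy_hits, mixed): legacy directives found as (line number,
    section, text), and sections holding both legacy directives and Require."""
    stack, legacy_hits, seen = ["(server config)"], [], {}
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if len(stack) > 1:
                stack.pop()          # leave the innermost section
            continue
        if m := OPEN.fullmatch(line):
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
            continue
        name = line.split(None, 1)[0].lower()
        kinds = seen.setdefault(stack[-1], set())
        if name in LEGACY:           # AllowOverride is a different directive
            kinds.add("legacy")
            legacy_hits.append((number, stack[-1], line))
        elif name == "require":
            kinds.add("require")
    mixed = sorted(s for s, k in seen.items() if k == {"legacy", "require"})
    return legacy_hits, mixed

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The script reads configuration text only; it does not follow Include directives or handle backslash line continuations, so run it on each file separately.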

Solution 2

You can use the Listen directive to accept connections on two specified interfaces and port numbers.

Change ports.conf so that it contains:

Listen 127.0.0.1:80
Listen 127.0.0.1:8000

Refer to this link for detailed info: http://httpd.apache.org/docs/2.0/mod/mpm_common.html#listen

{OR}

in your site-enabled site.

Should limit Apache serving to anyone but localhost for anything under

Order Deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128

Solution 3

Just create a VirtualHost restricting the access to it in your apache configuration. This is a sample:

<VirtualHost *:80>
    DocumentRoot "/var/www/"
    ServerName www.example.com

    <Directory "/var/www/">
        Options Indexes FollowSymLinks
        AllowOverride all
        Order deny,allow
        Allow from all
        # Require needs a provider keyword; "ip" matches the client address against the subnet
        Require ip 192.168.0.1/24
    </Directory>
</VirtualHost>

The Require directive provides a variety of different ways to allow or deny access to resources. In my sample, it restricts access to the subnet 192.168.0.1/24 only.

Author: Pav Dis

Updated on September 18, 2022

Comments

  • Pav Dis almost 2 years

    Hey guys, I'm really new to this, please forgive me if I butcher all the terminology. I've managed to get a LAMP server running for my small business and have created a small webapp that runs on the server. How do I configure Apache to only allow other devices in the same network to connect and restrict access for everyone else? Is what I'm trying to achieve called an intranet server? If so, what are the security aspects I should be aware of?

    Thanks in advance! I'm looking forward to learning from you guys.

    • Organic Marble over 8 years
      You could configure your router to block incoming connection attempts to your server.
    • Pav Dis over 8 years
      Is there a way to achieve this via Apache or is it better to just block it via router?
    • Organic Marble over 8 years
      I'm no expert but on my system I had to forward port 80 in my router to the webserver computer to allow requests from the internet to reach it. I would think that if you block incoming requests on port 80 (or don't forward it) then the internet can't reach your webserver (assuming it is listening on port 80). But someone smarter will likely post a definite answer.
    • Pav Dis over 8 years
      Thanks, I will try that for now. But I will definitely keep an eye out for a more definitive answer.
    • Anders over 8 years
      It actually depends on what you want to allow and deny on your server. If you don't want any access at all, just set up a firewall on the server and block any access except from your LAN to port 80. You can also block in your router's firewall. It all depends on what your network looks like. If you want to allow some access, you have to allow access from all machines to your web server and then block access in Apache, as Tung Tran has shown you. Security aspects? What if someone misconfigures something, or there is a bug in the software?