dav

Reputation: 9267

Prevent access to files through ip address - apache 2.4

I have asked a similar question before: Restrict access to directories through ip address

at that time the problem was solved for apache 2.2. Recently I re-installed the OS (to Debian 8) and it comes with apache 2.4.

I want to restrict access to files - when the request comes "by" IP. Mainly if in the browser I try to open http://192.168.252.178/test/image.jpg it should show error - 403 forbidden. Directory test is in www directory of apache. However I should be able to access that image if I type http://www.example.com/image.jpg - considering that example.com points to that test directory.

With apache version 2.2 I would simply put these lines in my default site config file - and the problem was solved

<Files ~ ".+">
  Order allow,deny
  Deny from all
</Files>

Now, trying the same thing does not work: I am getting 403 forbidden even if I try to open any site by the domain name.

Considering the changes in 2.4 I also tried this, but again getting the same 403 forbidden when trying to open some site.

<Files ~ ".+">
       Require all denied
</Files>

My goal is to prevent any kind of access to directories and files - if they are being accessed through ip address. I also have these lines in my default site's config to prevent the directory access and this works fine.

<Directory /home/username/www>
        Options -Indexes
        AllowOverride All
        Require all granted
</Directory>

So, the question is - how to prevent file access through IP address. Also I need to achieve this by apache config; by .htaccess is not a solution for me. And I need to achieve this for all the directories/files inside www recursively, so specifying the exact file names and/or directories is not a solution either.

Thanks

Upvotes: 1

Views: 5733

Answers (1)

Zimmi

Reputation: 1599

When you use name based virtual hosts, the main server goes away. Apache will choose which virtual host to use according to IP address (you may have more than one) and port first, and only after this first selection it will search for a corresponding ServerName or ServerAlias in this subset of candidates, in the order in which the virtual hosts appear in the configuration.

If no virtual host is found, then the first VHost in this subset (also in order of configuration) will be chosen. More.

I mention this because it will be important that you have only one type of VirtualHost directive:

<VirtualHost *:80>

or

<VirtualHost 123.45.67.89:80>

I'll use the wildcard in the example. You need a directory like /var/www/catchall with a file index.html or similar, as you prefer.

<VirtualHost *:80>
    # This first-listed virtual host is also the default for *:80
    # It will be used as the catchall.

    ServerName 123.45.67.89

    # Giving this DocRoot will avoid any request based on IP or any other
    # wrong request to get to the other users directories.

    DocumentRoot "/var/www/catchall"

    <Directory /var/www/catchall>
        ...
    </Directory>
</VirtualHost>

# Now you can add as usual the configuration for any other VHost you need.
<VirtualHost *:80>
    ServerName site1.com
    ServerAlias www.site1.com

    DocumentRoot "/home/username1/www"
    <Directory /home/username1/www>
        ...
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName site2.com
    ServerAlias www.site2.com

    DocumentRoot "/home/username2/www"
    <Directory /home/username2/www>
        ...
    </Directory>
</VirtualHost>

Debian specific:

For Debian, you ideally put one VHost configuration per file, and put the file in the /etc/apache2/sites-available directory. Name the files as you like, only the file containing the catchall vhost should be named something like 000-catchall, because they will be read in alphabetic order from the /etc/apache2/sites-enabled directory.

Then you disable Debian's usual default site:

a2dissite 000-default

and you enable the new catchall site and the other VHosts if needed:

a2ensite 000-catchall

An ls /etc/apache2/sites-enabled command should show the catchall as the first of the list; if not, change its file name so that it will always be the first. Restart Apache: service apache2 restart

Of course you could do all these changes in the original default VHost config file, but I usually prefer to keep an original model.

Upvotes: 2
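The answer leaves the catch-all's Directory block as "...". The following is an added, complete Apache 2.4 example (not code from the question or the answer) that fills it in so the behaviour the question asks for actually results: a request that arrives by IP address, or with any Host header no VirtualHost claims, is routed to the first *:80 vhost and answered with 403, while www.example.com is served normally. The IP 192.168.252.178, the paths /var/www/catchall and /home/username/www and the name example.com come from the thread; the log file names and the comment about port 443 are assumptions for illustration.

```apache
# /etc/apache2/sites-available/000-catchall.conf
# Added example. Because this file sorts first in sites-enabled, this is the
# first <VirtualHost *:80> Apache reads, so it becomes the default for every
# *:80 request whose Host header matches no other ServerName/ServerAlias,
# which includes plain http://192.168.252.178/... requests.
<VirtualHost *:80>
    ServerName 192.168.252.178
    DocumentRoot /var/www/catchall

    # Debian's apache2.conf grants access to /var/www/ as a whole, so deny
    # explicitly here: every request that lands in the catch-all gets 403.
    <Directory /var/www/catchall>
        Require all denied
    </Directory>

    # Separate logs (assumed names) keep IP-based and unknown-Host requests
    # visible on their own instead of mixed into a real site's access log.
    ErrorLog ${APACHE_LOG_DIR}/catchall-error.log
    CustomLog ${APACHE_LOG_DIR}/catchall-access.log combined
</VirtualHost>

# If the server also listens on *:443, the same rule applies per address:port:
# the first <VirtualHost *:443> is that port's default, so an equivalent
# catch-all must be listed first there as well (TLS directives omitted here).

# /etc/apache2/sites-available/example.com.conf
# The real site: only selected when the Host header names it.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # The question says example.com should point at the test directory.
    DocumentRoot /home/username/www/test

    # The same block the question already uses; it applies recursively.
    <Directory /home/username/www>
        Options -Indexes
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

After a2ensite 000-catchall, a2ensite example.com, a2dissite 000-default and a reload, apache2ctl -S prints the vhost table; the line marked "default server" for *:80 must show the catch-all, otherwise the file ordering is wrong. A quick check from another host: curl -sI http://192.168.252.178/test/image.jpg should return 403, and curl -sI -H 'Host: www.example.com' http://192.168.252.178/image.jpg should return 200. Note that on Debian 8 the site files must carry the .conf suffix to be included from sites-enabled.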
