Apache: Allow only certain http requests, deny all else

apache-2.2httphttps

We have an Apache server, on a Windows Server 2008 machine, that is used for specific secure traffic for our customers, like a gateway.

Now, I only want to allow traffic for a certain range of secure URLs, defined by a wildcard uri: ****secure.mysite.com****, and deny all other http or https request to Apache

How do you set that up in the Apache httpd conf file?

Thank you

Best Answer

You can allow access via an environment variable that is only set via request URI patterns you want to match with SetEnvIf.

In your host, or virtualhost configure the following with the URI's you want to allow:

SetEnvIf Request_URI ^/requests/you/want/.* allow 
SetEnvIf Request_URI ^/requests/you/want/.+?\.php$ allow

If you are serving the requests from Apache:

<Location /> 
 Order Deny,Allow
 Deny from all
 Allow from env=allow
</Location>

Or if proxying via mod_proxy, you probably want to combine the URI match with with some IP restrictions so you don't have an open proxy.

SetEnvIf Remote_Addr ^10\..+ deny

<Proxy *>
 Order Allow,Deny
 Deny from env=deny
 Allow from env=allow
</Proxy>

In this case, if the IP is not in the 10.0.0.0/8 range deny, Order being important

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Apache Access Control – How to Deny from All, Allow from Subnet, but Deny from IP Within Subnet

I haven't tested, but I think you are almost there.

<Location /server-status>
    SetHandler server-status
    Order Allow,Deny
    Deny from  192.168.16.100
    Allow from 192.168.16.0/24
</Location>

Deny from all is not needed. In fact it will screw up because everything will match all, and thus denied (and I think Apache is trying to be smart and do something stupid). I have always found Apache's Order, Allow and Deny directives confusing, so always visualize things in a table (taken from the docs):

Match      | Allow,Deny result   | Deny,Allow result
-------------------------------------------------------
Allow only | Allowed             | Allowed
Deny only  | Denied              | Denied
No match   | Default: Denied     | Default: Allowed
Match both | Final match: Denied | Final match: Allowed

With the above settings:

Requests from 192.168.16.100 get "Match both" and thus denied.
Requests from 192.168.16.12 get "Allow only" and thus allowed.
Requests from 123.123.123.123 get "No match" and thus denied.

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Apache Access Control – How to Deny from All, Allow from Subnet, but Deny from IP Within Subnet

Related Topic