Apache HTTPD Whitelist Access Control via X-Forwarded-For Header

apache-2.4httpd

I have the following httpd.conf file which I am using to test X-Forwarded-For header IP whitelisting. Note that the conf.d directory is empty:

Include conf.modules.d/*.conf
ServerRoot "/etc/httpd"
Listen 80
Listen 443

User dev
Group dev
ServerAdmin root@localhost
ServerName my-httpd-server

<Directory />
AllowOverride none
Require all denied
</Directory>

<Files ".ht*">
Require all denied
</Files>

<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>


AddDefaultCharset UTF-8

<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    LogLevel debug
    Order deny,allow
    Deny from all
    #Satisfy any


    SetEnvIf X-Forwarded-For ^171.159.192.10 letmein

    Allow from env=letmein

     Satisfy any
</Directory>


IncludeOptional conf.d/*.conf

When I cURL to get the local page with this server, it works regardless of the XFF header:

curl -H 'X-Forwarded-For: 8.8.8.8' http://localhost

curl http://localhost

These work, but print the following in the error log (These requests should not work):

[Mon Dec 17 10:24:53.346021 2018] [access_compat:error] [pid 12] [client 172.17.0.1:49010] AH01797: client denied by server configuration: /var/www/html/
[Mon Dec 17 10:24:53.346614 2018] [authz_core:debug] [pid 12] mod_authz_core.c(809): [client 172.17.0.1:49010] AH01626: authorization result of Require all granted: granted
[Mon Dec 17 10:24:53.347603 2018] [authz_core:debug] [pid 12] mod_authz_core.c(809): [client 172.17.0.1:49010] AH01626: authorization result of <RequireAny>: granted

The following request from the whitelisted IP works but without the logging noise:

curl -H 'X-Forwarded-For: 171.159.192.10' http://localhost:8181/

What is causing the requests that should fail to return the web page? I get the message that it should be denied based on the config?

Best Answer

I think you need the satisfy any bit to be changed to satisfy all. That refers to allowing a user if they meet the authentication OR access requirements. Since I don't see an authtype set, it's defaulted to AuthType none which I think allows them to pass in. satisfy all means Authentication AND Access are required to be met.

Related Solutions

Apache – How to Fix ‘Logjam’ Vulnerability in Apache (httpd)

From the article you linked, there are three recommended steps to protect yourself against this vulnerability. In principle these steps apply to any software you may use with SSL/TLS but here we will deal with the specific steps to apply them to Apache (httpd) since that is the software in question.

Disable Export Cipher Suites

Dealt with in the configuration changes we'll make in 2. below (!EXPORT near the end of the SSLCipherSuite line is how we'll disable export cipher suites)

Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE)

For this, you need to edit a few settings in your Apache config files - namely SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder to have a "best-practices" setup. Something like the following will suffice:

SSLProtocol             all -SSLv2 -SSLv3

SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

SSLHonorCipherOrder     on

Note: as for which SSLCipherSuite setting to use, this is always changing, and it is a good idea to consult resources such as this one to check for the latest recommended configuration.

3. Generate a Strong, Unique Diffie Hellman Group

To do so, you can run

openssl dhparam -out dhparams.pem 2048.

Note that this will put significant load on the server whilst the params are generated - you can always get around this potential issue by generating the params on another machine and using scp or similar to transfer them onto the server in question for use.

To use these newly-generated dhparams in Apache, from the Apache Documentation:

To generate custom DH parameters, use the openssl dhparam command. Alternatively, you can append the following standard 1024-bit DH parameters from RFC 2409, section 6.2 to the respective SSLCertificateFile file:

(emphasis mine)

which is then followed by a standard 1024-bit DH parameter. From this we can infer that the custom-generated DH parameters may simply be appended to the relevant SSLCertificateFile in question.

To do so, run something similar to the following:

cat /path/to/custom/dhparam >> /path/to/sslcertfile

Alternatively, as per the Apache subsection of the article you originally linked, you may also specify the custom dhparams file you have created if you prefer not to alter the certificate file itself, thusly:

SSLOpenSSLConfCmd DHParameters "/path/to/dhparams.pem"

in whichever Apache config(s) are relevant to your particular SSL/TLS implementation - generally in conf.d/ssl.confor conf.d/vhosts.conf but this will differ depending on how you have configured Apache.

It is worth noting that, as per this link,

Before Apache 2.4.7, the DH parameter is always set to 1024 bits and is not user configurable. This has been fixed in mod_ssl 2.4.7 that Red Hat has backported into their RHEL 6 Apache 2.2 distribution with httpd-2.2.15-32.el6

On Debian Wheezy upgrade apache2 to 2.2.22-13+deb7u4 or later and openssl to 1.0.1e-2+deb7u17. The above SSLCipherSuite does not work perfectly, instead use the following as per this blog:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA

You should check whether your Apache version is later than these version numbers depending on your distribution, and if not - update it if at all possible.

Once you have performed the above steps to update your configuration, and restarted the Apache service to apply the changes, you should check that the configuration is as-desired by running the tests on SSLLabs and on the article related to this particular vulnerability.

Httpd – Cannot get HTTPD 2.4 to start when using the Require IP command for access control

Require ip $CIDR ~ is not proper in the Options directive. The documentation is very clear about what may be in an Options directive.

Require is its own directive, which can be in a Container, but certainly not within an Options directive.

When you get past that, your next problem will probably be the Require ip $CIDR ~. Where are you getting this $CIDR ~ bit? You need to follow proper specification for access control by host and specification of Require ip directives.

If in fact, you actually have Require ip $CIDR ~ on its own config line, as opposed to what you put in the question, then refer to the last part of this answer now (i.e. use proper host/ip specification with the Require ip) and also see the following notes.

NOTE: You must have mod_authz_core loaded to use the Require (and related) directives.

NOTE ALSO: You should be running apachectl -t to check config changes BEFORE trying to restart Apache, rather than finding these problems by crashing Apache.

Best Answer

Related Solutions

Apache – How to Fix ‘Logjam’ Vulnerability in Apache (httpd)

Httpd – Cannot get HTTPD 2.4 to start when using the Require IP command for access control

Related Topic