Apache 2.4 IP Restriction – Troubleshooting ‘Require ip’ Issues

Tags: apache-2.4, centos7, openvpn

I want to restrict access to the admin page on my Apache server. Here is my solution. I set up an OpenVPN server on the same server. I am connecting to the server using OpenVPN from my client. The server-status page is working as expected. However, the Location for the /admin page gives 403 Forbidden even when I am connected to the VPN. I checked the external and internal IP of the client. The external IP is exactly the server's IP; the internal IP is in 10.8.0.0/24. Why am I getting 403 while server-status is working? What am I missing?

Versions:

Apache: httpd-2.4.6-67.el7.centos.6.x86_64

Os: CentOS Linux release 7.4.1708 (Core)

Openvpn: openvpn-2.4.4-1.el7.x86_64

Here are the configuration files.

Openvpn server.conf

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

/etc/httpd/conf.d/project.tld.conf

<VirtualHost 10.8.0.1:8081>
  ServerName aaa.bbb.ccc.ddd # server's external ip
  ServerAdmin admin@project.tld 

  <Location /server-status>
    SetHandler server-status
    Require ip 10.8.0.0/24
  </Location>
 </VirtualHost>

<VirtualHost 10.8.0.1 aaa.bbb.ccc.ddd:80>
  ServerName aaa.bbb.ccc.ddd
  ServerAdmin admin@project.tld
  Redirect permanent / https://aaa.bbb.ccc.ddd
</VirtualHost>

<VirtualHost 10.8.0.1 aaa.bbb.ccc.ddd:443>
  ServerName aaa.bbb.ccc.ddd
  ServerAdmin admin@project.tld

  Header always set Strict-Transport-Security "max-age=31536000;"
  Header always set X-XSS-Protection "1; mode=block"
  Header always set X-Content-Type-Options nosniff

  LoadModule wsgi_module modules/mod_wsgi.so

  # Here is the problem
  <Location /admin>
    Require ip 10.8.0.0/24
    Require ip aaa.bbb.ccc.ddd/32
  </Location>

  # Aliases
  Alias /robots.txt /home/user/www/project.tld/statics/robots.txt
  Alias /statics /home/user/www/project.tld/statics
  <Directory /home/user/www/project.tld/statics>
    Require all granted
  </Directory>

  <Directory /home/user/www/project.tld/project>
    <Files wsgi.py>
      Require all granted
    </Files>
  </Directory>

  WSGIDaemonProcess project.tld python-path=/home/user/www/project.tld/venv/bin:/home/user/www/project.tld/venv/lib64/python3.6/site-packages
  WSGIProcessGroup project.tld
  WSGIScriptAlias / /home/user/www/project.tld/project/wsgi.py

  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/self_signed.crt
  SSLCertificateKeyFile /etc/ssl/private/self_signed.key

  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/xml
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/json
</VirtualHost>

/etc/httpd/conf/httpd.conf

Listen 80
Listen 8081

ServerName aaa.bbb.ccc.ddd # server’s external ip
ServerSignature Off
ServerTokens Prod

DocumentRoot "/var/www/html"

Log entries:

From /var/log/httpd/access_log

10.8.0.6 - - [11/Jan/2018:14:49:08 +0200] "GET /server-status HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"

From /var/log/httpd/error_log (the client IP is my external IP provided by my ISP):

[Thu Jan 11 14:49:15.085377 2018] [authz_core:error] [pid 28161] [client aaa.bbb.ccc.xxx:59536] AH01630: client denied by server configuration: /home/user/www/project.tld/project/wsgi.py

Best Answer

Let me answer my own question, so someone with a similar configuration can solve their problem as well. According to my research, if the Apache and OpenVPN servers are on the same machine and the client connects to the VPN and tries to access the web server using the server's public IP, then the traffic is not sent over the VPN; that's why I was seeing my ISP's public IP in the log files. In order to access the web server via the VPN tunnel, it should be accessed by the server's internal IP. To fix my problem, I just separated the 2nd virtual host, which was redirecting HTTP traffic to HTTPS over the public IP, and the problem is gone.
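As an added example, not part of the question or the answer above: a small Python check that reads the networks from the `Require ip` lines of a Location block and reports whether the client address found in an access_log or error_log line would pass that check. It mirrors the situation on this page (the 10.8.0.6 hit that succeeded, the AH01630 denial that came from the ISP address) and uses constructed placeholder addresses: 203.0.113.10 stands in for aaa.bbb.ccc.ddd and 198.51.100.7 for the ISP-assigned address.

```python
import ipaddress
import re

# Constructed config fragment, modelled on the page's <Location /admin> block.
ADMIN_LOCATION = """
<Location /admin>
  Require ip 10.8.0.0/24
  Require ip 203.0.113.10/32
</Location>
"""

# Constructed log lines in the shape of the page's access_log and error_log entries.
SAMPLE_LOG_LINES = [
    '10.8.0.6 - - [11/Jan/2018:14:49:08 +0200] "GET /server-status HTTP/1.1" 200 4800',
    '[Thu Jan 11 14:49:15.085377 2018] [authz_core:error] [pid 28161] '
    '[client 198.51.100.7:59536] AH01630: client denied by server configuration: '
    '/home/user/www/project.tld/project/wsgi.py',
]

REQUIRE_IP_RE = re.compile(r"^\s*Require\s+ip\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
ERROR_CLIENT_RE = re.compile(r"\[client (?P<ip>[^\]:]+)(?::\d+)?\]")
ACCESS_CLIENT_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+) ")


def parse_require_ip(config_text):
    """Collect the networks named on every 'Require ip' line.
    Apache allows several space-separated entries per line and accepts CIDR,
    dotted-netmask and bare addresses; partial prefixes such as '10.8' are not
    handled here and would raise ValueError."""
    networks = []
    for line in REQUIRE_IP_RE.findall(config_text):
        for token in line.split():
            networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def client_ip_from_log(line):
    """Return the client address from an error_log or access_log line, or None."""
    m = ERROR_CLIENT_RE.search(line) or ACCESS_CLIENT_RE.match(line)
    return m.group("ip") if m else None


def is_allowed(client_ip, networks):
    """Like authz_core's 'Require ip': any matching network grants access."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def classify_log_lines(config_text, lines):
    """Map each client address seen in the lines to 'allowed' or 'denied'."""
    networks = parse_require_ip(config_text)
    result = {}
    for line in lines:
        ip = client_ip_from_log(line)
        if ip is not None:
            result[ip] = "allowed" if is_allowed(ip, networks) else "denied"
    return result
```

Running `classify_log_lines(ADMIN_LOCATION, SAMPLE_LOG_LINES)` shows the VPN address allowed and the ISP address denied, which is exactly the symptom described: the request reached Apache from the public side, not through the tunnel.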
