SSL – Apache reverse proxy location based access control not working

Tags: apache-2.2, mod-proxy, reverse-proxy, ssl

I'm running a small web server with Ubuntu 12.05.5 LTS and Apache 2.2.22 and ran into this problem recently:

For an IIS server on a virtual machine I have the following reverse proxy config:

<VirtualHost *:443>

    SSLEngine on

    DocumentRoot /var/www/

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        allow from 192.168.
        allow from 10.8.0
    </Directory>

    ...

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia On

    SSLProxyEngine on
    <Location /AutodeskDM>
        Order Deny,Allow
        Deny from all
        Allow from 192.168.
        ProxyPass https://10.8.0.131/AutodeskDM
        ProxyPassReverse https://10.8.0.131/AutodeskDM
    </Location>

    <Location /autodeskdm>
        Order Deny,Allow
        Deny from all
        Allow from 192.168.
        ProxyPass https://10.8.0.131/autodeskdm
        ProxyPassReverse https://10.8.0.131/autodeskdm
    </Location>

....

</VirtualHost>

This works perfectly well and only allows connections from the 192.168. subnet, as expected.

Now when I use the same config minus SSLProxyEngine on and http instead of https in the ProxyPass directives, I get the following error:

[error] [client 127.0.0.1] client denied by server configuration: proxy:http://10.8.0.131/AutodeskDM/

If I add

Allow from 127.0.

it works of course, but access is granted from anywhere.

Playing with the Proxy directive, as suggested elsewhere (e.g. Apache reverse proxy access control), has no effect either.

<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.
</Proxy>

Still allows access from anywhere.

What am I missing here? Is this expected behaviour? If so, why is it different with and without SSL?

Best Answer

As always, another program was getting in the way. I have OpenVPN listening on port 80 and proxying HTTP requests to Apache on port 8080. So, naturally, HTTP requests look like they're coming from localhost to Apache.
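The behaviour described in the question and explained in the answer, as an added example that is not part of the original post: a simplified model of Apache 2.2 `Order Deny,Allow` with partial-IP `Allow from` entries, evaluated against the TCP peer address Apache sees. The client addresses and the function names are constructed for illustration, and only `all` and dotted IPv4 prefixes are modelled.

```python
# Added example: simplified model of Apache 2.2 "Order Deny,Allow" with
# partial-IP "Allow from" entries, as used in the question's <Location> blocks.
# Assumption: only "all" and dotted partial/full IPv4 specs are modelled
# (mod_authz_host also accepts hostnames, CIDR and netmasks).

def matches(spec, ip):
    """True if ip falls under spec: 'all' or the leading octets of an IPv4 address."""
    if spec.lower() == "all":
        return True
    want = [o for o in spec.split(".") if o]   # "192.168." -> ["192", "168"]
    return ip.split(".")[:len(want)] == want   # whole-octet comparison

def allowed(deny, allow, peer_ip):
    """Order Deny,Allow: allowed by default; a Deny match rejects unless an Allow matches."""
    if any(matches(s, peer_ip) for s in allow):
        return True
    return not any(matches(s, peer_ip) for s in deny)

def peer_seen_by_apache(client_ip, via_local_forwarder):
    """The ACL is checked against the TCP peer. A forwarder on the same
    host (hypothetical flag here) replaces the client address with loopback."""
    return "127.0.0.1" if via_local_forwarder else client_ip

def decide(client_ip, via_local_forwarder, allow):
    """Access decision for 'Deny from all' plus the given Allow list."""
    return allowed(["all"], allow, peer_seen_by_apache(client_ip, via_local_forwarder))

if __name__ == "__main__":
    LAN, OUTSIDE = "192.168.1.20", "203.0.113.7"   # constructed sample clients
    strict = ["192.168."]                # the question's <Location> ACL
    loosened = ["192.168.", "127.0."]    # after adding "Allow from 127.0."
    for label, acl in (("strict", strict), ("with 127.0.", loosened)):
        for ip in (LAN, OUTSIDE):
            for fwd in (False, True):
                path = "via local forwarder" if fwd else "direct"
                verdict = "allow" if decide(ip, fwd, acl) else "deny"
                print(f"{label:12} {ip:13} {path:20} {verdict}")
```

Once traffic passes through the local forwarder, the LAN client and the outside client produce the same decision under either ACL, because both are evaluated as 127.0.0.1.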