I need some help with securing my test XAMPP server as so far nothing I have tried seems to work.
I am running Apache 2.4.7 on a Windows 7 machine.
The setup is the following:
I am redirecting all traffic coming to my server IP, port 80, to a Java application running on localhost:5000.
The code doing all this in the httpd-vhosts.conf file is the following:
    <VirtualHost *:80>
        ProxyPreserveHost On
        ProxyRequests Off
        ServerName demo.website.com
        ServerAlias website.com
        ProxyPass / http://localhost:5000/
        ProxyPassReverse / http://localhost:5000/
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
    </VirtualHost>
The question is, how do I deny traffic from a specific external IP address?
It seems I cannot use .htaccess because requests on port 80 are redirected to a Java application, not a XAMPP folder containing web content.
Also, the code below does not do the job either:
    <Proxy *>
        order allow,deny
        deny from 193.37.XXX.XX
        allow from all
    </Proxy>
What other options are there?
Any suggestions?
EDIT:
After the responses I got, it looks like I have been doing the reverse proxy entirely wrong, opening exploitable gaps in the server. Based on the answer provided, I have modified my initial code.
Since I am using similar insecure code for port 443 and I cannot get Apache to start after the new modifications, I have posted a new question HERE.
Best Answer
As @MichaelHampton already commented: remove the following settings immediately:
Those are not needed for a reverse proxy but are instead used to configure a forward proxy, open to almost anybody, which will allow your server to be abused. (Fortunately you still also used ProxyRequests off.) BTW, when you do need a forward proxy, please don't use Apache httpd but a more specific product.
IMHO you're already heading in the wrong direction with your intention to create .htaccess files, which is my pet peeve, quoted from the manual on .htaccess files: But the reason that in this case a .htaccess won't work is that they apply settings to resources on the local file system, from a directory, and with a reverse proxy the content is retrieved from elsewhere by Apache httpd.
The solution to your actual problem, as in how to apply additional access controls and IP-address white/blacklisting on a reverse proxy URL: you place the ProxyPass directives and additional directives in a <Location> block in your configuration (which, since Apache 2.4, also happens to be the configuration syntax that offers the best performance) and add the IP-address restriction with a Require directive to that location:
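The following is an added worked example, not the answer's own configuration: a complete Apache 2.4 vhost that keeps ProxyRequests Off, drops the <Proxy *> block the answer says to remove, and moves the ProxyPass/ProxyPassReverse directives into a <Location> block together with a Require-based IP denylist. The denied range 192.0.2.0/24 is a constructed documentation address standing in for the elided 193.37.XXX.XX in the question, and the log file names are assumptions.

```apache
# Added example (not the answer's own config): reverse proxy for demo.website.com
# with an IP denylist applied in a <Location> block using Apache 2.4 Require syntax.
<VirtualHost *:80>
    ServerName  demo.website.com
    ServerAlias website.com

    # Reverse proxy only. ProxyRequests must stay Off; an "On" here, or a
    # permissive <Proxy *> block, turns the server into an open forward proxy.
    ProxyRequests     Off
    ProxyPreserveHost On

    # Inside <Location>, ProxyPass/ProxyPassReverse take only the backend URL.
    <Location "/">
        ProxyPass        "http://localhost:5000/"
        ProxyPassReverse "http://localhost:5000/"

        # mod_authz_core / mod_authz_host (Apache 2.4): every client is granted
        # except the listed address(es). "Require not" is only valid inside
        # <RequireAll> or <RequireNone>, and all conditions in <RequireAll>
        # must pass for the request to be authorized.
        <RequireAll>
            Require all granted
            Require not ip 192.0.2.0/24   # constructed placeholder, not the real address
        </RequireAll>
    </Location>

    # Assumed log paths; blocked clients appear here with a 403 status.
    ErrorLog  "logs/demo-error.log"
    CustomLog "logs/demo-access.log" combined
</VirtualHost>
```

Two things to check after applying this: run the config syntax check (httpd -t on Windows from the XAMPP apache\bin directory) before restarting, and do not mix the old Order/Allow/Deny directives (mod_access_compat) with Require in the same scope, since the two authorization models do not combine predictably. Require ip matches the TCP peer address, so if another proxy or load balancer sits in front of this server you would need mod_remoteip to restore the real client address before the denylist can work.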