XAMPP – Deny Access from Specific External IP Address


I need some help with securing my test XAMPP server as so far nothing I have tried seems to work.
I am running Apache 2.4.7 on a Windows 7 machine.

The setup is the following:

I am redirecting all traffic coming in on my server IP, port 80, to a Java application running on localhost:5000.

The code doing all this in httpd-vhosts.conf file is the following:

<VirtualHost *:80> 
  ProxyPreserveHost On
  ProxyRequests Off
  ServerName demo.website.com
  ServerAlias website.com
  ProxyPass / http://localhost:5000/
  ProxyPassReverse / http://localhost:5000/
  <Proxy *>
        Order deny,allow
        Allow from all
  </Proxy>
</VirtualHost>

The question is, how do I deny traffic from specific external IP address?

It seems I cannot use .htaccess because requests on port 80 are redirected to a Java application, not an XAMPP folder containing web content.

Also, the code below does not do the job either:

<Proxy *>
    order allow,deny
    deny from 193.37.XXX.XX
    allow from all
</Proxy>

What other options are there?

Any suggestions?

EDIT:

After the responses I got, it looks like I have been doing the proxy reverse entirely wrong, opening exploitable gaps in the server. Based on the answer provided, I have modified my initial code.

Since I am using similar insecure code for port 443 and I cannot get Apache to start after the new modifications, I have posted a new question HERE.

Best Answer

As @MichaelHampton already commented: remove the following settings immediately:

<Proxy *>
    order allow,deny
    deny from 193.37.XXX.XX
    allow from all
</Proxy> 

Those are not needed for a reverse proxy but are instead used to configure a forward proxy, open to almost anybody, which will allow your server to be abused. (Fortunately you still also used ProxyRequests off.)

BTW when you do need a forward proxy, please don't use Apache httpd but a more specific product.


It seems I cannot use .htaccess ...

IMHO you're already heading in the wrong direction with your intention to create a .htaccess file, which is my pet peeve, quoted from the manual on .htaccess files:

You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block in the main Apache configuration file(s), as it will have the same effect with better performance) and combine that with

But the reason that in this case a .htaccess won't work is that they apply settings to resources on the local file system, from a directory, and with a reverse proxy the content is retrieved from elsewhere by Apache httpd.


The solution to your actual problem, how to apply additional access controls and IP-address white/blacklisting on a reverse proxy URL: you place the ProxyPass directives and additional directives in a <Location> block in your configuration (which, since Apache 2.4, also happens to be the configuration syntax that offers the best performance) and add the IP-address restriction with a Require directive to that location:

<VirtualHost *:80> 
  ServerName demo.website.com
  ServerAlias website.com

  <Location />
    <RequireAll>
      # Block IP-addresses from the 193.37.0.0/16 and 10.9.8.0/24 networks 
      Require not ip 193.37 10.9.8
      # Allow all other IP's
      Require all granted
    </RequireAll> 
    ProxyPass http://localhost:5000/
    ProxyPassReverse http://localhost:5000/
  </Location>

</VirtualHost> 
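
The following is an added example, not part of the original answer: a small Python model of how the `<RequireAll>` block above is evaluated, useful for checking which client addresses a blocklist will reject before reloading Apache. The function names and the sample client addresses are constructed for illustration; only the `ip` and `all` providers are modelled.

```python
import ipaddress

# The RequireAll body from the answer above, copied as text.
ANSWER_RULES = [
    "Require not ip 193.37 10.9.8",
    "Require all granted",
]

def ip_spec_to_network(spec):
    """Turn one `Require ip` argument into a network object.

    Covers full addresses, CIDR, netmask notation and partial IPv4
    addresses, where 1 to 3 leading octets stand for a /8, /16 or /24.
    """
    if "/" not in spec and ":" not in spec:
        octets = spec.rstrip(".").split(".")
        if len(octets) < 4:
            padded = octets + ["0"] * (4 - len(octets))
            spec = "{}/{}".format(".".join(padded), 8 * len(octets))
    return ipaddress.ip_network(spec, strict=False)

def require_all_allows(client_ip, rules):
    """Evaluate a <RequireAll> body: no directive may fail, one must succeed."""
    client = ipaddress.ip_address(client_ip)
    succeeded = False
    for rule in rules:
        words = rule.split()
        negated = words[1] == "not"
        provider, args = (words[2], words[3:]) if negated else (words[1], words[2:])
        if provider == "ip":
            matched = any(client in ip_spec_to_network(a) for a in args)
        elif provider == "all":
            matched = args == ["granted"]
        else:
            raise ValueError("provider not modelled here: " + provider)
        if negated:
            if matched:
                return False      # a matching "Require not" fails the block
        elif matched:
            succeeded = True
        else:
            return False          # an unmet positive Require fails the block
    return succeeded

if __name__ == "__main__":
    # Constructed client addresses, not taken from the page.
    for ip in ("193.37.0.1", "193.38.0.1", "10.9.8.7", "10.9.9.7", "198.51.100.7"):
        print(ip, "allowed" if require_all_allows(ip, ANSWER_RULES) else "denied (403)")
```

Note that `193.37` rejects the whole /16, so to block a single host the full address goes in the `Require not ip` line instead. Apache matches these rules against the connecting peer address, so if another proxy or load balancer sits in front of this server the rules see that device's address unless mod_remoteip is configured.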