Gentoo Forums
HOW-TO Apache, vhosts, mod_access & include
HeXiLeD
Posted: Wed Mar 29, 2006 9:30 am    Post subject: HOW-TO Apache, vhosts, mod_access & include

What is mod_access ?

http://httpd.apache.org/docs/1.3/mod/mod_access.html
http://httpd.apache.org/docs/2.0/mod/mod_access.html

How to make it work for the full http server root using several vhosts
http://httpd.apache.org/docs/1.3/mod/core.html#include

There are a few ways of using mod_access to prevent IPs from accessing your server or to allow them.
In these examples I will mostly be using the deny access option.

If you are using just the Apache 'httpd.conf' and no vhosts, all you have to do
is specify which IPs you allow or deny access to the server under 'Order allow,deny'
or 'Order deny,allow'.

EXAMPLE 1 (only using httpd.conf)

Code:
  Order allow,deny
  Allow from all
  Deny from 207.46.0.0/16
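  # 207.68.128.0 - 207.68.207.255 as CIDR blocks (after "/" goes a netmask or prefix length, not an end address)
  Deny from 207.68.128.0/18 207.68.192.0/20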


If you are using VHOSTS, note that by specifying which IPs to block or allow in httpd.conf
they will be blocked or allowed for regular port:80 and SSL port:443 access for ALL your VHOSTS,
unless you have also set individual 'Order allow,deny' or 'Order deny,allow' for each one of them.
If you do that, then the modified VHOST will override the mod_access settings in httpd.conf.

This is useful when you wish to block someone from accessing all the pages on your server except
a specified VHOST.


EXAMPLE 2 (using Include)

Another way of doing all this without having to edit httpd.conf every time you wish to add or remove
an IP is by using 'Include' - http://httpd.apache.org/docs/1.3/mod/core.html#include
If you use 'Include', all you have to do is create a blacklist.conf or allowlist.conf and add the
following line to httpd.conf: Include /etc/apache2/vhosts.d/blacklist.conf

In 'blacklist.conf' you will add your 'DocumentRoot' and 'Directory' path as well as the rules
and IPs, like the next example:

Code:
  DocumentRoot "/home/www"
  <Directory "/home/www">
  Order allow,deny
  Allow from all
  Deny from 207.46.0.0/16
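  # 207.68.128.0 - 207.68.207.255 as CIDR blocks (after "/" goes a netmask or prefix length, not an end address)
  Deny from 207.68.128.0/18 207.68.192.0/20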
  </Directory>


Again, this example is pretty much as if you were editing your httpd.conf and specifying the rules there.
However, it is preferred to use it instead of adding your access/block IP list to httpd.conf.

Once again it will be overridden by any VHOST in which you decide to create some mod_access rules,
so if you wish to control your mod_access rules in 'httpd.conf' or by an 'Include' conf file, you need to remove
or comment out any mod_access 'Order deny,allow' or 'Order allow,deny' in your VHOSTS, or they will ignore your
blacklist.conf, which may be useful when, for example, we want to block everyone from accessing the website but
we wish to allow a few for individual VHOSTS.

Using this example you can, for example, block everyone by default and allow, let's say, 5 different countries to access
each its own VHOST and nothing else.

You can also have different blacklist confs. Let's say you wish to block 2 countries from accessing 2 vhosts but
you allow them to see the rest of the website or vhosts.

EXAMPLE 3 (using more than one Include rule)

In your httpd.conf add : Include /etc/apache2/vhosts.d/blacklist-US.conf

and create a new blacklist

Code:
  DocumentRoot "/home/www/site1"
  <Directory "/home/www/site1">
  Order allow,deny
  Allow from all
  Deny from <ip range>
  </Directory>


In your httpd.conf add : Include /etc/apache2/vhosts.d/blacklist-ENGLAND.conf

and create a new blacklist

Code:
  DocumentRoot "/home/www/site2"
  <Directory "/home/www/site2">
  Order allow,deny
  Allow from all
  Deny from <ip range>
  </Directory>


Quick notes:
Note that for a small server which, let's say, only has a few VHOSTS on just one port, and where the number of VHOSTS to block
is almost the same as the total you have, you don't need to use 'Include' and you can just edit the specific
VHOST.conf and block or allow access there by using only:

Code:
  Order allow,deny
  Allow from all
  Deny from <ip range>


However, if each VHOST is also serving on port:443 this would mean editing 2 conf files for each website you want to add mod_access
rules to. In this case 'Include' saves us some extra editing work.


Some conclusions

When not to use 'include' ?

When you have as many VHOSTS as the ones you wish to create the same mod_access rules for and you are only serving on one port (80 or 443).
In this case it's not really worth it because you can edit each vhost the way you want.

Why use 'Include' for each VHOST if you are serving on port 80 and port 443 or more at the same time?
Because with 'Include' each VHOST will get the same mod_access rules at the same time and from the same blacklist IP conf file.
This will save you from having to edit each VHOST.conf for the same website and create/copy or add the same rules as the other one.

Let's say that you are running VHOST-canada.conf on port 80 and VHOST-SSl-canada.conf on port 443. If you use 'Include' pointing
to one blacklist.conf, both VHOSTS for the same site will use the same mod_access rules. If you don't use 'Include' you will need
to edit both confs for the same site and add the same rules.


EXAMPLE 4

Another option is to use 'Include' in each VHOST.conf, whether serving on port:80 and/or more ports.
In this example we are not going to touch httpd.conf and we are only going to edit the VHOSTS to use 'Include'.
You can use 'Include' in each VHOST depending on what you wish to do. In this case we are using several VHOSTS all pointing to port:80
and each one of them using 1 default blacklist IP conf file or more.
Let's say 1 blacklist.conf and/or 1 allowlist.conf

Edit your VHOST.conf and add something like:
Code:
  Include /etc/apache2/vhosts.d/blacklist-1.conf
  Include /etc/apache2/vhosts.d/allowlist-1.conf


Note that these confs will be different in some settings.
Since the VHOST already has its own 'DocumentRoot' and 'Directory', all you need to add to the .confs is:

This is for the blacklist:

Code:
  Order allow,deny
  Allow from all
  Deny from <ip range>


This is for allowlist

Code:
  Order deny,allow
  Deny from all
  Allow from <ip range>


In these examples I focused on blocking access, but as you can see it can be done to allow access too.
There are more options that can be used with this. For more info refer to the Apache mod_access docs.


cheers

update 14/04/2012 @ http://nixbits.net/wiki/Apache_mod_access
_________________
443640, Questioning, Unsolved, Configs, BinHost


Last edited by HeXiLeD on Sat Apr 14, 2012 8:04 pm; edited 2 times in total
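
An added example, not part of the original post: a small Python model of how mod_access combines Order, Allow and Deny, for checking a blacklist.conf or allowlist.conf against test addresses before reloading Apache. It handles only `all`, full IPs and CIDR blocks (no hostnames, partial IPs, env= or mutual-failure); the function names and the 192.0.2.0/24 allowlist range are constructed for illustration.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering the inclusive range first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]

def parse_rules(text):
    """Collect Order and the 'Allow from' / 'Deny from' specs from config text."""
    order, specs = "deny,allow", {"allow": [], "deny": []}  # mod_access default Order
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order":
            order = words[1].lower()
        elif key in specs and words[1].lower() == "from":
            specs[key] += words[2:]
    return order, specs["allow"], specs["deny"]

def matches(ip, specs):
    addr = ipaddress.ip_address(ip)
    return any(s.lower() == "all" or addr in ipaddress.ip_network(s)
               for s in specs)

def decide(text, ip):
    """True if the client IP would be let in by these rules."""
    order, allow, deny = parse_rules(text)
    allowed, denied = matches(ip, allow), matches(ip, deny)
    if order == "allow,deny":
        return allowed and not denied   # Deny wins; no match at all means denied
    return allowed or not denied        # deny,allow: Allow wins; no match means allowed

# The post's blacklist, with its start/end range written as CIDR blocks
BLACKLIST = """
Order allow,deny
Allow from all
Deny from 207.46.0.0/16
Deny from 207.68.128.0/18 207.68.192.0/20
"""
# Constructed allowlist (192.0.2.0/24 is a documentation range)
ALLOWLIST = "Order deny,allow\nDeny from all\nAllow from 192.0.2.0/24"

if __name__ == "__main__":
    print(range_to_cidrs("207.68.128.0", "207.68.207.255"))
    for ip in ("207.46.1.2", "207.68.200.9", "207.68.208.1"):
        print(ip, "allowed" if decide(BLACKLIST, ip) else "denied")
```
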
ats2
Posted: Fri Jul 21, 2006 9:11 pm

Hi,
Nice idea.
What about Apache2?