I'm trying to get a Django application running on my shared web server (hosted with DreamHost). There's one interface I'd like to lock down based on a white-list of IP addresses, but I'm having trouble figuring out how to do it. This interface lives at a virtual URL (in other words, there are no physical files on the server that correspond to the URL; the Django internals serve up the right thing based on the URL passed in). My shared host uses Apache as the web server, which then passes all necessary requests to Passenger.
I currently have an .htaccess file with the following contents in the root of my site:
SetEnvIf Request_URI ^/manage require_auth=true
AuthUserFile /home/myuser/.htpasswd
AuthName "Who Goes There?"
AuthType Basic
order deny,allow
deny from all
Satisfy any
Require user my_web_user
Allow from env=!require_auth
When I visit the /manage URL at my site, I get prompted for credentials just like I would expect. Visiting any other URL doesn't prompt me, so this rule set seems to work.
However, I can't figure out how to add the IP address white list into the mix. I'm aware that the Satisfy any directive is essentially a logical OR of the statements below it. Ideally, I'd like to be able to restrict access to this URL based on IP and require the user to login. But only for that particular path.
Is there something simple I'm missing here, or could the Apache / Passenger setup prevent me from being able to have my cake and eat it too?
You could specify the ranges you allow with "Allow from iprange" CIDR notation works fine, so that all those which do not match will be required to authenticate.
For example:
AuthUserFile /home/myuser/.htpasswd
AuthName "Who Goes There?"
AuthType Basic
Order deny,allow
Allow from 192.168.0.0/16
Satisfy any
Require user my_web_user
This means that all not in range 192.168.0.0 will have to authenticate.
Related
Can anyone help me correct my regex?
My hosting provides IP geolocation and I want to redirect US clients to another sub-directory of my website.
The website runs on a Nginx server and the hosting provides an interface where one can add redirection rules. The interface consists of Domain, Redirect from, Redirect To, Traffic from (country) and HTTP status code 301 or 302.
Example:
for all non-US clients website.com/blog/article/really-good-book
only for US clients website.com/us/blog/article/really-good-book
I currently have:
Redirect from ^/(?!us/)(.*)$
Redirect to /us/$1
This currently redirects me to website.com/us/index.php and nothing else. So the redirect is applied, it only appends index.php instead of blog/article/really-good-book.
Thank you for your help.
Eventually I found my own solution:
Redirect from ^(?!(/us|/index.php|/wp-admin|/wp-login.php))(.*)$
Redirect to /us/$1
I also added a rule for my wordpress backend, otherwise it would always redirect me back to website.com/us while trying to access website.com/us/wp-admin.
We have a need to allow a user of our internal Django site to send an anonymous email via a contact form to an internal email box. I have all of the framework in place and the messages arrive and are not obviously traceable. However, the Django logs do record the IP address along with a timestamp of all requests.
I am curious if it would be possible to some how hide or perhaps proxy the client IP when the form is submitted to help protect their anonymity?
I have found many articles on how to get the client IP but my searches have not hit upon anything that does the reverse.
I could perhaps alter the Django Logging format to exclude the client IP but it would be good to leave it on for the rest of the site for debugging etc.
thank you in advance.
The answer for me was to modify the Apache CustomLog entry to exclude specific content from being logged in the Access log based on the URI. I made an entry similar to the following in my vhost config file based on numerous examples and the Apache Logging documentation.
SetEnvIf Request_URI "^/staff/contact" dontlog
CustomLog /var/log/apache2/access.log combined env=!dontlog
EDIT: The reason of my problem is mod_userdir. So if your host has enabled mod_userdir like Hostgator reseller package for example http://support.hostgator.com/articles/specialized-help/technical/apache-htaccess/mod_userdir then be sure that you host can disable this. Apparently Hostgator refused to disable this for the specific hosting package
Recently I received a phishing warning from google related to a file that doesn't exist in my server. The reason that it appears as it is hosted on my server is because I'm on a shared/reseller Apache hosting package. So I discovered that I can access any file of another website which is hosted on the same server as my site if I know the username of the owner of the website.
Meaning I can access
http://mywebsite.com/~somebodyelsesusername/any_path_to_their_files.php
Well this behavior is undesirable, so I want to deny access to other's websites through my domain using .htaccess
How can I block every root folder for instance mydomain.com/~somefolder/ starting with ~ without knowing what follows next? Of course I have to block access to any files or folders of that folder. I tried
<DirectoryMatch "^\~|\/\~">
Order allow,deny
Deny from all
</DirectoryMatch>
But I guess I'm not doing it right.
The answer below answers in fact the question however it doesn't fix my problem due to special circumstances. So I marked it as correct and I will further investigate the issue
<DirectoryMatch> can only be used in the server configuration file, or virtual host context, not through .htaccess.
You can possibly block access using mod_rewrite. Make sure the module is enabled, then use the following directives:
RewriteEngine on
RewriteRule ^~ - [F,L]
I have an interesting problem. My company is hosting a small application server for a client, and they want to restrict access to only a few IPs. The client is a large company with many divisions, and each division has their own networking structure.
I won't go into the details, but because of my company's internal structure for web servers, we can't use the conventional allow,deny syntax in Apache. We have load balancers which forward to web servers which then forward to the application server itself. Instead, we use something like the following in our Apache configurations:
RewriteCond %{HTTP:X-Forwarded-For} !^213.212.45.54
We make use of the X-Forwarded-For header to match external IPs. The problem is that one of our client's divisions (call it division A) has their Internet setup to go through an internal proxy. Their internal proxy forwards the workstation IP of each user to our web server. This means that the X-Forwarded-For header for those users looks something like this:
10.123.16.23, 213.212.45.54, 172.20.162.2
The 10 address is the workstation IP of each user in their network, the 213 is the WAN IP of that division, and the 172 is my company's load balancer.
My company has confirmed that if we add the workstation IP of a user to the Apache configuration, they are able to access the page without problem. However, to add every single IP would be tedious.
Is there a way to tell Apache to only pay attention to the middle IP (the WAN IP) using regular expressions? Or is there a better way to configure Apache?
I haven't tested this, but you could construct a regex that searches for your IP string anywhere in the field. The first ^ in your regex means it must match the beginning of the string, which is not the case here.
Something as simple as this could work:
RewriteCond %{HTTP:X-Forwarded-For} !213\.212\.45\.54
The backslashes are necessary in front of the dots because otherwise the . matches any numer of any characters, including matching nothing, it's the equivalent of a * in wildcard syntax.
Like this, if the string 213.212.45.54 is found anywhere in the X-Forwarded-For header, the regex will match.
I have a Django applciation running on Apache with mod_wsgi, but I would like to create a development server on the same machine.
I can reach my website by http://IP_ADD and I would like to reach the development server from http://IP_ADD:8080 or another port.
But as you notice, I would like to prevent accessing to 8080 port from users who do not enter predetermined username/password.
How can I achive such protection? I may allow only certain IP address but it is not a solution.
Another question is also about the chosen port. I hace choice 8080 port but I will also setup issue tracking system, SVN etc. and I am not sure which ports should I open for them.
Thank you
For each of the sites you want to host, you could create a separate Apache site with a VirtualHost file along the following lines:
<VirtualHost *:8080>
ServerName www.example.com:8080 // Your name (if available)
ServerAlias 12.23.34.45 // Your IP
DocumentRoot /var/www/mydjangoapp // Your folder
<Directory />
Order deny,allow
Deny from all
Allow from 127
AuthName "Restricted area"
AuthType Basic
AuthUserFile /etc/apache2/users_mydjangoapp // Allowed users file
require valid-user
</Directory>
The userfile itself can be generated using Apache's authentication system. For each site, you could add a seperate user file to contain the access for that part of your system. For IP based access, just add lines like Allow from 123.123.123.123 below the Allow from 127 line.
Finally, additional sites can be created by creating more of these Apache sites (see for example here for more details). Just adapt the port (8080 in my example) to the one you want to host the additional sites under.
you can add basic authentication
http://djangosnippets.org/snippets/1304/