login community faq

Allowing access to single IP with authz module not working.

0

I set up a Django app on WebFaction (using mod_wsgi) and I'm having trouble configuring apache. I'm trying to make it so the site is only accessible from my own IP address (I'm trying to restrict access while I'm setting up and testing the site). In ~/webapps/django/apache2/httpd.conf I included the authz_host module and then added the following configuration:

1
2
3
4
5
6
7
WSGIScriptAlias / /home/user/webapps/django/mysite/apache/mysite.wsgi

<Directory /home/user/webapps/django/mysite/apache>
    Order deny,allow
    Deny from all
    Allow from 123.123.123.123
</Directory>

The site works fine when I don't try to restrict the incoming IPs, but I get a 403 (Forbidden) when I try to include the above (or any variation on it that would restrict the clients address). According to all the apache documentation I've seen this should work. Any ideas; is there something strange about webfaction or am I just doing something stupid?

asked Nov 06 '10 at 13:50

ron's gravatar image

ron
315
One Answer:
oldestnewestmost voted
1

The problem is that, since your Apache is proxied behind our front-end server, when the requests get to your Apache they all come from 127.0.0.1, so you can't do IP checking the normal way.

Instead, you can use SetEnvIf to check the X-Forwarded-For header and set an environment variable if the IP matches a regular expression.

First, add setenvif_module and authz_host_module to your modules in httpd.conf, if you've not done so already:

1
2
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule authz_host_module modules/mod_authz_host.so

Then, set a variable ('let_in' for example, but you can call it anything you want):

1
2
3
# "xxx\.xxx\.xxx\.xxx" is a regular expression.
# You can modify it to allow multiple IPs, ranges of IPs, etc.
SetEnvIf X-Forwarded-For xxx\.xxx\.xxx\.xxx allowed

Finally, allow access based on the variable:

1
2
3
4
5
<Location "/">
  Order Deny,Allow
  Deny from all
  Allow from env=allowed
</Location>

Hope that helps!

answered Nov 06 '10 at 14:34

seanf's gravatar image

seanf ♦♦
56291220

edited Jul 04 '11 at 13:29

Thanks, that was a huge help!

(Nov 06 '10 at 15:32) ron ron's gravatar image
Your answer
If you have an answer to the above question, then use the form below. Otherwise, use the appropriate 'add new comment' button above to post your feedback.
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Tags:

×16
×3
×1

Asked: Nov 06 '10 at 13:50

Seen: 925 times

Last updated: Jul 04 '11 at 13:29

Related questions

PuTTY obvious mistakes?

Running webapps under a different user

Access an app/website without pointing a domain

Access problems with alternate FTP acount

Help importing an SQL flat file to a new DB. "Access denied" issue in terminal.

assigning root access to another sign on

How can I get write access with PHP files which upload by not-main account

Restrict remote db access by IP

Create user without webapps access

Allowing access to a MySQL database

Plans & prices    Sign up    Why WebFaction?    Contact us    Affiliate program    Support    Legal    Jobs    Blog    Control panel login
Powered by OSQA
© Copyright 2003-2012 Swarma Limited - WebFaction is a service of Swarma Limited