On Wed, 5 Apr 2000, Stefan Becker wrote:
Hi, If your Webserver is practically open to public (like Apache running on the ISDN Router) and you need to deny access to that interface but still want your internal users to see the webserver - you can consider the following:
Put this in the httpd.conf:

    #
    # Listen: Allows you to bind Apache to specific IP addresses and/or
    # ports, in addition to the default. See also the <VirtualHost>
    # directive.
    #
    #Listen 3000
    Listen 192.168.80.99:80

This will handle requests directed to the www-server's interface (for example using apache as a proxy server) - but will be totally deaf to the rest of the world!
This should do fine!

No, this is actually not right. The Listen directive only specifies which interface/port Apache listens on if a server has multiple IP interfaces or listens on multiple or non-standard ports. It will accept an HTTP request to that interface from anywhere.

The correct way to limit where Apache will accept requests from is to use the Allow and Deny directives within a Directory container. For example: To limit Apache to only respond to requests from itself (i.e. help docs on a standalone machine, not served to anyone else) put the following within the default directory container:

    <Directory />
    [yada yada - other default directives]
    Order deny,allow
    Deny from all
    Allow from localhost
    </Directory>

This is the first thing I do with Apache when I install it on a workstation so that people can't try all the exploits against me that the previous poster noted. :)

You can also specify IP address subnets, individual IP addresses, hostnames or network names, or use userid/passwords with the Allow command. Take a look at http://www.apache.org/docs-1.2/mod/mod_access.html#allow for help (this is 1.2 docs, so it's outdated), or look at the apache docs that get installed by default (SuSE 6.3 anyway).

Hope this helps,
John Ritchie
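
How an Order/Deny/Allow block like the one in the reply is evaluated against a client address, as an added Python model (not Apache's code and not from either poster). Assumptions: the subnet 192.168.80.0/24 is inferred from the Listen address in the quoted message, the client addresses are constructed samples, and "localhost" is simplified to "any loopback address".

```python
import ipaddress

def _matches(spec, client):
    """True if one 'Allow from' / 'Deny from' argument covers the client IP."""
    if spec == "all":
        return True
    if spec == "localhost":            # simplification: treat as loopback
        return client.is_loopback
    return client in ipaddress.ip_network(spec, strict=False)

def access_allowed(order, allow, deny, client_ip):
    """Model of mod_access evaluation for address-based Allow/Deny lists."""
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(s, client) for s in allow)
    denied = any(_matches(s, client) for s in deny)
    if order == "deny,allow":
        # Deny is evaluated first and Allow overrides it; no match => allowed.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first and Deny overrides it; no match => denied.
        return allowed and not denied
    raise ValueError("unsupported Order: %r" % order)

# Constructed sample clients: loopback, internal LAN host, outside host.
CLIENTS = ["127.0.0.1", "192.168.80.23", "203.0.113.7"]

def evaluate(order, allow, deny):
    """Return {client_ip: allowed?} for every sample client."""
    return {ip: access_allowed(order, allow, deny, ip) for ip in CLIENTS}

if __name__ == "__main__":
    # The block from the reply: only the machine itself gets through.
    print(evaluate("deny,allow", ["localhost"], ["all"]))
    # Same pattern for the internal subnet (assumed 192.168.80.0/24).
    print(evaluate("deny,allow", ["192.168.80.0/24"], ["all"]))
    # Same lists with the Order flipped: 'Deny from all' now wins for everyone.
    print(evaluate("allow,deny", ["192.168.80.0/24"], ["all"]))
    # No Allow/Deny at all (Listen alone): every client is accepted.
    print(evaluate("deny,allow", [], []))
```
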