Original URL: http://stackoverflow.com/questions/714332/
Warning: this content is provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Allow request coming from specific IP only
Asked by Mutant
I have an application hosted on Apache on UNIX, and I am allowing users to access the application URL from a Citrix environment (from a Citrix machine).
However, currently it's possible to access the URL from all the connected machines. I would like to put in the restriction that it should only be accessed from the Citrix machine. So if anyone needs to access it, he needs access to the Citrix machine.
I tried with the below:
<Directory /APP>
Order Deny,Allow
Deny from all
Allow from 160.120.25.65
Allow from 127
</Directory>
It didn't work. Any suggestions?
A few replied with an iptables solution; however, this one is loaded on Solaris (it doesn't have a firewall built in to the OS as Linux does).
Answered by David Schmitt
This should do what you need:
<Directory /APP>
Order Allow,Deny
Allow from 160.120.25.65
Allow from 127.0.0.0/8
</Directory>
See the mod_authz_host documentation for details.
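To make the difference between the two `Order` settings above concrete, here is an added example (not code from the question or the answers) that models the documented Apache 2.2 `Order`/`Allow`/`Deny` evaluation for IPv4 clients. The client addresses other than 160.120.25.65 are constructed samples, and the `NO_DENY` case is a hypothetical variant showing that `Order Deny,Allow` without `Deny from all` lets everyone in.

```python
import ipaddress

def parse_spec(spec):
    """Convert one Allow/Deny argument (IPv4 only) into a network object."""
    if spec == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    # A partial address such as "127" names a subnet by its leading octets.
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + "/" + str(8 * len(octets)))

def is_allowed(order, allow, deny, client):
    """Model of the documented Apache 2.2 Order evaluation for one client."""
    ip = ipaddress.ip_address(client)
    allowed = any(ip in parse_spec(s) for s in allow)
    denied = any(ip in parse_spec(s) for s in deny)
    if order == "Deny,Allow":
        # Default is allow; a matching Allow overrides a matching Deny.
        return allowed or not denied
    if order == "Allow,Deny":
        # Default is deny; the client must match an Allow and no Deny.
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

# Directive sets as they appear in the question and in the answer above.
QUESTION = {"order": "Deny,Allow", "deny": ["all"],
            "allow": ["160.120.25.65", "127"]}
ANSWER = {"order": "Allow,Deny", "deny": [],
          "allow": ["160.120.25.65", "127.0.0.0/8"]}
# Hypothetical variant: Deny,Allow with the "Deny from all" line forgotten.
NO_DENY = {"order": "Deny,Allow", "deny": [], "allow": ["160.120.25.65"]}

# Constructed sample clients: the Citrix host, loopback, and two outsiders.
CLIENTS = ["160.120.25.65", "127.0.0.1", "160.120.25.66", "10.0.0.5"]

def decisions(cfg):
    """Return {client: allowed?} for every sample client under one config."""
    return {c: is_allowed(cfg["order"], cfg["allow"], cfg["deny"], c)
            for c in CLIENTS}

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("answer", ANSWER),
                      ("no_deny", NO_DENY)):
        print(name, decisions(cfg))
```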
Answered by Jarret Hardie
What version of Apache are you running? The IP allowing mechanisms are, AFAIK, provided by mod_authz_host, which was introduced in 2.2 (well, 2.1 technically). If you do have 2.2, make sure it wasn't compiled with mod_authz_host disabled.
Generally speaking, though, you may find a simpler and more robust solution is the iptables or other firewalling suggested in the other answers.
Answered by stack programmer
I would suggest iptables for this purpose. Put a rule in iptables so that wherever the destination port is the port number of your Apache machine and the source IP is the IP address of the Citrix machine, the Linux machine should drop that packet. This way would solve your problem provided there are no other applications hosted on the Apache of your machine which ought to be open for all IPs. An example of the perspective rule could be:
iptables -I INPUT 1 -p tcp -s 160.120.25.65 --dport <port_of_apache_on_your_machine> -j DROP
This should solve your problem, once you replace <port_of_apache_on_your_machine> by its proper value.
Answered by Alex Fort
I would probably use an iptables rule for this. I'm not sure what the example you posted is, but you should be able to configure just about any firewall to work like you want it.

