0

I have two servers: A) a frontend server (IP 11.22.33.44) and B) a backend server (IP 22.33.44.55). Both use Debian Linux and Apache.

The frontend server (A) uses a reverse proxy to show the content of the backend server (B). I would like to restrict Apache access on the backend server to IP 11.22.33.44 (it should be accessible only from the frontend server). The backend server listens on SSL-enabled ports 1111 and 2222 (to serve two different reverse-proxied sites).

I tried on backend server:

<Proxy "*">
    Require ip 11.22.33.44
</Proxy>

and

<Proxy "*">
    order deny,allow
    Deny from all
    Allow from 11.22.33.44
</Proxy>

but I had no success. It is still accessible by me from a web browser at the URL https://22.33.44.55:1111.

Any other ideas for restricting access to the backend server to the IP address of the frontend server?

klor

1 Answer

1

So the backend server is the target of the proxy, so the Proxy directive is not relevant there.

To restrict access to the backend, something like this in the virtualhost of your backend conf file would limit access to only the front-end server making proxied requests...

<VirtualHost *:80>
    DocumentRoot "/var/www/example.com"
    ServerName example.com
...
    <Location "/">
       Require ip 11.22.33.44
    </Location>
...
</VirtualHost>

You can add more granular controls with other directives from the manual:
https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require

Tom
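The answer's approach applied to the two TLS ports from the question, as an added example that is not part of the original answer. It assumes Apache 2.4 with mod_ssl on the backend; the ServerName values, DocumentRoot paths and certificate paths are placeholders.

```apache
# Backend server (22.33.44.55). On Debian the Listen lines normally
# live in /etc/apache2/ports.conf.
# Non-standard TLS ports need the protocol named explicitly.
Listen 1111 https
Listen 2222 https

# No effect here: <Proxy> sections only apply to requests that this
# server itself proxies, and the backend is the proxy target.
#<Proxy "*">
#    Require ip 11.22.33.44
#</Proxy>

<VirtualHost *:1111>
    ServerName site1.example.com                 # placeholder
    DocumentRoot "/var/www/site1"                # placeholder
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/backend.pem"      # placeholder
    SSLCertificateKeyFile "/etc/ssl/private/backend.key"    # placeholder

    # Every URL on this site is limited to the frontend's address.
    # Require ip matches the TCP peer address of the connection.
    <Location "/">
        Require ip 11.22.33.44
    </Location>
</VirtualHost>

<VirtualHost *:2222>
    ServerName site2.example.com                 # placeholder
    DocumentRoot "/var/www/site2"                # placeholder
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/backend.pem"      # placeholder
    SSLCertificateKeyFile "/etc/ssl/private/backend.key"    # placeholder

    # Repeat the rule per virtual host: a <Location> inside one
    # <VirtualHost> does not cover the other port.
    <Location "/">
        Require ip 11.22.33.44
    </Location>
</VirtualHost>

# Do not combine this with the 2.2-style Order/Deny/Allow lines
# (mod_access_compat) in the same configuration; use Require only.
```

After `apache2ctl configtest` and a reload, a direct request to https://22.33.44.55:1111 from any address other than 11.22.33.44 should return 403 Forbidden, while requests arriving through the frontend's reverse proxy still succeed.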