I have a collection of debugging scripts in /var/www that display useful information that helps with investigating issues on the server; however, that same information is potentially sensitive, so I do not want it publicly available.

The DocumentRoot is /var/www/, which looks like this:

$ ls -1 /var/www/
apc.php
index.php
linux-dash
opcache.php
phpinfo.php

To secure this information I'm trying to configure Apache to only accept requests from my IP address (which for the sake of this example is 192.168.33.1).

The complication is that I want requests to www.example.com and www.example.com/index.php to respond with a 200 regardless of which IP they originate from.

My status.conf virtual host config currently looks like this:

ServerName      www.example.com

<VirtualHost *:80>
    ServerName      www.example.com

    DocumentRoot    /var/www
    <Directory      /var/www>
        Options FollowSymLinks
        AllowOverride All
        Require ip 192.168.33.1
    </Directory>

    <LocationMatch ^/(index.php)?$>
        Require all granted
    </LocationMatch>

    <Location /server-status>
        SetHandler server-status
    </Location>
</VirtualHost>

This is partially working, as it's responding with a 200 to requests to www.example.com and www.example.com/index.php from any request IP address; however, it's incorrectly responding with a 403 to all other requests even when requested from the whitelisted IP address:

$ curl -I -H 'Host: www.example.com' 192.168.33.10
HTTP/1.1 200 OK

$ curl -I -H 'Host: www.example.com' 192.168.33.10/index.php
HTTP/1.1 200 OK

$ curl -I -H 'Host: www.example.com' 192.168.33.10/phpinfo.php
HTTP/1.1 403 Forbidden

$ curl -I -H 'Host: www.example.com' 192.168.33.10/opcache.php
HTTP/1.1 403 Forbidden

$ curl -I -H 'Host: www.example.com' 192.168.33.10/server-status
HTTP/1.1 403 Forbidden

From access.log:

192.168.33.1 - - [15/Jun/2015:09:59:13 +0000] "HEAD / HTTP/1.1" 200 148 "-" "curl/7.37.1"
192.168.33.1 - - [15/Jun/2015:09:59:32 +0000] "HEAD /index.php HTTP/1.1" 200 148 "-" "curl/7.37.1"
192.168.33.1 - - [15/Jun/2015:09:59:47 +0000] "HEAD /phpinfo.php HTTP/1.1" 403 139 "-" "curl/7.37.1"
192.168.33.1 - - [15/Jun/2015:10:00:03 +0000] "HEAD /opcache.php HTTP/1.1" 403 139 "-" "curl/7.37.1"
192.168.33.1 - - [15/Jun/2015:10:00:22 +0000] "HEAD /server-status HTTP/1.1" 403 139 "-" "curl/7.37.1"

What changes do I need to make to my Apache config in order to achieve the desired behaviour?

tommarshall
  • For starters, try reloading Apache in case there is a config change that hasn't taken effect. If that doesn't work, try commenting out the `Require` line and reloading Apache and confirm the 403 goes away and it's not something else causing the 403. – sa289 Jun 16 '15 at 17:12
  • Thanks for your help. I was using Ansible to provision the host, and it turns out the task to restart Apache was silently failing due to a config error elsewhere. The config in the question was working correctly for all cases except `/server-status`, which needed its own `Require ip 192.168.33.1` in order to get the desired behaviour. – tommarshall Jun 18 '15 at 09:39
  • Glad to hear it - I've posted this as an answer on the question. – sa289 Jun 18 '15 at 16:09
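
One way to check an access.log against the policy described in the question (everything restricted to 192.168.33.1 except `/` and `/index.php`), as an added example that is not part of the original question or answers. The client 203.0.113.7 and the log lines marked as constructed are assumptions made up for the illustration.

```python
import re
from ipaddress import ip_address

# Policy from the question: one allowed client, two URLs open to everyone.
ALLOWED_IP = ip_address("192.168.33.1")
PUBLIC_PATHS = {"/", "/index.php"}

# Start of an Apache common/combined log line, up to the status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def audit(lines):
    """Return (kind, client, path, status) for each line that contradicts the policy."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        try:
            client = ip_address(m["ip"]) if m else None
        except ValueError:      # logged as a hostname, not an address
            client = None
        if client is None:      # report what cannot be judged instead of skipping it
            findings.append(("unparsed", None, line.strip(), None))
            continue
        path = m["target"].split("?", 1)[0]   # judge the path, not the query string
        status = int(m["status"])
        allowed = client == ALLOWED_IP
        public = path in PUBLIC_PATHS         # exact match; anything else is protected
        if status == 403 and (public or allowed):
            findings.append(("blocked", str(client), path, status))
        elif 200 <= status < 400 and not (public or allowed):
            findings.append(("exposed", str(client), path, status))
    return findings

SAMPLE = [
    # Two lines from the question's access.log
    '192.168.33.1 - - [15/Jun/2015:09:59:13 +0000] "HEAD / HTTP/1.1" 200 148 "-" "curl/7.37.1"',
    '192.168.33.1 - - [15/Jun/2015:09:59:47 +0000] "HEAD /phpinfo.php HTTP/1.1" 403 139 "-" "curl/7.37.1"',
    # Constructed lines; 203.0.113.7 stands in for any other client
    '203.0.113.7 - - [15/Jun/2015:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 148 "-" "curl/7.37.1"',
    '203.0.113.7 - - [15/Jun/2015:10:01:05 +0000] "GET /opcache.php HTTP/1.1" 403 139 "-" "curl/7.37.1"',
    '203.0.113.7 - - [15/Jun/2015:10:01:09 +0000] "GET /server-status?auto HTTP/1.1" 200 512 "-" "curl/7.37.1"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A `blocked` finding is the symptom shown in the question's access.log (the allowed client receiving a 403); an `exposed` finding is a protected URL answered for any other client.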

2 Answers

Your config looks good - try reloading Apache in case there is a config change that hasn't taken effect.

sa289
  • @tommarshall - Since this was helpful to you, I'd appreciate an upvote and/or mark the answer as accepted so I can get credit. Thanks – sa289 Jul 13 '15 at 20:19

That's because you are inserting the LocationMatch just for index.php. LocationMatch can be defined like a regexp, so you can try to add a regular expression for all the files you would need.

Something like:

<LocationMatch ^/(index.php|phpinfo.php|opcache.php)?$>
        Require all granted
</LocationMatch>
sebix