Apache, mod_authz_host, ineffective 'Allow from' clause

Question

I am trying to restrict access to a part of my website to only a specific machine within the local network using mod_authz_host. https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html

My config looks like this:

<LocationMatch "/export.*">
  Order allow,deny
  Allow from 192.168.1.207
</LocationMatch>

where 192.168.1.207 is the IP address of the machine I want to allow access.

The problem is that the access from the machine is still denied.

In the log the access looks like this:

fvs318gv2 - - [27/Mar/2018:15:42:28 +0200] "GET /export/ HTTP/1.1" 403 209

EDIT: The corresponding log format used is: "%h %l %u %t \"%r\" %>s %b"

which makes me wonder what fvs318gv2 means, it doesn't even look like an IP address? Obviously, Apache is not seeing the machine as coming from its IP address, where could be the problem?

If I do ipconfig /all on that machine, I get:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ****
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter PýipojenĄ k mĄstnĄ sĄti:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : EC-A8-6B-81-87-60
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::c4be:bf88:60e3:f97b%7(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.207(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : pondŘlĄ 26. býezna 2018 16:10:21
   Lease Expires . . . . . . . . . . : stýeda 28. býezna 2018 10:49:43
   Default Gateway . . . . . . . . . : 192.168.1.2
   DHCP Server . . . . . . . . . . . : 192.168.1.2
   DHCPv6 IAID . . . . . . . . . . . : 250390635
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4B-5D-B6-EC-A8-6B-81-87-60
   DNS Servers . . . . . . . . . . . : 192.168.1.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Belkin Wireless Adapter
   Physical Address. . . . . . . . . : EC-1A-59-D8-1F-18
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter PýipojenĄ k mĄstnĄ sĄti* 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : EC-1A-59-D8-1F-18
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter PýipojenĄ k mĄstnĄ sĄti* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Hosted Network Virtual Adapter
   Physical Address. . . . . . . . . : EC-1A-59-D8-1F-18
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:850:262d:2a57:4513(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::850:262d:2a57:4513%3(Preferred) 
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 167772160
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4B-5D-B6-EC-A8-6B-81-87-60
   NetBIOS over Tcpip. . . . . . . . : Disabled

score 2 · Answer 1 · answered Apr 02 '18 at 11:10

2

Stop using 2.2 directives please:

<Location /export>
  Require ip 192.168.1.207
</Location>

Note: I also modified your location for a less complicated method without regex since you seem to request /export/kkk

answered Apr 02 '18 at 11:10

ezra-s

2,215
1
7
13

Thanks, but this didn't make any difference. – Martin Vlk Apr 06 '18 at 16:43
@MartinVlk didn't make a difference to what, what do you get? This is the only way to allow only a specific ip. – ezra-s Apr 10 '18 at 21:59
I have explained the problem above - do I need to improve the question so that the problem is more clearly laid out? – Martin Vlk Apr 12 '18 at 09:37
You could share the log format you are using for example to find out what those weird values are. – ezra-s Apr 13 '18 at 10:43

Apache, mod_authz_host, ineffective 'Allow from' clause

1 Answers1