0

I have a project with ngix as reverse proxy-server and Apache, i'm trying to restrict access to the files contained in a specific folder only to the server ifself. So this is an example:

domain: mysite.test

server ip: 100.100.1.1

hide folder path: /var/www/vhosts/mysite.test/httpdocs/foldertohide

hidden file https://mysite.test/foldertohide/img1234.png

This what i put inside additional https and https directive of Apache:

<Directory "/var/www/vhosts/mysite.test/httpdocs/foldertohide">
    Order deny,allow
    Deny from all
    Allow from 100.100.1.1
</Directory>

At this point I shouldn't be able to reach the URL for the hidden file, but if I enter it into the browser instead of a 403 error i see the image. I have used the same directives in others old projects, why they not work anymore ?

Improve this question
1
  • 1
    Fairly typical is that Apache will only see the IP-address of the reverse proxy and not the actual IP-address of the site visitor. httpd.apache.org/docs/2.4/mod/mod_remoteip.html - In addition httpd.apache.org/docs/2.4/howto/access.html "The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use."
    – HBruijn
    Commented Apr 29 at 7:25

1 Answer 1

Reset to default
1

With apache 2.4 this is the correct version :

<Directory /var/www/vhosts/mysite.test/httpdocs/foldertohide >
    <RequireAny>
        Require ip 100.100.1.1
    </RequireAny>
</Directory>
Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .