htaccess: is "Allow from 127.0.0.1" safe - .htaccess

I have a website where I keep a dev copy on my local computer, and a live copy on my webhost.
I want to ip-whitelist a particular subdirectory to allow only me to access it. However, if I am working on my local copy via my home network, my ip is 127.0.0.1, whereas when I am working on the live site via the internet my ip address is 184.255.27.13.
So I added both ip's to my .htaccess (identical copy on local server and webhost server):
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 184.255.27.13
Is there any danger to upload the htaccess to the webserver with that generic 127.0.0.1 included?

Is there any danger to upload the htaccess to the webserver with that generic 127.0.0.1 included?
No, since if someone malicious is connecting to your webhosted server from 127.0.0.1, they've already got access to the server itself.

Most likely not, but there could be a security risk, depending on your server configuration.
If you are running beside apache, nginx or stunnel or haproxy or similar software that act as a reverse proxy, and configure it as reverse proxy for the apache server, the apache server could see all incomming connections coming from 127.0.0.1.
But that is not going to happen to a basic LAMP configuration.

Related

Unsure how to change Root Directory to point away from my HTTP sites content

I am currently SSH'd into my AWS VM IP address on Ubuntu.
I've installed the Apache SSL module, copied my server certificate and private key to /etc/pki/tls/certs and /etc/pki/tls/private. Changed the configuration within /etc/httpd/conf.d/ssl.conf so that it would be listening for port 4443.
From here, I need to change the document root to something different than my nginx HTTP site or else both HTTPS and HTTP will point to the same content.
I was told to use independent directory trees but unsure how to set it up.
I attempted by going to /etc/httpd/conf/httpd.conf and changed the document root to a directory I setup to separate them within /etc/ but still gives me the same message when trying to access the website as shown in the screenshot.
url of test page HTTPS
test page HTTPS
Does your site show up if you add the port? For example, https://yoursite.com:4443. Port 4443 isn't the default https port (that's 443), so you'll need to reference it explicitly.
You might want to, instead, consider using an ALB in front of the EC2 instance and terminate SSL there, leaving the httpd/nginx server on the EC2 instance only running on port 80 (default). This offloads the SSL handling to the load balancer and also enables you to do things like rolling upgrades to a new EC2 instance instead of keeping a "pet" web server.

Hosting a web site in IIS accessible from any web client?

Trying to host a web site on my local Win 10 Pro machine withing IIS, provided I share the IP to my friends. My host file contains something like:
127.0.0.1 site1.com
127.0.0.2 site2.com
127.0.0.3 site3.com
127.0.0.1:1 site4.com
127.0.0.1:2 site4.com
123.45.5.6 site5.com
123.45.5.6:33 site5.com
They all work as expected except for the imaginary external ip (only for example), and adding the port or not makes not difference. Seems i've tried what makes sense, say my external is '1.2" Creating a host entry like
1.2 # or
1.2:Port # the external IP with port
Also attempted adding an exclusion for he firewall to help ensure the traffic is allowed by doing:
netsh advfirewall firewall add rule name="Open Port" dir=in action=allow protocol=TCP localport=81
Kind of lost what might be missing, any suggestions?
Thanks for he help.
First. There is no need to add port after IP address in hosts file. Port can be configured on IIS by setting binding.
Second. If you want to allow any web client can access the site host on local WIN10 pro, you need to make sure WIN10 pro and web client are in the same LAN. Otherwise it is need to buy a public domain and bind to WIN10 pro device.
Using Ping command is a great way to test traffic between devices. It can help you make sure if web client can create connection with WIN10 pro.

Restrict access to directory based on protocol

I know .htaccess can be used to restrict access to specific directories based on domain, IP address, etc. but is there a way I can restrict access based on protocol?
I have some scripts I want to be able to run remotely on an Apache server only from SSH.
Ssh and http(s) are completely different protocols and usually different server-side programs are responsible for them.
The Apache httpd serves http and if configured https requests. Restricting access can be done with .htaccess files. In a .htaccess https usage can be forced with the SSLRequireSSL directive. The Apache httpd has nothing to do with ssh.
For ssh connections generally the sshd is responsible and therefor if you want to access and execute your scripts only over ssh, move them out of httpd access.

deploying a node.js on a new domain

I have a server that runs different websites on different ports. All of them (but one) are Apache servers and thanks to webmin, I managed to have, for instance, example.com point to 123.123.123.123:80 and example.fr to 123.123.123.123:8000, somehow automatically
I am now running a nodejs server on the same machine, so the 80, 8000, and many other ports are already taken. My nodejs listens on 8008. I have another domain name, say example.org, and I want it to point to my nodejs website, but I simply don't know how to do that! I have updated the DNS and everything is pointing to 123.123.123.123 (my server's IP). I want to avoid using an ugly example.org:8008/ for everything on this node server. How can I make it point implicitly to the 8008 port?? I must add that I cannot afford to take down the apache servers ;)
DNS only provides name to ip address mapping. It cannot handle ports. What you can do instead is to set up a proxy server listening on port 80. The proxy server can then return data based on the host header.
Your best option is to just redirect the request from Apache. Otherwise you can use a reverse proxy like Nginx. Also, you can write a lightweight proxy in node... check out this page

How can I access a website configured with host headers in IIS on the local machine?

When using host headers to host multiple websites on the same IP address in IIS, is there any way of accessing that website from a browser running on the local machine?
This is normally required when a given web component only allows configuration from the local machine. It's also useful when things like ASP.Net's built in error handling isn't working and you can only view the error in the browser but don't want to allow remote users to see it.
This has baffled me for a while and everytime I come across it I end up giving up in frustration and reconfigure stuff so I can accomplish such tasks remotely.
Added: #Ishmaeel - modifying hosts doesn't seem to help - you either get a 400 error (if all websites have host headers) or whichever site is configured without a host header.
Just an idea: Mapping the hostname to 127.0.0.1 in the hosts ($WINDOWS$\system32\drivers\etc) file may help. This way you should be able to pull up the local IIS site by typing the hostname as if it's a remote server
Maybe I am not understanding the question, but what's wrong with just typing in the URL for the website? If it's the matter of domain name resolution, you can point to the right DNS or put it in hosts file.
eed3si9n -- if you are trying to access a url locally and you use host headers you cant just type in the url: for example you have 2 websites (website1.com website2.com) on 1 server using host headers. the local ip of the web server is 192.168.1.50 --> if you type in 192.168.1.50 you will get a 'page cannot found'. if you put in the url website1.com or website2.com you will be accessing the sites from the outside (not locally).
so the problem is how to access the sites locally not from the outside -- for example i need this ability so that i can access locally as the test sites are only available locally. not from the outside...
You can try telnetting to the server.
$ telnet localhost 80
(type these lines manually)
GET / HTTP/1.1
Host: www.example.com
(exchange www.example.com for the host name your server is mapped to)
I would assume the only way you can do this is assigning a custom port to the specific website you want to monitor and just access it as "localhost:CustomPort".

Resources