How to restrict IP access to my web server that is behind an AWS LB

0

Hello, I have an Apache webserver behind an AWS Application LB. As it is only a staging server, I would like to restrict access as follows:

  1. **Only some IP addresses are allowed.**
  2. **Username/password in an htpasswd file**

If visitors' IPs are out of the IP range (1), username and password will be required.

I already defined these restrictions in the Apache config for my server. However, it seems that the config for allowed IP addresses does not work, as I still have to enter the username/password even when I access from an allowed IP address (and also have the X-Forwarded-For header in the request).

Note: I already followed the instructions at https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html. For the X-Forwarded-For header radio button, I already selected Append or Preserve; both ways did not work.

Many thanks

son
asked 7 months ago · 308 views
2 Answers
0
Accepted Answer

Hello.

By configuring the settings as shown below, a specific global IP address can pass basic authentication.
Please enter the IP address in the "aaa" part without changing the escaped part.
For example, if you want to allow the IP address "1.1.1.1", set "SetEnvIf X-Forwarded-For "1\.1\.1\.1.*" allowed_ip".

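```apache
# Flag requests from the ALB health checker and from allowed client addresses.
SetEnvIf User-Agent "^ELB-HealthChecker.*$" healthcheck
SetEnvIf X-Forwarded-For "1\.1\.1\.1.*" allowed_ip
# Replace "aaa" / "bbb" with the octets of each additional allowed address.
SetEnvIf X-Forwarded-For "aaa\.aaa\.aaa\.aaa.*" allowed_ip
SetEnvIf X-Forwarded-For "bbb\.bbb\.bbb\.bbb.*" allowed_ip

# Grant access if either flag is set; otherwise fall back to Basic auth.
<RequireAny>
    AuthUserFile /etc/httpd/htpasswd
    AuthName "Please enter your ID and password"
    AuthType Basic

    Require env healthcheck allowed_ip
    Require valid-user
</RequireAny>

# Never serve the .htaccess / .htpasswd files themselves.
<Files ~ "^\.(htaccess|htpasswd)$">
    Require all denied
</Files>
```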
EXPERT
answered 7 months ago
EXPERT
reviewed 2 months ago
  • Did you restart Apache after changing the settings? Also, make sure that "X-Forwarded-For" is set to "Append" in the ALB settings.

    sudo systemctl restart httpd
    
  • Thank you for your help. Could you please explain this "Require env healthcheck allowed_ip", e.g. where env comes from? Also, can the same variable "allowed_ip" be used for multiple IPs (e.g. 1.1.1.1, aaa.aaa.aaa. and bbb.bbb.bbb)? Thanks again.

  • Could you please explain this "Require env healthcheck allowed_ip", e.g. where env comes from?

    "Require env" is set to allow the conditions of the set environment variables. For example, in this case, "healthcheck" and "allowed_ip" are environment variables. https://httpd.apache.org/docs/2.4/ja/mod/mod_authz_core.html#require

    Also, can the same variable "allowed_ip" be used for multiple IPs (e.g. 1.1.1.1, aaa.aaa.aaa. and bbb.bbb.bbb)?

    Yes, you can set multiple IP addresses.
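
A check worth running before relying on an X-Forwarded-For allowlist like the one in the accepted answer (added example, not part of the original answer): it models SetEnvIf's unanchored regex search with Python's `re` and compares the answer's pattern with a stricter one that only accepts the address as the last entry, which is the one the ALB appends in "Append" mode. The stricter pattern, the helper names and the sample header values are assumptions constructed for this example, and it assumes the ALB is the only proxy in front of Apache.

```python
import re

# Pattern from the accepted answer, and a stricter variant (assumption of this
# example) that matches only when 1.1.1.1 is the LAST comma-separated entry,
# i.e. the address the ALB itself appended.
ANSWER_PATTERN = r"1\.1\.1\.1.*"
LAST_ENTRY_PATTERN = r"(^|,\s*)1\.1\.1\.1$"


def sets_allowed_ip(pattern: str, xff: str) -> bool:
    """Model SetEnvIf: an unanchored regex search over the header value."""
    return re.search(pattern, xff) is not None


def last_hop(xff: str) -> str:
    """Right-most entry: the peer address the ALB saw on its own socket."""
    return xff.split(",")[-1].strip()


# Constructed X-Forwarded-For values as Apache would receive them from the ALB.
SAMPLES = [
    "1.1.1.1",                # allowed client, no header of its own
    "198.51.100.4, 1.1.1.1",  # allowed client that sent its own XFF value
    "203.0.113.7",            # other client
    "11.1.1.1",               # other client whose address contains "1.1.1.1"
    "1.1.1.10",               # other client sharing the allowed prefix
    "1.1.1.1, 203.0.113.7",   # 203.0.113.7 supplied "1.1.1.1" in its request
]


def compare(samples=SAMPLES):
    """Return (header, last hop, answer pattern result, strict result)."""
    return [
        (xff, last_hop(xff),
         sets_allowed_ip(ANSWER_PATTERN, xff),
         sets_allowed_ip(LAST_ENTRY_PATTERN, xff))
        for xff in samples
    ]


if __name__ == "__main__":
    for xff, hop, loose, strict in compare():
        print(f"{xff!r:28} last hop {hop:13} answer={loose!s:5} strict={strict}")
```

Only the rows whose last hop is 1.1.1.1 should bypass Basic authentication; any row where the answer's pattern says True and the last hop is a different address is a request that would skip the password prompt.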

0

It works correctly with Riku_Kobayashi's answer

son
answered 7 months ago
