使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

How to restricted IP to access my web server that behind a AWS LB

0

Hello, I have an Apache webserver behind a AWS Application LB. As it is only a staging server so would like to have the restricted access as:

  1. **Only some IP addresses are allowed. **
  2. **Username/password in a httpassword file **

If visitors' IPs are out of the IP range (1), username and password will be required.

I already defined these restrictions in Apache config for my server. However, it seems that the config for IP address allowed does not work as I still have to enter username/password even I access from an allowed IP address (and also have the header of X-Forwarded-For in the request)

Note: I already follow the instruction https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html. For X-Forwarded-For header radio button, I already selected Append or Preserve, both ways did not work

Many thanks

主题
计算
标签
亚马逊 EC2
语言
English
son
已提问 7 个月前307 查看次数
2 回答
0
已接受的回答

Hello.

By configuring the settings as shown below, a specific global IP address can pass basic authentication.
Please enter the IP address in the "aaa" part without changing the escaped part.
For example, if you want to allow the IP address "1.1.1.1", set "SetEnvIf X-Forwarded-For "1\.1\.1\.1.*" allowed_ip".

SetEnvIf User-Agent "^ELB-HealthChecker.*$" healthcheck
SetEnvIf X-Forwarded-For "1\.1\.1\.1.*" allowed_ip
SetEnvIf X-Forwarded-For "aaa\.aaa\.aaa\.aaa.*" allowed_ip
SetEnvIf X-Forwarded-For "bbb\.bbb\.bbb\.bbb.*" allowed_ip

<RequireAny>
    AuthUserFile /etc/httpd/htpasswd
    AuthName "Please enter your ID and password"
    AuthType Basic

    Require env healthcheck allowed_ip
    Require valid-user
</RequireAny>

<Files ~ "^\.(htaccess|htpasswd)$">
    Require all denied
</Files>
profile picture
专家
Riku_Kobayashi
已回答 7 个月前
profile picture
专家
Gary Mclean
已审核 2 个月前
  • Riku_Kobayashi 专家
    7 个月前

    Did you restart Apache after changing the settings? Also, make sure that "X-Forwarded-For" is set to "Append" in the ALB settings.

    sudo systemctl restart httpd
  • son
    7 个月前

    Thank you for your help, Could you please explain this "Require env healthcheck allowed_ip", eg: where env come from. Also the same variable "allowed_ip" can be used for multi IPs (eg: 1.1.1.1, aaa.aaa.aaa. and bbb.bbb.bbb)??? Thanks, again

  • Riku_Kobayashi 专家
    7 个月前

    Could you please explain this "Require env healthcheck allowed_ip", eg: where env come from.

    "Require env" is set to allow the conditions of the set environment variables. For example, in this case, "healthcheck" and "allowed_ip" are environment variables. https://httpd.apache.org/docs/2.4/ja/mod/mod_authz_core.html#require

    Also the same variable "allowed_ip" can be used for multi IPs (eg: 1.1.1.1, aaa.aaa.aaa. and bbb.bbb.bbb)???

    Yes, you can set multiple IP addresses.

0

It works correctly with Riku_Kobayashi's answer

son
已回答 7 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容