使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

How to restricted IP to access my web server that behind a AWS LB

0

Hello, I have an Apache webserver behind a AWS Application LB. As it is only a staging server so would like to have the restricted access as:

  1. **Only some IP addresses are allowed. **
  2. **Username/password in a httpassword file **

If visitors' IPs are out of the IP range (1), username and password will be required.

I already defined these restrictions in Apache config for my server. However, it seems that the config for IP address allowed does not work as I still have to enter username/password even I access from an allowed IP address (and also have the header of X-Forwarded-For in the request)

Note: I already follow the instruction https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html. For X-Forwarded-For header radio button, I already selected Append or Preserve, both ways did not work

Many thanks

主題
運算
標籤
Amazon EC2
語言
English
son
已提問 7 個月前檢視次數 308 次
2 個答案
0
已接受的答案

Hello.

By configuring the settings as shown below, a specific global IP address can pass basic authentication.
Please enter the IP address in the "aaa" part without changing the escaped part.
For example, if you want to allow the IP address "1.1.1.1", set "SetEnvIf X-Forwarded-For "1\.1\.1\.1.*" allowed_ip".

SetEnvIf User-Agent "^ELB-HealthChecker.*$" healthcheck
SetEnvIf X-Forwarded-For "1\.1\.1\.1.*" allowed_ip
SetEnvIf X-Forwarded-For "aaa\.aaa\.aaa\.aaa.*" allowed_ip
SetEnvIf X-Forwarded-For "bbb\.bbb\.bbb\.bbb.*" allowed_ip

<RequireAny>
    AuthUserFile /etc/httpd/htpasswd
    AuthName "Please enter your ID and password"
    AuthType Basic

    Require env healthcheck allowed_ip
    Require valid-user
</RequireAny>

<Files ~ "^\.(htaccess|htpasswd)$">
    Require all denied
</Files>
profile picture
專家
Riku_Kobayashi
已回答 7 個月前
profile picture
專家
Gary Mclean
已審閱 2 個月前
  • Riku_Kobayashi 專家
    7 個月前

    Did you restart Apache after changing the settings? Also, make sure that "X-Forwarded-For" is set to "Append" in the ALB settings.

    sudo systemctl restart httpd
  • son
    7 個月前

    Thank you for your help, Could you please explain this "Require env healthcheck allowed_ip", eg: where env come from. Also the same variable "allowed_ip" can be used for multi IPs (eg: 1.1.1.1, aaa.aaa.aaa. and bbb.bbb.bbb)??? Thanks, again

  • Riku_Kobayashi 專家
    7 個月前

    Could you please explain this "Require env healthcheck allowed_ip", eg: where env come from.

    "Require env" is set to allow the conditions of the set environment variables. For example, in this case, "healthcheck" and "allowed_ip" are environment variables. https://httpd.apache.org/docs/2.4/ja/mod/mod_authz_core.html#require

    Also the same variable "allowed_ip" can be used for multi IPs (eg: 1.1.1.1, aaa.aaa.aaa. and bbb.bbb.bbb)???

    Yes, you can set multiple IP addresses.

0

It works correctly with Riku_Kobayashi's answer

son
已回答 7 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容