
So I am running Apache 2.4.54 on a Red Hat CentOS 7 machine. I am using the below configuration to run my Django application with mod_wsgi:

# create new
#LoadModule wsgi_module modules/mod_wsgi.so
LoadModule wsgi_module "/home/ec2-user/.virtualenvs/myproj_prod/lib/python3.9/site-packages/mod_wsgi/server/mod_wsgi-py39.cpython-39-x86_64-linux-gnu.so"
WSGIPythonHome "/home/ec2-user/.virtualenvs/myproj_prod"

#LogLevel Info

<VirtualHost *:80>

LogLevel Info
#LogLevel Error
ServerName www.mysite.com
ServerAlias mysite.com
ServerAdmin webmaster@mysite.com

#DocumentRoot /usr/local/www/documents
#Alias /robots.txt /usr/local/www/documents/robots.txt
#Alias /favicon.ico /usr/local/www/documents/favicon.ico
#Alias /media/ /usr/local/www/documents/media/

#Alias /robots.txt /path/to/mysite.com/static/robots.txt
Alias /favicon.ico /var/www/mysite.com/static/favicon.ico
#Alias /media/ /path/to/mysite.com/media/
Alias /static/ /var/www/mysite.com/static/

<Directory "/var/www/mysite.com/static">
    <RequireAll>
        Require not ip 47.222.213.25
        Require not ip 34.207.41.127
        Require not ip 54.209.63.240
        Require not ip 44.196.220.146
        Require not ip 34.206.83.67
        Require not ip 34.194.232.56
        Require not ip 44.194.69.200
        Require all granted
    </RequireAll>
</Directory>

WSGIDaemonProcess mysite.com processes=1 threads=5 display-name=%{GROUP} home=/home/ec2-user/DjangoProjects/myproj python-path=/home/ec2-user/.virtualenvs/myproj
WSGIProcessGroup mysite.com
WSGIScriptAlias / /home/ec2-user/DjangoProjects/myproj/myproj/wsgi.py process-group=mysite.com application-group=%{GLOBAL}

<Directory "/home/ec2-user/DjangoProjects/myproj">
    <RequireAll>
        #Require not ip 47.222.213.25
        Require not ip 34.207.41.127
        Require not ip 54.209.63.240
        Require not ip 44.196.220.146
        Require not ip 34.206.83.67
        Require not ip 34.194.232.56
        Require not ip 44.194.69.200
        Require all granted
    </RequireAll>
    <Files "wsgi.py">
        <RequireAll>
            #Require not ip 47.222.213.25
            Require not ip 34.207.41.127
            Require not ip 54.209.63.240
            Require not ip 44.196.220.146
            Require not ip 34.206.83.67
            Require not ip 34.194.232.56
            Require not ip 44.194.69.200
            Require all granted
        </RequireAll>
    </Files>
</Directory>

</VirtualHost>

I would like to block the IP addresses listed inside the <RequireAll></RequireAll> tags; however, it is not blocking the IP addresses. When I insert mine to test, it lets me go straight through. When I was using Deny from, it would at least block my IP, but I read that it was deprecated. So I thought that while I am trying to block these IPs I might as well fix the configuration file.

It will run, and I can access the site (which, ironically, is the problem, since I am trying to test this by blocking my IP), so I think it could be a logical configuration problem, but I am too much of an amateur to know what that is, so guidance would be greatly appreciated! Thank you.

I've googled up and down and have tried many of the suggested answers, so that is why I think it has to be a configuration problem on my end; but seeing that the documentation has it like so in my config file, I'm at a loss. I've seen someone mention that aliases in the file could potentially bypass any IP restrictions a config file would have, but I think I can rule that out in this situation: I have one alias for static files, and if I could block just the main site, I wouldn't necessarily care about what static files the blocked IPs could find.

I haven't tried a .htaccess file yet, but I might start working on that. I read somewhere that it is slower than just configuring it in the .conf file.

UPDATE: .htaccess file - I don't know why anyone would expect this to be any different, but it didn't work.

EDIT - I am uncertain as to how pertinent this is, but I get this error in my error logs:

[Thu Oct 13 16:53:59.234764 2022] [wsgi:error] [pid 4234] [remote y.y.y.y:port] Invalid HTTP_HOST header: 'x.x.x.x'. You may need to add 'x.x.x.x' to ALLOWED_HOSTS.
[Thu Oct 13 16:53:59.234764 2022] [wsgi:error] [pid 4234] [remote y.y.y.y:port] Traceback (most recent call last):
[Thu Oct 13 16:53:59.234769 2022] [wsgi:error] [pid 4234] [remote y.y.y.y:port]   File "/home/ec2-user/django/django/core/handlers/exception.py", line 55, in inner
[Thu Oct 13 16:53:59.234772 2022] [wsgi:error] [pid 4234] [remote y.y.y.y:port]     response = get_response(request)
[Thu Oct 13 16:53:59.234776 2022] [wsgi:error] [pid 4234] [remote y.y.y.y:port]   File "/home/ec2-user/django/django/utils/deprecation.py", line 136, in __call__
[Thu Oct 13 16:53:59.234779 2022] [wsgi:error] [pid 4234] [remote y.y.y.y:port]     response = self.process_request(request)
[Thu Oct 13 16:53:59.234783 2022] [wsgi:error] [pid 4234] [remote y.y.y.y:port]   File "/home/ec2-user/django/django/middleware/common.py", line 48, in process_request
[Thu Oct 13 16:53:59.234786 2022] [wsgi:error] [pid 4234] [remote y.y.y.y:port]     host = request.get_host()
[Thu Oct 13 16:53:59.234789 2022] [wsgi:error] [pid 4234] [remote y.y.y.y:port]   File "/home/ec2-user/django/django/http/request.py", line 148, in get_host
[Thu Oct 13 16:53:59.234793 2022] [wsgi:error] [pid 4234] [remote y.y.y.y:port]     raise DisallowedHost(msg)
[Thu Oct 13 16:53:59.234796 2022] [wsgi:error] [pid 4234] [remote y.y.y.y:port] django.core.exceptions.DisallowedHost: Invalid HTTP_HOST header: 'x.x.x.x'. You may need to add 'x.x.x.x' to ALLOWED_HOSTS.

I don't get this error when I try to access an invalid route and my IP isn't in ALLOWED_HOSTS, which is interesting to me. It may not mean anything.

Shmack
  • 141

1 Answer


I wonder if you can simplify your configuration to figure out exactly what isn't working? The following seems to work exactly as expected:

<VirtualHost *:80>
    ServerName www.mysite.com

    <Directory /var/www/html/protected>
        <RequireAll>
            Require not ip 192.168.1.200
            Require not ip 192.168.1.201
            Require all granted
        </RequireAll>
    </Directory>
</VirtualHost>

If I access that from an address not in the deny list, it works just fine:

$ curl -H 'Host: www.mysite.com' 192.168.122.67/protected/
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <title>Root</title>
  </head>

<body> This is the protected document. </body> </html>

But if I access from a forbidden IP, I get a 403 Forbidden response:

$ curl -H 'Host: www.mysite.com' 192.168.122.67/protected/ --interface 192.168.1.200
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

Are you able to reproduce that behavior? Try that first, and if it works, then start introducing additional parts of your configuration until the behavior changes.


If your web server is behind a proxy, you need a slightly different solution. First, you need to ensure that your frontend proxy provides you with the original client address in an HTTP header such as X-Forwarded-For or Forwarded.

You have a couple of options:

  1. You can match directly against the header. For example, if the original client IP is in X-Forwarded-For, we could prevent access from a specific client like this:

    <Directory "/usr/local/apache2/htdocs">
        Options Indexes FollowSymLinks
        AllowOverride None

        Require expr %{HTTP:X-Forwarded-For} != '172.25.0.1'
    </Directory>

  2. You can tell Apache to treat an IP address in a header as the client address for the purposes of access control using the mod_remoteip module.

    In that case, you might have:

    LoadModule remoteip_module modules/mod_remoteip.so
    # The header name is X-Forwarded-For (hyphens throughout, not an underscore)
    RemoteIPHeader X-Forwarded-For

    <Directory "/usr/local/apache2/htdocs">
        Options Indexes FollowSymLinks
        AllowOverride None

        Require not ip 172.25.0.1
    </Directory>

larsks
  • 47,453
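The symptom in the question (Require not ip appearing to do nothing) and the proxy discussion in the answer both come down to one thing: which address Apache believes is the client when it evaluates the <RequireAll> block. The following Python model is added here as an illustration and is not code from either post. It mirrors how mod_remoteip with RemoteIPInternalProxy derives the client address from X-Forwarded-For (walking the header right to left and only consuming entries while the current address is a trusted proxy), then applies the deny list the way `Require not ip` entries inside <RequireAll> do, and compares that with the whole-header `Require expr` check from option 1 of the answer. The 10.0.0.0/8 proxy range, the deny-list entries and every request scenario are constructed for this example.

```python
"""Model of Apache client-address selection (mod_remoteip) plus a RequireAll deny list.

Assumed equivalent Apache configuration (constructed for this example, not taken
from the thread):

    LoadModule remoteip_module modules/mod_remoteip.so
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 10.0.0.0/8      # only these peers may rewrite the client address

    <Directory "/var/www/html/protected">
        <RequireAll>
            Require not ip 192.168.1.200
            Require not ip 203.0.113.0/24
            Require all granted
        </RequireAll>
    </Directory>
"""
import ipaddress
from typing import Iterable, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def effective_client_ip(peer_addr: str, xff_header: Optional[str],
                        trusted_proxies: Iterable[str]) -> IPAddress:
    """Return the address Apache would use for access control.

    Start from the TCP peer. While that address is a trusted proxy, replace it
    with the rightmost remaining X-Forwarded-For entry. The first address that
    is not a trusted proxy is the client; anything further left in the header
    was supplied by an untrusted party and is ignored. If the peer itself is
    not trusted, the header is ignored entirely (an empty trusted list models
    a server with no mod_remoteip, or an untrusted proxy).
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    client = ipaddress.ip_address(peer_addr)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    while hops and any(client in net for net in trusted):
        try:
            client = ipaddress.ip_address(hops.pop())
        except ValueError:
            # Assumption for this model: an unparsable entry ends processing and
            # the last good (proxy) address remains the client.
            break
    return client


def is_denied(client: IPAddress, deny_list: Iterable[str]) -> bool:
    """`Require not ip X` ... `Require all granted` inside <RequireAll>: denied
    if the client matches any entry (single address or CIDR), else allowed."""
    return any(client in ipaddress.ip_network(e, strict=False) for e in deny_list)


def evaluate_request(peer_addr: str, xff_header: Optional[str],
                     trusted_proxies: Iterable[str],
                     deny_list: Iterable[str]) -> Tuple[str, int]:
    """Return (client address Apache used, HTTP status the deny list yields)."""
    client = effective_client_ip(peer_addr, xff_header, trusted_proxies)
    return str(client), (403 if is_denied(client, deny_list) else 200)


def naive_expr_check(xff_header: Optional[str], blocked: str) -> int:
    """`Require expr %{HTTP:X-Forwarded-For} != 'blocked'`: a whole-string
    compare, denied only when the header is exactly the blocked address."""
    return 403 if (xff_header or "") == blocked else 200


if __name__ == "__main__":
    DENY = ["192.168.1.200", "203.0.113.0/24"]   # constructed deny list
    LB = ["10.0.0.0/8"]                          # constructed RemoteIPInternalProxy range
    scenarios = [
        ("direct, no proxy",           "192.168.1.200", None,                          []),
        ("behind LB, no mod_remoteip", "10.0.0.5",      "192.168.1.200",               []),
        ("behind LB, mod_remoteip",    "10.0.0.5",      "192.168.1.200",               LB),
        ("blocked client forges XFF",  "10.0.0.5",      "198.51.100.9, 192.168.1.200", LB),
        ("two trusted hops",           "10.0.0.5",      "203.0.113.7, 10.0.0.7",       LB),
        ("direct client sets XFF",     "203.0.113.7",   "10.0.0.1",                    LB),
    ]
    for label, peer, xff, trusted in scenarios:
        client, status = evaluate_request(peer, xff, trusted, DENY)
        print(f"{label:28} peer={peer:14} xff={xff!s:30} -> client={client:15} {status}")
    # The whole-header compare fails open as soon as the header has more than one entry.
    print("naive expr, honest header:", naive_expr_check("192.168.1.200", "192.168.1.200"))
    print("naive expr, forged prefix:", naive_expr_check("198.51.100.9, 192.168.1.200", "192.168.1.200"))
```

Two things the scenarios make visible. With an empty trusted list (no mod_remoteip), a request arriving through a load balancer is evaluated against the balancer's address, so the deny list never matches and the site stays reachable, which is the behaviour described in the question if a load balancer or other proxy sits in front of the instance. And the whole-header `Require expr` compare from option 1 fails open the moment the header carries more than one entry, while X-Forwarded-For is client-supplied unless the proxy overwrites it; mod_remoteip with RemoteIPInternalProxy (or RemoteIPTrustedProxy) restricted to the proxy's own address range only rewrites the client address when the TCP peer really is that proxy.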