Apache 2.4 - How to restrict traffic (by IP address) to all requests except the base path?

Question

I have a collection of debugging scripts in /var/www that display useful information that helps with investigating issues on the server, however that same information is potentially sensitive, so I do not want it publicly available.

The DocumentRoot is /var/www/, which looks like this:

$ ls -1 /var/www/
apc.php
index.php
linux-dash
opcache.php
phpinfo.php

To secure this information I'm trying to configure apache to only accept requests from my IP address (which for the sake of this example is 192.168.33.1).

The complication is that I want requests to www.example.com and www.example.com/index.php to respond with a 200 regardless of which IP they originate from.

My status.conf virtual host config currently looks like this:

ServerName      www.example.com

<VirtualHost *:80>
    ServerName      www.example.com

    DocumentRoot    /var/www
    <Directory      /var/www>
        Options FollowSymLinks
        AllowOverride All
        Require ip 192.168.33.1
    </Directory>

    <LocationMatch ^/(index.php)?$>
        Require all granted
    </LocationMatch>

    <Location /server-status>
        SetHandler server-status
    </Location>
</VirtualHost>

This is partially working, as it's allowing responding with a 200 to requests to www.example.com and www.example.com/index.php from any request IP address, however it's incorrectly responding with a 403 to all other requests even when requested from the whitelisted IP address:

$ curl -I -H 'Host: www.example.com' 192.168.33.10
HTTP/1.1 200 OK

$ curl -I -H 'Host: www.example.com' 192.168.33.10/index.php
HTTP/1.1 200 OK

$ curl -I -H 'Host: www.example.com' 192.168.33.10/phpinfo.php
HTTP/1.1 403 Forbidden

$ curl -I -H 'Host: www.example.com' 192.168.33.10/opcache.php
HTTP/1.1 403 Forbidden

$ curl -I -H 'Host: www.example.com' 192.168.33.10/server-status
HTTP/1.1 403 Forbidden

From access.log:

192.168.33.1 - - [15/Jun/2015:09:59:13 +0000] "HEAD / HTTP/1.1" 200 148 "-" "curl/7.37.1"
192.168.33.1 - - [15/Jun/2015:09:59:32 +0000] "HEAD /index.php HTTP/1.1" 200 148 "-" "curl/7.37.1"
192.168.33.1 - - [15/Jun/2015:09:59:47 +0000] "HEAD /phpinfo.php HTTP/1.1" 403 139 "-" "curl/7.37.1"
192.168.33.1 - - [15/Jun/2015:10:00:03 +0000] "HEAD /opcache.php HTTP/1.1" 403 139 "-" "curl/7.37.1"
192.168.33.1 - - [15/Jun/2015:10:00:22 +0000] "HEAD /server-status HTTP/1.1" 403 139 "-" "curl/7.37.1"

What changes do I need to make to my Apache config in order to achieve the desired behaviour?

Answer 1

Your config looks good - try reloading Apache in case there is a config change that hasn't taken effect.

Answer 2

That's because you are inserting the LocationMatch just for index.php. LocationMatch can be defined like a regexp, so you can try to add a regular expression for all the files you would need.

Somthing like:

<LocationMatch ^/(index.php|phpinfo.php|opcache.php)?$>
        Require all granted
</LocationMatch>