I want our server to be available without LDAP login if the client is requesting through our intranet. It appears that all intranet traffic comes through 10.0* IPs. I modified our VirtualHost based on other httpd.confs I found online to the following:

<VirtualHost *>

    ServerName <REDACTED>

    WSGIScriptAlias / <REDACTED>

    <Directory /var/server/server>
        AuthType Basic
        AuthName "<REDACTED>"
        AuthBasicProvider ldap
        AuthLDAPBindDN "uid=<REDACTED>,ou=<REDACTED>,dc=<REDACTED>"
        AuthLDAPBindPassword "<REDACTED>"
        AuthLDAPURL "<REDACTED>"
        AuthzLDAPAuthoritative On
        Require valid-user
        # I added/modified the following lines when I wanted to get rid of LDAP authentication for internal users
        Order deny,allow
        Deny from all
        Allow from 10.0
        Satisfy any
    </Directory>

</VirtualHost>

However, when I did this it made our server available from the internet without LDAP access! Any ideas what I'm doing wrong?

Rob

1 Answer

You'll want to have your proxy set a header like X-Forwarded-For (which might already be set, depending on what's doing the proxying), then use it for the access control check instead, as covered here.

Something like this:

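Require valid-user
# Set proxy_env only when the last X-Forwarded-For entry is a whole 10.0.x.x address
# (without the left boundary, 110.0.x.x would also match)
SetEnvIf X-Forwarded-For (^|,\s*)10\.0\.\d+\.\d+$ proxy_env
Order allow,deny
Allow from env=proxy_env
Satisfy any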
Shane Madden
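
An added example, not part of the question or the answer: a small Python model of the `Satisfy any` decision, comparing the check on the TCP peer (`Allow from 10.0`) with the `X-Forwarded-For` check using a pattern with and without a left boundary. The proxy address 10.0.0.5, the sample requests and the assumption that the proxy appends the connecting address as the last header entry are all constructed for illustration.

```python
import re

# Patterns applied to X-Forwarded-For. UNBOUNDED has no left boundary;
# BOUNDED only matches when the whole last entry is a 10.0.x.x address.
UNBOUNDED = re.compile(r"10\.0\.\d+\.\d+$", re.ASCII)
BOUNDED = re.compile(r"(?:^|,\s*)10\.0\.\d+\.\d+$", re.ASCII)


def host_check(req, mode):
    """Model of the host-based half of 'Satisfy any'."""
    if mode == "peer":  # Allow from 10.0, tested against the TCP peer
        return req["peer"].startswith("10.0.")
    pattern = UNBOUNDED if mode == "xff-unbounded" else BOUNDED
    # SetEnvIf does an unanchored search; Allow from env=proxy_env uses the result
    return pattern.search(req.get("xff", "")) is not None


def needs_ldap(req, mode):
    """Satisfy any: a passing host check skips Require valid-user."""
    return not host_check(req, mode)


# Constructed requests. Assumption: one reverse proxy at 10.0.0.5 that appends
# the connecting address as the last X-Forwarded-For entry.
REQUESTS = {
    "intranet client": {"peer": "10.0.0.5", "xff": "10.0.3.7"},
    "internet client": {"peer": "10.0.0.5", "xff": "203.0.113.9"},
    "internet client in 110.0/16": {"peer": "10.0.0.5", "xff": "110.0.3.7"},
    "client-sent header + appended": {"peer": "10.0.0.5",
                                      "xff": "10.0.9.9, 203.0.113.9"},
}


def report():
    """Return {request name: {mode: True if LDAP login is still required}}."""
    modes = ("peer", "xff-unbounded", "xff-bounded")
    return {name: {m: needs_ldap(req, m) for m in modes}
            for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:32}", {m: "LDAP" if v else "open" for m, v in row.items()})
```

Because every request reaches Apache from the proxy's own 10.0 address, the peer check opens the site to all four requests, which is the behaviour described in the question.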