Apache Security - Ivan Ristic [96]
Put the Allow and Deny directives in the order you want them executed. This will not affect the execution order (you control that via the Order directive), but it will give you one less thing to think about.
Use explicit Allow from all or Deny from all instead of relying on the implicit behavior.
Always test the configuration to ensure it works as expected.
Using environment variables
Allow and Deny support a special syntax that can be used to allow or deny access based not on the request IP address but on the information available in the request itself or on the contents of an environment variable. If you have mod_setenvif installed (and you probably do since it is there by default), you can use the SetEnvIf directive to inspect incoming requests and set an environment variable if certain conditions are met.
In the following example, I use SetEnvIf to set an environment variable whenever the request uses GET or POST. Later, such requests are allowed via the Allow directive:
# Set the valid_method environment variable if
# the request method is either GET or POST
SetEnvIf Request_Method "^(GET|POST)$" valid_method=1
# Then only allow requests that have this variable set
Order Deny,Allow
Deny from all
Allow from env=valid_method
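Because Order, not the textual position of the directives, decides which pass runs first, it helps to have a way to check a configuration's effect without restarting the server. The following is an added example, not code from the book: a small Python model of how Apache 1.3/2.0 evaluate Order, Allow and Deny for the two configurations shown so far (the SetEnvIf/valid_method rules above and an internal-network rule). The pattern forms it understands ("all", a dotted prefix such as "192.168.254.", and "env=NAME") and the sample IP addresses are assumptions made for the illustration.

```python
"""Added example (not from the book): a model of how Apache 1.3/2.0 evaluate
Order, Allow and Deny, so the effect of a configuration can be checked
without a running server. Patterns handled: "all", a dotted IP prefix such
as "192.168.254.", and "env=NAME" (the mod_setenvif form)."""
import re


def set_env_if_method(method, regex, name, env=None):
    """Mimic `SetEnvIf Request_Method "<regex>" <name>=1`: return a copy of
    the environment with <name> set when the request method matches."""
    env = dict(env or {})
    if re.search(regex, method):
        env[name] = "1"
    return env


def _matches(pattern, ip, env):
    if pattern == "all":
        return True
    if pattern.startswith("env="):
        return pattern[4:] in env
    # A partial dotted-quad pattern matches as a prefix, like Apache's
    # "Allow from 192.168.254." form.
    return ip == pattern or ip.startswith(pattern)


def evaluate(order, rules, ip, env=None):
    """Return True when access is granted.

    rules is a list of ("allow"|"deny", pattern) tuples in *any* textual
    order: only the Order value decides which pass runs first.
    """
    env = env or {}
    allow_hit = any(_matches(p, ip, env) for kind, p in rules if kind == "allow")
    deny_hit = any(_matches(p, ip, env) for kind, p in rules if kind == "deny")
    if order == "Deny,Allow":
        # Deny rules first, Allow rules second; anything unmatched is allowed,
        # and an Allow match overrides a Deny match.
        return allow_hit or not deny_hit
    if order == "Allow,Deny":
        # Allow rules first, Deny rules second; anything unmatched is denied,
        # and a Deny match overrides an Allow match.
        return allow_hit and not deny_hit
    raise ValueError("unknown Order: %r" % order)


# The SetEnvIf configuration from the text: Deny from all, Allow from env=valid_method
METHOD_RULES = [("deny", "all"), ("allow", "env=valid_method")]


def method_allowed(method, ip="10.0.0.5"):
    env = set_env_if_method(method, r"^(GET|POST)$", "valid_method")
    return evaluate("Deny,Allow", METHOD_RULES, ip, env)


# An internal-network rule (192.168.254.0/24 is an assumed address range)
PROXY_RULES = [("deny", "all"), ("allow", "192.168.254.")]


def proxy_allowed(ip):
    return evaluate("Deny,Allow", PROXY_RULES, ip)


if __name__ == "__main__":
    for m in ("GET", "POST", "TRACE"):
        print(m, "->", "allowed" if method_allowed(m) else "denied")
    for ip in ("192.168.254.10", "203.0.113.9"):
        print(ip, "->", "allowed" if proxy_allowed(ip) else "denied")
```

Two outcomes worth noting when you run it: listing the Allow line before the Deny line changes nothing, exactly as the text says, and `Order Allow,Deny` with only a `Deny from` line denies every client, because the implicit default for that order is deny. That second case is why the text recommends an explicit `Allow from all` or `Deny from all` rather than relying on the implicit behaviour.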
Proxy Access Control
Restricting access to a proxy server is very important if you are running a forward proxy, i.e., when a proxy is used to access other web servers on the Internet. A warning about this fact appears at the beginning of the mod_proxy reference documentation (http://httpd.apache.org/docs-2.0/mod/mod_proxy.html). Failure to properly secure a proxy will quickly result in spammers abusing the server to send email. Others will use your proxy to hide their tracks as they perform attacks against other servers.
In Apache 1, proxy access control is done through a specially named directory (proxy:), using network access control (as discussed in the Section 7.3.5):
# Allow forward proxy requests
ProxyRequests On
# Allow access to the proxy only from
# the internal network
<Directory proxy:*>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.254.
</Directory>
In Apache 2, the equivalent <Proxy> container is used:
# Allow forward proxy requests
ProxyRequests On
# Allow access to the proxy only from
# the internal network
<Proxy *>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.254.
</Proxy>
Proxying SSL requests requires use of a special CONNECT method, which is designed to allow arbitrary TCP/IP connection tunneling. (See Chapter 11 for examples.) Apache will allow connection tunneling to target only ports 443 (SSL) and 563 (SNEWS) by default. You should not allow other ports to be used (using the AllowCONNECT directive) since that would allow forward proxy users to connect to other services through the proxy.
One consequence of using a proxy server is transfer of trust. Instead of users on the internal network, the target server (or application) is seeing the proxy as the party initiating communication. Because of this, the target may give more access to its services than it would normally do. One common example of this problem is using a forward proxy server to send email. Assuming an email server is running on the same machine as the proxy server, this is how a spammer would trick the proxy into sending email:
POST http://localhost:25/ HTTP/1.0
Content-Length: 120

MAIL FROM: aspammer
RCPT TO: ivanr@webkreator.com
DATA
Subject: Please have some of our spam

Spam, spam, spam...
.
QUIT
This works because SMTP servers are error tolerant. When receiving the above request, the proxy opens a connection to port 25 on the same machine (that is, to the SMTP server) and forwards the request to that server. The
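Even with the access control above in place, the access log is where you see whether anyone is trying to use the proxy from outside, to tunnel to ports other than 443 and 563, or to reach loopback services such as the mail server through the proxy. The following is an added example, not code from the book: a Python audit of Apache common-format log lines that flags exactly those request shapes. The log lines are constructed for the illustration, and the trusted network (192.168.254.0/24) and the default AllowCONNECT ports (443 and 563, as stated in the text) are assumptions baked into the script.

```python
"""Added example (not from the book): flag forward-proxy abuse patterns in
Apache access-log lines. The sample lines below are constructed."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample log lines in Apache's common log format (not from the book).
SAMPLE_LOG = """\
192.168.254.7 - - [10/Oct/2004:13:55:36 +0000] "GET http://www.example.com/ HTTP/1.0" 200 1234
203.0.113.9 - - [10/Oct/2004:13:55:40 +0000] "POST http://localhost:25/ HTTP/1.0" 403 212
203.0.113.9 - - [10/Oct/2004:13:55:41 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 403 212
192.168.254.7 - - [10/Oct/2004:13:55:50 +0000] "CONNECT www.example.com:443 HTTP/1.0" 200 0
192.168.254.7 - - [10/Oct/2004:13:56:01 +0000] "GET /index.html HTTP/1.0" 200 5123
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

INTERNAL_NETS = [ip_network("192.168.254.0/24")]  # assumption: the trusted network
ALLOWED_CONNECT_PORTS = {443, 563}                # Apache's default AllowCONNECT ports
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def target_host_port(method, target):
    """Return (host, port) for a proxy-style request line (absolute URI or
    CONNECT host:port), or (None, None) for an ordinary origin-form request
    such as GET /index.html that the proxy would never forward."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, (int(port) if port.isdigit() else None)
    if "://" in target:
        u = urlsplit(target)
        default = 443 if u.scheme == "https" else 80
        return u.hostname, u.port or default
    return None, None


def classify(line):
    """Return (client_ip, [finding labels]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    host, port = target_host_port(rec["method"], rec["target"])
    findings = []
    if host is None:
        return rec["ip"], findings  # not a proxy request at all
    if not is_internal(rec["ip"]):
        findings.append("proxy-request-from-outside")
    if rec["method"] == "CONNECT" and port not in ALLOWED_CONNECT_PORTS:
        findings.append("connect-to-non-ssl-port")
    if host in LOOPBACK_NAMES:
        findings.append("proxy-target-is-loopback")
    if port == 25:
        findings.append("proxy-target-is-smtp")
    return rec["ip"], findings


def audit(log_text):
    """Map each client IP to the set of finding labels raised by its requests.
    Clients with no findings are omitted."""
    report = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        ip, findings = result
        if findings:
            report.setdefault(ip, set()).update(findings)
    return report


if __name__ == "__main__":
    for ip, labels in sorted(audit(SAMPLE_LOG).items()):
        print(ip, sorted(labels))
```

A 403 in the status column means the Deny rule already did its job, but the attempt is still worth alerting on: the same client trying both an absolute-URI request to localhost:25 and a CONNECT to port 25 is the transfer-of-trust abuse the text describes, and a burst of such lines from one address is a good trigger for blocking it at the firewall.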