I was asked how to secure an Apache 2 web server so that the web page is only available to the local network. I need this for a BETA environment and for my Debian Router Project.
Here are some simple examples (192.168.5.0/24 is the LAN; you may have to change it):
1. Allow only local network
<Directory /var/www/htdocs>
    Options FollowSymLinks
    AllowOverride None
    DirectoryIndex index.htm
    Order deny,allow
    Deny from all
    Allow from 192.168.5.0/24
</Directory>
2. Allow local network, require password from all other
<Directory /var/www/htdocs>
    Options FollowSymLinks
    AllowOverride None
    DirectoryIndex index.htm
    Order deny,allow
    Deny from all
    Allow from 192.168.5.0/24
    AuthUserFile /var/www/.htpasswd
    AuthName "Private"
    AuthType Basic
    Require valid-user
    Satisfy Any
</Directory>
With "Satisfy" you can use more than one auth method at the same time. With "Satisfy All" both conditions are required; with "Satisfy Any" only one of the conditions is required.
If you have web service requests to localhost, then you have to add 127.0.0.1 to the allowed networks:
Allow from 192.168.5.0/24 127.0.0.1
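The same policy in Apache 2.4 syntax, as an added example that is not part of the original post. It assumes Apache 2.4 with mod_authz_core and mod_authz_host, where Require directives supersede Order/Allow/Deny and Satisfy (the old directives remain available only through mod_access_compat); paths and network are the ones used in the examples above.

```apache
# Added example (assumes Apache 2.4): example 2 from above,
# "local network or password", including the localhost entry.
<Directory /var/www/htdocs>
    Options FollowSymLinks
    AllowOverride None
    DirectoryIndex index.htm

    # Basic auth setup, same files as in the 2.2-style example
    AuthType Basic
    AuthName "Private"
    AuthUserFile /var/www/.htpasswd

    # Equivalent of "Satisfy Any": one matching Require is enough.
    <RequireAny>
        Require ip 192.168.5.0/24
        Require ip 127.0.0.1
        Require valid-user
    </RequireAny>

    # Equivalent of "Satisfy All": replace the block above with
    #   <RequireAll>
    #       Require ip 192.168.5.0/24
    #       Require valid-user
    #   </RequireAll>
    #
    # Equivalent of example 1 (local network only): drop the Auth*
    # lines and the "Require valid-user" line from <RequireAny>.
</Directory>
```

Mixing the old Order/Allow/Deny directives with Require in the same configuration makes the result hard to predict, so convert a Directory block completely rather than line by line.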
Note:
This method is not very secure. You can use it for low-security environments like a BETA web server. It is very simple to break this protection with SNAT.
iptables -t nat -A POSTROUTING -s REALIP -o eth0 -p tcp -m tcp -j SNAT --to-source 192.168.5.224
This iptables command changes the source IP of all TCP packets from REALIP to 192.168.5.224 on the interface eth0.