2

I am using directory listing restricted to specific IP ranges. Recently, we moved the web server to AWS and are using ELB. Now, even when I am in the IP range, Apache says forbidden access. Can anyone help me?

2 Answers

2

If you have any proxy or ELB between the client and the web server, the IP visible to the web server will be that proxy/ELB IP. In that scenario you can limit access through the X-Forwarded-For IP.

Here are some examples:

Apache 2.4

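# Set allowed_list when X-Forwarded-For contains an allowed address or prefix
# (dots are escaped so they match a literal ".")
SetEnvIf X-Forwarded-For "202\.12\.32\.1" allowed_list
SetEnvIf X-Forwarded-For "202\.32\.32\." allowed_list
Require env allowed_list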

Apache 2.2

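# Set allowed_list when X-Forwarded-For contains an allowed address or prefix
# (dots are escaped so they match a literal ".")
SetEnvIf X-Forwarded-For "202\.12\.32\.1" allowed_list
SetEnvIf X-Forwarded-For "202\.32\.32\." allowed_list
Order deny,allow
Deny from all
Allow from env=allowed_list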
Sourav
  • 1,343
0

Enable and configure mod_remoteip. You will need to identify the IP addresses used by ELB. (Or you could allow anyone to spoof X-Forwarded-For, but use some firewall facility to block accesses to your webserver which do not come from the ELBs. Maybe Amazon has such a feature).

sourcejedi
  • 50,249
  • Through an AWS security group he can allow/block traffic. His requirement is something different. He has DirectoryIndex enabled for a specific directory and he wants to limit access to that directory. – Sourav Jun 20 '17 at 20:20
  • @SouravMaity great! mod_remoteip will allow vishnupanati to achieve their aim based on the X-Forwarded-For header set by the ELB. But, if vishnupanati allows mod_remoteip to work for connections which didn't go through the ELB, then anyone can bypass the protection by sending an X-Forwarded-For which specifies one of the allowed IPs. – sourcejedi Jun 21 '17 at 07:54
  • @SouravMaity this will allow to continue using the native IP-matching features. This should be clearer if you have to match IPv6, for example. – sourcejedi Jun 21 '17 at 07:59
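
The mod_remoteip approach from the second answer and its comments, written out for Apache 2.4 as an added example that is not part of the original thread. The ELB subnet `10.0.0.0/16` and the directory path are assumptions to replace with your own values; the allowed addresses are the ones used in the first answer.

```apache
# Added example, not from the original answers.
# Assumptions: 10.0.0.0/16 stands in for the subnets your ELB nodes connect
# from, and /var/www/html/listing is a hypothetical directory path.
# mod_remoteip must be enabled for these directives to be recognised.

# Recover the client address from the header the ELB appends to.
RemoteIPHeader X-Forwarded-For

# Honour that header only on connections whose TCP peer is the ELB.
# A request from any other peer keeps its real source address, so an
# X-Forwarded-For value forged by the client is ignored. The header is
# processed from the right, and the ELB appends the peer it saw at the end,
# so values a client prepends are not taken as the client address.
RemoteIPInternalProxy 10.0.0.0/16

<Directory "/var/www/html/listing">
    Options +Indexes
    # Native IP matching against the recovered address: one exact host and
    # one CIDR range, instead of a regex over the raw header string.
    Require ip 202.12.32.1 202.32.32.0/24
</Directory>
```

Access logs keep showing the ELB address under `%h` unless the LogFormat uses `%a`, which prints the address mod_remoteip recovered.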