OK - so I have a developer that does not want our REST endpoints to be accessible externally with the only access allowed is localhost and the internal network scheme. Our internal network scheme is 10.10.x.x.
The way we did this is with the < LocationMatch > switch in the .conf file as follows:
<LocationMatch "/foo/bar/*">
Order deny,allow
Deny from all
Allow from 10.10
Allow from 127
</LocationMatch>
Now, the challenge we are having is that the AWS Load Balancer has an X-Forward-Host rule on it so all original source IPs and if I do Allow from 10 - obviously, will allow access to all endpoints externally because of this.
As stated before, our internal IP is 10.10 so I can do allow from 10.10 and that would resolve it but if I make more regions then the network scheme could be 10.20.x. 10.30.x.x 10.40.x.x and then it becomes a bit of an administrative nightmare.
So, what makes sense is someone mentioned to do something on the http.conf level:
<Directory />
#Example..
SetEnvIF X-Forwarded-For "(,| |^)192\.168\.1\.1(,| |$)" DenyIP
SetEnvIF X-Forwarded-For "(,| |^)10\.1\.1\.1(,| |$)" DenyIP
Order allow,deny
Deny from env=DenyIP
Allow from all
</Directory>
So, I am unsure how to follow this format and ensure that it denies all external IPs to these directories.
Would the http.conf file have something like:
<VirtualHost>
#Example..
SetEnvIF X-Forwarded-For "(,| |^)*\.*\.*\.*(,| |$)" DenyIP
</VirtualHost>
and my other conf file with the < LocationMatch > rules have:
<LocationMatch "/foo/bar/*">
Order deny,allow
Deny from env=DenyIP
Allow from 10.
Allow from 127
</LocationMatch>
Thanks for your help!
Rather than modifying apache, use Security Groups!
0.0.0.0/0 for ports 80 & 443.That's it! The security groups will block traffic that attempts to access your apache server(s) without passing through the Load Balancer.
See: