I'm using a apache2 on ubuntu, in front of a tomcat8 webserver.
I want to restrict access to localhost/manager to only a specific ip address.
The server is in my internal network and has the ip 102.168.139.111. I want to be able to access the /manager endpoint only from my local machine 192.168.128.222, and from nowhere else.
But the following does not work and I'm always getting a 403 Permission denied. Why?
apache2.conf:
<Location /manager/*>
Order Allow,Deny
Deny from all
Allow from 192.168.128.197
</Location>
With:
/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
Sidenote: taking the <Location...> out will allow access to my local IP as expected. So the server configuration in general seems to be fine. Just restricting does not work.
It's probably an order of statements issue. The following works (on root path):
<Location />
Order Deny,Allow
Deny from all
Allow from 192.168.
</Location>