I meant a VirtualHost with:
<Location "/">
Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
</Location>


On Mon, 27 Apr 2020 at 15:44, baptx <baptx...@gmail.com> wrote:

> By the way, I noticed that a VirtualHost with:
> <Location "/>
> Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
> </Location>
> has a dangerous behaviour that I did not notice directly.
> It made my .htaccess files visible publicly by accessing them in a web
> browser when using the reverse proxy (Cloudflare).
> This also resulted in my private folders, which require HTTP authentication,
> being publicly accessible, since the .htaccess files were not working anymore.
> The issue did not happen when setting the direct server IP address for my
> domain name in the /etc/hosts file of my computer to bypass the reverse
> proxy.
> Do you know why it happened? The other solution using mod_rewrite does not
> have this problem:
> RewriteEngine on
> RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
> RewriteRule ^ - [F]
>
>
> On Sun, 26 Apr 2020 at 10:39, baptx <baptx...@gmail.com> wrote:
>
>> Is there a way to display an error with a different message than the 403
>> Forbidden page configured with "ErrorDocument 403"?
>> This would improve the privacy, otherwise if a website displays a 403
>> error on an admin login page restricted by IP address, someone trying to
>> bypass the reverse proxy will see the same error page and could know that a
>> domain name is used on the IP address.
>>
>>
>> On Sat, 25 Apr 2020 at 18:16, baptx <baptx...@gmail.com> wrote:
>>
>>> It worked when using Require in a location, thanks!
>>>
>>>
>>> On Sat, 25 Apr 2020 at 13:41, Yann Ylavic <ylavic....@gmail.com> wrote:
>>>
>>>> On Sat, Apr 25, 2020 at 1:24 PM baptx <baptx...@gmail.com> wrote:
>>>> >
>>>> > @Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}":
>>>> > I want to restrict access on some virtualhosts only because I want to use some domain names without Cloudflare.
>>>> > It looks like your previous solution with mod_rewrite is better in my case, since Require does not work in virtualhosts (I got the error: "Require not allowed in <VirtualHost> context").
>>>>
>>>> Ah yes, correct, it should be enclosed in a location like:
>>>>
>>>> <VirtualHost ...>
>>>>   ...
>>>>   RemoteIP...
>>>>   <Location "/">
>>>>     Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>>>>   </Location>
>>>>   ...
>>>> </VirtualHost>
>>>>
>>>> >>>
>>>> >>> Thanks Yann, it worked.
>>>>
>>>> Great!
>>>>
>>>> Regards,
>>>> Yann.
>>>>
