Make apache only accessible via 127.0.0.1, is this possible?
The easiest way to do this is through the Listen directive. By default, there's a line in your httpd.conf that reads:
Listen *:80
Meaning it will respond to requests on port 80 on all of your computer's network addresses. Changing it to:
Listen 127.0.0.1:80
will tell Apache to only respond to requests on the local adaptor, thus ignoring anything else.
The Listen option is probably best, but just as an FYI, you can do it using allow/deny like this:
<Directory /www/vhosts/localhost/>
Options All
AllowOverride All
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
Order deny,allow tells Apache to "Deny all requests unless specifically allowed" (Order allow,deny is the opposite, i.e. allow all requests unless specifically blocked).
Deny from all does a similar thing to Order deny,allow in that it'll block all requests from all IPs unless you specifically open them. It seems to be general practice to use both Order deny,allow and Deny from all, but I'm not 100% sure why when they both do the same thing.
Allow from 127.0.0.1 says "Allow all requests from 127.0.0.1". 127.0.0.1 will map to localhost, so you can use http://127.0.0.1/ or http://localhost/ and it'll be allowed.
That will serve a 403 (Forbidden) error to anyone who requests the site not on localhost.
Some other useful stuff:
Allow from 192.168.0. will allow requests from anyone on your network (providing your network is 192.168.0.0-192.168.0.255).
Allow/deny rules are processed in order, so
Deny from 192.168.0.2
Allow from 192.168.0.2
would allow requests and
Allow from 192.168.0.2
Deny from 192.168.0.2
would deny requests from 192.168.0.2
So
Deny from 192.168.0.2
Allow from all
Would allow requests from 192.168.0.2, even though it had specifically been denied.
You can also use Allow/Deny rules in .htaccess files or on a per-directory basis
I made changes to ports.conf in /etc/apache2 so that each reference to Listen to a port was only listening to localhost. No other files seem to have a Listen command in them. After restarting Apache, these changes seemed to have the desired effect.
/etc/apache2/ports.conf
NameVirtualHost *:80
########################## Listen 80
Listen 127.0.0.1:80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
###############################Listen 443
Listen 127.0.0.1:443
</IfModule>
<IfModule mod_gnutls.c>
##################################Listen 443
Listen 127.0.0.1:443
</IfModule>
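A way to check the result the answers above aim for, as an added example that is not part of any of the original posts: the script below scans Apache configuration text and reports every active Listen directive that is not bound to a loopback address. The function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# An active (uncommented) Listen directive: "Listen [addr:]port [protocol]".
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)

def listen_address(target):
    """Return the address part of a Listen argument, or None for a bare port."""
    if target.startswith("["):            # IPv6 form: [::1]:80
        return target[1:].partition("]")[0]
    if ":" in target:                     # IPv4 / wildcard form: 127.0.0.1:80, *:80
        return target.rsplit(":", 1)[0]
    return None                           # bare port: Listen 80

def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; wildcards and bare ports are not."""
    if addr is None or addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                      # not an IP literal: treat as unverified

def exposed_listeners(config_text):
    """Return (line_number, line) for each Listen not bound to loopback."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = LISTEN_RE.match(line)
        if match and not is_loopback(listen_address(match.group(1))):
            findings.append((number, line.strip()))
    return findings

# Constructed sample modelled on the ports.conf layout shown above.
SAMPLE = """\
NameVirtualHost *:80
# Listen 80
Listen 127.0.0.1:80
<IfModule mod_ssl.c>
    Listen 443
</IfModule>
Listen [::1]:8080
Listen *:8443
"""

if __name__ == "__main__":
    for number, line in exposed_listeners(SAMPLE):
        print(f"line {number}: {line}")
```

To audit a real installation, pass the contents of each configuration file (including any files it includes) to `exposed_listeners`; an empty result means every active Listen directive found is bound to loopback.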