Apache 作为反向代理并限制允许的主机

Apache 作为反向代理并限制允许的主机

我已经想出了一个 apache 配置,用于内部 owncloud 安装的反向代理。它工作得很好,现在我想通过 IP 限制主机,可以访问这个反向代理主机,但我注意到了两件事(执行代理的主机的示例配置):

<VirtualHost *:443>
  # I put below line here but it seems it isn't used when reverse-proxying
  DocumentRoot "c:/apache/owncloud"
  # this host is going to answer to The World to requests to owncloud
  ServerName cloud.example.com:443
  ServerAdmin [email protected]
  ErrorLog "c:/apache/logs/ssl-owncloud-error.log"
  TransferLog "c:/apache/logs/ssl-owncloud-access.log"
  # the actual host with owncloud is reachable from intranet by this name
  ProxyPass "/" "https://cloud.example.com/"
  ProxyPassReverse "/" "https://cloud.example.com/"
  # This is important, the Directory section, I imagined this would work...
  <Directory "c:/apache/owncloud">
    Options FollowSymLinks
    AllowOverride FileInfo
    Require IP xxx.xxx.xxx.xxx
    Require IP yyy.yyy.yyy.yyy
    Require all denied
  </Directory>
  SSLEngine on
  SSLCertificateFile "c:/apache/ssl/server.pem"
  SSLCertificateKeyFile "c:/apache/ssl/privkey.decr.key"
  SSLProxyEngine On
</VirtualHost>

1)我已经添加了目录部分并认为它会受到尊重,但事实并非如此。

2)当然,代理机器(owncloud 主机)不知道实际上我们 LAN 外部的主机拉动了页面,在访问日志中它只显示代理的 IP,所以我无法在那里进行限制。

请分享您的知识,我应该在哪里设置基于 IP 的限制,因为上述方法不起作用,而且实际上全世界都可以看到 owncloud。

答案1

由于 ProxyPass 不会将请求映射到本地文件系统,因此在Directory块中设置访问控制不起作用。您需要在Location容器中设置它们,即使用类似以下内容:

<Location />
    ProxyPass  "https://cloud.example.com/"
    ProxyPassReverse "https://cloud.example.com/"
    <RequireAll>
       Require IP xxx.xxx.xxx.xxx
       Require IP yyy.yyy.yyy.yyy
       Require all denied
    </RequireAll>
</Location>

相关内容