我已经想出了一个 apache 配置,用于内部 owncloud 安装的反向代理。它工作得很好,现在我想通过 IP 限制主机,可以访问这个反向代理主机,但我注意到了两件事(执行代理的主机的示例配置):
<VirtualHost *:443>
# I put below line here but it seems it isn't used when reverse-proxying
DocumentRoot "c:/apache/owncloud"
# this host is going to answer to The World to requests to owncloud
ServerName cloud.example.com:443
ServerAdmin [email protected]
ErrorLog "c:/apache/logs/ssl-owncloud-error.log"
TransferLog "c:/apache/logs/ssl-owncloud-access.log"
# the actual host with owncloud is reachable from intranet by this name
ProxyPass "/" "https://cloud.example.com/"
ProxyPassReverse "/" "https://cloud.example.com/"
# This is important, the Directory section, I imagined this would work...
<Directory "c:/apache/owncloud">
Options FollowSymLinks
AllowOverride FileInfo
Require IP xxx.xxx.xxx.xxx
Require IP yyy.yyy.yyy.yyy
Require all denied
</Directory>
SSLEngine on
SSLCertificateFile "c:/apache/ssl/server.pem"
SSLCertificateKeyFile "c:/apache/ssl/privkey.decr.key"
SSLProxyEngine On
</VirtualHost>
1)我已经添加了目录部分并认为它会受到尊重,但事实并非如此。
2)当然,代理机器(owncloud 主机)不知道实际上我们 LAN 外部的主机拉动了页面,在访问日志中它只显示代理的 IP,所以我无法在那里进行限制。
请分享您的知识,我应该在哪里设置基于 IP 的限制,因为上述方法不起作用,而且实际上全世界都可以看到 owncloud。
答案1
由于 ProxyPass 不会将请求映射到本地文件系统,因此在Directory块中设置访问控制不起作用。您需要在Location容器中设置它们,即使用类似以下内容:
<Location />
ProxyPass "https://cloud.example.com/"
ProxyPassReverse "https://cloud.example.com/"
<RequireAll>
Require IP xxx.xxx.xxx.xxx
Require IP yyy.yyy.yyy.yyy
Require all denied
</RequireAll>
</Location>