This is a discussion on apache2 configuration question within the Linux General forums, part of the Linux Forums category.
I run apache2 on my home network. I don't want apache2 to accept requests
from outside this network. However, not all the machines in the network are
switched on at any given moment.

I have Listen 127.0.0.1:80, which is fine for the machine that runs apache2,
but if I add the address of a machine that is not actually on, apache2 won't
start.

How do I configure apache2 so that other machines will be listened to when
switched on, without my having to reconfigure and restart each time? Or am I
misunderstanding what's involved?

- Richard.
Richard Kimber wrote:
> I run apache2 on my home network. I don't want apache2 to accept requests
> from outside this network. However, not all the machines in the network
> are switched on at any given moment.
>
> I have Listen 127.0.0.1:80, which is fine for the machine that runs
> apache2, but if I add the address of a machine that is not actually on,
> apache2 won't start.
>
> How do I configure apache2 so that, other machines will be listened to,
> when switched on, without my having to reconfigure and restart each time?
> Or am I misunderstanding what's involved?

You do not need to reconfigure Apache2. What you need is for the other
machines in your network to know how to address the server.

127.0.0.1 is always the localhost, meaning the machine on which you are
running. On the machine running your Apache2 server, you can access the
server through that IP address. But on one of your other machines, 127.0.0.1
refers to THAT machine, not the one running the Apache2 server.

You need to know the IP address on your LAN for the Apache2 server. If it
happens to be 192.168.1.4, for example, then you could use this IP address to
access the server from any machine on your LAN (including the server itself).

If you are using DHCP to get dynamic IP addresses, of course, then the IP
address of the server could/will change each time you restart the network on
that machine. On my network, I assign a static IP address on the machine
running the server (one within the subnet, but excluded from the DHCP
server's range), and then use the hostnames file (see YaST->Network
Services->Hostnames) to associate a *Name* with that IP address. It's sort of
like running a poor man's DNS.

HTH

--
Larry Bristol --- The Double Luck
http://www.doubleluck.com
On Sun, 03 Sep 2006 14:09:40 GMT, Richard Kimber <rkimber@ntlworld.com>
wrote:
> I run apache2 on my home network. I don't want apache2 to accept
> requests from outside this network. However, not all the machines in
> the network are switched on at any given moment.
>
> I have Listen 127.0.0.1:80, which is fine for the machine that runs
> apache2, but if I add the address of a machine that is not actually
> on, apache2 won't start.

Uh, the Listen directive doesn't do what you seem to think it does. It
specifies what network interfaces to listen on (bind to), not what machines
on the network are able to connect. I'm not sure why it makes any difference
which machines are turned on since Listen is about the network interfaces on
the machine that is running Apache. I think you forgot to tell us something.

Anyway, read this for what Listen does:

<http://httpd.apache.org/docs/2.2/bind.html>

You want Apache to listen on the IP address of the machine's network adapter,
or all local interfaces (Listen 0.0.0.0:80). Then all of the machines on that
network will be able to connect.

I would hope that your home network is connected through some kind of
router/firewall device. If so, then you're done, nobody from outside will be
able to connect to your Apache server. If not, then you should get one today.
Or read this about the Allow and Deny directives:

<http://httpd.apache.org/docs/2.2/howto/access.html>
<http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow>

--
-| Bob Hauck
-| A proud member of the unhinged moonbat horde.
-| http://www.haucks.org/
Larry Bristol wrote:
> 127.0.0.1 is always the localhost, meaning the machine on which you are
> running. On the machine running your Apache2 server, you can access the
> server through that IP address. But on one of your other machines,
> 127.0.0.1 refers to THAT machine, not the one running the Apache2 server.
>
> You need to know the IP address on your LAN for the Apache2 server. If it
> happens to be 192.168.1.4, for example, then you could use this IP address
> to access the server from any machine on your LAN (including the server
> itself).
>

Thanks. I had assumed that Listen 127.0.0.1:80 meant that apache would only
serve pages to a user on that machine, and that that was a way of preventing
any other machine from accessing the pages, and that to allow any other
machine to access them I had to include that machine's address, or allow
everyone by not specifying an IP.

So, do I block external access just with the firewall, and simply allow local
machines in the firewall rules, rather than doing it via apache
configuration?

- Richard
At Sun, 03 Sep 2006 14:09:40 GMT Richard Kimber <rkimber@ntlworld.com> wrote:
>
> I run apache2 on my home network. I don't want apache2 to accept requests
> from outside this network. However, not all the machines in the network are
> switched on at any given moment.
>
> I have Listen 127.0.0.1:80, which is fine for the machine that runs apache2,
> but if I add the address of a machine that is not actually on, apache2
> won't start.
>
> How do I configure apache2 so that, other machines will be listened to, when
> switched on, without my having to reconfigure and restart each time? Or am
> I misunderstanding what's involved?

You are misunderstanding what's involved -- the Listen statement defines the
IP and port numbers on the *server* machine. Your server machine actually has
(at least) two IP numbers: the loopback device (127.0.0.1) and your LAN
(ethernet) address. It may also have a (dynamic) IP number for PPP (if you
use PPP dialup). You might also have a second NIC connected to your
broadband, which will have its own (dynamic) IP number.

What you want to do is add a 'Listen <serveripnumber>:80' statement. Or just
'Listen 80'. Then you need to configure your *firewall* to block connects
from off your LAN. Either set it to block connections from your ppp network
device (if you are using PPP) or to block connections from the other side of
your local router. If you are on a broadband connection and are using an
external broadband router, you configure this on the broadband router, since
it is your firewall. If you are using your main server box as the broadband
router (and firewall) and you have two NICs, one connecting to the broadband
and one to the home LAN, you just block http connections from the NIC
connecting to the broadband service (cable or DSL or sat modem).

>
> - Richard.
>

--
Robert Heller -- 978-544-6933
Deepwoods Software -- Linux Installation and Administration
http://www.deepsoft.com/ -- Web Hosting, with CGI and Database
heller@deepsoft.com -- Contract Programming: C/C++, Tcl/Tk
At Sun, 03 Sep 2006 16:02:26 GMT Richard Kimber <rkimber@ntlworld.com> wrote:
>
> Larry Bristol wrote:
>
> > 127.0.0.1 is always the localhost, meaning the machine on which you are
> > running. On the machine running your Apache2 server, you can access the
> > server through that IP address. But on one of your other machines,
> > 127.0.0.1 refers to THAT machine, not the one running the Apache2 server.
> >
> > You need to know the IP address on your LAN for the Apache2 server. If it
> > happens to be 192.168.1.4, for example, then you could use this IP address
> > to access the server from any machine on your LAN (including the server
> > itself).
> >
>
> Thanks. I had assumed that Listen 127.0.0.1:80 meant that apache would only
> serve pages to a user on that machine, and that that was a way of
> preventing any other machine from accessing the pages, and that to allow
> any other machine to access them I had to include that machine's address,
> or allow everyone by not specifying an IP.
>
> So, do I block external access just with the firewall, and simply allow
> local machines in the firewall rules, rather than doing it via apache
> configuration?

Yep.

>
> - Richard
>
>

--
Robert Heller -- 978-544-6933
Deepwoods Software -- Linux Installation and Administration
http://www.deepsoft.com/ -- Web Hosting, with CGI and Database
heller@deepsoft.com -- Contract Programming: C/C++, Tcl/Tk
Richard Kimber wrote:
> Thanks. I had assumed that Listen 127.0.0.1:80 meant that apache would
> only serve pages to a user on that machine, and that that was a way of
> preventing any other machine from accessing the pages, and that to allow
> any other machine to access them I had to include that machine's address,
> or allow everyone by not specifying an IP.

No, that is merely the address:port to which the Apache2 server is going to
listen for requests to service. It has nothing to do with the IP address of
the machine(s) requesting service.

> So, do I block external access just with the firewall, and simply allow
> local machines in the firewall rules, rather than doing it via apache
> configuration?

Essentially, the answer is yes. Whether you need to have an active firewall
depends on whether your local network is visible to the Internet.

For example, my local network uses a private subnet (192.168.1.*/24). There is
a large set of subnets that are treated as private; 192.168.*.*/16 are all
private IP addresses, and there are several other ranges that are considered
private as well. As I understand it, no router will forward data packets in
or out of a private subnet unless it is doing some sort of network address
translation (NAT). What this means, in essence, is that the only data packets
coming out of your network onto the Internet are those that have been
translated (by NAT running in your router) into some public IP address
(typically the one assigned to your router by your ISP when you first
connect). The only data packets coming into your network are those that are
translated (again by NAT running on your router) into your private subnet. In
such an environment, your router is acting as a firewall, screening out all
incoming traffic other than responses to packets the router sent out in the
first place. It also means that your Apache2 server is invisible to the
Internet, and can be accessed only by machines running within your private
subnet.

In some cases, your local network may be assigned a subnet of static public
IP addresses. [Not too many ordinary ISPs do this for home networks because
public IP addresses must be unique across the entire Internet, making them
valuable (and expensive) commodities.] Since this makes every machine on your
LAN visible to the Internet, you would be well advised to run a firewall.
[See Bob Hauck's reply, also.]

--
Larry Bristol --- The Double Luck
http://www.doubleluck.com
Bob Hauck <postmaster@localhost.localdomain> addressed the congregation thusly:
>
> Or read this about the Allow and Deny directives:
>

This was the advice I was going to give. I run apache bound to 0.0.0.0:80 and
let it listen on that port. I have my router forwarding port 80 to the
webserver, so sites can be seen from outside. BUT... I have admin pages
locked down using ALLOW/DENY so that they're only available from within my
LAN. I also have quite a number of virtual sites so that people can only
access them via FQDN. And yes, if someone tries sniffing the IP on port 80 or
bringing up the default index page, they get a somewhat nasty surprise.

Richard: I can send you some example configs if you get stuck.
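The two ideas that run through Bob's reply and the post above, Listen binding the server's own address:port and mod_authz_host Allow/Deny deciding which client addresses may reach a given part of the site, are shown together in the following Apache 2.2 httpd.conf fragment. It is an added example, not a config posted by anyone in this thread; it assumes the server's LAN address is 192.168.1.4 (Larry's example value), that the LAN is 192.168.1.0/24, and that /var/www/admin is a hypothetical admin area.

```apache
# Added example, not from the thread: Apache 2.2 fragment pairing Listen with
# mod_authz_host Allow/Deny. Assumed values: server LAN address 192.168.1.4,
# LAN 192.168.1.0/24, hypothetical admin directory /var/www/admin.

# Listen names the address:port that Apache binds to ON THE SERVER ITSELF.
# It says nothing about which clients may connect. Binding to loopback only
# makes the server reachable from its own host alone:
#   Listen 127.0.0.1:80
# Binding to the LAN address (or to all interfaces with "Listen 80" or
# "Listen 0.0.0.0:80") lets other LAN machines connect, whether or not they
# were switched on when Apache started, because only local addresses are bound.
Listen 127.0.0.1:80
Listen 192.168.1.4:80

# Public content: any client the firewall/NAT lets through may read it.
<Directory "/var/www/html">
    Order allow,deny
    Allow from all
</Directory>

# Admin pages: deny everyone, then allow loopback and the home LAN back in.
# With "Order deny,allow" the Deny rules are evaluated first and matching
# Allow rules override them, so a 192.168.1.x client ends up allowed and any
# other source address gets a 403 Forbidden.
<Directory "/var/www/admin">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.168.1.0/24
</Directory>
```

Two caveats for anyone reusing this: Allow/Deny match the source address as Apache sees it, so if the server sits behind a NAT router that forwards port 80, or behind a reverse proxy, external requests may arrive with a local-looking address and the rules will not distinguish them; and Apache 2.4 replaced Order/Allow/Deny with mod_authz_core's Require (for example `Require ip 192.168.1.0/24`), so the block above is 2.2 syntax matching the documentation links in Bob's reply. Neither form replaces the router or host firewall that the other replies recommend; it is a second layer on top of it.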