Score:0

Apache ProxypassMatch configure to only match requests from self (127.0.0.1)

kr flag

This is what I have now. I'm trying to only allow / do proxy'ing for requests from the localhost, meaning anyone else shouldn't be able to visit /ha_proxy and be directed to, say, the 169.25 IP. Is there a way to do this?

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
ProxyTimeout 3600
ProxyPassMatch "^/ha_proxy/([0-9])/(.*)$" "https://169.25.0.$1:43/$2"
ProxyPassMatch "^/manager_proxy/(.*?)/(.*)$" "https://$1/$2"
ProxyPassMatch "^/rest_proxy/(.*)$" "https://127.0.0.1:9/$1"
Score:0
bv flag

It's been a while since I've managed Apache servers but I think you can use location tags as below to specify the path. Choose to deny from all and then allow from loopback address.

<Location /foo> 
  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1
  ProxyPass http://example.com/foo
  ProxyPassReverse http://example.com/foo 
</Location>

Writing this on my phone so I've copied an example from elsewhere as opposed to copying your code. You can add your config in between the location tags and use LocationMatch for regex as mentioned here LocationMatch. Hope that helps.

ajfbiw.s avatar
kr flag
Thanks, but doesn't quite work because it seems like when proxy'ing happens, the new source ip is not 127.0.0.1. So basically when I tried this, the internal request (supposedly during proxy'ing) is denied as well.
Robben avatar
bv flag
The IP in the logs on your backend that you proxy to will probably show the IP of your Apache unless you forward the x-forwarded-for header, but if you send the request to Apache from the same machine Apache is running on, the source IP that Apache sees should be its own IP or localhost. You should be able to see this in your Apache access log.
Score:0
bv flag

In fact, what I pasted previously was changed in Apache 2.4. The below should work if sending a request to Apache from localhost.

<Location /foo>
  Require local
  ProxyPass http://example.com/foo
  ProxyPassReverse http://example.com/foo 
</Location>

Or you can use the below:

<Location /foo>
  Require ip 127.0.0.1
  ProxyPass http://example.com/foo
  ProxyPassReverse http://example.com/foo
</Location>
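
The `Require local` approach from the answer above, applied to the three `ProxyPassMatch` rules in the question. This is an added example, not code from either poster; it assumes Apache 2.4 with mod_proxy, mod_proxy_http, mod_ssl and mod_authz_host loaded, and the `<LocationMatch>` pattern is one constructed here to cover the question's three prefixes.

```apache
# Added example. The SSLProxy* and ProxyTimeout lines from the question
# stay as they were and are not repeated here.

# The question's mappings, unchanged. On their own they are reachable by
# any client that can connect to this virtual host.
ProxyPassMatch "^/ha_proxy/([0-9])/(.*)$" "https://169.25.0.$1:43/$2"
ProxyPassMatch "^/manager_proxy/(.*?)/(.*)$" "https://$1/$2"
ProxyPassMatch "^/rest_proxy/(.*)$" "https://127.0.0.1:9/$1"

# Authorization is evaluated on the incoming request URL before the proxy
# handler runs, so one section can gate all three prefixes.
# "Require local" admits a client address in 127.0.0.0/8, the address ::1,
# or a connection whose client and server addresses are identical.
# Every other client receives 403 and nothing is sent to a backend.
<LocationMatch "^/(ha_proxy|manager_proxy|rest_proxy)/">
    Require local
</LocationMatch>

# Equivalent gate using explicit addresses instead of "Require local"
# (use one form or the other, not both):
#
# <LocationMatch "^/(ha_proxy|manager_proxy|rest_proxy)/">
#     Require ip 127.0.0.1 ::1
# </LocationMatch>
```

To check it, request one of the prefixes from the Apache host itself and again from another machine, then compare the client address and status code recorded in the access log for each request.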