'Require host' doesn't work

Comments

13 comments

  • rpvw
    From the Apache docs (mod_authz_host - Apache HTTP Server Version 2.4):

    Require host
    The host provider allows access to the server to be controlled based on the host name of the remote client. When Require host host-name is specified, then the request is allowed access if the host name matches.

    A (partial) domain-name:
        Require host example.org
        Require host .net example.edu
    Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above example will match foo.example.org but it will not match fooexample.org. This configuration will cause Apache to perform a double reverse DNS lookup on the client IP address, regardless of the setting of the HostnameLookups directive. It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP address. Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed.

    You might want to check if Require ip works, and that your reverse lookup for the host being called works as expected, as Apache apparently checks both direct and reverse lookups.
  • DennisMidjord
    I've tested with Require ip as well, but no luck. It seems to work just fine:
        [root@server9 ~]# host nonexistinghostcPanel.com
        Host nonexistinghostcPanel.com not found: 3(NXDOMAIN)
    Am I missing something obvious?
  • rpvw
    I would have expected something like
        [root@server9 ~]# host nonexistinghostcPanel.com
        nonexistinghostcPanel.com has address 123.456.789.123
        nonexistinghostcPanel.com mail is handled by 10 mail.nonexistinghostcPanel.com
  • DennisMidjord
    Not when nonexistinghostcPanel.com doesn't exist, right?
  • rpvw
    If the domain does not exist, it won't resolve and the require will fail! The requirement is for a domain that is, or ends in, a record that resolves both forward and backwards. If you can't make the require by ip work either, that might indicate a more systematic failure of the require directive. Perhaps you need to ensure you have mod_authz_host enabled?
  • DennisMidjord
    Oh, you're right. I'm sorry. I've just tried with Require host cpanel.net, and I'm still able to access the website.
        [root@server9 ~]# host cpanel.net
        cpanel.net has address 208.74.123.68
        cpanel.net has address 208.74.121.51
        cpanel.net mail is handled by 20 mx2.cpanel.net.
        cpanel.net mail is handled by 0 mx1.cpanel.net.
        [root@server9 ~]# dig cpanel.net

        ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> cpanel.net
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 415
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 512
        ;; QUESTION SECTION:
        ;cpanel.net.                    IN      A

        ;; ANSWER SECTION:
        cpanel.net.             74      IN      A       208.74.123.68
        cpanel.net.             74      IN      A       208.74.121.51

        ;; Query time: 13 msec
        ;; SERVER: 8.8.8.8#53(8.8.8.8)
        ;; WHEN: Thu Aug 10 14:20:24 CEST 2017
        ;; MSG SIZE  rcvd: 71
    authz_host_module is enabled (checked using httpd -M)
  • rpvw
    Are any of your htaccess rules working? Do you have allow override on?
  • rpvw
    You might try the following in the htaccess file:
        Require host example.org
  • cPanelMichael
    Hello,

    Could you provide some more information about how you are expecting that entry to work, and an example of the path where that .htaccess file exists (e.g. /home/$username/path/to/.htaccess)? Also, what's configured for "Optimize .htaccess (AllowOverride)" in "WHM >> Apache Configuration >> Global Configuration"?

    Thank you.
  • DennisMidjord
    Are any of your htaccess rules working?

    Yes, Require all denied works perfectly fine.

    You might try the following in the htaccess file:
        Require host example.org

    Still doesn't work. @cPanelMichael, the customer wants to deny all access to a folder (public_html/test/) from anyone, except from a PHP script that's running from another folder on the same account. The .htaccess is located here: /home/$username/public_html/test/.htaccess. "Optimize .htaccess" is currently set to "Search Home Directory and below", but I've also tried with "Search "/" and below" with no luck.
  • rpvw
    How about
        order deny,allow
        deny from all
        allow from 127.0.0.1
  • DennisMidjord
    Hi, That works perfectly fine. The customer wants to use Require host, however.
  • rpvw
    Well... all I can suggest is that you ensure that the reverse DNS lookup Apache performs on the IP address to find the associated hostname works, and that a subsequent forward lookup on the hostname matches the original IP address. I would guess that the lookup of the domain name returns a shared IP and that a reverse lookup of that IP will return the hostname of the server - NOT the domain name you started with. You might need the domain on a dedicated IP with full host name and PTR records for this to work.

    Have you considered trying Require forward-dns, which allows access to the server to be controlled based on simple host names? From the docs:

    The forward-dns provider allows access to the server to be controlled based on simple host names. When Require forward-dns host-name is specified, all IP addresses corresponding to host-name are allowed access. In contrast to the host provider, this provider does not rely on reverse DNS lookups: it simply queries the DNS for the host name and allows a client if its IP matches. As a consequence, it will only work with host names, not domain names. However, as the reverse DNS is not used, it will work with clients which use a dynamic DNS service.
        Require forward-dns bla.example.org
    A client the IP of which is resolved from the name bla.example.org will be granted access. The forward-dns provider was added in 2.4.19.

    Do be aware this is for host names - not domain names! It probably won't be restrictive enough for your client if they don't allow you to use a simple localhost ip rule.
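The double reverse lookup that rpvw keeps pointing at, and the forward-dns alternative, modelled in a small Python script. This is an added example, not code from the thread or from Apache; the DNS table is constructed (documentation-range IPs, made-up names) so it runs offline, and it reproduces why a shared IP whose PTR names the server rather than the site never satisfies Require host.

```python
from typing import Dict, Iterable, List, Optional

# Constructed DNS data (documentation-range IPs, invented names), not real records.
PTR: Dict[str, str] = {                       # reverse records: ip -> name
    "203.0.113.10": "server9.hostingprovider.example",  # shared IP; PTR is the server, not the site
    "198.51.100.7": "www.example.org",                  # dedicated IP with a matching PTR
    "192.0.2.5": "www.example.org",                     # PTR claims a name its A record does not back
}
A: Dict[str, List[str]] = {                   # forward records: name -> ips
    "server9.hostingprovider.example": ["203.0.113.10"],
    "www.example.org": ["198.51.100.7"],
    "cpanel.example": ["203.0.113.10"],                 # a site hosted on the shared IP
}

def double_reverse_hostname(ip: str) -> Optional[str]:
    """Reverse-resolve ip, forward-resolve the result, keep the name only if it maps back to ip."""
    name = PTR.get(ip)
    if name is None or ip not in A.get(name, []):
        return None          # no PTR, or PTR and A disagree: the client is treated as nameless
    return name

def host_matches(name: str, pattern: str) -> bool:
    """'Require host' rule: exact match, or pattern is a suffix ending on a label boundary."""
    name, pattern = name.lower(), pattern.lower()
    if name == pattern:
        return True
    suffix = pattern if pattern.startswith(".") else "." + pattern
    return name.endswith(suffix)   # foo.example.org matches example.org; fooexample.org does not

def require_host(client_ip: str, patterns: Iterable[str]) -> bool:
    """Model of the host provider: double reverse lookup, then suffix match."""
    name = double_reverse_hostname(client_ip)
    return name is not None and any(host_matches(name, p) for p in patterns)

def require_forward_dns(client_ip: str, names: Iterable[str]) -> bool:
    """Model of the forward-dns provider: no reverse lookup, just the A records of the names."""
    return any(client_ip in A.get(n.lower(), []) for n in names)

if __name__ == "__main__":
    # The thread's situation: the client is a script on the same shared IP as the site.
    print(require_host("203.0.113.10", ["cpanel.example"]))        # False: PTR names the server
    print(require_forward_dns("203.0.113.10", ["cpanel.example"])) # True: only the A record is used
    print(require_host("198.51.100.7", ["example.org"]))           # True: dedicated IP, PTR matches
    print(require_host("192.0.2.5", ["example.org"]))              # False: PTR not confirmed by A
```

The third case is why the forward lookup exists: whoever controls the reverse zone for an IP can put any name in its PTR, and only the A record of that name, which the name's owner controls, confirms the claim.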
