On Thu, Nov 11, 2010 at 8:47 PM, Bryan O'Neal <Bryan.ONeal@theonealandassociates.com> wrote:
Ok - let us review what you are accomplishing here -
You deny from everyone (Check)
You Allow from your local lan 192.168.25.x (Check)
You allow from some WAN ip (Fail)
If your web IP is, say, 72.168.54.32 then that should work - What do you
have in your error logs? If nothing else it should give you the IP
address of what is being blocked so you can compare what you think is
the correct IP - I would say make sure that you do not have a later
allow / deny statement set as Apache believes the last set always wins -
And make sure you restart the service on every conf change ;)


If you give me the errors I will look at those too.




On Thu, Nov 11, 2010 at 4:00 PM, Mark Phillips
<mark@phillipsmarketing.biz> wrote:
> I have a web server at webIP off site. I have a second server for photos
> running a php photo gallery app behind apache at photoIP on my local LAN. I
> have a page on the web server that uses iframes to the photo server's
> images.
>
> I am trying to restrict access to the photo server to requests from the web
> server using apache Allowoverride on the photo server. Here is what I have:
>
> <VirtualHost photoIP:8080>
>
>         DocumentRoot /var/www/gallery
>
>         <Directory />
>                 Options FollowSymLinks
>                 AllowOverride None
>         </Directory>
>
>         <Directory /var/www/gallery>
>                 Options Indexes FollowSymLinks MultiViews
>                 AllowOverride All FileInfo Options
>                 Order allow,deny
>                 Deny from all
>                 # internal access
>                 Allow from 192.168.25.0/24
>                 Allow from 127
>                 # Web server
>                 Allow from webIP
>         </Directory>
>
>         ErrorLog /var/log/apache2/hammerhead/error.log
>
>         # Possible values include: debug, info, notice, warn, error, crit,
>         # alert, emerg.
>         LogLevel debug
>
>         CustomLog /var/log/apache2/access.log combined
>
> </VirtualHost>
>
> I can access the photos from a machine on my local LAN, but not from hosts
> off my LAN. The only way to get it to work is to change Deny from all to
> Allow from all. What am I doing wrong?
>
> Thanks!
>
> Mark
>


Hi Mark;

Verify via your access logs, after accessing externally with the Allow all on, that you are presenting with a truly EXTERNAL source address. Some configurations might strip off source address and rewrite header for NAT.

Your external address IPs (matching the logs) should be added to your configuration file:

<VirtualHost photoIP:8080>

         DocumentRoot /var/www/gallery

         <Directory />
                 Options FollowSymLinks
                 AllowOverride None
         </Directory>

         <Directory /var/www/gallery>
                 Options Indexes FollowSymLinks MultiViews
                 AllowOverride All FileInfo Options
                 Order allow,deny
                 Deny from all
                 # internal access
                 Allow from 192.168.25.0/24
                 Allow from 127
                 # Web server
                 Allow from 69.50.203.0/24
         </Directory>

</VirtualHost>

AND verify:
 
a)  That your Cox or DSL connection does not limit inbound port 8080 addresses.
b)  Port 8080 is forwarded inbound on your router, like 80 would need to be.

Make sense?
--
Network Operations Center Engineer
Atjeu Hosting

(503) 754-4452
(623) 688-3392

http://www.it-clowns.com | http://www.obnosis.com
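
Added example, not part of the thread or any poster's configuration: a small Python model of how Apache 2.2's mod_authz_host documents the evaluation of Order, Allow and Deny, run over the directives posted above. The client addresses are constructed; hostname and IPv6 arguments are not handled.

```python
import ipaddress

def to_network(spec):
    """Turn an Allow/Deny 'from' argument into an IPv4 network."""
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    # Partial address such as "127" or "192.168.25": pad with zero octets
    # and use a prefix of 8 bits per octet given (a full IP becomes /32).
    octets = spec.rstrip(".").split(".")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))

def matches(client, specs):
    ip = ipaddress.ip_address(client)
    return any(ip in to_network(s) for s in specs)

def decide(order, allow, deny, client):
    """Return True when access is granted under the given Order."""
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "allow,deny":
        # Allow is evaluated first, Deny last. Default is deny, and a
        # client matching both lists is denied.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is evaluated first, Allow last. Default is allow, and a
        # client matching both lists is allowed.
        return allowed or not denied
    raise ValueError("unsupported Order: %r" % order)

# Directives as posted in the thread.
ALLOW = ["192.168.25.0/24", "127", "69.50.203.0/24"]
DENY = ["all"]

# Constructed client addresses: a LAN host, a host inside the allowed
# WAN range, and an unlisted outside host.
CLIENTS = ["192.168.25.10", "69.50.203.7", "203.0.113.9"]

def table(order):
    return {c: decide(order, ALLOW, DENY, c) for c in CLIENTS}

if __name__ == "__main__":
    for order in ("allow,deny", "deny,allow"):
        print("Order", order)
        for client, ok in table(order).items():
            print("  %-15s %s" % (client, "granted" if ok else "403"))
```

In this model `Order allow,deny` combined with `Deny from all` rejects every client, while `Order deny,allow` with the same lists admits only the listed ranges.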