We have an Apache 2 server working as a reverse proxy in front of some Docker instances (we won't talk about the nginx vs. Apache stuff here, for the same reasons we won't talk about vi vs. emacs vs. xyz ;)), and at some point we realized that our apps are a little bit too sensitive to be reachable from any IP.
First, we want to activate the needed modules. Normally that should not be necessary, but for the sake of completeness:
sudo a2enmod authz_core
sudo a2enmod authz_host
Secondly, we want to allow access only from trusted IPs. We forward the requests to the Docker instances via ProxyPass, but we need to create a Location / "catcher"; otherwise we could not use mod_authz to deny other IPs :).
<VirtualHost *:80>
    ServerAdmin johndoe@example.com
    ServerName hex.example.com
    ServerAlias hex
    RedirectMatch ^/$ https://example.com
    <Location />
        <RequireAll>
            Require ip 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
        </RequireAll>
    </Location>
    ProxyPass "/" "http://127.0.0.1:8020/"
    ProxyPassReverse "/" "http://127.0.0.1:8020/"
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin johndoe@example.com
    ServerName hex.example.com
    ServerAlias hex
    <Location />
        <RequireAll>
            Require ip 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
        </RequireAll>
    </Location>
    ProxyPass "/" "http://127.0.0.1:8020/"
    ProxyPassReverse "/" "http://127.0.0.1:8020/"
    # Alias /static /srv/example_sw/sw/public_html/
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/hex.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/hex.example.com.key
    SSLCertificateChainFile /etc/ssl/chains/example-ca-chain.pem
</VirtualHost>
That way, hosts outside the 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 subnets won't be able to access the proxy, and therefore our app :)!
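The restriction has to be repeated in every VirtualHost that proxies to the app, so a vhost that gets the ProxyPass but not the Require ip block stays open. The following check is an added example, not part of the original post: it lists each proxying vhost with its allowed networks. The function names and the sample config are constructed for illustration, and it assumes Require ip arguments are full addresses or CIDR networks, as in the config above.

```python
import ipaddress
import re

# Constructed sample: the :80 vhost is restricted, the :443 vhost was forgotten.
SAMPLE = """
<VirtualHost *:80>
    <Location />
        <RequireAll>
            Require ip 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
        </RequireAll>
    </Location>
    ProxyPass "/" "http://127.0.0.1:8020/"
</VirtualHost>
<VirtualHost *:443>
    ProxyPass "/" "http://127.0.0.1:8020/"
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
REQUIRE_IP = re.compile(r"^\s*Require\s+ip\s+(.+)$", re.M | re.I)
PROXYPASS = re.compile(r"^\s*ProxyPass\s", re.M | re.I)


def audit(conf):
    """Return {vhost address: allowed networks} for every vhost that uses ProxyPass."""
    result = {}
    for addr, body in VHOST.findall(conf):
        body = re.sub(r"^\s*#.*$", "", body, flags=re.M)  # ignore commented-out lines
        if not PROXYPASS.search(body):
            continue
        # Simplification: any Require ip in the vhost counts, wherever it is nested.
        nets = [ipaddress.ip_network(tok, strict=False)
                for line in REQUIRE_IP.findall(body) for tok in line.split()]
        result[addr.strip()] = nets
    return result


def allowed(nets, client):
    """True if client is inside one of the networks; an empty list means no restriction."""
    ip = ipaddress.ip_address(client)
    return not nets or any(ip in n for n in nets)


if __name__ == "__main__":
    for addr, nets in audit(SAMPLE).items():
        status = "restricted to " + ", ".join(map(str, nets)) if nets else "OPEN TO ANY IP"
        print(f"{addr}: {status}")
```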