how to block HTTP from Public IPs
Dear Expert
how to block HTTP from Public IPs
Having NagiosXI 5.x.x
Apache/2.2.15
Centos 6.x
I want to block my NAGIOS/NagiosXI from public IPs, how can I?
I tried via /etc/httpd/conf/httpd.conf but no success
<VirtualHost *:80>
not allowed , not taking the cmd ORDER ALLOW DENY
</VirtualHost>
<Directory *>
Order deny,allow
Deny from all
Allow from 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 100.100.100.100/32
</Directory>
Regards
Re: how to block HTTP from Public IPs
Hi zaji_nms,
First create a file called:
Code:
block-ips.conf
Add the following to the "block-ips.conf" file:
Code:
<LocationMatch "/.*">
<RequireAll>
Require ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 100.100.100.100/32
# Let's say I want to block "192.168.254.30", as it is part of the allowed range "192.168.0.0/16" above
Require not ip 192.168.254.30
# Repeat the "Require not ip ..." line for each IP you want to block
</RequireAll>
</LocationMatch>
Drop the file "block-ips.conf" in the "conf.d" folder of Apache:
Code:
/etc/httpd/conf.d/
Restart the Apache HTTP service:
Code:
# systemctl restart httpd.service
Hope this helps!!
Vinh
Re: how to block HTTP from Public IPs
Dear Vinh
It looks like you have sent the solution for the new Apache version
httpd -t
Syntax error on line 2 of /etc/httpd/conf.d/block-ips.conf:
Invalid command '<RequireAll', perhaps misspelled or defined by a module not included in the server configuration
Please check my very first thread, I have mentioned the Apache and CentOS versions
Can you please recheck and provide the solution according to the version I have mentioned?
regards
Re: how to block HTTP from Public IPs
Thanks Vinh, after your hint, it looks like it should be as below
<LocationMatch "/.*">
Order deny,allow
Deny from all
Allow from 100.100.100.100
Allow from 200.200.200.200
Allow from 172.16.30.0/24
Allow from 192.168.0.0/16
Allow from 10.0.0.0/8
</LocationMatch>
Re: how to block HTTP from Public IPs
Sorry .... my bad!!
/etc/httpd/conf.d/block-ips.conf
Code:
<LocationMatch "/.*">
Order allow,deny
Allow from 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 100.100.100.100/32
Deny from 192.168.254.30
</LocationMatch>
Restart service:
Code:
# service httpd restart
Re: how to block HTTP from Public IPs
Great!! ... I was about to upload my block-ips.conf file.
We will close (lock) this ticket then ....
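Added example (not code from any poster in this thread or from Nagios): a small Python model of how Apache 2.2 evaluates the two Order forms posted above, so the effect of each rule set can be checked per client address. It assumes IP and CIDR entries only (hostname entries such as "localhost" are not modelled); the function names and the sample client addresses are constructed for the illustration.

```python
import ipaddress

def _matches(specs, client):
    """True if client matches any 'from' entry ('all', an IP, or a CIDR)."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False

def access_allowed(order, allow, deny, client):
    """Model Apache 2.2 Order/Allow/Deny for IP-based entries only."""
    allowed, denied = _matches(allow, client), _matches(deny, client)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        # Deny is evaluated first and Allow overrides it; no match = allowed.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first and Deny overrides it; no match = denied.
        return allowed and not denied
    raise ValueError("unsupported Order value: %r" % order)

# The two Apache 2.2 rule sets posted in this thread.
DENY_ALLOW = ("deny,allow",
              ["100.100.100.100", "200.200.200.200", "172.16.30.0/24",
               "192.168.0.0/16", "10.0.0.0/8"],
              ["all"])
ALLOW_DENY = ("allow,deny",
              ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
               "100.100.100.100/32"],
              ["192.168.254.30"])

# Constructed sample clients (203.0.113.7 is a documentation address).
CLIENTS = ["203.0.113.7", "10.1.2.3", "192.168.254.30", "172.16.40.5",
           "127.0.0.1"]

def decisions(rules):
    """Map each sample client to True (served) or False (403)."""
    return {c: access_allowed(*rules, client=c) for c in CLIENTS}

if __name__ == "__main__":
    for name, rules in (("deny,allow", DENY_ALLOW), ("allow,deny", ALLOW_DENY)):
        for client, ok in decisions(rules).items():
            print("%-11s %-15s %s" % (name, client, "allow" if ok else "403"))
```

In this model, removing "Deny from all" from the "Order deny,allow" rule set makes the Allow list meaningless, because clients that match nothing are allowed by default under that order.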
Re: how to block HTTP from Public IPs
Dear Vtrac/Vinh
I was also very excited that the long-pending issue was resolved, but......
no, sorry! We cannot close, as we are facing some minor issue after that
ohhh some major issue..........cannot apply Config change
Can you please do some lab tests and come back with a solution? It will be great
[img]NagiosXI%20apache%20changes%20block-ips%20before%20and%20after.png[/img]
To eliminate any doubt, we allowed all private IPs and the public IPs of our server, but we are facing some minor issue
<LocationMatch "/.*">
Order deny,allow
Deny from all
# public IP of our server
Allow from 100.100.100.100
# another public IP, NATted
Allow from 200.200.200.200
Allow from 172.16.0.0/12
Allow from 192.168.0.0/16
Allow from 10.0.0.0/8
Allow from 127.0.0.0/24
</LocationMatch>
To eliminate any doubt, I have added all private IPs and updated /etc/hosts too, but the issue is not getting resolved
more /etc/hosts
127.0.0.1 localhost localhost.localdomain
192.168.123.123 localhost local2
After blocking, only three are showing:
Monitoring Engine is Running
Performance Graph is Running
Database Backend is Running
and these are not showing at the top of the Search Bar (below):
Active Hosts Check are Enabled
Active Service Checks are Enabled
Notifications are Enabled
Please note that long ago we did some customization to show Display_Name when we click the Service; that is also not showing after the changes (after block-ips.conf)
Regards
Re: how to block HTTP from Public IPs
Hi zaji_nms,
Please add "localhost" to the allowed list, this should fix the issue:
Code:
<LocationMatch "/.*">
Order deny,allow
Deny from all
Allow from 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 100.100.100.100 200.200.200.200 127.0.0.0/24 localhost
</LocationMatch>
Also, I have brought up this issue to my team and it was suggested that it would be better to handle this issue by the firewall (network) team .... which is way more secure!!
Best Regards,
Vinh
Re: how to block HTTP from Public IPs
Thanks Vinh
Yes... added localhost and .... great, it's working fine.... please close this post..... but sorry, I will open another one to give you some more trouble.
Thanks for your advice about the firewall.... we do, but here it is some special case, so we did not apply it.
Thanks once again
scottwilkerson
Re: how to block HTTP from Public IPs
zaji_nms wrote:
Thanks Vinh
Yes... added localhost and .... great, it's working fine.... please close this post..... but sorry, I will open another one to give you some more trouble.
Thanks for your advice about the firewall.... we do, but here it is some special case, so we did not apply it.
Thanks once again

Locking thread