{"id":7460,"date":"2018-05-11T21:08:35","date_gmt":"2018-05-11T13:08:35","guid":{"rendered":"http:\/\/rmohan.com\/?p=7460"},"modified":"2018-05-12T13:44:44","modified_gmt":"2018-05-12T05:44:44","slug":"mod_proxy-apache-2-4","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=7460","title":{"rendered":"mod_proxy apache 2.4"},"content":{"rendered":"<h1 class=\"page-title\">Using Apache with mod_proxy<\/h1>\n<article class=\"content-with-sidebars\">\n<div class=\"page-sidebars\">\n<div class=\"page-sidebars-wrap\">\n<div class=\"page-sidepanel sidepanel-related-content\">\n<h4>Related content<\/h4>\n<ul>\n<li><a href=\"https:\/\/confluence.atlassian.com\/display\/CONF59\/Using+Apache+with+virtual+hosts+and+mod_proxy\">Using Apache with virtual hosts and mod_proxy<\/a><\/li>\n<li><a href=\"https:\/\/confluence.atlassian.com\/display\/CONF59\/Using+Apache+with+mod_jk\">Using Apache with mod_jk<\/a><\/li>\n<li><a href=\"https:\/\/confluence.atlassian.com\/display\/CONF59\/Installing+Confluence+on+Windows+from+Zip+File\">Installing Confluence on Windows from Zip File<\/a><\/li>\n<li><a href=\"https:\/\/confluence.atlassian.com\/display\/CONF59\/Installing+Confluence+on+Linux+from+Archive+File\">Installing Confluence on Linux from Archive File<\/a><\/li>\n<li><a href=\"https:\/\/confluence.atlassian.com\/display\/CONF59\/Running+Confluence+behind+Apache\">Running Confluence behind Apache<\/a><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<div class=\"ask-a-question-panel fixed\">\n<h4>Still need help?<\/h4>\n<p>The Atlassian Community is here for you.<\/p>\n<p><a href=\"https:\/\/community.atlassian.com\/t5\/custom\/page\/page-id\/create-post-step-1?add-tags=Confluence\">Ask the community<\/a><\/p>\n<\/div>\n<\/div>\n<div class=\"wiki-content\">\n<p>This page describes how to integrate Confluence into an Apache website using mod_proxy.<\/p>\n<p>There are some common situations where you might use the configuration:<\/p>\n<ul class=\"alternate\">\n<li>You have an existing Apache-based website, and want to add Confluence to the mix (for example, <strong><span class=\"nolink\"><a class=\"external-link\" href=\"http:\/\/www.example.com\/confluence\" rel=\"nofollow\">http:\/\/www.example.com\/confluence<\/a><\/span><\/strong>).<\/li>\n<li>You have two or more Java applications, each running in their own application server on different ports, for example, <strong><span class=\"external-link\"><a class=\"external-link\" href=\"http:\/\/example:8090\/confluence\" rel=\"nofollow\">http:\/\/example:8090\/confluence<\/a><\/span><\/strong> and <strong><span class=\"external-link\"><a class=\"external-link\" href=\"http:\/\/example:8080\/jira\" rel=\"nofollow\">http:\/\/example:8080\/jira<\/a><\/span><\/strong>. By setting up Apache with mod_proxy, you can have both available on the regular HTTP port (80) \u2013 for example, at <strong><span class=\"nolink\"><a class=\"external-link\" href=\"http:\/\/www.example.com\/confluence\" rel=\"nofollow\">http:\/\/www.example.com\/confluence<\/a><\/span><\/strong> and <strong><span class=\"nolink\"><a class=\"external-link\" href=\"http:\/\/www.example.com\/jira\" rel=\"nofollow\">http:\/\/www.example.com\/jira<\/a><\/span><\/strong>. This allows each application to be restarted, managed and debugged separately.<\/li>\n<\/ul>\n<p><strong>Note:<\/strong> This page documents a configuration of Apache, rather than of Confluence itself. Atlassian will support Confluence with this configuration, but we cannot guarantee to help you debug problems with Apache. Please be aware that this material is provided for your information only, and that you use it at your own risk.<\/p>\n<h2 id=\"UsingApachewithmod_proxy-Baseconfiguration\">Base configuration<\/h2>\n<div class=\"admonition-block info-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-richtextbody-block\">\n<p>In these examples, we use the following:<\/p>\n<p><strong>http:\/\/www.example.com\/confluence<\/strong> &#8211; your intended URL<\/p>\n<p><strong>http:\/\/example:8090<\/strong> &#8211; the hostname and port Confluence is currently installed to<\/p>\n<p><strong>\/confluence<\/strong> &#8211; the intended context path (the part after hostname and port)<\/p>\n<p>Please substitute the examples below with your intended URL&#8217;s in your own server. Copy\/pasting these suggestions will not work on your server.<\/p>\n<\/div>\n<h3 id=\"UsingApachewithmod_proxy-Setthecontextpath\">Set the context path<\/h3>\n<p>Set your Confluence application path (the part after hostname and port). To do this in Tomcat (bundled with Confluence), edit <code>conf\/server.xml<\/code>, locate the &#8220;Context&#8221; definition:<\/p>\n<div class=\"code-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-plaintextbody-block\">\n<pre class=\" language-none\"><code class=\" language-none\">&lt;Context path=\"\" docBase=\"..\/confluence\" debug=\"0\" reloadable=\"true\"&gt;<\/code><\/pre>\n<\/div>\n<p>and change it to:<\/p>\n<div class=\"code-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-plaintextbody-block\">\n<pre class=\" language-none\"><code class=\" language-none\">&lt;Context path=\"\/confluence\" docBase=\"..\/confluence\" debug=\"0\" reloadable=\"true\"&gt;<\/code><\/pre>\n<\/div>\n<p>Then restart Confluence, and ensure you can access it at <strong><span class=\"external-link\">http:\/\/example:8090\/confluence<\/span><\/strong><\/p>\n<h3 id=\"UsingApachewithmod_proxy-SettheURLforredirection\">Set the URL for redirection<\/h3>\n<p>Set the URL for redirection. In the same <code>conf\/server.xml<\/code> file, locate this code segment:<\/p>\n<div class=\"code-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-plaintextbody-block\">\n<pre class=\" language-none\"><code class=\" language-none\">    &lt;Connector port=\"8090\" maxHttpHeaderSize=\"8192\"\r\n               maxThreads=\"150\" minSpareThreads=\"25\" maxSpareThreads=\"75\"\r\n               enableLookups=\"false\" redirectPort=\"8443\" acceptCount=\"100\"\r\n               connectionTimeout=\"20000\" disableUploadTimeout=\"true\" \/&gt;\r\n<\/code><\/pre>\n<\/div>\n<p>And append the last line:<\/p>\n<div class=\"code-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-plaintextbody-block\">\n<pre class=\" language-none\"><code class=\" language-none\">    &lt;Connector port=\"8090\" maxHttpHeaderSize=\"8192\"\r\n               maxThreads=\"150\" minSpareThreads=\"25\" maxSpareThreads=\"75\"\r\n               enableLookups=\"false\" redirectPort=\"8443\" acceptCount=\"100\"\r\n               connectionTimeout=\"20000\" disableUploadTimeout=\"true\"\r\n               proxyName=\"www.example.com\" proxyPort=\"80\" \/&gt;\r\n<\/code><\/pre>\n<\/div>\n<p>If this isn&#8217;t working for you and you&#8217;re using SSL, try adding a scheme attribute to your Connector tag: <strong>scheme=&#8221;https&#8221;<\/strong>.<\/p>\n<p>&nbsp;<\/p>\n<p>Now we have two options:<\/p>\n<ul>\n<li>If you want a URL like\u00a0<span class=\"external-link\"><strong><a class=\"external-link\" href=\"http:\/\/www.example.com\/confluence\" rel=\"nofollow\">http:\/\/www.example.com\/confluence<\/a><\/strong><\/span>, follow the simple configuration.<\/li>\n<li>If you want a URL like\u00a0<strong><span class=\"external-link\"><a class=\"external-link\" href=\"http:\/\/confluence.example.com\/\" rel=\"nofollow\">http:\/\/confluence.example.com<\/a><\/span><\/strong>, go to the\u00a0<a class=\"conf-macro output-inline\" href=\"https:\/\/confluence.atlassian.com\/conf59\/using-apache-with-mod_proxy-792499652.html#UsingApachewithmod_proxy-complex\" data-macro-name=\"sp-plaintextbody-link\" data-hasbody=\"true\">complex configuration<\/a>.<\/li>\n<\/ul>\n<h3 id=\"UsingApachewithmod_proxy-SimpleConfiguration\">Simple Configuration<\/h3>\n<h4 id=\"UsingApachewithmod_proxy-Configuremod_proxy\">Configure mod_proxy<\/h4>\n<p>Now enable mod_proxy in Apache, and proxy requests to the application server by adding the example below to your Apache httpd.conf (note: the files may be different on your system; See\u00a0<a class=\"conf-macro output-inline\" href=\"https:\/\/confluence.atlassian.com\/adminjiraserver070\/integrating-jira-with-apache-749383658.html\" data-macro-name=\"sp-nobody-link\" data-hasbody=\"false\">Integrating JIRA with Apache<\/a>\u00a0for\u00a0the process for Ubuntu\/Debian layout):<\/p>\n<div class=\"code-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-plaintextbody-block\">\n<div class=\"code-block-title\">Apache 2.2<\/div>\n<pre class=\" language-none\"><code class=\" language-none\"># Put this after the other LoadModule directives\r\nLoadModule proxy_module \/usr\/lib\/apache2\/modules\/mod_proxy.so\r\nLoadModule proxy_http_module \/usr\/lib\/apache2\/modules\/mod_proxy_http.so\r\n\r\n# Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)\r\nProxyRequests Off\r\nProxyPreserveHost On\r\n\r\n&lt;Proxy *&gt;\r\n    Order deny,allow\r\n    Allow from all\r\n&lt;\/Proxy&gt;\r\n\r\nProxyPass \/confluence http:\/\/app-server.internal.example.com:8090\/confluence\r\nProxyPassReverse \/confluence http:\/\/app-server.internal.example.com:8090\/confluence\r\n&lt;Location \/confluence&gt;\r\n    Order allow,deny\r\n    Allow from all\r\n&lt;\/Location&gt;<\/code><\/pre>\n<\/div>\n<div class=\"code-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-plaintextbody-block\">\n<div class=\"code-block-title\">Apache 2.4<\/div>\n<pre class=\" language-none\"><code class=\" language-none\"># Put this after the other LoadModule directives\r\nLoadModule proxy_module \/usr\/lib\/apache2\/modules\/mod_proxy.so\r\nLoadModule proxy_http_module \/usr\/lib\/apache2\/modules\/mod_proxy_http.so\r\n\r\n# Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)\r\nProxyRequests Off\r\nProxyPreserveHost On\r\n\r\n&lt;Proxy *&gt;\r\n\t# Auth changes in 2.4 - see http:\/\/httpd.apache.org\/docs\/2.4\/upgrading.html#run-time\r\n    Require all granted\r\n&lt;\/Proxy&gt;\r\n\r\nProxyPass \/confluence http:\/\/app-server.internal.example.com:8090\/confluence\r\nProxyPassReverse \/confluence http:\/\/app-server.internal.example.com:8090\/confluence\r\n&lt;Location \/confluence&gt;\r\n\t# Auth changes in 2.4 - see http:\/\/httpd.apache.org\/docs\/2.4\/upgrading.html#run-time\r\n    Require all granted\r\n&lt;\/Location&gt;<\/code><\/pre>\n<\/div>\n<div class=\"expand-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-richtextbody-block\">\n<p><a class=\"expand-block-expand-button\" href=\"https:\/\/confluence.atlassian.com\/conf59\/using-apache-with-mod_proxy-792499652.html#\"> Click here to expand&#8230; <\/a><\/p>\n<div class=\"expand-block-content-wrapper\">\n<div class=\"expand-block-content\">\n<p>It is recommended that you specify the absolute path to the <code>mod_proxy.so<\/code> and <code>mod_proxy_http.so<\/code> files.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<h3 id=\"UsingApachewithmod_proxy-Complexconfiguration\">Complex configuration<\/h3>\n<p>Complex configuration involves using the mod_proxy_html filter to modify the proxied content en-route. This is required if the Confluence path differs between Apache and the application server. For example:<\/p>\n<div class=\"table-wrap\">\n<div class=\"table-block\">\n<table class=\"confluenceTable\">\n<tbody>\n<tr>\n<th class=\"confluenceTh\">Externally accessible (Apache) URL<\/th>\n<td class=\"confluenceTd\"><a class=\"external-link\" href=\"http:\/\/confluence.example.com\/\" rel=\"nofollow\">http:\/\/confluence.example.com\/<\/a><\/td>\n<\/tr>\n<tr>\n<th class=\"confluenceTh\">Application server URL<\/th>\n<td class=\"confluenceTd\"><a class=\"external-link\" href=\"http:\/\/app-server.internal.example.com:8090\/confluence\/\" rel=\"nofollow\">http:\/\/app-server.internal.example.com:8090\/confluence\/<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Notice that the application path in the URL is different in each. On Apache, the path is \/, and on the application server the path is \/confluence.<\/p>\n<div class=\"admonition-block info-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-richtextbody-block\">\n<p>For this configuration, you need to install the <a class=\"external-link\" href=\"http:\/\/apache.webthing.com\/mod_proxy_html\/\" rel=\"nofollow\">mod_proxy_html module<\/a>, which is not included in the standard Apache distribution.<\/p>\n<p>Alternative solutions are discussed below.<\/p>\n<\/div>\n<div class=\"code-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-plaintextbody-block\">\n<div class=\"code-block-title\">Apache 2.2<\/div>\n<pre class=\" language-none\"><code class=\" language-none\"># Put this after the other LoadModule directives\r\nLoadModule proxy_module modules\/mod_proxy.so\r\nLoadModule proxy_http_module modules\/mod_proxy_http.so\r\nLoadModule proxy_html_module modules\/mod_proxy_html.so\r\n\r\n&lt;VirtualHost *&gt;\r\n    ServerName confluence.example.com\r\n    \r\n    # Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)\r\n    ProxyRequests Off\r\n    ProxyPreserveHost On\r\n\r\n    &lt;Proxy *&gt;\r\n        Order deny,allow\r\n        Allow from all\r\n    &lt;\/Proxy&gt;\r\n    \r\n    ProxyPass \/ http:\/\/app-server.internal.example.com:8090\/confluence\r\n    ProxyPassReverse \/ http:\/\/app-server.internal.example.com:8090\/confluence\r\n    \r\n    ProxyHTMLURLMap \/ \/confluence\/\r\n    \r\n    &lt;Location \/&gt;\r\n        Order allow,deny\r\n        Allow from all\r\n    &lt;\/Location&gt;\r\n&lt;\/VirtualHost&gt;<\/code><\/pre>\n<\/div>\n<div class=\"code-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-plaintextbody-block\">\n<div class=\"code-block-title\">Apache 2.4<\/div>\n<pre class=\" language-none\"><code class=\" language-none\"># Put this after the other LoadModule directives\r\nLoadModule proxy_module modules\/mod_proxy.so\r\nLoadModule proxy_http_module modules\/mod_proxy_http.so\r\nLoadModule proxy_html_module modules\/mod_proxy_html.so\r\n\r\n&lt;VirtualHost *&gt;\r\n    ServerName confluence.example.com\r\n    \r\n    # Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)\r\n    ProxyRequests Off\r\n    ProxyPreserveHost On\r\n\r\n    &lt;Proxy *&gt;\r\n\t\t# Auth changes in 2.4 - see http:\/\/httpd.apache.org\/docs\/2.4\/upgrading.html#run-time\r\n    \tRequire all granted\r\n    &lt;\/Proxy&gt;\r\n    \r\n    ProxyPass \/ http:\/\/app-server.internal.example.com:8090\/confluence\r\n    ProxyPassReverse \/ http:\/\/app-server.internal.example.com:8090\/confluence\r\n    \r\n    ProxyHTMLURLMap \/ \/confluence\/\r\n    \r\n    &lt;Location \/&gt;\r\n\t\t# Auth changes in 2.4 - see http:\/\/httpd.apache.org\/docs\/2.4\/upgrading.html#run-time\r\n    \tRequire all granted\r\n    &lt;\/Location&gt;\r\n&lt;\/VirtualHost&gt;<\/code><\/pre>\n<\/div>\n<p>The ProxyHTMLURLMap configuration can become more complex if you have multiple applications running under this configuration. The mapping should also be placed in a Location block if the web server URL is a subdirectory and not on a virtual host. The <a class=\"external-link\" href=\"http:\/\/www.apacheweek.com\/features\/reverseproxies\" rel=\"nofollow\">Apache Week tutorial<\/a> has more information how to do this.<\/p>\n<h2 id=\"UsingApachewithmod_proxy-FinalConfigurationSteps\">Final Configuration Steps<\/h2>\n<h3 id=\"UsingApachewithmod_proxy-RestartyourApacheserver\">Restart your Apache server<\/h3>\n<p>This is needed to pick up on the new configuration. This can be done by running the following on your command line\/terminal\/shell:<\/p>\n<div class=\"code-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-plaintextbody-block\">\n<pre class=\" language-none\"><code class=\" language-none\">sudo apachectl graceful<\/code><\/pre>\n<\/div>\n<h3 id=\"UsingApachewithmod_proxy-DisableHTTPCompression\">Disable HTTP Compression<\/h3>\n<p>Having compression run on both the proxy and Tomcat can cause problems integrating with other Atlassian applications, such as JIRA. Please disable HTTP compression as per our\u00a0<a class=\"conf-macro output-inline\" href=\"https:\/\/confluence.atlassian.com\/conf59\/compressing-an-http-response-within-confluence-792499813.html\" data-macro-name=\"sp-nobody-link\" data-hasbody=\"false\">Compressing an HTTP Response within Confluence<\/a>\u00a0docs.<\/p>\n<h3 id=\"UsingApachewithmod_proxy-SettheConfluenceBaseURL\">Set the Confluence Base URL<\/h3>\n<p>The last stage is to set the\u00a0<a class=\"conf-macro output-inline\" href=\"https:\/\/confluence.atlassian.com\/conf59\/configuring-the-server-base-url-792499673.html\" data-macro-name=\"sp-plaintextbody-link\" data-hasbody=\"true\">Base URL<\/a>\u00a0to the address you&#8217;re using within the proxy. In this example, it would be\u00a0<strong><a class=\"external-link\" href=\"http:\/\/www.example.com\/confluence\" rel=\"nofollow\">http:\/\/www.example.com\/confluence<\/a><\/strong><\/p>\n<h2 id=\"UsingApachewithmod_proxy-AddingSSL\">Adding SSL<\/h2>\n<p>If you&#8217;re running Apache in front of Tomcat, it&#8217;s a good idea to terminate your SSL configuration at Apache, then forward the requests to Tomcat over HTTP. You can set up Apache to terminate the SSL connection and use the ProxyPass and ProxyPassReverse directives to pass the connection through to Tomcat (or the appropriate application server) which is running Confluence.<\/p>\n<ol>\n<li>Create a new SSL host by creating a virtual host on 443<\/li>\n<li>The standard http connection on apache could be used to redirect to https if you want or it could just be firewalled.<\/li>\n<li>Within the VirtualHost definition:\n<ol>\n<li>define the SSL options (SSLEngin and SSLCertificateFile)<\/li>\n<li>define the ProxyPass and ProxyPassReverse directives to pass through to Tomcat.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>Most of the relevant Apache Config:<\/p>\n<div class=\"code-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-plaintextbody-block\">\n<pre class=\" language-none\"><code class=\" language-none\">Listen 443\r\n\r\nNameVirtualHost *:443\r\n&lt;VirtualHost *:443&gt;\r\n    SSLEngine On\r\n    SSLCertificateFile \/etc\/apache2\/ssl\/apache.pem\r\n    ProxyPass \/ http:\/\/localhost:8090\/\r\n    ProxyPassReverse \/ http:\/\/localhost:8090\/\r\n&lt;\/VirtualHost&gt;\r\n\r\n<\/code><\/pre>\n<\/div>\n<p>Apart from the Apache configuration there are a couple of things you will need to do before you get your server working:<\/p>\n<ol>\n<li>You will have to change your base URL to point to https addresses. See the documentation on <a class=\"external-link\" href=\"http:\/\/confluence.atlassian.com\/display\/DOC\/Configuring+the+Server+Base+URL\" rel=\"nofollow\">configuring the server base URL<\/a>.<\/li>\n<li>We need to set up the connector to use https. In your installation directory, edit the file server.xml and add this attributes to your connector:<\/li>\n<\/ol>\n<div class=\"code-block conf-macro output-block\" data-hasbody=\"true\" data-macro-name=\"sp-macrooverride-plaintextbody-block\">\n<pre class=\" language-none\"><code class=\" language-none\">proxyName=\"proxy.example.com\" proxyPort=\"443\" scheme=\"https\" secure=\"true\" <\/code><\/pre>\n<\/div>\n<h3 id=\"UsingApachewithmod_proxy-Moreinformation\">More information<\/h3>\n<ul>\n<li>The <a class=\"external-link\" href=\"http:\/\/apache.webthing.com\/mod_proxy_html\/\" rel=\"nofollow\">mod_proxy_html site<\/a> has documentation and examples on the use of this module in the complex configuration.<\/li>\n<li><a class=\"external-link\" href=\"http:\/\/www.apacheweek.com\/features\/reverseproxies\" rel=\"nofollow\">Apache Week has a tutorial<\/a> that deals with a complex situation involving two applications and ProxyHTMLURLMap.<\/li>\n<li><a class=\"conf-macro output-inline\" href=\"https:\/\/confluence.atlassian.com\/conf59\/using-apache-with-virtual-hosts-and-mod_proxy-792499654.html\" data-macro-name=\"sp-nobody-link\" data-hasbody=\"false\">Using Apache with virtual hosts and mod_proxy<\/a> shows how to configure the special case where you want JIRA and Confluence running on separate application servers on virtual host subdomains.<\/li>\n<\/ul>\n<\/div>\n<\/article>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>Control File Access by IP in Apache 2.4<\/p>\n<p>Denying access to wp-login.php for all but a set of whitelisted IP can be a good way of enhancing site security &#8211; provided that the client has a fixed IP address.<\/p>\n<p>We typically add such access controls within a .htaccess file in the document root of a project, leaving login access for our own IP address and that of the site owner.<\/p>\n<p>You might occasionally need to temporarily whitelist an additional IP address, but this is easy to do.<\/p>\n<p>Restricting access by IP address is no substitute for a proper username\/password policy &#8211; but it may be a useful additional layer, since would-be attackers don\u2019t even get a chance to knock on the door.<\/p>\n<p>Under Apache 2.2, you could use these directives within a .htaccess file:<\/p>\n<p># ==============================================================================<br \/>\n# Whitelisted IP access for wp-login.php<br \/>\n# ==============================================================================<br \/>\n&lt;files wp-login.php&gt;<br \/>\norder deny,allow<br \/>\ndeny from all<\/p>\n<p># whitelist Your First IP address<br \/>\nallow from xxx.xxx.xxx.xxx<br \/>\n# whitelist Your Second IP Address<br \/>\nallow from xxx.xxx.xxx.xxx<br \/>\n# whitelist Your Third IP Address<br \/>\nallow from xxx.xxx.xxx.xxx<\/p>\n<p>&lt;\/files&gt;<\/p>\n<p># ==============================================================================<br \/>\n# Protect specified files from direct access<br \/>\n# ==============================================================================<br \/>\n&lt;FilesMatch &#8220;^(wp-config\\.php|php\\.ini|php5\\.ini|install\\.php|php\\.info|readme\\.html|bb-config\\.php|\\.htaccess|\\.htpasswd|readme\\.txt|timthumb\\.php|error_log|error\\.log|PHP_errors\\.log|\\.svn)&#8221;&gt;<br \/>\nDeny from all<br \/>\n&lt;\/FilesMatch&gt;<\/p>\n<p>Whilst the Allow, Order, and Deny directives still work in Apache 2.4, they are deprecated:<\/p>\n<p>The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.<\/p>\n<p>-Apache 2.4 Documentation<\/p>\n<p>Unfortunately, there is not a lot of literature on how to properly set up such restrictions on Apache 2.4 &#8211; without relying on mod_access_compat.<br \/>\nDeny Access Completely<\/p>\n<p>In Apache 2.2:<\/p>\n<p>Order deny,allow<br \/>\nDeny from all<\/p>\n<p>In Apache 2.4 this becomes:<\/p>\n<p>Require all denied<\/p>\n<p>Restrict Access by IP address: Comparison of Apache 2.2 and 2.4<\/p>\n<p>Allow from a particular IP in Apache 2.2:<\/p>\n<p>Order Deny,Allow<br \/>\nDeny from all<br \/>\nAllow from xxx.xxx.xxx.xxx<\/p>\n<p>Allow from a particular IP in Apache 2.4:<\/p>\n<p>Require ip xxx.xxx.xxx.xxx<\/p>\n<p>TL;DR Restrict Access Apache 2.4<\/p>\n<p># ==============================================================================<br \/>\n# Restrict access to WordPress login page by IP<br \/>\n# See: http:\/\/httpd.apache.org\/docs\/2.4\/mod\/core.html#files<br \/>\n# ==============================================================================<br \/>\n&lt;Files &#8220;wp-login.php&#8221;&gt;<br \/>\nRequire ip 123.123.123.123<br \/>\n&lt;\/Files&gt;<\/p>\n<p>If you have full access to Apache config on your server, you can enable these directives for all virtual hosts by adding them to the Apache config file:<\/p>\n<p>sudo nano \/etc\/apache2\/conf-enabled\/security.conf<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>Access Control by host and ip address in Apache 2.4<br \/>\nIn this post we will learn about access control by host and ip address in Apache 2.4. The Apache 2.4 released with lots of new feature. While working on Apache 2.4 you will surely get attention on new format of access control. The method of using allow,deny or vice-versa is deprecated, it was old styled method before Apache 2.4 versions.<\/p>\n<p>We do expect users have some experience on Apache webserver. Hence, we are directly jumping on ACL of apache 2.4 . We have used all the below given methods inside Apache Virtual Host.<br \/>\nIn trailing post, we are going to use directive called RequireAll. So as per Apache 2.4 documentation, know what is RequireAll directive :<\/p>\n<p>apache 2.4 RequireAll<br \/>\nAllow only particular IP Address or Host to access website in Apache 2.4<\/p>\n<p>In this scenario we will allow only particular IP address or hosts to access the website. Rest of the world will not be able to access the website hosted on Apache 2.4 .<\/p>\n<p>Note: Replace Directive value as per your server\u2019s web data path.<\/p>\n<p>&lt;Directory &#8220;\/var\/www\/html\/website&#8221;&gt;<br \/>\nOptions All<br \/>\nAllowOverride All<br \/>\nRequire all denied<br \/>\n## &#8220;Require ip&#8221; is used here for IP Address\/CIDR\/Network<br \/>\nRequire ip 192.168.56.4 10.10.1.1<\/p>\n<p>## &#8220;Require host&#8221; is used here for hostname\/FQDN<br \/>\nRequire host www.example.com server01<br \/>\n&lt;\/Directory&gt;<\/p>\n<p>As per your requirement you can set ACL either on ip address or Host or both.<\/p>\n<p>Alternatively for this same scenario you can write in below given format also. You should notice the written in below given example.<\/p>\n<p>&lt;Directory &#8220;\/var\/www\/html\/website&#8221;&gt;<br \/>\nOptions All<br \/>\nAllowOverride All<br \/>\n&lt;RequireAll&gt;<br \/>\n## &#8220;Require ip&#8221; is used here for IP Address\/CIDR\/Network<br \/>\nRequire ip 192.168.56.4 10.10.1.1<\/p>\n<p>## &#8220;Require host&#8221; is used here for hostname\/FQDN<br \/>\nRequire host www.example.com server01<br \/>\n&lt;\/RequireAll&gt;<br \/>\n&lt;\/Directory&gt;<\/p>\n<p>Deny only particular IP Address or Host to access website in Apache 2.4<\/p>\n<p>In this section, we will deny particular ip address\/host to access the website. As mentioned in above section as same as according to your requirement you can set ACL either on ip address or Host or both. Check the directive section where we have applied the ACL.<\/p>\n<p>Note: Replace Directive value as per your server\u2019s web data path.<\/p>\n<p>&lt;Directory &#8220;\/var\/www\/html\/website&#8221;&gt;<br \/>\nOptions All<br \/>\nAllowOverride All<br \/>\n&lt;RequireAll&gt;<br \/>\nRequire all granted<br \/>\n## &#8220;Require ip&#8221; is used here for IP Address\/CIDR\/Network<br \/>\nRequire not ip 192.168.56.4 10.10.1.1<\/p>\n<p>## &#8220;Require host&#8221; is used here for hostname\/FQDN<br \/>\nRequire not host www.example.com server01<br \/>\n&lt;\/RequireAll&gt;<br \/>\n&lt;\/Directory&gt;<\/p>\n<p>Deny All to access website running on Apache 2.4<\/p>\n<p>In this section, we will define Require all denied directly inside directive. This configuration will deny all to access the website.<\/p>\n<p>Note: Replace Directive value as per your server\u2019s web data path.<\/p>\n<p>&lt;Directory &#8220;\/var\/www\/html\/website&#8221;&gt;<br \/>\nOptions All<br \/>\nAllowOverride All<br \/>\n## &#8220;Require all denied&#8221; will deny all to access the website.<br \/>\nRequire all denied<br \/>\n&lt;\/Directory&gt;<\/p>\n<p>Allow All to access website running on Apache 2.4<\/p>\n<p>In this section, we will define Require all granted directly inside directive. The below given configuration helps all to access the website.<\/p>\n<p>Note: Replace Directive value as per your server\u2019s web data path.<\/p>\n<p>&lt;Directory &#8220;\/var\/www\/html\/website&#8221;&gt;<br \/>\nOptions All<br \/>\nAllowOverride All<br \/>\n## &#8220;Require all granted&#8221; will allow all to access the website.<br \/>\nRequire all granted<br \/>\n&lt;\/Directory&gt;<\/p>\n<p>Restart apache service<\/p>\n<p>After doing changes in apache config file, do not forget to restart the apache service.<\/p>\n<p>### In Ubuntu\/Debian\/<br \/>\nsudo service apache2 restart<\/p>\n<p>### In CentOS 7\/RHEL 7<br \/>\nsystemctl restart httpd<\/p>\n<p>### In CentOS|RHEL 5.x,6x.<br \/>\nservice httpd restart<\/p>\n<p>Apache Forbidden Error Message<\/p>\n<p>On denying the ip address\/host from Apache 2.4. The user will get the \u201cForbidden\u201d message. Given below is the image reference.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<pre>&lt;VirtualHost *:80&gt;\r\n        ServerName www.company.com\r\n        ProxyPreserveHost On\r\n        AllowEncodedSlashes NoDecode\r\n\r\n        &lt;IfModule mod_rewrite.c&gt;\r\n                RewriteEngine On\r\n                RewriteCond %{HTTPS} off\r\n                RewriteRule (.*) https:\/\/%{HTTP_HOST}%{REQUEST_URI}\r\n        &lt;\/IfModule&gt;\r\n\r\n&lt;\/VirtualHost&gt;\r\n\r\n&lt;VirtualHost *:443&gt;\r\n        ServerName www.company.com\r\n        ProxyRequests Off\r\n        SSLProxyEngine on\r\n        AllowEncodedSlashes NoDecode\r\n\r\n        RequestHeader set X-Forwarded-Proto \"https\"\r\n\r\n        # Always use HTTP Strict Transport Security (HSTS)\r\n        Header always set Strict-Transport-Security \"max-age=63072000; includeSubdo:mains; preload\"\r\n\r\n        SSLEngine on\r\n        SSLCertificateFile      \/etc\/httpd\/ssl\/com.crt\r\n        SSLCertificateKeyFile   \/etc\/httpd\/ssl\/com.key\r\n        SSLCertificateChainFile \/etc\/httpd\/ssl\/CA.crt\r\n\r\n        # Set a cookie so the client gets the same backend server each time\r\n        Header add Set-Cookie \"ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=\/\" env=BALANCER_ROUTE_CHANGED\r\n\r\n        ProxyPass \/balancer-manager !\r\n        ProxyPass \/ \"balancer:\/\/mycluster\/\" nocanon\r\n        ProxyPassReverse \/ \"balancer:\/\/mycluster\/\"\r\n\r\n        &lt;Proxy balancer:\/\/mycluster\/&gt;\r\n                BalancerMember http:\/\/10.0.0.2 route=1\r\n                BalancerMember http:\/\/10.0.0.3 route=2\r\n                ProxySet stickysession=ROUTEID\r\n        &lt;\/Proxy&gt;\r\n\r\n        &lt;Location \"\/balancer-manager\"&gt;\r\n                SetHandler balancer-manager\r\n                Require host localhost\r\n                Require ip 192.168.2.0\/24\r\n                Require host 1982.168.1.10\r\n        &lt;\/Location&gt;\r\n\r\n&lt;\/VirtualHost&gt;<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Using Apache with mod_proxy Related content Using Apache with virtual hosts and mod_proxy Using Apache with mod_jk Installing Confluence on Windows from Zip File Installing Confluence on Linux from Archive File Running Confluence behind Apache Still need help? <\/p>\n<p>The Atlassian Community is here for you.<\/p>\n<p>Ask the community<\/p>\n<p>This page describes how to integrate Confluence [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7460"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7460"}],"version-history":[{"count":3,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7460\/revisions"}],"predecessor-version":[{"id":7463,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7460\/revisions\/7463"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7460"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7460"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}