I've come up with an Apache configuration that does reverse-proxying for an internal ownCloud installation. It works very well, and now I'd like to restrict by IP the hosts that would have access to this reverse-proxied host, but I noticed 2 things (example config of the host doing the proxying):
    <VirtualHost *:443>
        # I put below line here but it seems it isn't used when reverse-proxying
        DocumentRoot "c:/apache/owncloud"
        # this host is going to answer to The World to requests to owncloud
        ServerName cloud.example.com:443
        ServerAdmin [email protected]
        ErrorLog "c:/apache/logs/ssl-owncloud-error.log"
        TransferLog "c:/apache/logs/ssl-owncloud-access.log"
        # the actual host with owncloud is reachable from intranet by this name
        ProxyPass "/" "https://cloud.example.com/"
        ProxyPassReverse "/" "https://cloud.example.com/"
        # This is important, the Directory section, I imagined this would work...
        <Directory "c:/apache/owncloud">
            Options FollowSymLinks
            AllowOverride FileInfo
            Require IP xxx.xxx.xxx.xxx
            Require IP yyy.yyy.yyy.yyy
            Require all denied
        </Directory>
        SSLEngine on
        SSLCertificateFile "c:/apache/ssl/server.pem"
        SSLCertificateKeyFile "c:/apache/ssl/privkey.decr.key"
        SSLProxyEngine On
    </VirtualHost>
1) I've put in the Directory section and thought it would be respected, but it isn't.
2) Naturally the proxied machine (ownCloud host) has no idea that in reality a host external to our LAN pulled the page; in the access logs it's only showing the IP of the proxy, so I can't do the restricting there.
Please share your knowledge as to where I set up IP-based restrictions, because the ones above don't work and effectively the whole world can see ownCloud as it is.
Since a ProxyPass does not map requests to the local file system, setting access controls in a Directory block does not work. You'll need to set them in a Location container, i.e. use something like this:
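An added example, not part of the original answer, showing a Location-based restriction applied to the virtual host from the question. The two addresses are constructed placeholders from the documentation ranges; the other directives are copied from the question, and Apache 2.4 `Require` syntax is assumed because the question already uses it.

```apache
<VirtualHost *:443>
    ServerName cloud.example.com:443

    SSLEngine on
    SSLCertificateFile "c:/apache/ssl/server.pem"
    SSLCertificateKeyFile "c:/apache/ssl/privkey.decr.key"
    SSLProxyEngine On

    ProxyPass "/" "https://cloud.example.com/"
    ProxyPassReverse "/" "https://cloud.example.com/"

    # <Location> matches on the request URL path rather than a file system
    # path, so it is evaluated for proxied requests as well.
    <Location "/">
        # Constructed sample addresses; replace with the permitted clients.
        # Several Require lines form an implicit RequireAny: a client that
        # matches none of them is refused with 403 before the request is
        # forwarded to the backend.
        Require ip 192.0.2.10
        Require ip 198.51.100.0/24
    </Location>
</VirtualHost>
```

A request from an address outside the listed ranges should return 403 and leave an authorization denial in `ssl-owncloud-error.log`, which is a quick way to confirm the block is being applied.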