I have a (virtual) webserver that should be accessible only internally and have configured it for LAN-only access, which works fine. Some users are connected via OpenVPN and they can't access this web. If I manually change flex-80.conf and flex-443.conf in /etc/httpd/conf.d/ to access traffic from VPN subnet (10xxxx), I understand the configuration will be overwritten by webadmin.
Does anyone have an idea on how I could work around this problem in a secure way?
BR
Sven
Accepted Answer
That is just another feature request needing someone to code it, but I do like the idea! I do not know enough about Apache to know if the include files would be the same for ports 80 and 443 or if some of the directives should only be for one of the config files.
The only other thing you can do is change the flex- files and set the immutable bit (chattr +i) on them, but then the webconfig can never change them.
Responses (4)
Accepted Answer
Thanks Nick, but I don't like to hack the code as I tend to forget what I have done.
Your suggestion in the other thread about customisation of web config is also an interesting approach.
Accepted Answer
As a hack, you could modify /usr/clearos/apps/flexshare/libraries/Flexshare.php around line 3156 from:

    if ($share['WebAccess'] == self::ACCESS_LAN) {
        $config_directory[] = "\t\t<RequireAny>";
        $config_directory[] = "\t\t\tRequire local";
        if (count($lans) > 0) {
            foreach ($lans as $lan)
                $config_directory[] = "\t\t\tRequire ip " . $lan;
        }
        $config_directory[] = "\t\t</RequireAny>";
    }

to:

    if ($share['WebAccess'] == self::ACCESS_LAN) {
        $config_directory[] = "\t\t<RequireAny>";
        $config_directory[] = "\t\t\tRequire local";
        if (count($lans) > 0) {
            foreach ($lans as $lan)
                $config_directory[] = "\t\t\tRequire ip " . $lan;
            $config_directory[] = "\t\t\tRequire ip 10.8.0.0/255.255.255.0";
        }
        $config_directory[] = "\t\t</RequireAny>";
    }

... totally untested, of course. You will then need to make an edit to your website configuration to regenerate the flex-{80,443}.conf.
I am trying to see how $lan is defined to see if there may be another route.
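Added example, not part of the thread and not ClearOS code: a Python check for the flat RequireAny block shown above that reports whether a client address would be admitted and whether the VPN subnet has dropped out of a regenerated flex-*.conf. The 192.168.1.0/24 LAN, the Directory path and all function names are assumptions; nested RequireAll or "Require not" containers are not modelled.

```python
import ipaddress

# Constructed sample of the block the patched Flexshare.php would emit
# (LAN 192.168.1.0/24 is an assumption; the Directory path is a placeholder).
PATCHED = """<Directory /path/to/share>
\t\t<RequireAny>
\t\t\tRequire local
\t\t\tRequire ip 192.168.1.0/255.255.255.0
\t\t\tRequire ip 10.8.0.0/255.255.255.0
\t\t</RequireAny>
</Directory>
"""
# The same file after webconfig regenerates it without the VPN line.
REGENERATED = PATCHED.replace("\t\t\tRequire ip 10.8.0.0/255.255.255.0\n", "")

def to_network(spec):
    """Parse one 'Require ip' argument: address, partial address, CIDR or netmask."""
    if "/" not in spec and ":" not in spec:
        octets = spec.rstrip(".").split(".")
        if len(octets) < 4:  # partial address: "10.8" means 10.8.0.0/16
            spec = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    return ipaddress.ip_network(spec, strict=False)

def allowed_networks(conf_text):
    """Return (networks, allows_local) from all Require ip / Require local lines."""
    nets, local = [], False
    for line in conf_text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "require":
            if words[1].lower() == "local":
                local = True
            elif words[1].lower() == "ip":
                nets.extend(to_network(w) for w in words[2:])
    return nets, local

def is_allowed(conf_text, client_ip):
    """Would this client address pass the RequireAny block?"""
    nets, local = allowed_networks(conf_text)
    addr = ipaddress.ip_address(client_ip)
    # Require local also matches "client == server address"; only loopback is modelled.
    return (local and addr.is_loopback) or any(addr in n for n in nets)

def missing_subnets(conf_text, required):
    """Required subnets that no Require ip line covers (drift after regeneration)."""
    nets, _ = allowed_networks(conf_text)
    wanted = [ipaddress.ip_network(r, strict=False) for r in required]
    return [str(w) for w in wanted
            if not any(w.version == n.version and w.subnet_of(n) for n in nets)]
```

Passing the contents of flex-80.conf and flex-443.conf to missing_subnets() after each webconfig change shows whether the VPN line survived the regeneration.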
Accepted Answer
I have tested with NAT enabled in openVPN but it didn't help and would have created other problems since we identify visitors by their VPN IP.
I will have to deal with it some other way but please file an enhancement request as I think it would be logical also for others.
Is there a way to override the flex-80.conf and flex-443.conf settings for virtual webservers?
/Sven