How to deny access to any of the apps from remote?

Hi,
I have created /etc/apache2/conf-available/umc-access.conf as follows:
<Location /bluespice>
  Require ip 192.168.199.0/24
  Require all denied
</Location>

To restrict access to the wiki only to local IPs. Though that does not work. I can restrict the access to all by using only Require all denied, but once I add the other line access is wide open from anywhere. Any idea what I am doing incorrectly? Thank you.

Where did you create it? In UCS or the bluespice container? I don’t use bluespice so I’m not sure how it’s set up.

Also, usually there is a link in the conf-enabled directory to the conf file in the conf-available directory. If that link is not there then apache shouldn’t read that conf file and it won’t be enabled. You didn’t mention creating that link.

Hi,
Thank you.
It is in /etc/apache2/conf-available/umc-access.conf
The link in conf-enabled exists and the behavior changes as I change the file and restart apache.
It just does not work as it should.

Could it be that requests are proxied to the bluespice container through apache? I wondered about that earlier but thought if you put the config in UCS itself it should handle that before getting to the app, but maybe not. I’d probably try to decipher the chain of events by looking through the logs and maybe moving the config, at least temporarily for troubleshooting, into the UCS config files rather than having it separate.

I’m curious to find out what the solution is.

I tried this with nextcloud, which I have installed on my UCS server and it seemed to work fine.

<Location /nextcloud>
  Require ip 192.168.222.0/24
  Require all denied
</Location>

Maybe there is something different with the bluespice app that is involved. Have you tried verifying the additional config works with another path perhaps?

Thank you.
Then there has to be something specific on my machine.
It does not work for me for any apps including nextcloud.

I would check which IP addresses get logged when trying to access the server. Do you maybe have a reverse proxy in your network to access the UCS installation? If so, then Univention sees the requests as coming from your reverse proxy and not an external IP.

Thank you,
You are correct, it is the proxy. Any idea how to resolve it?

Change it to:

<Location /nextcloud>
  Require ip 192.168.222
  Require all denied
</Location>

(without “.0/24”)
See:

Check the docs for the proxy you are using and see if there is a setting to add an X-Forwarded-For header. I think you can then set up apache to respond to that header.

You also might be able to just set up your proxy to reject the request and not forward it on to UCS. That may be a lot easier actually depending on what you are using to proxy.

Thank you, I will look into it. I am using haproxy.

You should be able to do what you need with haproxy.
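The X-Forwarded-For approach suggested in this thread, written out as an added example (not posted by any participant and not UCS's own configuration). It assumes the HAProxy host is 192.168.199.10, a placeholder address, and that HAProxy is configured with `option forwardfor`.

```apache
# Added example. Assumptions: HAProxy runs on 192.168.199.10 (placeholder)
# and its defaults/backend section contains
#     option forwardfor
# so each forwarded request carries the client address in X-Forwarded-For.

# Before: Apache sees the proxy's address as the client. Several Require
# lines without a container are combined as RequireAny, so the proxy's LAN
# address satisfies "Require ip" for every visitor, local or remote.
#
# <Location /bluespice>
#   Require ip 192.168.199.0/24
#   Require all denied
# </Location>

# After: load mod_remoteip (Debian/UCS: a2enmod remoteip). The directives
# are deliberately not wrapped in <IfModule>: if the module is missing,
# Apache refuses to start instead of silently falling back to the proxy's
# address and leaving the location open.
RemoteIPHeader X-Forwarded-For

# Only this peer may supply the header; from any other source the header is
# ignored, so a client cannot claim a LAN address by sending it directly.
# RemoteIPInternalProxy (not RemoteIPTrustedProxy) is needed because the
# allowed clients have private 192.168.x.x addresses, which
# RemoteIPTrustedProxy would discard.
RemoteIPInternalProxy 192.168.199.10

<Location /bluespice>
  # Now evaluated against the address mod_remoteip resolved from the
  # header. A single Require line denies everything that does not match,
  # so "Require all denied" is no longer needed.
  Require ip 192.168.199.0/24
</Location>
```

After `apachectl configtest` and a reload, logging `%a` in the access log format shows the address Apache is actually evaluating for each request.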
