What must I do to ensure that a web server (Apache) running on a machine is not accessible to the outside world?

StackOverflow https://stackoverflow.com/questions/116905

  •  02-07-2019

Question

I would like to use my laptop as a web development (PHP, Python, etc.) machine, but I'm hesitant to do this unless I can ensure that it cannot be accessed by the outside world.

I'm guessing that something more than a firewall is necessary, such as configurations to the Apache configuration files, but I'm not sure what else I would need to be 100% sure it's locked down tightly.


Solution

You need to configure the server daemon to only bind to localhost using the Listen directive like this:

Listen 127.0.0.1:80

An alternative is to configure access control for the main server like this:

<Directory "/var/www/localhost/htdocs">
AllowOverride None
Deny from all
Allow from 127.0.0.1/255.0.0.0
</Directory>

Remember to put the root directory of your server in the Directory directive.
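A quick way to confirm that a configuration really restricts Apache to loopback, as an added example that is not part of the answer above: the script flags every Listen directive that is not pinned to a loopback address. The function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config (not from the page): safe and exposed Listen lines.
SAMPLE_CONF = """\
Listen 127.0.0.1:80
Listen [::1]:8080
Listen 8443
Listen 0.0.0.0:8000
Listen 192.168.1.20:80 http
  listen *:81
#Listen 443
ListenBacklog 511
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)


def parse_listen(value):
    """Split a Listen argument into (host, port); host is None for all interfaces."""
    if value.startswith("["):                 # bracketed IPv6, e.g. [::1]:8080
        host, _, port = value[1:].partition("]:")
    elif ":" in value:                        # address:port, e.g. 127.0.0.1:80
        host, _, port = value.rpartition(":")
    else:                                     # bare port, e.g. 80
        host, port = None, value
    return (None if host == "*" else host), int(port)


def exposed_listeners(conf_text):
    """Return [(line_no, directive)] for Listen lines not restricted to loopback."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = LISTEN_RE.match(line)
        if not match:
            continue                          # comments and other directives
        try:
            host, _port = parse_listen(match.group(1))
            safe = host is not None and ipaddress.ip_address(host).is_loopback
        except ValueError:
            safe = False                      # unparseable value: flag for review
        if not safe:
            findings.append((line_no, line.strip()))
    return findings


if __name__ == "__main__":
    for line_no, directive in exposed_listeners(SAMPLE_CONF):
        print(f"line {line_no}: reachable beyond loopback: {directive}")
```

The check only sees the text it is given, so any files pulled in through Include directives need to be passed through it as well.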

OTHER TIPS

In the configuration file, change the Listen directive to only listen on the loopback address:

Listen 127.0.0.1:80

Install a firewall and close all external ports but those that you want to use. If you are using Linux, there are nice frontends for iptables such as Firestarter; if you use OS X, there is an integrated firewall, and Windows has one too. :)

But yes, the firewall is the way to go. (Or you can tell Apache to listen on 127.0.0.1:80 only.)

A firewall should be sufficient. Just make sure that you run Apache on a non-standard port (typically 8080) and make sure your firewall blocks outside access to that port.

Firewall should be enough. But you can use the Listen directive as well.

A firewall will do just fine. But if you won't settle for just a firewall, you can configure Apache to just listen on your loopback device, or tell it to just accept connections from a set of addresses on your LAN. The first method is easier, but that way you can access the web pages only from the machine Apache is running on.

Put a router between you and the internet, and don't forward any ports to your laptop. That way anyone trying to access the laptop hits the router and can't get any further.

You can forward ports to your main machine (or just put the main machine in the DMZ) if you need it to be available to incoming connections.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow