Restricting/Allowing Access based on IP.

Discussion in 'Apache' started by waynejr, Jun 7, 2010.

  1. #1
    I have little to no Apache configuration experience but I want to explore a setup scenario.

    Our site has two internal IP Ranges: 192.168.1 /24 and 192.168.2 /24. The first one is used internally by our staff. The second one acts as a DMZ for a few customers who connect via VPN and is for use with the server at 192.168.2.10. The VPN customers are assigned a 192.168.2 /24 range IP Address.

    The server is a Solaris 10 system with Apache currently turned off. We are interested in starting it up so we can monitor various subsystems and databases, and to allow some basic administration scripts to run. So what Apache settings should be made to allow connections only from the 192.168.1 /24 range, as well as any authentication settings which might be required?

    I am looking at a security in depth situation here so:

    1) I am fully aware about firewall settings. That is covered. I am looking to get deeper into settings.
    2) Are there any default settings which are insecure within Apache?
    3) Any tools available to test/verify security? Like the CIS tools.
     
    waynejr, Jun 7, 2010
  2. raffo77
    #2
    Hello,

    You can limit access to Apache from your range just by configuring your .htaccess, vhost or main config:
    Order allow,deny
    Allow from 192.168.1.0/24

    Or just create a rule in the firewall config or iptables.

    To test a web server you must be quite expert; at the moment I can only suggest that you install mod_qos and configure the same limitation on Apache with this module. Try a slowloris attack without this module and your Apache will be offline.

    PM me for more details if you want
     
    raffo77, Jun 8, 2010
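
An added example, not part of either post: the address restriction and login the question asks about, written for Apache 2.2 (the release current in 2010) with the 2.4 form alongside. The `<Location />` scope, the realm name and the password file path are assumptions to adapt.

```apache
# Constructed example for the thread's addressing:
#   192.168.1.0/24  staff (allowed)      192.168.2.0/24  VPN customers (denied)

# --- Apache 2.2 (mod_authz_host) ---
# Weak: a lone "Allow from" leaves the default "Order deny,allow" in force,
# and under that order a client matching no Allow or Deny line is let in.
#
#   <Location />
#       Allow from 192.168.1.0/24
#   </Location>

# Corrected: deny everyone first, then allow the staff range, and require a login.
<Location />
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24

    AuthType Basic
    AuthName "Staff monitoring"
    # Placeholder path; create the file with htpasswd and keep it outside the DocumentRoot.
    AuthUserFile /path/to/htpasswd
    Require valid-user

    # Both the address check and the login must pass. This is the default, but
    # stating it stops an inherited "Satisfy Any" from making the pair either/or.
    Satisfy All
</Location>

# --- Apache 2.4 equivalent (mod_authz_core); use instead of the block above ---
# <Location />
#     AuthType Basic
#     AuthName "Staff monitoring"
#     AuthUserFile /path/to/htpasswd
#     <RequireAll>
#         Require ip 192.168.1.0/24
#         Require valid-user
#     </RequireAll>
# </Location>
```

Check the syntax with `apachectl configtest` before restarting, then request a page from a 192.168.2.x VPN address and confirm it returns 403.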