I have university Internet. It has IP, let’s say 188.8.131.52. I have project named let’s say MyProject (it’s folder). When I try to type 184.108.40.206/MyProject it launches my site. That means, that everybody in university can access my folder and site? I use Ubuntu and have installed PHP and MySQL. And also I can access phpmyadmin through IP like 220.127.116.11/phpmyadmin.
So, what’s happening?
EDIT: And what does it mean? If other person installed PHP in his PC, what would happen?
Quite a lot to cover here, so let’s dive in…
As mentioned by Marc B, if you set a web server on an un-firewalled public IP, everyone on the internet can access it. This is not to say that you are in this situation – you say you are on a university network, and you will most likely find that they implement some form of local network that has a NAT layer and/or firewall between your PC and the internet. However, you may still find that everyone on the university network (or at least your segment – see subnetting and VLANs) is able to access your web server.
What can you do to prevent this?
This is by no means an exhaustive list, but here are some of the more commonly used approaches to controlling web server security.
Set your web server to listen only on localhost (Marc B has already covered this but to clarify):
The main Apache configuration file, httpd.conf, uses a directive called Listen to determine which listening sockets to create and bind to when it starts up. The default is usually Listen 80, which means that the server will listen on TCP port 80, on every IP address registered on the machine. These IP addresses will be 127.0.0.1, the loopback address, and any IP addresses associated with any network interfaces you have installed, such as the above example of
You can modify this directive to be more restrictive. For example, if you wanted to only accept connections from your local machine, you could change it to Listen 127.0.0.1:80. By doing this, you will be able to access your web server from your local machine at http://18.104.22.168/ – yes, you can still use any address associated with the machine, because of the way loopback works – but no other machine anywhere in the world will be able to directly access it using any address.
Configure a firewall to block connections from other machines:
Almost all firewalls block every incoming request by default, and you have to explicitly allow open ports and/or applications to accept incoming connections. If you don’t want other machines to be able to access your server, don’t open the port allowing the application. Many firewalls will allow you to be more selective about these rules, by allowing incoming requests from certain IP addresses but not others.
If you want to stop other people from accessing network resources hosted by your computer, a firewall is usually a good place to start. You should find that your Ubuntu installation comes with iptables included.
Restrict the remote clients that can access directories in your Apache configuration file:
Please Note: This information describes the use of Apache directives that are now deprecated. Refer to footnote #1.
As you probably already know, in order to get Apache to serve a directory, you have to create a <Directory> section for it in httpd.conf. Within the default configuration file, you will find a section pre-configured to serve DocumentRoot, which will contain some lines that look like this:

    Order allow,deny
    Allow from all

This allows all requests from every client. As you can see, there are two directives there – Allow (which has a complementary directive, Deny). Understanding what these directives do and how they work is essential if you are going to administer an Apache server. They are explained in great detail in the manual pages linked, so I won’t go into it here – let’s just have an example:

    Order deny,allow
    Deny from all
    Allow from 127.0.0.1

Changing the default to this results in every request being denied, unless it originated from 127.0.0.1 – your local machine. Now let’s say you want to allow your friend, whose IP address is 22.214.171.124, to access the page as well – we add an Allow directive for his IP address onto the end of the above configuration:

    Allow from 126.96.36.199

After you set this up, your friend tells you that he owns all the IP addresses between 188.8.131.52, and wants to be able to use any of them to access your server. Instead of creating 8 separate Allow directives, we can define it in one: using CIDR shorthand, we can express this subnet as 184.108.40.206/29, and we can use this in an

    Allow from 220.127.116.11/29

<Directory> sections define rules for a directory and all of its sub-directories, so if you apply a rule to /myDir, the same rules will also apply to /myDir/subDir/subSubDir. But, you can override these rules lower down the tree – so you can create a <Directory> section for /myDir/subDir/subSubDir with different rules. You can also use .htaccess files to define the rules, as long as you enable them with an
As you can see, this method of controlling who is allowed to access your site is both relatively simple to configure, and can provide powerful and flexible rule control.
To answer your question: If other person installed PHP in his PC, what would happen? – nothing. PHP is a server-side scripting language and cannot directly affect anything on any other computer, especially in terms of controlling access to a remote machine.
Footnote #1 06/2012
Just a brief note to mention that the Deny directives have been deprecated in Apache 2.4. This type of access control has now been merged with the standard authentication process and is now provided using Require host and Require local directives as supported by mod_authz_host.
Deny is still provided through mod_access_compat for backwards compatibility, but new configurations for the 2.4 branch and beyond should use the appropriate Require structures and old configurations should be converted to use the new mechanisms as soon as they are migrated. The old control mechanisms will be removed in a future version of Apache.
A document providing an introduction to the usage of the new directives is available here.
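How the Order/Allow/Deny rule sets in the answer above are evaluated, as an added example that is not part of the original answers: a small Python model of the Apache 2.2 semantics that handles only "all", single IPs and CIDR ranges. The function names are hypothetical, and the 192.0.2.8/29 range is a constructed stand-in (documentation address space) for the friend's subnet.

```python
import ipaddress

def _matches(client, spec):
    """True if the client falls under one 'Allow from' / 'Deny from' argument."""
    if spec == "all":
        return True
    # strict=False also accepts a host address written with a prefix length
    return client in ipaddress.ip_network(spec, strict=False)

def is_allowed(order, rules, client_ip):
    """Model of Apache 2.2 Order/Allow/Deny for one client address.

    order: "deny,allow" or "allow,deny"
    rules: list of ("allow" | "deny", spec), spec being "all", an IP or a CIDR
    """
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(client, s) for kind, s in rules if kind == "allow")
    denied = any(_matches(client, s) for kind, s in rules if kind == "deny")
    if order == "deny,allow":
        # Deny is evaluated first, Allow last: Allow wins, no match means allow
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first, Deny last: Deny wins, no match means deny
        return allowed and not denied
    raise ValueError("unknown Order value: %r" % order)

def admitted(order, rules, clients):
    """Return the subset of client addresses the rule set lets through."""
    return [c for c in clients if is_allowed(order, rules, c)]

# Constructed rule sets mirroring the answer's examples
DEFAULT_RULES = [("allow", "all")]                  # Order allow,deny
LOCKED_DOWN = [("deny", "all"),                     # Order deny,allow
               ("allow", "127.0.0.1"),
               ("allow", "192.0.2.8/29")]           # .8 through .15, 8 addresses

# Constructed client addresses: local, inside the /29, just outside it, unrelated
CLIENTS = ["127.0.0.1", "192.0.2.8", "192.0.2.15", "192.0.2.16", "203.0.113.7"]

if __name__ == "__main__":
    print("default    :", admitted("allow,deny", DEFAULT_RULES, CLIENTS))
    print("locked down:", admitted("deny,allow", LOCKED_DOWN, CLIENTS))
    # Same directives under the other Order: Deny from all now wins for everyone
    print("wrong Order:", admitted("allow,deny", LOCKED_DOWN, CLIENTS))
```

The last call shows why the Order line matters: the same Deny and Allow lines under Order allow,deny lock out every client, including 127.0.0.1.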
You’ve put a webserver on a public IP… it’s going to be accessible from anywhere in the world. If you want to keep the server private, you’ll have to configure Apache to NOT listen on the public IP port and set it to respond to 127.0.0.1 only. That’s done via Listen directives in httpd.conf.
Another alternative is to use a firewall to block access to Apache’s ports from anything but authorized IPs.
I would recommend using HTTP Auth to protect the directories you don’t want sharing. That way if you ever do want to share one of them, you can just share login details with the person you want to give access.