20

Because the amount of data my web app needs to load isn't small, it gets pretty slow at times, so I decided to add some jQuery AJAX functions to load certain data upon request and then save it in a cache.

What I would like to know is how I can limit any GET or POST requests to only localhost/same server/same IP, so I can avoid any calls to my app from outside.

That means that my PHP functions that return data should return data only if requested from localhost.

My web app runs on the CodeIgniter framework and my web server is a LAMP stack running on Ubuntu.

Any ideas?

Alex

4 Answers

29

In the constructor you could use:

// Reject the request unless its source address is the server's own address.
if ($_SERVER['SERVER_ADDR'] != $_SERVER['REMOTE_ADDR']) {
  $this->output->set_status_header(400, 'No Remote Access Allowed');
  exit; // just for good measure
}

However, if this method isn't what you're looking for, use .htaccess. A quick Google search will return a specific example for denying GET/POST to all and then allowing 127.0.0.1/localhost.

NDBoost
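The check above compares the TCP source address of the request with the server's own address. As an added example (not code from the answer or from CodeIgniter), here is a plain-PHP version that can be run against a constructed `$_SERVER` array; the function names, the `$allowed` parameter and the choice of a 403 status are assumptions of this example. It makes two properties of the approach explicit: only exact address matches are accepted, so a browser on another machine (or another Docker container, as in the comments below) is rejected, and forwarding headers such as `X-Forwarded-For` are ignored because any client can set them.

```php
<?php
// Added example, not from the answer above: the SERVER_ADDR / REMOTE_ADDR check
// as a testable function. Names and the $allowed list are assumptions.

/**
 * True when the request's source address is the server's own address, the
 * IPv4/IPv6 loopback address, or one of the explicitly allowed addresses.
 * Only exact string matches count: no CIDR ranges, and no trust in
 * X-Forwarded-For or similar headers, which the caller controls.
 */
function is_local_request(array $server, array $allowed = []): bool
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($remote === '') {
        return false; // no source address: we cannot vouch for the caller
    }
    $trusted = array_merge(['127.0.0.1', '::1'], $allowed);
    if (($server['SERVER_ADDR'] ?? '') !== '') {
        $trusted[] = $server['SERVER_ADDR'];
    }
    return in_array($remote, $trusted, true);
}

/** Stop with a 403 unless the caller is local. Intended for a controller constructor. */
function require_local_request(array $server, array $allowed = []): void
{
    if (!is_local_request($server, $allowed)) {
        http_response_code(403);
        header('Content-Type: text/plain');
        echo 'No remote access allowed';
        exit;
    }
}

// Constructed sample requests (not real traffic) for a quick self-check:
// run with `php thisfile.php`.
$cases = [
    ['REMOTE_ADDR' => '127.0.0.1',   'SERVER_ADDR' => '10.0.0.5'], // loopback
    ['REMOTE_ADDR' => '::1',         'SERVER_ADDR' => '10.0.0.5'], // IPv6 loopback
    ['REMOTE_ADDR' => '10.0.0.5',    'SERVER_ADDR' => '10.0.0.5'], // same host via its LAN address
    ['REMOTE_ADDR' => '172.18.0.3',  'SERVER_ADDR' => '10.0.0.5'], // another container on the host
    ['REMOTE_ADDR' => '203.0.113.9', 'SERVER_ADDR' => '10.0.0.5',
     'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],                       // spoofed forwarding header
];
foreach ($cases as $case) {
    printf("%-12s -> %s\n", $case['REMOTE_ADDR'],
        is_local_request($case) ? 'allowed' : 'denied');
}
```

Inside a CodeIgniter controller the `$this->output->set_status_header()` call from the answer can replace `http_response_code()`; the decision logic is the same. The fourth sample shows why the Docker setup discussed in the comments fails this check: the container's address is neither loopback nor the server's address, so it would have to be passed in `$allowed` explicitly.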
10

Using .htaccess is probably the best way, allow only from your local address and 127.0.0.1. I found this example at petergasser.com and changed it only slightly:

AuthName "bla"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 127.0.0.1
allow from <your-ip-here>
</Limit>
h00ligan
  • That's weird... I'm getting Forbidden, maybe a problem with Docker? Different IP? – Marcelo Agimóvel Nov 22 '17 at 06:51
  • It shouldn't make a difference as long as both Apache and the application making the request are on the same host. Of course you have to make sure that Apache is listening on the IP addresses in question. – h00ligan Nov 25 '17 at 14:14
  • I believe Docker is using some other IP like 172.18.0.3 or something; it doesn't work. But if I use my LAN address in "allow from", it works. – Marcelo Agimóvel Nov 27 '17 at 11:08
  • In that case you're not actually connecting from localhost, as the Docker container is a host of its own. – h00ligan Nov 28 '17 at 14:51
  • Thank you, I believe I got the solution by using CSRF tokens in CodeIgniter. Do you think I still need this improvement we are talking about? – Marcelo Agimóvel Nov 28 '17 at 17:01
  • No, you shouldn't need this solution if you're using tokens or API keys as slash197 suggests below. In fact I'd say tokens or API keys are a better solution. – h00ligan Nov 29 '17 at 09:55
3

I use it like this, thanks to @gorelative:

// Deny the request when a source address is present and it is not the server's own address.
if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] !== $_SERVER['SERVER_ADDR']) {
    die('Access Denied, Your IP: ' . $_SERVER['REMOTE_ADDR']);
}
Fthr
3

Use a key (think of API keys) to send along the request to your server. Then on your server you check that key and if it's the right one you return data.

slash197
  • Why would that be an advantage over Mike's or h00ligan's solution? – Alex Mar 26 '12 at 13:22
  • It doesn't have an advantage over the other solutions, except in the case where you would return different data based on where the call came from. – slash197 Mar 26 '12 at 13:33
  • Thanks @slash197, but I'm going to stick to the solutions mentioned above for now. Anyway, do you have any good article where I can read something about your solution? – Alex Mar 26 '12 at 13:35
  • This could be a better solution in cases where you're either not using Apache (my solution is for Apache only) or where you want to enable access from other machines and don't want to list all the IP addresses, or the addresses are dynamic. – h00ligan Aug 10 '16 at 07:15
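As an added example of the key-based approach from slash197's answer and the CSRF-token comment above (not code from either author or from CodeIgniter), the following issues a per-session key, embeds it in the page for jQuery to send back, and checks it in the data endpoint. The function names, the session key `ajax_key` and the `X-Request-Key` header are assumptions of this example. Unlike an address check, the key ties the request to a page this server served to this session, so it works regardless of the client's IP, including from a Docker container or behind a proxy; it stays secret only if the page and the AJAX calls travel over HTTPS.

```php
<?php
// Added example, not from the answer above: a per-session request key.
// Names ('ajax_key', X-Request-Key, the function names) are assumptions.

/** Generate a fresh, unguessable key: 32 random bytes, hex-encoded. */
function issue_request_key(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Compare the presented key with the stored one. hash_equals() runs in
 * constant time, so a wrong key cannot be guessed byte by byte from
 * response timing. Missing or empty keys are always rejected.
 */
function request_key_is_valid(?string $stored, ?string $presented): bool
{
    if ($stored === null || $stored === '' || $presented === null) {
        return false;
    }
    return hash_equals($stored, $presented);
}

/** Read the key jQuery sends in the X-Request-Key header from a $_SERVER-style array. */
function presented_key(array $server): ?string
{
    return $server['HTTP_X_REQUEST_KEY'] ?? null;
}

// --- In the page that loads the app (one key per session) ---
// session_start();
// if (empty($_SESSION['ajax_key'])) {
//     $_SESSION['ajax_key'] = issue_request_key();
// }
// echo '<meta name="ajax-key" content="'
//     . htmlspecialchars($_SESSION['ajax_key'], ENT_QUOTES) . '">';
//
// --- jQuery side: attach the key to every AJAX call ---
// $.ajaxSetup({ headers: { 'X-Request-Key': $('meta[name="ajax-key"]').attr('content') } });
//
// --- In the data endpoint (the controller method that returns JSON) ---
// session_start();
// if (!request_key_is_valid($_SESSION['ajax_key'] ?? null, presented_key($_SERVER))) {
//     http_response_code(403);
//     exit('Missing or invalid request key');
// }

// Self-check with constructed values (run with `php thisfile.php`).
$stored = issue_request_key();
$checks = [
    'matching key'   => request_key_is_valid($stored, $stored),
    'wrong key'      => request_key_is_valid($stored, strrev($stored)),
    'missing header' => request_key_is_valid($stored, presented_key([])),
    'header present' => request_key_is_valid($stored, presented_key(['HTTP_X_REQUEST_KEY' => $stored])),
];
foreach ($checks as $label => $ok) {
    printf("%-15s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

The key is generated once per session and never logged or echoed into error messages, and the endpoint reads it only from the request header, not from the query string, so it does not end up in access logs or browser history. CodeIgniter's own CSRF protection, mentioned in the comments above, implements the same idea with a token stored in a cookie and checked on POST.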