Solved How to configure apache server to listen only on loopback NIC?


CaffeineAddict

I've installed Apache server and by default it listens on all interfaces; currently these are loopback and my primary NIC with a local IP, which is used to connect to the default gateway.

How do I configure it so that it listens only on loopback address?
 


To have it only listen on local loopback you would probably have to configure this in your main apache configuration file.
Code:
Listen 127.0.0.1:80
 
List the files in /etc/apache2?
This is the default tree:
tree /etc/apache2
/etc/apache2
├── apache2.conf
├── conf-available
│ ├── charset.conf
│ ├── javascript-common.conf
│ ├── localized-error-pages.conf
│ ├── other-vhosts-access-log.conf
│ ├── security.conf
│ └── serve-cgi-bin.conf
├── conf-enabled
│ ├── charset.conf -> ../conf-available/charset.conf
│ ├── localized-error-pages.conf -> ../conf-available/localized-error-pages.conf
│ ├── other-vhosts-access-log.conf -> ../conf-available/other-vhosts-access-log.conf
│ ├── security.conf -> ../conf-available/security.conf
│ └── serve-cgi-bin.conf -> ../conf-available/serve-cgi-bin.conf
├── envvars
├── magic
├── mods-available
│ ├── access_compat.load
│ ├── actions.conf
│ ├── actions.load
│ ├── alias.conf
│ ├── alias.load
│ ├── allowmethods.load
│ ├── asis.load
│ ├── auth_basic.load
│ ├── auth_digest.load
│ ├── auth_form.load
│ ├── authn_anon.load
│ ├── authn_core.load
│ ├── authn_dbd.load
│ ├── authn_dbm.load
│ ├── authn_file.load
│ ├── authn_socache.load
│ ├── authnz_fcgi.load
│ ├── authnz_ldap.load
│ ├── authz_core.load
│ ├── authz_dbd.load
│ ├── authz_dbm.load
│ ├── authz_groupfile.load
│ ├── authz_host.load
│ ├── authz_owner.load
│ ├── authz_user.load
│ ├── autoindex.conf
│ ├── autoindex.load
│ ├── brotli.load
│ ├── buffer.load
│ ├── cache_disk.conf
│ ├── cache_disk.load
│ ├── cache.load
│ ├── cache_socache.load
│ ├── cern_meta.load
│ ├── cgid.conf
│ ├── cgid.load
│ ├── cgi.load
│ ├── charset_lite.load
│ ├── data.load
│ ├── dav_fs.conf
│ ├── dav_fs.load
│ ├── dav.load
│ ├── dav_lock.load
│ ├── dbd.load
│ ├── deflate.conf
│ ├── deflate.load
│ ├── dialup.load
│ ├── dir.conf
│ ├── dir.load
│ ├── dump_io.load
│ ├── echo.load
│ ├── env.load
│ ├── expires.load
│ ├── ext_filter.load
│ ├── file_cache.load
│ ├── filter.load
│ ├── headers.load
│ ├── heartbeat.load
│ ├── heartmonitor.load
│ ├── http2.conf
│ ├── http2.load
│ ├── ident.load
│ ├── imagemap.load
│ ├── include.load
│ ├── info.conf
│ ├── info.load
│ ├── lbmethod_bybusyness.load
│ ├── lbmethod_byrequests.load
│ ├── lbmethod_bytraffic.load
│ ├── lbmethod_heartbeat.load
│ ├── ldap.conf
│ ├── ldap.load
│ ├── log_debug.load
│ ├── log_forensic.load
│ ├── lua.load
│ ├── macro.load
│ ├── md.load
│ ├── mime.conf
│ ├── mime.load
│ ├── mime_magic.conf
│ ├── mime_magic.load
│ ├── mpm_event.conf
│ ├── mpm_event.load
│ ├── mpm_prefork.conf
│ ├── mpm_prefork.load
│ ├── mpm_worker.conf
│ ├── mpm_worker.load
│ ├── negotiation.conf
│ ├── negotiation.load
│ ├── proxy_ajp.load
│ ├── proxy_balancer.conf
│ ├── proxy_balancer.load
│ ├── proxy.conf
│ ├── proxy_connect.load
│ ├── proxy_express.load
│ ├── proxy_fcgi.load
│ ├── proxy_fdpass.load
│ ├── proxy_ftp.conf
│ ├── proxy_ftp.load
│ ├── proxy_hcheck.load
│ ├── proxy_html.conf
│ ├── proxy_html.load
│ ├── proxy_http2.load
│ ├── proxy_http.load
│ ├── proxy.load
│ ├── proxy_scgi.load
│ ├── proxy_uwsgi.load
│ ├── proxy_wstunnel.load
│ ├── ratelimit.load
│ ├── reflector.load
│ ├── remoteip.load
│ ├── reqtimeout.conf
│ ├── reqtimeout.load
│ ├── request.load
│ ├── rewrite.load
│ ├── sed.load
│ ├── session_cookie.load
│ ├── session_crypto.load
│ ├── session_dbd.load
│ ├── session.load
│ ├── setenvif.conf
│ ├── setenvif.load
│ ├── slotmem_plain.load
│ ├── slotmem_shm.load
│ ├── socache_dbm.load
│ ├── socache_memcache.load
│ ├── socache_redis.load
│ ├── socache_shmcb.load
│ ├── speling.load
│ ├── ssl.conf
│ ├── ssl.load
│ ├── status.conf
│ ├── status.load
│ ├── substitute.load
│ ├── suexec.load
│ ├── unique_id.load
│ ├── userdir.conf
│ ├── userdir.load
│ ├── usertrack.load
│ ├── vhost_alias.load
│ └── xml2enc.load
├── mods-enabled
│ ├── access_compat.load -> ../mods-available/access_compat.load
│ ├── alias.conf -> ../mods-available/alias.conf
│ ├── alias.load -> ../mods-available/alias.load
│ ├── auth_basic.load -> ../mods-available/auth_basic.load
│ ├── authn_core.load -> ../mods-available/authn_core.load
│ ├── authn_file.load -> ../mods-available/authn_file.load
│ ├── authz_core.load -> ../mods-available/authz_core.load
│ ├── authz_host.load -> ../mods-available/authz_host.load
│ ├── authz_user.load -> ../mods-available/authz_user.load
│ ├── autoindex.conf -> ../mods-available/autoindex.conf
│ ├── autoindex.load -> ../mods-available/autoindex.load
│ ├── deflate.conf -> ../mods-available/deflate.conf
│ ├── deflate.load -> ../mods-available/deflate.load
│ ├── dir.conf -> ../mods-available/dir.conf
│ ├── dir.load -> ../mods-available/dir.load
│ ├── env.load -> ../mods-available/env.load
│ ├── filter.load -> ../mods-available/filter.load
│ ├── mime.conf -> ../mods-available/mime.conf
│ ├── mime.load -> ../mods-available/mime.load
│ ├── mpm_event.conf -> ../mods-available/mpm_event.conf
│ ├── mpm_event.load -> ../mods-available/mpm_event.load
│ ├── negotiation.conf -> ../mods-available/negotiation.conf
│ ├── negotiation.load -> ../mods-available/negotiation.load
│ ├── reqtimeout.conf -> ../mods-available/reqtimeout.conf
│ ├── reqtimeout.load -> ../mods-available/reqtimeout.load
│ ├── setenvif.conf -> ../mods-available/setenvif.conf
│ ├── setenvif.load -> ../mods-available/setenvif.load
│ ├── status.conf -> ../mods-available/status.conf
│ └── status.load -> ../mods-available/status.load
├── ports.conf
├── sites-available
│ ├── 000-default.conf
│ └── default-ssl.conf
└── sites-enabled
    └── 000-default.conf -> ../sites-available/000-default.conf
 
That's probably the file where you have to define it.
Upon restarting service I get this:

Bash:
sudo systemctl status apache2
× apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Fri 2024-09-20 16:01:25 CEST; 2min 31s ago
   Duration: 2h 29min 53.833s
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 14853 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
        CPU: 54ms

ruj 20 16:01:25 msi systemd[1]: Starting apache2.service - The Apache HTTP Server...
ruj 20 16:01:25 msi apachectl[14856]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
ruj 20 16:01:25 msi apachectl[14856]: (98)Address already in use: AH00072: make_sock: could not bind to address 127.0.0.1:80
ruj 20 16:01:25 msi apachectl[14856]: no listening sockets available, shutting down
ruj 20 16:01:25 msi apachectl[14856]: AH00015: Unable to open logs
ruj 20 16:01:25 msi apachectl[14853]: Action 'start' failed.
ruj 20 16:01:25 msi apachectl[14853]: The Apache error log may have more information.
ruj 20 16:01:25 msi systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
ruj 20 16:01:25 msi systemd[1]: apache2.service: Failed with result 'exit-code'.
ruj 20 16:01:25 msi systemd[1]: Failed to start apache2.service - The Apache HTTP Server.
 
Upon restarting service I get this:
I don't currently have a Debian vm installed but on my Rocky Linux it works.
Code:
[root@ansible ~]# ss -tulpn | grep 80   
tcp   LISTEN 0      511        127.0.0.1:80        0.0.0.0:*    users:(("httpd",pid=2010,fd=3),("httpd",pid=2009,fd=3),("httpd",pid=2008,fd=3),("httpd",pid=2006,fd=3))
Check what's already running on port 80?
 
I will install a Debian vm and try it myself.
 
Check what's already running on port 80?
I did check but nothing is listening on 80:

Bash:
sudo ss -tunlp
Netid            State             Recv-Q            Send-Q                         Local Address:Port                          Peer Address:Port            Process                                             
udp              UNCONN            0                 0                                    0.0.0.0:39309                              0.0.0.0:*                users:(("firefox-bin",pid=2927,fd=189))           
udp              UNCONN            0                 0                               192.168.3.44:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=17))                 
udp              UNCONN            0                 0                                  127.0.0.1:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=15))                 
udp              UNCONN            0                 0                               192.168.3.44:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=13))                 
udp              UNCONN            0                 0                                  127.0.0.1:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=11))                 
udp              UNCONN            0                 0                               192.168.3.44:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=9))                 
udp              UNCONN            0                 0                                  127.0.0.1:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=7))                 
udp              UNCONN            0                 0                               192.168.3.44:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=5))                 
udp              UNCONN            0                 0                                  127.0.0.1:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=3))                 
tcp              LISTEN            0                 4096                               127.0.0.1:9050                               0.0.0.0:*                users:(("tor",pid=2393,fd=6))                     
tcp              LISTEN            0                 256                                127.0.0.1:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=16))                 
tcp              LISTEN            0                 256                                127.0.0.1:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=12))                 
tcp              LISTEN            0                 256                                127.0.0.1:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=8))                 
tcp              LISTEN            0                 256                                127.0.0.1:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=4))                 
tcp              LISTEN            0                 256                             192.168.3.44:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=18))                 
tcp              LISTEN            0                 256                             192.168.3.44:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=14))                 
tcp              LISTEN            0                 256                             192.168.3.44:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=10))                 
tcp              LISTEN            0                 256                             192.168.3.44:53                                 0.0.0.0:*                users:(("unbound",pid=1430,fd=6))
 
I did check but nothing is listening on 80:
Debian uses a different file now; you need to remove it from /etc/apache2/apache2.conf and place it here.
Code:
root@debian:/etc/apache2# grep ^Listen ports.conf       
Listen 127.0.0.1:80
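
The fix above can be checked mechanically. The following is an added example, not code from the thread: it scans a config directory for `Listen` directives, reports those bound to something other than loopback, and flags ports that have both a port-only and an address-specific `Listen`, which is one way to get the `Address already in use` failure with nothing else on the port. The sample trees and function names are constructed for illustration, and the port-only `Listen 80` in the "before" ports.conf is an assumption the thread does not show.

```bash
# Added example: textual audit of Apache Listen directives (ignores IfModule/Include logic).

# Print "file<TAB>address<TAB>port" for every Listen directive in *.conf files.
# A port-only "Listen 80" binds all interfaces and is reported as address "*".
listen_directives() {
    find "$1" -type f -name '*.conf' | sort | while read -r f; do
        awk -v f="$f" 'tolower($1) == "listen" {
            addr = "*"; port = $2
            if ($2 ~ /:[0-9]+$/) {            # addr:port or [v6]:port form
                sub(/^.*:/, "", port)
                addr = $2; sub(/:[0-9]+$/, "", addr)
            }
            print f "\t" addr "\t" port
        }' "$f"
    done
}

# Listen directives reachable from other hosts (not 127.0.0.0/8 and not ::1).
exposed_listens() {
    listen_directives "$1" | awk -F'\t' '$2 !~ /^127\./ && $2 != "[::1]"'
}

# Ports with both a wildcard and an address-specific Listen. Apache treats
# overlapping Listen directives as fatal, and the bind error it logs is
# "(98)Address already in use" even when no other process holds the port.
overlapping_ports() {
    listen_directives "$1" | awk -F'\t' '
        $2 == "*" || $2 == "0.0.0.0" { wild[$3] = 1; next }
        { specific[$3] = 1 }
        END { for (p in wild) if (p in specific) print p }' | sort -n
}

# Constructed sample trees, not the poster's files. "before": directive added to
# apache2.conf while ports.conf keeps a port-only Listen (assumed content).
# "after": loopback Listen in ports.conf; the indented Listen 443 is still listed.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/before" "$d/after"
    ssl='<IfModule ssl_module>\n\tListen 443\n</IfModule>\n'
    printf 'Listen 127.0.0.1:80\n' > "$d/before/apache2.conf"
    printf "Listen 80\n$ssl" > "$d/before/ports.conf"
    printf '# no Listen directive here\n' > "$d/after/apache2.conf"
    printf "Listen 127.0.0.1:80\n$ssl" > "$d/after/ports.conf"
    echo "$d"
}

sample=$(make_sample)
echo "before: overlapping port(s): $(overlapping_ports "$sample/before")"
echo "after:  still exposed:"; exposed_listens "$sample/after"
rm -rf "$sample"
```

The `Listen 443` inside `<IfModule ssl_module>` only takes effect once mod_ssl is enabled, and because it is indented a `grep ^Listen` does not show it. On a live Debian system, point the functions at /etc/apache2 and confirm the result with `ss -tlnp` after restarting the service.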
 
@f33dm3bits
Works flawlessly, thank you very much for your time to investigate!

I'm a total noob when it comes to anything related to the web; there are a lot of docs to read on Apache alone, and I haven't even touched site development yet.

The reason I want loopback-only access to the server is to prevent accidental or deliberate routing over the default gateway.
 
