Can other users access my files if I downloaded PHP / MySQL?

I have university internet access. It has an IP, say 220.81.184.12. I have a project called, let's say, MyProject (this is a folder). When I enter 220.81.184.12/MyProject, it launches my site. Does this mean that everyone at the university can access my folder and site? I use Ubuntu and installed PHP and MySQL. I can also access phpMyAdmin via the IP, e.g. 220.81.184.12/phpmyadmin.

So what is going on?

EDIT: And what does that mean? If another person installed PHP on their PC, what would happen?

+7
3 answers

There is enough to cover here, so let's dive into it...

As Marc B mentioned, if you set up the web server on an open IP address, everyone on the Internet can access it. That does not necessarily mean you are in this situation: you say that you are on a university network, and you will most likely find that they implement some form of local network with NAT and/or a firewall between your PC and the Internet. However, you may still find that everything on the university network (or at least your segment - see subnet and VLAN) has access to your web server.


What can you do to prevent this?

This is by no means a complete list, but here are some of the most commonly used approaches to monitoring web server security.

Set up the web server to listen only on localhost (Marc B has already covered this, but to clarify):

The main Apache configuration file, httpd.conf, uses the Listen directive to determine which listening sockets to create and bind at startup. By default this is usually Listen 80, which means that the server will listen on TCP port 80 at every IP address registered on the machine. Those IP addresses will be 127.0.0.1, the loopback address, and any IP addresses associated with the network interfaces you have set up, for example the 220.81.184.12 from your example.

You can change this directive to be more restrictive. For example, if you want to accept connections only from the local machine, you can change it to Listen 127.0.0.1:80. Having done so, you can access your web server from your local computer at http://127.0.0.1/, http://localhost/ and http://220.81.184.12/ - yes, you can still use any address associated with the machine, because of how the loopback works - but no other machine anywhere in the world can directly access it using any address.

Configure a firewall to block connections from other computers:

By default, all firewalls block every incoming request, and you must explicitly open ports and/or allow applications to accept incoming connections. If you do not want other computers to have access to your server, do not open the port or allow the application. Many firewalls let you be more selective about these rules by allowing incoming requests from specific IP addresses but not others.

If you want other people not to access network resources hosted on your computer, a firewall is usually a good place to start. You should find that your Ubuntu installation comes with iptables enabled.

Limit the remote clients that can access directories in the Apache configuration file:
Please note: this information describes the use of Apache directives that are now deprecated. See Footnote No. 1

As you probably already know, for Apache to serve a directory you need to create a <Directory> section for it in httpd.conf. In the default configuration file you will find a section pre-configured to serve DocumentRoot, which contains some lines that look like this:

    Order allow,deny
    Allow from all

This allows all requests from every client. As you can see, there are two directives: Order and Allow (which has a counterpart directive, Deny). Understanding what these directives do and how they work is important if you intend to manage your Apache server. They are explained in detail on the linked manual pages, so I will not go into it here - let's just give an example:

    Order deny,allow
    Deny from all
    Allow from 127.0.0.1

Changing the defaults this way causes every request to be rejected unless it originates from 127.0.0.1 - your local computer. Now let's say you want your friend, whose IP address is 172.32.64.218, to also be able to access the page: we add an Allow directive for his IP address to the end of the above configuration:

    Allow from 172.32.64.218

After you set this up, your friend tells you that he owns all the IP addresses between 172.32.64.216 and 172.32.64.223 and wants to be able to use any of them to access your server. Instead of creating 8 separate Allow directives, we can define them in one: using CIDR, we can express this subnet as 172.32.64.216/29 and use that in the Allow directive:

    Allow from 172.32.64.216/29

The <Directory> sections define the rules for a directory and all its subdirectories, so if you apply a rule to /myDir, the same rules apply to /myDir/subDir and /myDir/subDir/subSubDir. But you can override these rules further down the tree - so you can create a <Directory> section for /myDir/subDir/subSubDir with different rules. You can also use .htaccess files to define rules if you allow them using AllowOverride.

As you can see, this method of managing who is allowed access to your site is relatively easy to configure and can provide powerful and flexible control of the rules.


To answer your question "If another person installed PHP on his PC, what would happen?" - nothing. PHP is a server-side scripting language and cannot directly affect anything on any other computer, especially in terms of access control to a remote machine.


Footnote No. 1 06/2012

In short, the Order, Allow and Deny directives are deprecated in Apache 2.4. This type of access control is now combined with the standard authentication process and is provided using the Require ip, Require host and Require local directives supported by mod_authz_host.

Support for Order, Allow and Deny is still provided through mod_access_compat for backward compatibility, but new configurations for 2.4 or later should use the appropriate Require constructs, and old configurations should be converted to the new mechanisms as soon as they are ported. The old mechanisms will be removed in a future version of Apache.

A document introducing the new directives is available here.

+38
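To make the Order/Allow/Deny semantics described in this answer concrete, here is an added example (not code from the original answer) that evaluates such a rule set against a client address and expands the /29 block; FRIEND_RULES reproduces the answer's final configuration, and host-name rules are not modelled.

```python
"""Evaluate Apache 2.2-style Order/Allow/Deny rules for a client address.

Added example, not code from the original answer; it models the deprecated
mod_access_compat semantics the answer describes. Host-name rules are not
modelled.
"""
import ipaddress


def _matches(arg, client):
    """True if one Allow/Deny argument ("all", an IP or a CIDR) covers client."""
    return arg.lower() == "all" or client in ipaddress.ip_network(arg, strict=False)


def access_allowed(directives, client_ip):
    """Return True if the <Directory> directive list lets client_ip in.

    Order allow,deny: no match -> denied;  match on both sides -> denied.
    Order deny,allow: no match -> allowed; match on both sides -> allowed.
    Apache's default when Order is absent is deny,allow.
    """
    client = ipaddress.ip_address(client_ip)
    order, allowed, denied = "deny,allow", False, False
    for line in directives:
        parts = line.split()
        if len(parts) < 2:
            continue
        name = parts[0].lower()
        if name == "order":
            order = parts[1].lower()
        elif name in ("allow", "deny") and parts[1].lower() == "from":
            hit = any(_matches(arg, client) for arg in parts[2:])
            if name == "allow":
                allowed = allowed or hit
            else:
                denied = denied or hit
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError("unsupported Order value: " + order)


def cidr_addresses(cidr):
    """Expand a block such as the answer's 172.32.64.216/29 into its 8 addresses."""
    return [str(a) for a in ipaddress.ip_network(cidr, strict=False)]


# The answer's final rule set: reject everything except localhost and the
# friend's /29 block (172.32.64.216 to 172.32.64.223).
FRIEND_RULES = ["Order deny,allow", "Deny from all",
                "Allow from 127.0.0.1", "Allow from 172.32.64.216/29"]
```

Calling access_allowed(FRIEND_RULES, "220.81.184.12") returns False while "172.32.64.220" returns True, which is the behaviour the answer's configuration is meant to produce.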

You have hosted the web server on a public IP address... it will be accessible from anywhere in the world. If you want the server to be closed off, you need to configure Apache to NOT listen on the public IP port, and configure it to respond only to 127.0.0.1. This is done using the Listen directives in httpd.conf.

Another alternative is to use a firewall to block access to Apache ports from any permitted IP addresses.

+14

I would recommend using HTTP Auth to protect directories that you do not want to use. That way, if you ever want to share one of them, you can simply share the login details with the person you want to give access to.

PHP runs on the server itself. It is just a way to generate HTML; it is not a client-side scripting language like JavaScript, which runs in the client's browser.

0
