How to do an Apache htaccess ban by IP with some exceptions? - apache

P.S.: Sorry, and please be lenient with my English.
I have a situation where some IPs must be blocked, and the best way I can think of for this is htaccess, because I have many entry points. It is easy and works fine...
I do:
<Files *>
Order allow,deny
deny from aaa.aaa.aaa.aaa/aa
deny from bbb.bbb.bbb.bbb/bb
Allow from all
</Files>
BUT! There is one more thing. I have a few devices which should be allowed access even if they come through a denied IP.
I can't install any modules for Apache, so I need a simple way to solve it.
Can someone give me some ways or tricks for it?

You need some way of identifying those devices, then you can add an environment variable to set up an exception and use access control by environment variable. For example, if you can do it by user-agent:
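SetEnvIf User-Agent SpecialUA UAException=1
<Files *>
# Deny,Allow: a matching Allow overrides a matching Deny; unmatched requests are allowed
Order deny,allow
Deny from aaa.aaa.aaa.aaa/aa
Deny from bbb.bbb.bbb.bbb/bb
# Exception: requests for which SetEnvIf set UAException
Allow from env=UAException
</Files>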
See also SetEnvIf. I am linking to Apache 2.2 docs since you are using the old syntax which has been updated in 2.4.
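How the two `Order` settings treat a denied address that carries the exception variable, as an added example that models the Apache 2.2 evaluation rules in Python (not code from the answer or from Apache). `access_allowed` is a hypothetical helper and the networks are constructed documentation ranges.

```python
# Added example: a model of Apache 2.2 mod_authz_host evaluation (not Apache code).
import ipaddress

# Constructed rules mirroring the page's config; the networks are
# documentation ranges standing in for aaa.aaa.aaa.aaa/aa and bbb.bbb.bbb.bbb/bb.
RULES = [
    ("deny", "192.0.2.0/24"),
    ("deny", "198.51.100.0/24"),
    ("allow", "env=UAException"),
]


def _matches(spec, client_ip, env):
    """True if one Allow/Deny argument matches the request."""
    if spec == "all":
        return True
    if spec.startswith("env="):
        return spec[4:] in env  # env=NAME matches when the variable is set
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec)


def access_allowed(order, rules, client_ip, env=()):
    """Hypothetical helper: evaluate Order/Allow/Deny the way 2.2 documents it."""
    allow = any(_matches(s, client_ip, env) for kind, s in rules if kind == "allow")
    deny = any(_matches(s, client_ip, env) for kind, s in rules if kind == "deny")
    if order == "allow,deny":
        # Must match an Allow and no Deny; Deny wins, default is deny.
        return allow and not deny
    if order == "deny,allow":
        # A matching Allow overrides a matching Deny; default is allow.
        return allow or not deny
    raise ValueError("unsupported Order: " + order)


if __name__ == "__main__":
    with_all = RULES + [("allow", "all")]
    for order, rules in (("allow,deny", with_all), ("deny,allow", RULES)):
        for ip, env in (("192.0.2.10", ()), ("192.0.2.10", ("UAException",)),
                        ("203.0.113.5", ())):
            print(order, ip, list(env), access_allowed(order, rules, ip, env))
```

The exception is only as strong as the header it keys on: User-Agent is supplied by the client.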

Related

Configure Apache to restrict a page to a subnet

I am trying to configure an Apache Server version 2.4 to restrict external users from accessing some pages.
I have something that looks like this, but it is not very conclusive, since the page is forbidden for everybody:
<Directory /var/www/html/folder>
<Files *.php>
Require ip x.x.x.x/24
</Files>
</Directory>
I tried other syntaxes for subnets (x.x.x, x.x.x.0 ...); nothing seemed to work.
What's the correct way to do this? Thank you

Access Control Apache

Just having trouble setting an access control in Apache. I want to deny access to a specific IP address for a section of my website. So when this IP address accesses my site, they shouldn't be able to see the "test" section of the website.
This is what I have done inside the httpd.conf file:
<Directory /test>
Order Allow,Deny
Allow from all
Deny from 10.13.89.47
</Directory>
Please can someone tell me what I am doing wrong?
Thanks
Based on the information you have provided, your document root is '/' (very dangerous) or you've not understood how the 'Directory' tag works. I would expect the tag to look something more like:
<Directory /srv/www/htdocs/test>
I have used something else to get it working.
<Location /test>
Order Allow,Deny
Allow from all
Deny from 10.13.89.47
</Location>

How to block access to a particular route in .htaccess file

I need to block access to a particular route in my web application using a .htaccess file for everyone except a list of IPs. When I say block and whitelist IPs, I want to use the following on a particular route:
order deny,allow
deny from all
allow from 1.1.1.1
allow from 2.2.2.2
I tried using the Location directive, but it is not allowed in .htaccess.
I do not have access to the server config file since it is a managed hosting provider.
The route I want to block is, for example: http://www.example.com/route1
Is there a way?
Thanks for the help in advance
You can definitely achieve this using multiple methods.
.htaccess files:
<files route1>
order deny,allow
deny from all
allow from my.ip.address
</files>
If you are looking at whitelisting multiple IPs, I would suggest the following method:
<Files myfile.php>
order deny,allow
deny from all
allow from env=allowip
#Office 1
#132.11.32.222
SetEnvIf X-FORWARDED-FOR "^132\.11\.32\.222" allowip
#Office 2
#142.11.32.222
SetEnvIf X-FORWARDED-FOR "^142\.11\.32\.222" allowip
</Files>

htaccess deny from *.ru or deny from .ru

I am aware that blocking by host extension can cause unwanted server load, but which is correct? For example...
deny from *.ru
or
deny from .ru
It's deny from .ru, according to the Apache 2.2 mod_authz documentation, which says the host syntax is identical to Allow. They provide an example:
Allow from apache.org
Allow from .net example.edu

Upgrading httpd.conf from version 2.2 to 2.4

I have a problem, I accidentally upgraded from Apache 2.2 to 2.4 and now need to change my httpd.conf file to use the new Require directives instead of using the old Order and Allow directives. I think I have made all the changes I need to but there is one section I am not sure what I should replace it with. This is the section:
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
This combination of Order, Deny and Satisfy confuses me as I am a newb at this. What is the proper 2.4 configuration to accomplish the same thing? I have tried googling an answer and searched this site but haven't found anything (perhaps using the wrong terms - I don't know). If some guru out there could provide some help, that would be greatly appreciated.
Thanks!
The idioms have changed in Apache 2.4.
Read through "Upgrading to 2.4 from 2.2" at http://httpd.apache.org/docs/trunk/upgrading.html
Look for these entries:
2.2 configuration:
Order deny,allow
Deny from all
2.4 configuration:
Require all denied
In your case Satisfy All is not needed anymore:
v2.2:
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
v2.4:
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
I know this question was asked in 2014, but this solution is too good not to be published here...
On the old 2.2 Apache, I prepare the migration with:
<Location />
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
order allow,deny
allow from all
</IfVersion>
</Location>
Depending on the Apache version, the correct configuration syntax will be used. And it does not matter if you run 2.2 or 2.4.
Here's what I did to get Apache back up and running after upgrading:
Use the newly installed apache2.conf file in the 'etc/apache2' directory. This will clear up quite a few errors. The new file has the new 'Require' syntax built in.
In the apache2.conf file the 'default' directory path is 'var/www'. Mine was different so I was pulling my hair out until I noticed it.
Change all your VH files in the 'sites-available' directory, e.g. xyzsite.com.conf (add '.conf' to the files). Same with the default file. You'll have to change the 'Require' syntax in this file as Henk points out.
The httpd.conf is simply not used, so if you have one you might as well delete it to avoid confusion in the future.
Hope this helps.