Block traffic from specific ISPs/Botnetworks? - apache

I am getting a lot of traffic from cloud server providers / bots.
How can I completely block these ISPs?
With a .htaccess?

Use the Deny directive. For example, Deny from 10.1.2.0/24.

Related

Allow Rest API to respond only to a specific server

I have a simple REST API endpoint which will respond to requests from outside. Now I want to secure it. I only want my endpoint to respond to requests which come from my server (host).
What would be the easiest way to do this?
Can we trust HTTP_REFERER?
Please help.
Thanks in advance
You can deny/allow IPs using .htaccess
<files api.php>
order deny,allow
deny from all
# Your server IP
allow from 0.0.0.0
# Your client IP
allow from 0.0.0.0
# Your client's other IP
allow from 0.0.0.0
</files>
Hope this helps
Can we trust HTTP_REFERER?
No. The Referer is sent by the client, so it can be anything and cannot be trusted. You can, however, try checking REMOTE_ADDR against allowed IPs, or, if you do not assign IPs per user, you can simply set up a firewall using e.g. iptables, use .htaccess with proper Allow/Deny entries, or use any other software that controls the traffic before it reaches your API. This will allow you to decouple this feature from the main API.
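The REMOTE_ADDR check described in the answer above, as an added example that is not part of the original posts. The allow-listed networks are constructed documentation ranges, and `api_app`, `AllowListMiddleware` and `status_for` are hypothetical names.

```python
import ipaddress

# Constructed allow-list (assumption): documentation ranges standing in for
# the server and client addresses the API should answer.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]


def peer_allowed(remote_addr, networks=ALLOWED_NETWORKS):
    """Return True if the TCP peer address is inside an allowed network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparsable address: fail closed
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) seen on dual-stack listeners.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks)


class AllowListMiddleware:
    """WSGI wrapper that decides on REMOTE_ADDR only, never on headers."""

    def __init__(self, app, networks=ALLOWED_NETWORKS):
        self.app = app
        self.networks = networks

    def __call__(self, environ, start_response):
        # HTTP_REFERER and HTTP_X_FORWARDED_FOR are client-supplied: ignored.
        if not peer_allowed(environ.get("REMOTE_ADDR", ""), self.networks):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


def api_app(environ, start_response):
    """Hypothetical stand-in for the real API endpoint."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}\n']


def status_for(app, environ):
    """Call a WSGI app with a constructed environ and return its status line."""
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

If the API sits behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address, so the check has to run on the proxy itself or the listener must accept connections only from it.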

Applying IP rules to HTTP only (and not HTTPS) with .htaccess

I have been setting up an IP blocklist recently and I was wondering: is it possible to block an IP that is connecting via HTTP and not to block them if they connect via HTTPS? There was a post on SO, ".Htaccess rules to redirect respective HTTP links to HTTP and HTTPS to HTTPS?", which is similar but uses mod_rewrite, which I have had horrible experience with and which has only given me 500 errors in the past. Is there any way to do it with the standard format?
order allow,deny
allow from 192.168.1.0/24
deny from all
I need support for IPv6 addresses too. If the rewrite method is the only option, in your answer could you include a link that I could look at to perform my task properly? Many thanks!
I am using Apache/2.2.20 (Ubuntu)
What you desire isn't built into Apache's .htaccess mechanism. Simply: no protocol level commands are supported by mod_auth or mod_access. Furthermore, what you seek breaks the expected assumption that if you provide a resource over HTTP, that same path will work over HTTPS. This will cause surprising results for people using HTTPS enforcers.
But, if you're dead set on doing something like this, I would recommend Squid. You can use it to do all kinds of nifty things, like denying access to the cache from certain protocols on a per-file basis, and otherwise fiddling with data coming off your Apache server before you serve it to your users.

Apache proxy requests to multiple different subdomains

I have a web app at domain1.com which needs to be able to make requests to many different sites, too many to add specific vhost information for each site. What I'd like to be able to do is make a request with the web app to its hosting Apache server like this:
/domain1.com/some/path
/domain2.com/some/path
and for it to be sent to
https://domain1.com/some/path
https://domain2.com/some/path
I've tried different settings using Apache's ProxyPass but with no success.
How do I do this?
That should be able to work with these directives:
ProxyPass /domain1.com/ https://domain1.com/
ProxyPass /domain2.com/ https://domain2.com/
A request to https://yourproxy.com/domain1.com/some/path should then be forwarded on to https://domain1.com/some/path. It is also possible you may need to use some of the SSLProxy* directives from mod_ssl.
Edit: Based on the comment, you might try this:
ProxyPass / http://
I just now tried that, and http://myproxy.com:port1/myserver.com:port2/some/path was sent on to (and returned from) http://myserver.com:port2/some/path.
However, this seems like a bad idea from a security standpoint. I suppose it does allow the proxy to sit on one side of a firewall and allow the backends to be behind the firewall. I am certainly no web expert, but it just feels a bit sketchy.

Apache block an ip address from accessing the website

Someone is trying to access pages like
//mysqladmin//scripts/setup.php
Is it some hack attempt or ..?
If yes, then how can I block its IP from accessing my website?
Via htaccess or something else?
As an update to this old question for those who still land here:
Order Allow Deny are deprecated as of Apache 2.4 and Require should be used.
<RequireAll>
Require all granted
Require not ip 1.2.3.4
</RequireAll>
Ranges, netmasks, etc. can also be specified.
https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html (Deprecated)
https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require
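Turning a list of provider ranges into the `Deny from` / `Require not ip` rules these answers describe, as an added example that is not part of the original posts. The input ranges are constructed documentation addresses and the function names are hypothetical; the block goes beyond the single-address case by collapsing overlapping and adjacent ranges and handling IPv6.

```python
import ipaddress

# Constructed input (documentation ranges) standing in for a provider's
# published address list; overlapping and adjacent blocks are deliberate.
SAMPLE_RANGES = """
# provider A
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
2001:db8:a::/48
2001:db8:a:1::/64
not-a-range
"""


def parse_ranges(text):
    """Parse one CIDR per line; return (collapsed networks, rejected lines)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts entries with host bits set (10.1.2.3/24).
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    collapsed = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        same = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    return collapsed, rejected


def apache24_block(nets):
    """Apache 2.4 form: allow everyone except the listed networks."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {n}" for n in nets]
    return "\n".join(lines + ["</RequireAll>"])


def apache22_block(nets):
    """Apache 2.2 form (Order/Allow/Deny, as in the older answers)."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {n}" for n in nets]
    return "\n".join(lines)
```

Rejected lines are returned rather than silently dropped, so a malformed entry in the source list is noticed before the rules are deployed.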
To block specific IP addresses you can put the following in a .htaccess file located in the directory you would like to restrict:
order allow,deny
deny from 1.2.3.4
allow from all
Where 1.2.3.4 is the IP you would like to block.
But note that IP addresses change users and also attackers change IP addresses.
So this will not secure your application and will potentially block legal visitors.
The better solution will be to make sure your script does not accept malicious paths.
Append a base path to the path you get from the user
Make sure the path you get from the user does not contain '../'
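One way to implement the path check from the answer above, as an added example that is not part of the original post. It joins the user-supplied path onto a base directory, resolves it, and rejects anything that lands outside the base; `resolve_user_path` and `demo` are hypothetical names and the directory tree is constructed.

```python
import os
import tempfile


def resolve_user_path(user_path, base_dir):
    """Return the real path of user_path under base_dir, or None if it escapes."""
    if "\x00" in user_path:
        return None  # NUL bytes can truncate paths in lower layers
    base = os.path.realpath(base_dir)
    # Strip leading separators so os.path.join cannot discard the base path.
    relative = user_path.lstrip("/\\")
    # realpath collapses "." and ".." and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(base, relative))
    # Compare path components, not string prefixes: ".../pages-old" must not
    # pass as being inside ".../pages".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Resolve sample request paths against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "pages")
        os.makedirs(os.path.join(base, "docs"))
        os.makedirs(os.path.join(root, "pages-old"))
        # A symlink inside the base directory that points outside of it.
        os.symlink(root, os.path.join(base, "up"))
        samples = [
            "docs/intro.html",         # ordinary request
            "docs/./intro.html",       # harmless dot segment
            "/etc/passwd",             # absolute input, re-rooted under base
            "../pages-old/x",          # plain traversal
            "docs/../../pages-old/x",  # traversal after a valid prefix
            "up/pages-old/x",          # no "../" at all, escapes via symlink
        ]
        return {p: resolve_user_path(p, base) is not None for p in samples}
```

The last sample contains no '../' and still leaves the base directory, which is why the check is made on the resolved path.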

How can I force a request through mod_jk down to a specific worker?

If I have mod_jk set up with several workers and a load balancer worker, is there a request parameter or something that would allow me to force a specific http request down to a specific worker. For instance if I have a worker worker1 is there something like this:
http://www.example.com?worker=worker1
Often we need to troubleshoot problems on a specific server in the cluster and being able to force the request directly to that server is essential.
I think the common practice is to do that via subdomains which alias the main domain. Just make sure that you don't let Google index because you'll have duplicate content issues. IP filtering and a restrictive robots.txt will do the job.
www1.example.com
www2.example.com
Tweak the value of your JSESSIONID cookie. The end has the name of the worker you're stuck to (assuming you're doing sticky sessions)
Use SetHandler as described here http://tomcat.apache.org/connectors-doc/reference/apache.html instead of JKMount directives
Something like this:
<Location />
SetHandler jakarta-servlet
SetEnvIf REQUEST_URI ^/.*\?.*worker=(\w+)&?$ JK_WORKER_NAME=$1
</Location>