Deny access to URI - apache

I'm trying to deny access to a certain uri, namely /admin/ and have tried this .htaccess file:
SetEnvIf Request_URI !^/admin/ not_admin_uri
Order deny,allow
Deny from all
allow from 356.244.33.
allow from env=not_admin_uri
This works for the example IP range, but not for the "not_admin_uri" part.
What's going wrong here?

To negate a match you cannot place ! in the SetEnvIf directive. You need to use negative lookahead like this:
SetEnvIf Request_URI ^/(?!admin/) not_admin_uri

Maybe try using a rewrite rule. If not from your IP then block access.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.
RewriteRule ^admin/? - [F,L]

Related

htaccess use of Order Deny,Allow

I'm using Order Deny,Allow in my .htaccess file, without success. IPs I need to prevent access to are going right through with no troubles. I read that as of Apache 2.4 Order Deny,Allow would no longer work; first is that factual and second if so what has replaced it? I cannot access my httpd.conf file, so Require and Require not are not an option for me.
I only have access to .htaccess, how can I accomplish banning by IP or, if no longer possible, redirecting by IP? Below is a snippet of my Order Deny,Allow if it matters. Thanks in advance!
Order Deny,Allow
Deny from 123.125.71.*
Deny from 123.125.71.121.some.domain.com
Deny from some.domain.com
Allow from All
(As you can see, I'm attempting to block the same IP in various formats, but no matter the format, the traffic continues to go through.)

To push the undesired IP to 403, you can use the following rule:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^00\.00\.00\.00$
RewriteRule ^ - [R=403,L]
Replace 00.00.00.00 with your undesired IP address.
To ban multiple IP addresses, you can add multiple conditions separated by an [OR] flag to your rule:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^00\.00\.00\.00$ [OR]
RewriteCond %{REMOTE_ADDR} ^00\.00\.00\.00$
RewriteRule ^ - [R=403,L]
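
The Order/Deny/Allow rule sets from the two questions above, evaluated in a small Python model. This is an added example, not code from any of the posts: `setenvif`, `hit`, `allowed` and `admin_rules` are hypothetical helpers, the model is a simplification of mod_access_compat's documented ordering, and the 192.0.2. and 198.51.100.7 addresses are constructed.

```python
import re

def setenvif(uri, pattern):
    """SetEnvIf Request_URI <pattern> <var>: True when the variable gets set."""
    return re.search(pattern, uri) is not None

def hit(specs, ip, env):
    """True if any Allow/Deny spec ('all', 'env=NAME', IP or IP prefix) matches."""
    for s in specs:
        if s.lower() == "all":
            return True
        if s.startswith("env="):
            if s[4:] in env:
                return True
        elif ip == s or ip.startswith(s.rstrip(".") + "."):
            return True
    return False

def allowed(order, deny, allow, ip, env=frozenset()):
    """Simplified model of the mod_access_compat decision for one request."""
    if order == "deny,allow":   # Deny first, Allow overrides it, default is allow
        return hit(allow, ip, env) or not hit(deny, ip, env)
    if order == "allow,deny":   # Allow first, Deny overrides it, default is deny
        return hit(allow, ip, env) and not hit(deny, ip, env)
    raise ValueError(order)

def admin_rules(uri, ip, pattern):
    """First question's rule set; 192.0.2. is a constructed trusted range."""
    env = {"not_admin_uri"} if setenvif(uri, pattern) else set()
    return allowed("deny,allow", ["all"], ["192.0.2.", "env=not_admin_uri"], ip, env)

OUTSIDER = "198.51.100.7"   # constructed client address
# '!' is an ordinary regex character here, so the asker's pattern never matches.
print(admin_rules("/index.html", OUTSIDER, r"!^/admin/"))          # False
print(admin_rules("/index.html", OUTSIDER, r"^/(?!admin/)"))       # True
print(admin_rules("/admin/users", OUTSIDER, r"^/(?!admin/)"))      # False
print(admin_rules("/admin/users", "192.0.2.10", r"^/(?!admin/)"))  # True
# Second question: "Allow from All" under Deny,Allow overrides every Deny line.
print(allowed("deny,allow", ["123.125.71."], ["all"], "123.125.71.121"))  # True
print(allowed("allow,deny", ["123.125.71."], ["all"], "123.125.71.121"))  # False
```

The last two lines show that the second question's rule set admits the listed address whatever the Deny lines say, while the same lists under Order Allow,Deny reject it.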

Htaccess deny specific get parameter

I want to deny access to a specific IP. I tried this htaccess code but it didn't work:
<Files "index.php?action=deny">
Order Allow,Deny
Deny from XXXX
Allow from all
</Files>
where XXXX is an IP address. How can I do something like that, so it will deny only a specific GET parameter and not the whole file?

In 2.4, use <If> to check the query string:
<If "%{QUERY_STRING} =~ /action=deny/">
Require all denied
</If>
In 2.2, use mod_rewrite:
RewriteEngine ON
RewriteCond %{QUERY_STRING} action=deny
RewriteRule index.php - [F]

Your pattern in Files directive is misleading. If you want to match the URL with action=deny query argument; you'd need to use <Location>:
<Location /index.php?action=deny>
You can use this rule in your root .htaccess:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^action=deny$ [NC]
#RewriteCond %{REMOTE_ADDR} =11.22.33.44
RewriteRule ^index\.php$ - [F]
Replace 11.22.33.44 with your actual IP address

prevent directory access using setenvif

I would like to use SetEnvIf to block directory access to specific IP addresses.
Here is what I came up with.
<Directory /main>
order allow,deny
SetEnvIf Remote_Addr ^(2|5|6)\. banned [OR]
SetEnvIf Remote_Addr ^(7|8|9)\. banned
allow from all
deny from env=banned
</Directory>
The (2|5|6)\. and (7|8|9)\. are wildcarded IP address examples.
I am trying to prevent those ranges from accessing the main directory on my server,
but I'm not sure if the [OR] and the wildcarded IP addresses will work.
Also, how can I redirect the banned to http://officeofstrategicinfluence.com/spam/
instead of just denying or blocking them?

[OR] cannot be used the way you have used it, but it can be used as per the regex syntax. Try this code:
<Directory /main>
SetEnvIf Remote_Addr ^(2|5|6|7|8|9)\. banned
order allow,deny
allow from all
deny from env=banned
</Directory>
Also note that the <Directory> directive only works in the Apache config, not in .htaccess.
UPDATE: As per comments, you can use this rewrite rule in your root .htaccess:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^(2|5|6|7|8|9)\.
RewriteRule ^main(/|$) http://officeofstrategicinfluence.com/spam/ [NC,L,R]

Dynamic IP .htaccess blocklist?

Is it possible to block users from IP addresses with a dynamic file-based blocklist?
So, suppose the .htaccess looks like:
order Deny,Allow
Deny from 123.156.0.1
Deny from 10.0.0.10
Allow from all
Can this list be made dynamic, for example:
order Deny,Allow
[include Deny list here]
Allow from all
Another option would of course be to fix it with PHP, but it is preferable to let Apache handle this.

According to the Apache docs, it doesn't seem to be possible to read values from a text file.
However, you could include a configuration file containing the IP addresses. They would have to be in Apache's conf file format, though.
This should work:
order Deny,Allow
include conf/IPList.conf
Allow from all
It's even possible to include whole directories, even though it's not recommended.

I use the RewriteMap feature from Apache's RewriteModule, as a whitelist like this:
## WHITELIST IPS ##
RewriteMap ipslist txt:/path/to/whitelist.txt
RewriteCond %{REMOTE_ADDR} ^(.*)$
RewriteCond ${ipslist:%1|black} ^black$ [NC]
RewriteRule (.*) - [F]
With some tweaking, you could make this a blacklist.

Redirect all IPs except those whitelisted

I want to protect some subdomains from the public. Restriction should be done against a whitelist of IPs.
An infinite loop due to the redirect is not a problem as it's not the www-domain.
I tried this http://discussions.apple.com/message.jspa?messageID=2411725, but couldn't get it to work.
However, I did try this first:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^123\.45\.67\.89$ [OR]
RewriteCond %{REMOTE_ADDR} !^213\.45\.67\.89$
RewriteRule ^/.* http://www.mydomain.com [R]
... but it didn't work.
What am I doing wrong?

This kind of thing is actually exactly what Apache's Allow and Deny directives are intended for. Inside the <VirtualHost> block for the domain you want to restrict access to, put this:
<Location />
Order allow,deny
Allow from all
Deny from 123.45.67.89
Deny from 213.45.67.89
</Location>
However, this would produce a 403 (forbidden) error, which doesn't redirect to your www domain by default. I think you can make it do so by adding the directive
ErrorDocument 403 http://www.example.com

You have to combine the RewriteCond directives with AND instead of OR, as you want to redirect if both conditions are true (therefore the IP address is neither X nor Y). So try this:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^123\.45\.67\.89$
RewriteCond %{REMOTE_ADDR} !^213\.45\.67\.89$
RewriteRule ^ http://www.example.com/ [R]
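
How the RewriteCond chains in this thread, and in the [OR] blocklist answer earlier on the page, combine for a given client address, as a small Python model. This is an added example, not code from the posts: `conds_pass` is a hypothetical helper that models only the default AND, the [OR] flag and the leading `!`, and the 192.0.2.x and 198.51.100.7 addresses are constructed.

```python
import re

def conds_pass(conds, remote_addr):
    """True when a RewriteCond chain lets its RewriteRule fire.

    conds is a list of (pattern, or_next); a leading '!' negates the match,
    or_next=True stands for the [OR] flag on that condition.
    """
    i = 0
    while i < len(conds):
        pattern, or_next = conds[i]
        negate = pattern.startswith("!")
        regex = pattern[1:] if negate else pattern
        ok = (re.search(regex, remote_addr) is not None) != negate
        if or_next:
            if ok:
                # One alternative matched: skip the rest of this OR group.
                while i < len(conds) and conds[i][1]:
                    i += 1
            # Otherwise fall through and try the next alternative.
        elif not ok:
            return False        # conditions are ANDed by default
        i += 1
    return True

# Whitelist as first written: negated conditions joined with [OR].
ASKER = [(r"!^123\.45\.67\.89$", True), (r"!^213\.45\.67\.89$", False)]
# Whitelist from the answer: the same conditions, ANDed.
FIXED = [(r"!^123\.45\.67\.89$", False), (r"!^213\.45\.67\.89$", False)]
# Blocklist shape from the [OR] answer, with two constructed addresses.
BLOCK = [(r"^192\.0\.2\.1$", True), (r"^192\.0\.2\.2$", False)]

# No address can equal both whitelisted IPs, so "not A OR not B" always holds.
print(conds_pass(ASKER, "123.45.67.89"))   # True: whitelisted client is redirected too
print(conds_pass(FIXED, "123.45.67.89"))   # False: whitelisted client passes through
print(conds_pass(FIXED, "198.51.100.7"))   # True: everyone else is redirected
print(conds_pass(BLOCK, "192.0.2.2"))      # True: listed address gets the 403
print(conds_pass(BLOCK, "198.51.100.7"))   # False: unlisted address is untouched
```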