prevent directory access using setenvif - apache

I would like to use SetEnvIf to block directory access to specific IP addresses.
Here is what I came up with.
<Directory /main>
order allow,deny
SetEnvIf Remote_Addr ^(2|5|6)\. banned [OR]
SetEnvIf Remote_Addr ^(7|8|9)\. banned
allow from all
deny from env=banned
</Directory>
The (2|5|6)\. and (7|8|9)\. are wildcarded IP address examples;
I am trying to prevent those ranges from accessing the main directory on my server,
but I am not sure if the [OR] and the wildcarded IP addresses will work.
Also, how can I redirect the banned to http://officeofstrategicinfluence.com/spam/
instead of just denying or blocking them?

[OR] cannot be used the way you have used it, but it can be used as per the regex syntax. Try this code:
<Directory /main>
SetEnvIf Remote_Addr ^(2|5|6|7|8|9)\. banned
order allow,deny
allow from all
deny from env=banned
</Directory>
Also note that the <Directory> directive only works in the Apache config, not in .htaccess.
UPDATE: As per comments, you can use this rewrite rule in your root .htaccess:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^(2|5|6|7|8|9)\.
RewriteRule ^main(/|$) http://officeofstrategicinfluence.com/spam/ [NC,L,R]

Related

Is there any way to simplify restricting access to specific source IPs in the Apache httpd.conf file

For example, this is my httpd.conf:
...
<Location /a>
Order deny,allow
Deny from all
Allow from x.x.x.x
(and other "Allow from x.x.x.x")
</Location>
<Location /b>
Order deny,allow
Deny from all
Allow from x.x.x.x
(and other "Allow from x.x.x.x")
</Location>
(and other locations with same ip restrict)
...
The Location tags all contain the same IP restrictions, and there are hundreds of IPs. So how can I simplify it?
Instead of placing the "allow from" inside each location, you can place it in the "" block of the document root.
Another option could be to use a rewrite rule and place it at the virtualhost level (or in the httpd.conf, according to your configuration):
RewriteCond %{REMOTE_ADDR} ^214.53.25.(6[4-9]|7[0-9]|8[0-9]|9[0-9])$ [OR]
RewriteCond %{REMOTE_ADDR} ^214.53.25.1([0-1][0-9]|2[0-8])$
RewriteRule .* - [F]

.htaccess file to block all IPs except 4 and always allow requests to /api/ for everyone

I am trying to disallow all requests by
RewriteCond %{HTTP:X-FORWARDED-FOR} !=67.x.x.x
RewriteCond %{REQUEST_URI} !^api
RewriteRule ^(.*)$ - [R=403,L]
ErrorDocument 403 "<html><hea....
So the IP 67 should be allowed for all REQ - but the directory /api/ should be accessible for everyone.
How can I do that?
You can apply some of these directives.
Also, I am thinking that your api is a directory.
order deny,allow
deny from all
allow from 222.333.444, 67.8.9.9 # ALLOWED IPS MUST BE SEPARATED BY COMMAS
<Directory /api>
# All access controls and authentication are disabled
# in this directory
Satisfy Any
Allow from all
</Directory>
To deny access to all but 4 specific IP addresses, you can use a negative RewriteCond and regex pattern to match against the allowed IP addresses, something like the following:
RewriteCond %{REMOTE_ADDR} !(ip1|ip2|ip3|ip4)
If you do not want your /api uri to be redirected to 403 you can exclude it in your Rewrite pattern so that the uri is available for both allowed and denied ip addresses.
Full code:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !(ip1|ip2|ip3|ip4)
RewriteRule !api - [R=403,L]
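
Added example (not from the answers above): a Python check of how an allow-list pattern shaped like (ip1|ip2|ip3|ip4), with no anchors and unescaped dots, also accepts neighbouring addresses, and of whether the 214.53.25.x range regexes from the earlier answer agree with the equivalent CIDR list (the form `Allow from` also accepts). The allow-list addresses and all function names are constructed for illustration; Python's `re` is assumed to behave like Apache's PCRE for these simple patterns.

```python
import ipaddress
import re

# Constructed allow-list standing in for ip1..ip4 (assumption, not from the page).
ALLOWED = ["10.0.0.5", "192.0.2.10", "198.51.100.7", "203.0.113.77"]

def loose_pattern(ips):
    """Built as in the answer: no anchors, dots left as regex wildcards."""
    return re.compile("(" + "|".join(ips) + ")")

def strict_pattern(ips):
    """Same list with literal dots and ^...$ around the whole group."""
    return re.compile("^(" + "|".join(re.escape(ip) for ip in ips) + ")$")

def probes(ips):
    """Valid IPv4 addresses that add one digit before or after a listed one."""
    out = set()
    for ip in ips:
        for cand in ("1" + ip, ip + "0", ip + "9"):
            try:
                ipaddress.IPv4Address(cand)
            except ValueError:
                continue  # e.g. 1192.0.2.10 is not an address
            out.add(cand)
    return sorted(out - set(ips))

def overmatches(pattern, ips):
    """Probes the pattern accepts although they are not on the list."""
    return [p for p in probes(ips) if pattern.search(p)]

# The 214.53.25.64-128 range from the earlier answer, as regexes and as CIDR.
RANGE_RES = [re.compile(r"^214.53.25.(6[4-9]|7[0-9]|8[0-9]|9[0-9])$"),
             re.compile(r"^214.53.25.1([0-1][0-9]|2[0-8])$")]
RANGE_NETS = [ipaddress.ip_network(n) for n in ("214.53.25.64/26", "214.53.25.128/32")]

def range_disagreements():
    """Last octets where the regex pair and the CIDR list give different answers."""
    bad = []
    for last in range(256):
        addr = f"214.53.25.{last}"
        by_re = any(r.search(addr) for r in RANGE_RES)
        by_net = any(ipaddress.ip_address(addr) in n for n in RANGE_NETS)
        if by_re != by_net:
            bad.append(last)
    return bad

if __name__ == "__main__":
    print("loose over-matches :", overmatches(loose_pattern(ALLOWED), ALLOWED))
    print("strict over-matches:", overmatches(strict_pattern(ALLOWED), ALLOWED))
    print("regex vs CIDR diffs:", range_disagreements())
```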

htaccess use of Order Deny,Allow

I'm using Order Deny,Allow in my .htaccess file, without success. IPs I need to prevent access to are going right through with no troubles. I read that as of Apache 2.4 Order Deny,Allow would no longer work; first, is that factual, and second, if so, what has replaced it? I cannot access my httpd.conf file, so Require and Require not are not an option for me.
I only have access to .htaccess; how can I accomplish banning by IP or, if no longer possible, redirecting by IP? Below is a snippet of my Order Deny,Allow if it matters. Thanks in advance!
Order Deny,Allow
Deny from 123.125.71.*
Deny from 123.125.71.121.some.domain.com
Deny from some.domain.com
Allow from All
(as you can see, I'm attempting to block the same ip, in various formats but no matter the format, the traffic continues to go through.)
To push the undesired IP to 403, you can use the following rule:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^00\.00\.00\.00$
RewriteRule ^ - [R=403,L]
Replace 00.00.00.00 with your undesired ip address.
To ban multiple IP addresses, you can add multiple conditions separated by an [OR] flag to your rule:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^00\.00\.00\.00$ [OR]
RewriteCond %{REMOTE_ADDR} ^00\.00\.00\.00$
RewriteRule ^ - [R=403,L]

Deny access to URI

I'm trying to deny access to a certain uri, namely /admin/ and have tried this .htaccess file:
SetEnvIf Request_URI !^/admin/ not_admin_uri
Order deny,allow
Deny from all
allow from 356.244.33.
allow from env=not_admin_uri
This works for the example IP range, but not for the "not_admin_uri" part.
What's going wrong here?
To negate a match you cannot place ! in the SetEnvIf directive. You need to use negative lookahead like this:
SetEnvIf Request_URI ^/(?!admin/) not_admin_uri
Maybe try using a rewrite rule. If not from your IP then block access.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.
RewriteRule ^admin/? - [F,L]

How can I limit access to a virtual host (subdomain) to a few specific IPs?

The catch is that this virtual host points to the same root location as the main site. It is meant to just mirror the content of www.mysite.com on sub.mysite.com. This prohibits me from using allow and deny rules in my .htaccess, since that would affect www.mysite.com traffic as well. I've also tried using:
RewriteCond %{HTTP_HOST} ^sub.mysite.com$
RewriteCond %{REMOTE_ADDR} !^123\.45\.67\.89$ [OR]
RewriteCond %{REMOTE_ADDR} !^123\.55\.76\.234$ [OR]
RewriteCond %{REMOTE_ADDR} !^12\.54\.67\.87$
RewriteRule ^.*$ http://www.mysite.com [R=301]
The IP addresses don't fall into a range, so I think generating a single-line REGEX to cover all of them wouldn't work, and using a series of conditionals like the above simply didn't work, and seemed very messy. The above IPs are just examples. I would need to limit access to roughly 10 unique IPs. Any ideas?
Try to define allow and deny in the virtualhost under the directory node. That should only take effect on the virtualhost you want to.
<VirtualHost 111.22.33.55:8080>
ServerName sub.mysite.com
<Directory proxy:>
Order Deny,Allow
Deny from all
Allow from 111.22.33
</Directory>
</VirtualHost>
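
Added example, not part of the original posts: a small Python model of how mod_rewrite combines RewriteCond lines, run over the chain from the question, showing that negated conditions joined by [OR] hold for every client while the same conditions without [OR] behave as an allow-list. The evaluator is a simplified model (conditions are ANDed, a run joined by [OR] passes if any member is true); function names are hypothetical and 198.51.100.9 is a constructed outside address.

```python
import re

def parse_cond(line):
    """Split 'RewriteCond %{VAR} [!]pattern [flags]' into its parts."""
    parts = line.split()
    var = parts[1].strip("%{}")
    pat = parts[2]
    negate = pat.startswith("!")
    flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
    return var, re.compile(pat.lstrip("!")), negate, "OR" in flags

def conds_pass(lines, env):
    """Simplified model of mod_rewrite: conditions are ANDed, except that a
    run of conditions joined by [OR] passes when any one of them is true."""
    group_true, in_group = True, False
    for line in lines:
        var, rx, negate, or_next = parse_cond(line)
        result = bool(rx.search(env[var])) != negate
        group_true = (group_true or result) if in_group else result
        if or_next:
            in_group = True        # keep collecting this OR run
            continue
        if not group_true:
            return False           # a finished group failed: rule is skipped
        in_group = False
    return group_true

# The chain from the question (sample IPs as posted there).
AS_POSTED = [
    r"RewriteCond %{HTTP_HOST} ^sub.mysite.com$",
    r"RewriteCond %{REMOTE_ADDR} !^123\.45\.67\.89$ [OR]",
    r"RewriteCond %{REMOTE_ADDR} !^123\.55\.76\.234$ [OR]",
    r"RewriteCond %{REMOTE_ADDR} !^12\.54\.67\.87$",
]
# Same conditions with the [OR] flags removed: "not A and not B and not C".
ANDED = [re.sub(r"\s*\[OR\]$", "", c) for c in AS_POSTED]

def redirected(conds, addr, host="sub.mysite.com"):
    """True when the RewriteRule following these conditions would fire."""
    return conds_pass(conds, {"HTTP_HOST": host, "REMOTE_ADDR": addr})

if __name__ == "__main__":
    for addr in ("123.45.67.89", "198.51.100.9"):
        print(addr, "as posted:", redirected(AS_POSTED, addr),
              "| without [OR]:", redirected(ANDED, addr))
```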