I would like to allow only one country access, but exclude proxies within this country.
This is what I have (shortened version for convenience)
<Limit GET POST>
order deny,allow
deny from all
allow from 139.82.0.0/16
allow from 143.54.0.0/16
allow from 186.192.0.0/11
allow from 186.224.0.0/11
.
deny from 186.201.27.66
deny from 186.201.196.1
deny from 186.214.51.231
deny from 186.237.225.26
</Limit>
But I know this wont work. How do I go about doing this?
Update : for the new apache 2.4 jump directly to the end.
The Order keyword and its relation with Deny and Allow Directives is a real nightmare. It would be quite interesting to understand how we ended up with such solution, a non-intuitive one to say the least.
The first important point is that the Order keyword will have a big impact on how Allow and Deny directives are used.
Secondly, Deny and Allow directives are not applied in the order they are written, they must be seen as two distinct blocks (one the for Deny directives, one for Allow).
Thirdly, they are drastically not like firewall rules: all rules are applied, the process is not stopping at the first match.
You have two main modes:
The Order-Deny-Allow-mode, or Allow-anyone-except-this-list-or-maybe-not
Order Deny,Allow
This is an allow by default mode. You optionally specify Deny rules.
Firstly, the Deny rules reject some requests.
If someone gets rejected you can get them back with an Allow.
I would rephrase it as:
Rule Deny
list of Deny rules
Except
list of Allow rules
Policy Allow (when no rule fired)
The Order-Allow-Deny-mode, or Reject-everyone-except-this-list-or-maybe-not
Order Allow,Deny
This is a deny by default mode. So you usually specify Allow rules.
Firstly, someone's request must match at least one Allow rule.
If someone matched an Allow, you can still reject them with a Deny.
In the simplified form:
Rule Allow
list of Allow rules
Except
list of Deny rules
Policy Deny (when no rule fired)
Back to your case
You need to allow a list of networks which are the country networks. And in this country you want to exclude some proxies' IP addresses.
You have taken the allow-anyone-except-this-list-or-maybe-not mode, so by default anyone can access your server, except proxies' IPs listed in the Deny list, but if they get rejected you still allow the country networks. That's too broad. Not good.
By inverting to order allow,deny you will be in the reject-everyone-except-this-list-or-maybe-not mode.
So you will reject access to everyone but allow the country networks and then you will reject the proxies. And of course you must remove the Deny from all as stated by #Gerben and #Michael Slade (this answer only explains what they wrote).
The Deny from all is usually seen with order deny,allow to remove the allow by default access and make a simple, readable configuration. For example, specify a list of allowed IPs after that. You don't need that rule and your question is a perfect case of a 3-way access mode (default policy, exceptions, exceptions to exceptions).
But the guys who designed these settings are certainly insane.
All this is deprecated with Apache 2.4
The whole authorization scheme has been refactored in Apache 2.4 with RequireAll, RequireAny and RequireNone directives. See for example this complex logic example.
So the old strange Order logic becomes a relic, and to quote the new documentation:
Controling how and in what order authorization will be applied has been a bit of a mystery in the past
Not answering OPs question directly, but for the people finding this question in search of clarity on what's the difference between allow,deny and deny,allow:
Read the comma as a "but".
allow but deny: whitelist with exceptions.
everything is denied, except items on the allow list, except items on the deny list
deny but allow: blacklist with exceptions.
everything is allowed, except items on the deny list, except items on the allow list
allow only one country access, but exclude proxies within this country
OP needed a whitelist with exceptions, therefore allow,deny instead of deny,allow
Just use order allow,deny instead and remove the deny from all line.
Change your code to
<Limit GET POST>
deny from all
allow from 139.82.0.0/16
allow from 143.54.0.0/16
allow from 186.192.0.0/11
allow from 186.224.0.0/11
</Limit>
This way your htaccess will deny every except those that you explicitly allow with allow from..
A proxy within the allow range can easily be overwritten with an additional deny from.. rule.
As Gerben suggested, just change:
order deny,allow
deny from all
to
order allow,deny
And the restrictions will work as you want them to.
Details can be found in Apache's docs.
In apache2, linux configuration
Require all granted
Related
I've set up a forward proxy using Apache 2.4. I want to allow proxy users access to seven different domains and deny everything else. I've configured the access to the seven domain as follows:
# Allow proxy only to these test sites
<ProxyMatch ^https\:.{1,20}\.?test\.(com|io|zone)>
Include /etc/apache2/sites-available/password-protect.conf
</ProxyMatch>
<ProxyMatch ^https\:.{1,20}\.?testhost\.(cloud|com|io)>
Include /etc/apache2/sites-available/password-protect.conf
</ProxyMatch>
<ProxyMatch ^https\:.{1,20}\.?test-content\.com>
Include /etc/apache2/sites-available/password-protect.conf
</ProxyMatch>
I've temporarily included password protection in each of the ProxyMatch directives so I can verify the regex is being matched. That part works properly. The problem I have is I cannot figure out a way to deny everything else. I've added a ProxyMatch tag to deny * and it does deny everything. Apache doesn't just find the first matching ProxyMatch and then stop. The last deny all matches everything.
I think I can create a complex regex where I take the three ProxyMatch regex expressions, add a NOT operator to each and "or" them all together. That seems like a huge mess. If I add more regex matches later, my "catch all" ProxyMatch will be unmaintainable. Just want to check to see if there is a better way to create a catch-all deny for any proxy requests that do not match the three ProxyMatch expressions above. I've already looked at all the proxy directives in the mod_proxy documentation. Don't see any way to do this without being messy.
Via htaccess, I would like to:
1 - Disallow everyone to access the site.
2 - Allow only 3 ips to pass through the ip ban.
3 - Leave 1 directory accessible fully to the public.
I understand the the rule number 3 goes against rule number 1, and this is where I am confused.
Currently I have this code:
<Files 403.shtml>
order deny,allow
deny from all
</Files>
allow from xxx.xxx.xxx.xx #Fred
allow from xxx.xxx.xxx.xxx #Ben
The above code works fine in not letting anyone in apart from my 3 coworkers.
<Directory /printing/>
Order Allow, Deny
Allow from All
</Directory>
The above code (when added) give me a 500 internal server error.
How to have a mix of both code so people can still access my directory publicly while blocking access to any other parts of the website?
You can't add a <Directory> container inside an htaccess file, since htaccess is already per-directory.
What you need to do is create an htaccess file in the printing directory with just:
Order Allow, Deny
Allow from All
We have enabled spelling mod by default on our server to avoid linking problems with html code done on Windows. Recently we added protection to our image folder to allow only images and documents of certain type to be accesible through htaccess by simple deny,allow and list of allowed types:
Order deny,allow
Deny from all
<Files ~ ".(jpe?g|png|gif|pdf)$">
Allow from all
</Files>
Problem is, that now images with wrong case in url, which are supposed to be corrected with mod-spelling, shows error (Forbidden access) instead of actual image. Any ideas how to correct this?
I want to do that:
documentRoot/.htaccess:
- allow access only if a user comes from a specific ip OR if he can authenticate
- all others should be rejected
documentRoot/somedir/:
- same rules as in documentRoot
documentRoot/otherdir/.htaccess:
- 202.111.22.3 should be rejected
- for the rest: allow access only if a user comes from a specific ip OR if he can authenticate
documentRoot/otherdir/csvexport/.htaccess:
- allow access to every one
My problem is the inheritance from parent htaccess files, i can not get it right, but i hope someone of you is able to solve my issue.
How to do that?
So you'll have something like this:
documentRoot/.htaccess
Allow From 12.34.56.78
Require valid-user
Satisfy any
documentRoot/otherdir/.htaccess:
Deny From 202.111.22.3
Allow From 12.34.56.78
Require valid-user
Satisfy any
documentRoot/otherdir/csvexport/.htaccess:
Allow From All
12.34.56.78 being the "specific ip" that you want to allow.
I read the guide from apache site but I'm a bit confused, I'm trying to ban some ranges using this syntax:
order allow,deny
deny from 127.0.55.0/127.0.75.255
deny from 127.0.235.0/127.0.255.255
allow from all
But I think it's not working properly, probably the syntax is wrong or I'm using it in the wrong way, where should I write this text in htaccess? before the other lines or after? in the same htaccess file there're some mod rewrite script too (for anti-hotlinking).
I've come to this answer using apache documentation.
You can give an address range using ip/netmask pair :
deny from 127.0.55.0/24
However, since range 55 - 75 are not power of two, I don't see how to make a range out of them. I'd add several rules.
order allow,deny
deny from 127.0.55.0/24 // Matches 55
deny from 127.0.56.0/21 // Matches 56 to 64
deny from 127.0.64.0/21 // Matches 64 to 71
deny from 127.0.72.0/22 // Matches 72 to 75
deny from 127.0.235.0/24 // Matches 235
deny from 127.0.236.0/22 // Matches 236 to 239
deny from 127.0.240.0/21 // Matches 240 to 255
allow from all
should work.
NB: Remove the comments after // before pasting into htaccess
order allow,deny
deny from 2001:4200::/32
deny from 2001:4210::/32
deny from 2001:4218::/32
deny from 2001:4220::/32
deny from 2001:4228::/32
deny from 2001:4238::/32
deny from 2001:4248::/32
deny from 2001:4250::/32
allow from all
along these lines how to add a redirect to another website for a very long deny list that blocks a lot of countries in htaccess