Msg#: 4540353 posted 10:18 pm on Jan 29, 2013 (gmt 0)
Will Apache execute different sections of allow and deny directives?
<Limit GET>
Order Allow,Deny
Deny from all
Allow from Some
</Limit>

<Limit GET>
Order Deny,Allow
Allow from all
Deny from badbot
</Limit>
Why? There are 79 ARIN-controlled IPv4 prefixes and 176 non-ARIN ones I wish to Deny. Within the 79, there are some specific bad bots inside ARIN prefixes I also wish to Deny. The question is: will Apache process these as two different sections? Or am I stuck with 176 Denys plus badbot Denys? It is really a maintenance and optimization concern.
Msg#: 4540353 posted 12:51 am on Jan 30, 2013 (gmt 0)
One container: first one Limit Get, Put & second Limit Get, Head to make them different? If really one container, then one container in /home/user/.htaccess and the second, more restrictive set in /home/user/public_html/.htaccess? I may try that tonight...
# RIPE NCC
Deny from 178/8
# ARIN
Allow from 216/8
-- 2nd container --
# really bad Googlebot spoofer
Deny from 220.127.116.11
...
Msg#: 4540353 posted 1:21 am on Jan 30, 2013 (gmt 0)
Advice accepted. I denied about ten Class D's and then killed off Amazon AWS using their list on https://forums.aws.amazon.com/ann.jspa?annID=1701 They control a lot of addresses and host a lot of really bad actors, IMHO.
Msg#: 4540353 posted 1:43 am on Jan 30, 2013 (gmt 0)
One container: first one Limit Get, Put & second Limit Get, Head to make them different?
No. It's not like CSS where <class = "widget foobar"> means it has to be both A and B or the rule won't apply.
When two rules in Apache contradict each other, you need to know exactly where you are. Not just physically where-- i.e. different directories at different levels-- but what module, if any.
Sometimes Apache grabs the first thing that applies. A simple example is the DirectoryIndex line: as soon as it finds a match it stops, without checking to see if there's also an index.jsp or a main.php in the same directory. Other times Apache uses the last thing it meets, discarding any others. Some people have been bitten by the <Location> envelope, which can override any previous Deny.
And still other times the whole thing grinds to a crashing 500-level halt.
In the case of PUT, I should think you'd want to block almost everyone. But you may not need to do it explicitly. Just the other day my logs turned up a slew of "PUT ... html" (and assorted other extensions) that got hit with a resounding 405 requiring no effort from my side at all. Didn't even show up in error logs.
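As an added illustration (not from the thread and not Apache's own code), here is a Python simulation of how Apache 2.2's mod_authz_host evaluates Order Allow,Deny versus Order Deny,Allow for one container. It shows two things the posts above touch on: under Allow,Deny a matching Deny always wins, so "Deny from all" next to an Allow list rejects everyone, and a single Allow,Deny container already expresses "allow the ARIN prefixes but cut out a bad bot inside one of them". The 216/8 block is the one quoted in the thread; the individual client addresses are constructed for the demo.

```python
import ipaddress


def _nets(rules):
    """Turn Apache-style host arguments ("all" or CIDR) into network objects."""
    return [ipaddress.ip_network("0.0.0.0/0" if r.lower() == "all" else r) for r in rules]


def _matches(client, rules):
    return any(client in net for net in _nets(rules))


def evaluate(order, allow, deny, client_ip):
    """Simulate mod_authz_host (Apache 2.2) Allow/Deny evaluation for ONE container.

    Returns True if the request would be served, False if it would get a 403.
    order is "Allow,Deny" or "Deny,Allow"; allow/deny are lists of "all" or
    CIDR strings as they would follow "Allow from" / "Deny from".
    """
    client = ipaddress.ip_address(client_ip)
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    if order == "Allow,Deny":
        # Default is deny: at least one Allow must match, and then no Deny may match.
        return allowed and not denied
    if order == "Deny,Allow":
        # Default is allow: a matching Deny rejects unless an Allow also matches.
        return allowed or not denied
    raise ValueError("Order must be Allow,Deny or Deny,Allow")


# 216/8 is the ARIN block quoted in the thread; the three clients are constructed.
ARIN_PREFIXES = ["216.0.0.0/8"]
GOOD_ARIN = "216.0.3.4"    # constructed: ordinary visitor inside the allowed prefix
BAD_BOT = "216.0.2.10"     # constructed: spoofer sitting inside an allowed ARIN prefix
OUTSIDER = "178.0.2.10"    # constructed: address in a block the poster wants denied


def as_written():
    """First container of the question: Order Allow,Deny plus 'Deny from all'.
    Because a matching Deny wins under Allow,Deny, every client is rejected,
    including the ones listed in Allow."""
    return [evaluate("Allow,Deny", ARIN_PREFIXES, ["all"], ip)
            for ip in (GOOD_ARIN, BAD_BOT, OUTSIDER)]


def single_container():
    """One container that does the whole job: under Allow,Deny the default is
    already deny, so only the ARIN prefixes need an Allow line, and the bad
    bot inside one of them is removed by a single Deny line."""
    return [evaluate("Allow,Deny", ARIN_PREFIXES, [BAD_BOT + "/32"], ip)
            for ip in (GOOD_ARIN, BAD_BOT, OUTSIDER)]
```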
Msg#: 4540353 posted 2:04 am on Jan 30, 2013 (gmt 0)
Apologies to all. I am getting educated fast. I thought deny from was like a firewall directive and executed immediately. [httpd.apache.org...] shows directives being merged and overridden. My being cute doesn't accomplish anything. BTW, I used the PUT just to try and make it different (which won't make any difference) from the other section/container. I'm back to straightforward dealing with ip address. Wilderness showed me a sane way to merge ranges even tighter. => Many thanks to all of you who pointed me in a better direction!