
Apache Web Server Forum

    
.htaccess multiple sections of allow/deny?
a way to control bad bots?
jlnaman




msg:4540355
 10:18 pm on Jan 29, 2013 (gmt 0)

Will Apache execute different sections of allow and deny directives?

<Limit GET>
Order Allow,Deny
Deny All
Allow Some
</Limit>
<Limit GET>
Order Deny,Allow
Allow All
Deny badbot
</Limit>


Why? There are 79 ARIN controlled IPv4 prefixes and 176 nonArin I wish to Deny.
Within the 79, there are some specific bad bots within ARIN prefixes I also wish to Deny.
The question is will Apache process these as two different sections? Or am I stuck with 176 Denys plus badbot Denys? It is really a maintenance and optimization concern.

 

g1smd




msg:4540366
 11:00 pm on Jan 29, 2013 (gmt 0)

Only the last Limit will apply.

You'll need to combine the rules into one container.

wilderness




msg:4540379
 12:26 am on Jan 30, 2013 (gmt 0)

There are 79 ARIN controlled IPv4 prefixes and 176 nonArin I wish to Deny.


255 lines unmanageable!

Many thanks. I needed a good laugh today ;)

jlnaman




msg:4540383
 12:51 am on Jan 30, 2013 (gmt 0)

One container: first one Limit Get, Put & second Limit Get, Head to make them different ?
If really one container, then one container on /home/user/.htaccess and the second more restrictive set on /home/user/public_html/.htaccess ? I may try that tonight ...

Deny From 178/8 # RIPE NCC
Allow From 216/8 # ARIN
-- 2nd container --
deny from 216.244.76.31# really bad Gogglebot spoofer
. . .

wilderness




msg:4540387
 1:08 am on Jan 30, 2013 (gmt 0)

deny from 216.244.76.31# really bad Gogglebot spoofer


1) This is a total waste for two reasons: NEVER (unless for temporary use) deny to the Class D; always deny to the provider's larger range.

2) If you deny every fake Google or other major bot offending with fakes, you'll be adding these Class D IPs for all of eternity.

jlnaman




msg:4540390
 1:21 am on Jan 30, 2013 (gmt 0)

Advice accepted. I denied about ten Class D's and then killed off Amazon AWS using their list on https://forums.aws.amazon.com/ann.jspa?annID=1701. They control a lot of addresses and host a lot of really bad actors, IMHO.

wilderness




msg:4540394
 1:41 am on Jan 30, 2013 (gmt 0)

See the active and very large Server Farm thread in the SSID forum [webmasterworld.com]

lucy24




msg:4540395
 1:43 am on Jan 30, 2013 (gmt 0)

One container: first one Limit Get, Put & second Limit Get, Head to make them different ?

No. It's not like CSS where <class = "widget foobar"> means it has to be both A and B or the rule won't apply.

When two rules in Apache contradict each other, you need to know exactly where you are. Not just physically where-- i.e. different directories at different levels-- but what module, if any.

Sometimes Apache grabs the first thing that applies. A simple example is the DirectoryIndex line: as soon as it finds a match it stops, without checking to see if there's also an index.jsp or a main.php in the same directory. Other times Apache uses the last thing it meets, discarding any others. Some people have been bitten by the <Location> envelope, which can override any previous Deny.

And still other times the whole thing grinds to a crashing 500-level halt.

In the case of PUT, I should think you'd want to block almost everyone. But you may not need to do it explicitly. Just the other day my logs turned up a slew of "PUT ... html" (and assorted other extensions) that got hit with a resounding 405 requiring no effort from my side at all. Didn't even show up in error logs.

jlnaman




msg:4540397
 2:04 am on Jan 30, 2013 (gmt 0)

Apologies to all. I am getting educated fast. I thought deny from was like a firewall directive and executed immediately. [httpd.apache.org...] shows directives being merged and overridden. My being cute doesn't accomplish anything.
BTW, I used the PUT just to try and make it different (which won't make any difference) from the other section/container. I'm back to straightforward dealing with ip address. Wilderness showed me a sane way to merge ranges even tighter. => Many thanks to all of you who pointed me in a better direction!
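
Added example, not part of any post in this thread and not Apache's own code: a small Python model of the documented Order semantics (Apache 2.2 mod_authz_host), run against the addresses from the sketch above. The prefixes are written out as full CIDR and the function names are assumptions made for the illustration; the first-match function is included only to contrast with the firewall-style reading.

```python
import ipaddress

# Constructed rule set taken from the thread's sketch, written as full CIDR.
ALLOW = ["216.0.0.0/8"]                        # "Allow From 216/8" (ARIN)
DENY = ["178.0.0.0/8", "216.244.76.31/32"]     # RIPE block + the single spoofer

def _matches(ip, specs):
    """True if ip falls inside any of the listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s) for s in specs)

def authz(order, ip, allow=ALLOW, deny=DENY):
    """Model of Order: every Allow and Deny in the merged section is
    considered; the Order keyword, not the position in the file, decides
    which side wins and what the default is."""
    allowed = _matches(ip, allow)
    denied = _matches(ip, deny)
    if order == "Deny,Allow":
        # Deny evaluated first, Allow second: Allow overrides, default allow.
        return allowed or not denied
    if order == "Allow,Deny":
        # Allow evaluated first, Deny second: Deny overrides, default deny.
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

def first_match(ip, rules):
    """Firewall-style evaluation for contrast: the first matching rule wins,
    so rule position matters. Apache's Allow/Deny does NOT work this way."""
    for action, spec in rules:
        if _matches(ip, [spec]):
            return action == "allow"
    return True  # default allow (assumption for the contrast case)

if __name__ == "__main__":
    spoofer = "216.244.76.31"
    # Deny,Allow: the broad Allow for 216/8 overrides the narrow Deny.
    print("Deny,Allow admits spoofer:", authz("Deny,Allow", spoofer))
    # Allow,Deny: the Deny wins, but anything outside 216/8 is refused too.
    print("Allow,Deny admits spoofer:", authz("Allow,Deny", spoofer))
    print("Allow,Deny admits 8.8.8.8:", authz("Allow,Deny", "8.8.8.8"))
    # One container with Allow from all under Allow,Deny gives a plain blocklist.
    everyone = ["0.0.0.0/0"]
    for ip in (spoofer, "178.1.2.3", "8.8.8.8"):
        print(ip, "admitted:", authz("Allow,Deny", ip, allow=everyone))
```

Under this model the single-address Deny only takes effect when the Order is Allow,Deny; with Deny,Allow the Allow for the enclosing /8 lets the address back in.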
