Forum Moderators: phranque
I have an elaborate .htaccess file that works great, but, now I run multiple domains on my server and want to protect all the domains (nothing new here, I know).
Here's what I've got -works PERFECT in .htaccess (sample IP given):
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_ADDR} ^192.168.(3[1-9]).*$
RewriteRule .* - [F]
(also works: RewriteCond %{REMOTE_ADDR} 192.168.36.* )
But, it doesn't work in httpd.conf file under:
<Directory "/var/www/html">
Options FollowSymLinks MultiViews -Indexes
...etc, etc.
I found this info:
[httpd.apache.org...]
%{LA-U:variable} can be used for look-aheads which perform an internal (URL-based) sub-request to determine the final value of variable.
This can be used to access variable for rewriting which is not available at the current stage, but will be set in a later phase. For instance, to rewrite according to the REMOTE_USER variable from within the per-server context (httpd.conf file) you must
use %{LA-U:REMOTE_USER} - this variable is set by the authorization phases, which come after the URL translation phase (during which mod_rewrite operates).
On the other hand, because mod_rewrite implements its per-directory context (.htaccess file) via the Fixup phase of the API
and because the authorization phases come before this phase, you just can use %{REMOTE_USER} in that context.
So, I tried all these possibilities:
RewriteCond %{REMOTE_ADDR} 192.168.36.*
RewriteCond %{REMOTE_ADDR} ^192.168.36.*$
RewriteCond %{REMOTE_ADDR} ^192.168.36.$
RewriteCond %{REMOTE_ADDR} ^192\.168\.36\.$
RewriteCond %{REMOTE_ADDR} ^192\.168\.36\.*$
RewriteCond %{REMOTE_ADDR} ^192.168.(3[1-9]).*$
RewriteCond %{LA-U:REMOTE_ADDR} ^192.168.(3[1-9]).*$
RewriteCond %{LA-U:REMOTE_ADDR} ^192\.168\.(3[1-9])\.*$
RewriteCond %{LA-U:REMOTE_ADDR} ^192\.168\.36\.$
RewriteCond %{LA-U:REMOTE_ADDR} 192.168.36.*
None of them worked.
I'm also looking to block empty user agents.
This works fine in .htaccess (but have no idea if it works in httpd.conf)
RewriteCond %{HTTP_USER_AGENT} ="" [OR]
RewriteCond %{HTTP_USER_AGENT} ="-"
I get NO strange error logs -everything looks 'normal.'
I'm wondering if the ONLY way to block the IP with httpd.conf is to:
1.) Use CIDR under the allow,deny directive? (which I'll have to learn)
2.) Move the RewriteCond OUTSIDE the <Directory > (just thought of that ...too tired)
3.) Create a script to handle this list of IP's and Agent's I want to block
4.) Do something else I'm missing here?
I've seen things about simple firewalls and using IP maps. I know enough to be (sorta) dangerous, but I've never been able to figure that part out (I tried once). I understand most of this stuff and it appears to be the easiest way for me to accomplish this.
Running Apache 2.2, Fedora Core 6 on a GoDaddy Virtual-Dedicated server.
Thanks in advance for your input and help!
-Mike
1) "*" at the end of an IP range is invalid and a redundant attempt.
2) you have lines where the periods (.)between IP Classes are not escaped (\), while others are.
3) the "ends with" ($) character is only required wwhen either a specific Class D is utilized or when your foccusing on "ends with, rather than "begins with" (^).
There are numerous examples of "Blank User Agent" denials (you've used the term "empty" incorrectly). BLANK.
The forum library offers an excellent link explaining expressions:
[webmasterworld.com...]
Don
edited.
See this thread for some http.conf info:
[webmasterworld.com...]
So, you're getting carried away with the {LA:xyz} stuff -- That path of investigation will not be productive.
<Directory /var/www/html>
Options FollowSymLinks -Indexes
#
RewriteEngine on
RewriteBase /
RewriteCond %{REMOTE_ADDR} ^192\.168\.(3[1-9])\.
RewriteRule . - [F]
#
...
#
</Directory>
If that code doesn't work, first make sure you've got the code in the right <Directory> container, and then look to other configuration problems.
Do not enable MultiViews unless you must use content negotiation. MultiViews can lead to unexpected URL-to-filename associations, and result in duplicate-content problems with search engines.
Jim
Aside from that, I have a thought...
There are currently 3 domains on this server, and, being kind of a rookie,
I must be missing something here. Within the same <Directory> (as above)
I noticed the "deny from 192.168.0.1" has no global effect either. :(
So, as you pointed out, Jim, these are probably in the wrong place, but I can't figure out where.
In the httpd.conf file, there are these <Directory> sections:
<Directory /> -which is simply has deny,allow deny from all and Options & AllowOverride both None
<Directory "/var/www/html"> -the one I tried using
<Directory "/var/www/icons"> -I'm sure it's not this
<Directory "var/www/cgi-bin"> -simply has: AllowOverride & Options (None) allow,deny allow from all
<Directory "/var/www/error"> -all default, this is under the <IfModule mod_include.c>
---
Now, I just noticed there is a ## section:
<Directory /home/*/public_html> -with some 'example' settings.
What's interesting is, this is where each domain is located, such as:
ROOT/home/rootuser -has 4 files like .bash*
ROOT/home/user1/public_html/index.html -domain #1 files
ROOT/home/user2/public_html/index.html -domain #2 files
ROOT/home/user3/public_html/index.html -domain #3 files
As obvious as this may be... should I un-comment this section (or create one similar)
and add my few directives in here for the little bit of "blacklisting" that I want to do?
Looking closer at this section, it seems like it's the way to go?
Also, if so, can I use the wildcard * to cover ALL domains on the server?
Or do I have to create one for EACH individual user?
Thanks again in advance!
-Mike
The best way to protect all domains depends on how your server is set up [httpd.apache.org].
Jim
