.htaccess configuration (limit get, allow, deny)

<Limit GET POST> vs. <Limit GET HEAD POST>

         

strawberry

10:51 am on Jul 22, 2009 (gmt 0)




Part of my default .htaccess contains the following lines:

IndexIgnore .htaccess */.?* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

What do they do? Why have "deny from all" and "allow from all" in the same script?

----

What is the difference between <Limit GET POST> and <Limit GET HEAD POST>?

----

There are some conflicts with the below lines.
When I add it, my site is down.
Could you help me?
Thanks.

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

<Limit GET HEAD POST>
order allow,deny
deny from 116.193.8.0/21
deny from 125.31.0.0/18
deny from 161.64.0.0/16
deny from 192.203.232.0/24
deny from 202.75.248.0/22
deny from 202.86.128.0/18
deny from 202.171.252.0/22
deny from 202.172.0.0/22
deny from 202.173.0.0/22
deny from 202.174.0.0/22
deny from 202.175.0.0/22
deny from 202.175.4.0/22
deny from 202.175.8.0/21
deny from 202.175.16.0/20
deny from 202.175.32.0/19
deny from 202.175.64.0/19
deny from 202.175.96.0/19
deny from 202.175.160.0/19
allow from all
</LIMIT>

jdMorgan

5:22 pm on Jul 22, 2009 (gmt 0)




> Why have "deny from all" and "allow from all" in the same script?

Because the code was written by someone who was 'just guessing' and copied without research. Both are really bad practices.

> What is the difference between <Limit GET POST> and <Limit GET HEAD POST>?

None. "GET" implies "HEAD", so "HEAD" does not need to be included.

I suggest you decide what you want to do, and then use or write code that does that. See the Apache mod_access "Order", "Allow", and "Deny" directives and the Apache core <Limit> and <LimitExcept> directives.

Also, in the long term, you may find that using "Order Deny,Allow" will allow more flexibility. For example, you can "Deny from" many IP addresses, but then provide for an Allow that will override those Denies if your custom 403 error page is requested.

If you don't do that, then you can't even use a custom 403 page, because any attempt to serve it in response to a denied request would result in a second 403 error, and that second 403 error would cause a third -- and this would continue until either the client or the server detected the loop and gave up.

It's not clear what "conflict" you are experiencing with your list of IP denies. Please be more specific.

Jim

strawberry

1:15 am on Jul 26, 2009 (gmt 0)




I appreciate your help.

---
Conflict:

If my .htaccess includes <Limit GET POST> and <Limit GET HEAD POST>, my site cannot be visited (cannot connect to my website).

Example:

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

<Limit GET HEAD POST>
order allow,deny
deny from 116.193.8.0/21
deny from 125.31.0.0/18
deny from 161.64.0.0/16
deny from 192.203.232.0/24
deny from 202.75.248.0/22
deny from 202.86.128.0/18
deny from 202.171.252.0/22
deny from 202.172.0.0/22
deny from 202.173.0.0/22
deny from 202.174.0.0/22
deny from 202.175.0.0/22
deny from 202.175.4.0/22
deny from 202.175.8.0/21
deny from 202.175.16.0/20
deny from 202.175.32.0/19
deny from 202.175.64.0/19
deny from 202.175.96.0/19
deny from 202.175.160.0/19
allow from all
</LIMIT>

Thanks a lot.

jdMorgan

1:55 am on Jul 26, 2009 (gmt 0)




Too complicated. Simplify:

Order Deny,Allow
#
<Limit PUT DELETE>
Deny from all
</Limit>
#
<Limit GET POST>
Deny from 116.193.8.0/21
Deny from 125.31.0.0/18
Deny from 161.64.0.0/16
Deny from 192.203.232.0/24
Deny from 202.75.248.0/22
Deny from 202.86.128.0/18
Deny from 202.171.252.0/22
Deny from 202.172.0.0/22
Deny from 202.173.0.0/22
Deny from 202.174.0.0/22
Deny from 202.175.0.0/22
Deny from 202.175.4.0/22
Deny from 202.175.8.0/21
Deny from 202.175.16.0/20
Deny from 202.175.32.0/19
Deny from 202.175.64.0/19
Deny from 202.175.96.0/19
Deny from 202.175.160.0/19
</Limit>

Note that as documented, <Limit GET> implies <Limit HEAD>.

See Apache mod_access for more info about Deny,Allow precedence.

If you use a custom error document, you will need to allow it to be accessed unconditionally. You should also allow your robots.txt file to be accessed unconditionally.
Example:


SetEnvIf Request_URI ^/(robots\.txt¦my-custom-403-error-page\.html)$ allowall
Allow from env=allowall

Replace the broken pipe "¦" character with a solid pipe before use; posting on this forum modifies the pipe character.

Jim

strawberry

8:29 am on Jul 26, 2009 (gmt 0)




I added it to my .htaccess, and my website is working perfectly.

Order Deny,Allow
#
<Limit PUT DELETE>
Deny from all
</Limit>
#
<Limit GET POST>
Deny from 116.193.8.0/21
Deny from 125.31.0.0/18
Deny from 161.64.0.0/16
Deny from 192.203.232.0/24
Deny from 202.75.248.0/22
Deny from 202.86.128.0/18
Deny from 202.171.252.0/22
Deny from 202.172.0.0/22
Deny from 202.173.0.0/22
Deny from 202.174.0.0/22
Deny from 202.175.0.0/22
Deny from 202.175.4.0/22
Deny from 202.175.8.0/21
Deny from 202.175.16.0/20
Deny from 202.175.32.0/19
Deny from 202.175.64.0/19
Deny from 202.175.96.0/19
Deny from 202.175.160.0/19
</Limit>

I also edit my robots.txt

SetEnvIf Request_URI ^/(robots\.txt|my-custom-403-error-page\.html)$ allowall
Allow from env=allowall

Thank you so much.

<snip>

[edited by: jdMorgan at 1:17 pm (utc) on July 26, 2009]
[edit reason] No URLs, please. See TOS. [/edit]

jdMorgan

1:19 pm on Jul 26, 2009 (gmt 0)




The "SetEnvIf" and "Allow from env=" directives should be placed in your .htaccess file, preferably within the <Limit GET POST> section.

Jim
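
An added example, not part of the original thread: a simplified Python model of how mod_access evaluates Order, Deny and Allow. It shows why the original "deny from all" plus "allow from all" block changes nothing, and why the env=allowall override for robots.txt and the custom 403 page only takes effect under Order Deny,Allow. The model ignores <Limit> method scoping and per-directory merging; the client addresses are constructed, and the deny list is a two-entry subset of the one posted above.

```python
import ipaddress
import re

# Two networks taken from the thread's deny list (subset, for brevity).
DENY = ["116.193.8.0/21", "202.175.0.0/22"]
# The thread's SetEnvIf pattern, with a solid pipe.
ALLOWALL = re.compile(r"^/(robots\.txt|my-custom-403-error-page\.html)$")


def matches(rules, ip, env):
    """True if any 'from' rule matches: 'all', 'env=NAME', or a CIDR network."""
    for rule in rules:
        if rule == "all":
            return True
        if rule.startswith("env="):
            if rule[4:] in env:
                return True
        elif ipaddress.ip_address(ip) in ipaddress.ip_network(rule):
            return True
    return False


def access(order, deny, allow, ip, uri):
    """Return the status (200 or 403) this simplified model gives one request."""
    # SetEnvIf Request_URI ... allowall
    env = {"allowall"} if ALLOWALL.match(uri) else set()
    denied = matches(deny, ip, env)
    allowed = matches(allow, ip, env)
    if order == "deny,allow":
        # Deny is evaluated first and Allow can override it; default is allow.
        ok = allowed or not denied
    else:
        # "allow,deny": Allow is evaluated first and Deny overrides it;
        # default is deny.
        ok = allowed and not denied
    return 200 if ok else 403


if __name__ == "__main__":
    blocked, other = "202.175.1.9", "198.51.100.7"  # constructed client addresses
    # The original block: deny from all + allow from all is a no-op.
    print(access("deny,allow", ["all"], ["all"], other, "/index.html"))
    # Blocklist with the env override: page denied, error page still served.
    for uri in ("/index.html", "/my-custom-403-error-page.html", "/robots.txt"):
        print(uri, access("deny,allow", DENY, ["env=allowall"], blocked, uri))
    # Under Allow,Deny the same override cannot rescue a denied client.
    print(access("allow,deny", DENY, ["all", "env=allowall"], blocked, "/robots.txt"))
```
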