Odd effect of Deny From IP Address

Site blocked when Deny From IP line added

         

JimmieT

12:47 pm on Apr 19, 2010 (gmt 0)

10+ Year Member



In my .htaccess file I added the following line:

Deny From 64.136.XX.#*$! , which resolves to JØnÜ Online Services. My site is 209.197.#*$!.#*$!

The effect of adding that line is that it blocks access to my web site and produces a “Forbidden Access” warning, but not my custom “Forbidden Access” html file. I could not find any reason why this would occur. When I remove that line, access to my site is permitted again.

jdMorgan

1:16 pm on Apr 19, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What "Order" directive did you use prior to declaring your "Deny from"?

Jim

JimmieT

2:34 pm on Apr 19, 2010 (gmt 0)

10+ Year Member



order allow,deny
allow from all

Jim

jdMorgan

3:37 pm on Apr 19, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So is the problem that *all* visitors are being blocked, or rather just that your custom 403 page is not being served to visitors whose IP addresses are (correctly) being blocked?

If the latter, then note that your custom 403 error page is a... well, it's a page, and so the mod_access restrictions apply.

In order to allow your custom 403 error page to be served, you will have to provide an exclusion to the IP-address-based Deny. I also recommend that you provide an exclusion for robots.txt as well -- Otherwise, some robots will take a non-200 OK response as carte-blanche to attempt to spider your entire website, leading to a "403 storm" that continues unless and until they give up.

This solution requires mod_setenvif, use of the "Deny,Allow" mod_access priority setting, and an additional "Allow from" line, using the "Allow from env=<varname>" syntax:

SetEnvif Request_URI "^/(robots\.txt|custom-403-page\.html)$" AllowAll
#
Order Deny,Allow
#
Allow from env=AllowAll
#
Deny from 192.168.0.12
Deny from 10.10.0.10

Here, any request not matching a denied IP address or any request for robots.txt or your custom 403 error page will be allowed.

Be aware that in .htaccess, only one "Order" directive may be used in any non-exclusive scope; otherwise, only the last "Order" directive will be applied. To avoid "Order directive collisions," it may be useful to use <Limit>, <LimitExcept>, <Files>, and <FilesMatch> containers -- if required.

Jim
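
The difference between the two Order settings discussed above, as an added example that is not part of the original posts: a small Python model of the Apache 2.2 mod_access decision, run against the pattern and addresses from the snippet. The names `is_allowed`, `ORIGINAL` and `FIXED` are hypothetical, `ORIGINAL` reuses the snippet's example addresses because the thread's own address is masked, and only `all`, `env=` and full IP/CIDR arguments are modelled.

```python
import ipaddress
import re

# SetEnvIf pattern and denied addresses copied from the post above.
ALLOW_URI = re.compile(r"^/(robots\.txt|custom-403-page\.html)$")
DENIED = ["192.168.0.12", "10.10.0.10"]

# (Order, Allow rules, Deny rules) for the two configurations in the thread.
ORIGINAL = ("allow,deny", ["all"], DENIED)        # constructed from the posts
FIXED = ("deny,allow", ["env=AllowAll"], DENIED)


def _matches(rule, ip, env):
    """True if one Allow/Deny argument matches this request."""
    if rule == "all":
        return True
    if rule.startswith("env="):
        return rule[4:] in env
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)


def is_allowed(config, ip, uri):
    """Model of the mod_access decision for one request (hypothetical helper)."""
    order, allows, denies = config
    # SetEnvIf Request_URI ... AllowAll: variable is set only for the two files.
    env = {"AllowAll"} if ALLOW_URI.match(uri) else set()
    allowed = any(_matches(r, ip, env) for r in allows)
    denied = any(_matches(r, ip, env) for r in denies)
    if order == "allow,deny":   # default deny; a Deny match overrides Allow
        return allowed and not denied
    if order == "deny,allow":   # default allow; an Allow match overrides Deny
        return allowed or not denied
    raise ValueError(f"unsupported Order: {order}")


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for uri in ("/index.html", "/custom-403-page.html", "/robots.txt"):
            verdict = "200" if is_allowed(cfg, "192.168.0.12", uri) else "403"
            print(f"{name:8} blocked client {uri:22} -> {verdict}")
```
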

jdMorgan

4:15 pm on Apr 19, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Also, be sure to delete your browser cache after uploading any new code to your server, and in-between your "access should be allowed" and "access should be denied" test cases (and vice-versa). Otherwise, you will likely see stale results previously cached by your browser.

Jim

JimmieT

6:17 pm on Apr 19, 2010 (gmt 0)

10+ Year Member



Yes, *all* visitors are being blocked.

The 403 error page is of little concern. I only mentioned it because a standard 403 error, instead of my custom 403, appears when the aforementioned Deny From IP is in the .htaccess file. Also, I am not adding the IP range block, just one address.

The real concern is that the whole web site becomes non-accessible when that particular IP address is in the denied list. I have over 300 Deny From IP addresses or IP ranges and it is the only IP address that, when included in the Deny From list, produces the 403 error. Everything else works just fine otherwise.

Jim

wilderness

7:20 pm on Apr 19, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The real concern is that the whole web site becomes non-accessible when that particular IP address is in the denied list. I have over 300 Deny From IP addresses or IP ranges and it is the only IP address that


What you likely have is a syntax error generating a 500 code and taking down your server/site.

Deny From 64.136.XX.#*$!


If the use of upper-case in the above was just a typo to this forum, disregard.
If it was NOT a typo and what you actually copied-pasted from your htaccess?

try changing to "deny from", lower case, or "Deny from".

JimmieT

8:48 pm on Apr 19, 2010 (gmt 0)

10+ Year Member



~wilderness
The other 300 plus "Deny From"s do not give me a 500 code and they are all first letter capitalized, "Deny From 000.000.000.000", etc.

It should make no difference when I add the offending IP in the same format as the others.

Jim

wilderness

9:05 pm on Apr 19, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Syntax errors may be quite inconsistent.

I've had syntax errors that have been in place for months without causing a 500 error or affecting other lines. (even though the line with the error may not function properly).

Then upon adding an additional line, all hell breaks loose and requires locating the syntax error.

jdMorgan

10:02 pm on Apr 19, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Look for other things, then... Tabs instead of spaces, UTF16-encoded characters, incorrect line-enders, etc. perhaps added by using a non-ASCII editor.

Unless there is real magic in this world, then your code -as you describe it- should work fine.

Also, a quick look at your server error log file would be in order.

Jim
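
One way to run the check suggested above, as an added example that is not part of the original posts: a Python scan of the raw bytes of an .htaccess file that reports byte order marks, CR line endings, tabs and any non-ASCII or control character by line. The function name `scan_htaccess` and the sample rules are constructed for illustration.

```python
import unicodedata

# Constructed sample: line 2 ends with a zero-width space (U+200B), line 3
# uses a no-break space (U+00A0) plus a CRLF ending, line 4 uses a tab.
SAMPLE = ("Order Deny,Allow\n"
          "Deny from 192.168.0.12\u200b\n"
          "Deny\u00a0from 10.10.0.10\r\n"
          "Deny\tfrom 10.10.0.11\n").encode("utf-8")


def scan_htaccess(data: bytes):
    """Return (line_number, description) for each suspicious character."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return [(1, "UTF-16 byte order mark: file is not ASCII")]
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append((1, "UTF-8 byte order mark"))
        data = data[3:]
    for no, raw in enumerate(data.split(b"\n"), 1):
        if raw.endswith(b"\r"):
            findings.append((no, "CR line ending"))
            raw = raw[:-1]
        # Invalid UTF-8 decodes to U+FFFD, which is reported like any
        # other non-ASCII character.
        for ch in raw.decode("utf-8", errors="replace"):
            if ch == "\t":
                findings.append((no, "tab character"))
            elif ord(ch) < 32 or ord(ch) > 126:
                name = unicodedata.name(ch, "unnamed control character")
                findings.append((no, f"U+{ord(ch):04X} {name}"))
    return findings


if __name__ == "__main__":
    # For a real file: scan_htaccess(open(".htaccess", "rb").read())
    for line_no, what in scan_htaccess(SAMPLE):
        print(f"line {line_no}: {what}")
```
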

JimmieT

10:48 pm on Apr 19, 2010 (gmt 0)

10+ Year Member



Well I am still a bit confused as to why I was having a problem. I removed completely the offending “Deny From” line, and visited my site with no problems; full access. I then typed in the same line that was giving me a problem, and now the system works fine. So, perhaps there was some invisible character embedded in the original line that caused the problem and was eliminated when I removed the whole line.

I would never have guessed that was the problem.

Thanks for your time and effort to educate me and give me suggestions to locate the problem.

Jim