?

What you've posted is a random fragment of an htaccess. It says nothing about the visitors' IP. (If you have the All-Time, Absolute, Definitive Country List, you can drop the www site and retire on the proceeds from selling your list.)

I don't see how you could ever do it just with ErrorDocuments and allow/deny directives anyway. You would need to set up separate RewriteRules for each group of IPs.

Why don't you just block 'em?

:: detour to glance at latest batch of 403's ::

Whoops, gotta go. You know your search engine has Arrived when people start spoofing it.

Thank you.
This is my first time posting and I'm relatively inexperienced when it comes to fiddling around with Apache, so I was hoping someone here might be able to help guide me in the right direction.
We used to have it done like this ( I clipped the list of IP's in the middle ):

ErrorDocument 401 www.ourwebsite.com
ErrorDocument 404 www.ourwebsite.com
ErrorDocument 403 www.secondwebsite.com
<Limit GET HEAD POST>
order allow,deny
deny from 77.74.224.0/21
.......
deny from 217.72.80.0/20
allow from all
</LIMIT>

You really don't need the <Limit> envelope at all. I mean, is there anything people from those IPs are allowed to do?

Now I see what you're doing with the ErrorDocuments. But I gotta say it is generally a Very, Very Not Good Idea to turn a 403 into a 302, which is what you're doing here. Why don't you just slam the door on them?

Note too that a 403 is two different things. To a webmaster it's "Get out of my sight, you horrible robot". But to a normal human it's "Oh, oops, I guess this directory doesn't have an index.html file". If a welcome visitor is exploring your site and enters the wrong address, you don't want to send them off to Siberia. They need a page that says "Sorry, you're not allowed in here" with some links back to the places they are allowed in.

If you want people from certain countries to use a different site, put that other site in the appropriate languages and let them go there voluntarily.

A more effective method.

1) restore your error documents to their proper settings.
2) Remove the lines you provided
3) add the following:

RewriteEngine on (note: If not ON previously)
RewriteCond %{REMOTE_ADDR} ^77\.74\.2(2[4-9]|3[01])\. [OR]
RewriteCond %{REMOTE_ADDR} ^217\.72\.(8[0-9]|9[0-5])\.
RewriteRule .* http://www.example.com/ [R=301,L]

Note; You will need to convert all those CIDR's that you currently have to regex (as I've done in the two examples you provided).
Addition lines between the first and last IP's require use of

[OR]

at lines end.

Thanks lucy24, so I delete the LIMIT envelope first.

I would like to get the visitors from six countries to be immediately redirected to our second web site, that is appropriate for visitors from that area. Just changing the language is not enough.
And I would like to do this in a .htaccess country deny format.
Is this not a good way of doing a country block? If so, why?

Thanks for the suggestion Wilderness.
Why is that way better then .htaccess country deny format?
How exactly should I restore the error documents?
Which lines should I remove?
So I should change all the ranges? That is a lot of ranges we are talking about here and they need to be updated monthly, I need a simple solution that does the country block and redirection and can be easily updated with the use of monthly updated country ip ranges.

I need a simple solution

You should stick with what you know.

"restore your error documents to their proper settings" means keep them as regular error documents that live on your own domain. Using a Redirect as an error document would mean that everyone who gets a 403 for any reason will be redirected-- not just people from your six countries, but any unwanted robots, straying humans and so on.

The people from selected countries require different handling from the lockouts. You don't want to waste time redirecting Ukrainian robots-- and, as I said above, you definitely don't want to redirect legitimate humans who simply blunder into the wrong directory.

Now, rumor has it that Apache 2.4 can recognize CIDRs in the same form that you use in your Deny From directives: 202.1.0.0/17 and so on. But in the meantime you'll have to convert them to Regular Expressions.

202.1.0.0/17 and 202.1.128.0/17 for example become
^202\.1\.(\d\d?|1([01]\d|2[0-7]))\. and ^202\.1\.(1(2[89]|3\d)|2\d\d) *
And those are the easy ones. (Don't quote me. I didn't proofread the numbers.)

If you plan on doing this monthly, you'll want to run up a quick program that does the format-converting for you. There may already exist one.


* Technically the last bit is 2([0-4]\d|5[0-5]) but the other numbers won't occur so no need to waste time on them.

If you plan on doing this monthly, you'll want to run up a quick program that does the format-converting for you.

No such creature exists.

Google offers one [support.google.com], however the output is badly formatted.

No such creature exists.

Then you'll have the fun of making your own. You can do a lot with Regular Expressions-- including using them to make other Regular Expressions :)

It's completely mechanical.

:: pause to move cat ::

nn.2.0.0/14 or nn.nn.2.0/22 or (shudder) nn.nn.nn.2/30
turn into
nn.[2-5].\d+.d+, nn.nn.[2-5].\d+, nn.nn.nn.[2-5]
That kind of thing. Feed your list into the programming language of your choice, sit back and let it spit out the result. Wasn't it you that gave me a recent list of China IPs? That's what I did with 'em, though possibly in the other direction.

And then consolidate things like
\d+.\d+.\d*2.0/24
\1.\2.\33.0/24
into
\1.\2.\32.0/23

We'll stipulate that all those . are really \. because it would have been unreadable.

That kind of thing. Feed your list into the programming language of your choice, sit back and let it spit out the result. Wasn't it you that gave me a recent list of China IPs?

Perhaps you could provide the URL for that?

:: shuffling papers ::

Nope, my mistake, the China list came from that IP Blocks www site. Which makes me wish I had the nerve to lock out the entire 202 and 203 ranges, since I am obviously not going to clog up my htaccess with a string of /24s. Even with a /16 cutoff it's bloated as all get-out.

Maybe I'm thinking of the PSInet list.