
Forum Moderators: Ocean10000 & incrediBILL & phranque

.htaccess multiple sections of allow/deny?

a way to control bad bots?

   
10:18 pm on Jan 29, 2013 (gmt 0)



Will Apache execute different sections of allow and deny directives?

<Limit GET>
Order Allow,Deny
Deny All
Allow Some
</Limit>
<Limit GET>
Order Deny,Allow
Allow All
Deny badbot
</Limit>


Why? There are 79 ARIN controlled IPv4 prefixes and 176 non-ARIN I wish to Deny.
Within the 79, there are some specific bad bots within ARIN prefixes I also wish to Deny.
The question is will Apache process these as two different sections? Or am I stuck with 176 Denys plus badbot Denys? It is really a maintenance and optimization concern.
11:00 pm on Jan 29, 2013 (gmt 0)

g1smd (WebmasterWorld Senior Member)



Only the last Limit will apply.

You'll need to combine the rules into one container.
12:26 am on Jan 30, 2013 (gmt 0)

wilderness (WebmasterWorld Senior Member)



There are 79 ARIN controlled IPv4 prefixes and 176 nonArin I wish to Deny.


255 lines unmanageable!

Many thanks. I needed a good laugh today ;)
12:51 am on Jan 30, 2013 (gmt 0)



One container: first one Limit Get, Put & second Limit Get, Head to make them different ?
If really one container, then one container on /home/user/.htaccess and the second more restrictive set on /home/user/public_html/.htaccess ? I may try that tonight ...

Deny From 178/8 # RIPE NCC
Allow From 216/8 # ARIN
-- 2nd container --
deny from 216.244.76.31# really bad Gogglebot spoofer
. . .
1:08 am on Jan 30, 2013 (gmt 0)

wilderness (WebmasterWorld Senior Member)



deny from 216.244.76.31# really bad Gogglebot spoofer


1) This is a total waste for two reasons. NEVER (unless for temporary use) deny to the Class D, always deny to the provider's larger range.

2) If you deny every fake Google or other major bot offending with fakes, you'll be adding these Class D IPs for all of eternity.
1:21 am on Jan 30, 2013 (gmt 0)



Advice accepted. I denied about ten Class D's and then killed off Amazon AWS using their list on [forums.aws.amazon.com...] They control a lot of addresses and host a lot of really bad actors, IMHO.
1:41 am on Jan 30, 2013 (gmt 0)

wilderness (WebmasterWorld Senior Member)



See the active and very large Server Farm thread in the SSID forum [webmasterworld.com]
1:43 am on Jan 30, 2013 (gmt 0)

lucy24 (WebmasterWorld Senior Member)



One container: first one Limit Get, Put & second Limit Get, Head to make them different ?

No. It's not like CSS where <class = "widget foobar"> means it has to be both A and B or the rule won't apply.

When two rules in Apache contradict each other, you need to know exactly where you are. Not just physically where-- i.e. different directories at different levels-- but what module, if any.

Sometimes Apache grabs the first thing that applies. A simple example is the DirectoryIndex line: as soon as it finds a match it stops, without checking to see if there's also an index.jsp or a main.php in the same directory. Other times Apache uses the last thing it meets, discarding any others. Some people have been bitten by the <Location> envelope, which can override any previous Deny.

And still other times the whole thing grinds to a crashing 500-level halt.

In the case of PUT, I should think you'd want to block almost everyone. But you may not need to do it explicitly. Just the other day my logs turned up a slew of "PUT ... html" (and assorted other extensions) that got hit with a resounding 405 requiring no effort from my side at all. Didn't even show up in error logs.
2:04 am on Jan 30, 2013 (gmt 0)



Apologies to all. I am getting educated fast. I thought deny from was like a firewall directive and executed immediately. [httpd.apache.org...] shows directives being merged and overridden. My being cute doesn't accomplish anything.
BTW, I used the PUT just to try and make it different (which won't make any difference) from the other section/container. I'm back to straightforward dealing with ip address. Wilderness showed me a sane way to merge ranges even tighter. => Many thanks to all of you who pointed me in a better direction!
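
Added example, not part of the original thread: a small Python model of how one Apache 2.2 container resolves `Order`, `Allow` and `Deny` for a client, following the documented `Order` semantics. It shows why the layered "Allow From 216/8, then deny one host" draft lets 216.244.76.31 through under `Deny,Allow`, while a single `Allow,Deny` container blocks it. The function names are hypothetical, the prefixes are the thread's written out as CIDR, and the client addresses other than 216.244.76.31 are constructed.

```python
import ipaddress

def matches(specs, ip):
    """True if ip is covered by any spec: 'all', a single host, or a CIDR prefix."""
    return any(s == "all" or ip in ipaddress.ip_network(s) for s in specs)

def evaluate(order, allow, deny, client):
    """Model one container's Order/Allow/Deny decision for a client address."""
    ip = ipaddress.ip_address(client)
    allowed, denied = matches(allow, ip), matches(deny, ip)
    if order == "Allow,Deny":
        # Allow is checked first, Deny second: the client must match an Allow,
        # and any Deny match rejects it. No match at all means denied.
        return allowed and not denied
    if order == "Deny,Allow":
        # Deny is checked first, Allow second: an Allow match overrides a
        # Deny match. No match at all means allowed.
        return allowed or not denied
    raise ValueError(f"unsupported Order: {order}")

# One container holding both the broad prefix and the single host.
COMBINED = {"order": "Allow,Deny", "allow": ["all"],
            "deny": ["178.0.0.0/8", "216.244.76.31"]}

# The layered idea from the thread, folded into one Deny,Allow container.
LAYERED = {"order": "Deny,Allow", "allow": ["216.0.0.0/8"],
           "deny": ["178.0.0.0/8", "216.244.76.31"]}

# Constructed client addresses, except 216.244.76.31, which is quoted in the thread.
CLIENTS = ["178.1.2.3", "216.244.76.31", "216.10.20.30"]

def decisions(rules):
    """Map each sample client to True (allowed) or False (denied)."""
    return {c: evaluate(client=c, **rules) for c in CLIENTS}

if __name__ == "__main__":
    for name, rules in (("combined", COMBINED), ("layered", LAYERED)):
        for client, ok in decisions(rules).items():
            print(f"{name:9} {client:15} {'allow' if ok else 'deny'}")
```
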
 
