Including list of denied ips | 403 redirects? - Apache Web Server forum at WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

Including list of denied ips | 403 redirects?

When including list of ips to deny, 403 errors don't resolve

cooch17

11:38 pm on Jun 16, 2013 (gmt 0)

Suppose I want to block some ip's from a directory. if I try


<Directory /home/www/directory/of/interest/>
Order allow,deny
allow from all

deny from 1.2.3.4/24
deny from 5.6.7.8/24
etc.

ErrorDocument 403 http://server.root/errors/403.html
</Directory>

Works fine - someone from one of the denied ips tries to hit the subdirectory, then the 403.html page is presented.

But...if I put the ips I want to block into a file (call it ipblock.dat), and then try


<Directory /home/www/directory/of/interest/>
Order allow,deny
allow from all

Include /path/to/ipblock.dat


ErrorDocument 403 http://server.root/errors/403.html
</Directory>

the 403 page isn't presented. Instead, what is seen is some message about too many redirects.

For a bunch of reasons, having the ip blocks I want to deny in a separate external file is practical for my purposes, but I can't really use it if I can't figure out how to get the 403 error page to show correctly.

Suggestions/points to the obvious most welcome.

dougwilson

2:34 am on Jun 17, 2013 (gmt 0)

I've had one problem like this, can't remember how long ago, and I'm not sure what your doing with the dat file. That said, you could try something like this

<Files 403.html>
order allow,deny
allow from all
</Files>

In other words make sure any one can access the error page

That's all I've got

lucy24

3:55 am on Jun 17, 2013 (gmt 0)

But...if I put the ips I want to block into a file (call it ipblock.dat)

What's the exact format of the IP list in the .dat document? Is it a direct cut-and-paste from the version you had in the directory? Nothing added, nothing deleted? Saved as a plain-text file?

Access to the error document shouldn't be a problem unless you goofed and put 403.html into the same directory that you're denying access to. If for some reason it has to live there, then the <Files> envelope is your salvation :)

the 403 page isn't presented. Instead, what is seen is some message about too many redirects.

What do you mean by "some message"? The browser's own too-many-redirects message? Or a server message about internal redirects? They're entirely different things, reflecting entirely different problems.

Never mind what the user sees. What do the logs say? It's your own server, so you should be able to crank up the logging level to a stage where it gives useful information.

If access to the 403 document is the problem, it will show up clearly in error logs.

cooch17

2:17 pm on Jun 17, 2013 (gmt 0)

Further details:

1\ the file ipblock.dat is a simple text file - nothing fancy.

deny from 1.2.3.4/24
deny from 5.6.7.8/24

and so on.

2\ when trying to access the subdirectory, the browser (Chrome - get more or less the same thing from other browsers) reports

This webpage has a redirect loop

The webpage at [server.address...] has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.
Here are some suggestions:

Reload this webpage later.

Learn more about this problem.

Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects.

In the log files, I see "GET /errors/403.html HTTP/1.1"

So, in theory, I should be seeing the 403.html page. But, I'm not.

cooch17

2:40 pm on Jun 17, 2013 (gmt 0)

Solved -- if I block the subdirectory from ip 1.2.3.4, then of course, I also block the errors subdirectory nested within it. I just realized I was pointing to an URL for the 403 page that was in a directory nested in the directory I was blocking. Moving the error directory to somewhere else solved the problem.