Welcome to WebmasterWorld Guest from 54.196.73.22

Forum Moderators: Ocean10000 & phranque

Blocking Ranges with Prejudice

     
12:32 am on Aug 9, 2018 (gmt 0)

Preferred Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 444
votes: 37


I block all googleusercontent.com (Google Cloud) ranges with prejudice (allowing some UAs through)

@keyplyr, how do you do this? This statement always confuses me.

If I have a large IP range, for example say from 0-255 and I need to poke a hole for, say 87, I block 0-86 and 88-255, with:
deny from a.b.c.d/16

With CIDR format this gets messy quickly. with combinations of /24, /23, /19 and others. Is there a better way?
1:57 am on Aug 9, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12344
votes: 807


A simple way...
RewriteCond %{REMOTE_ADDR} ^123\.45\. [OR]
RewriteCond %{REMOTE_ADDR} ^234\.56\.
RewriteCond %{HTTP_USER_AGENT} !(UA-example1|UA-example2)
RewriteCond %{HTTP_REFERER} !(example1\.com|example2\.com)
RewriteRule !^(forbidden\.html|ads\.txt|robots\.txt)$ - [F,L]

I use a multi-tiered set of rules/conditions combining other Blocking Methods [webmasterworld.com]

I have my CIDRs set up to allow different conditions using SetEnvIf.
2:23 am on Aug 9, 2018 (gmt 0)

Preferred Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 444
votes: 37


Thanks. Can you provide an example for your SetEndIfs? I have use htaccess inheritance, so Rewrites are not as useful as SetEndIfs.
3:24 am on Aug 9, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12344
votes: 807


Sorry no. I don't do what you're asking with SetEndIfs. I have that batch of filters set up to do different things.

IMO, using the IP ranges allows a more surgical alternative, which is why I chose to use it in the example. I can visualize where a range starts/ends easier than I can with CIDRs, plus with ranges, you can do more nesting.
4:11 am on Aug 9, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15031
votes: 665


I rarely use SetEnvIf for this purpose, but when I do, it goes like this:
SetEnvIf Remote_Addr ^1\.2\. bad_range

BrowserMatch NiceGuy !bad_range
Note that mod_setenvif uses Regular Expressions rather than CIDR ranges (unless they've added the functionality in 2.4 and nobody told me), so you use the same syntax as in a RewriteCond, rather than the syntax you'd use in a Deny or Allow line. If you're lucky, it will be an exact /16 or /24 so you don't have to say anything complicated, like
^1\.2\.(1[6-9]|2\d|3[01])
for the equivalent of 1.2.16.0/20. And if you're really lucky it would be a whole /8, like ^52 (to pick a number wholly at random).
10:28 pm on Aug 9, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5493
votes: 3


If I have a large IP range, for example say from 0-255 and I need to poke a hole for, say 87, I block 0-86 and 88-255, with:


Using mod rewrite and poking hole for 87

([0-9]|[1-79][0-9|8[0-689]|1[0-9][0-9]|2[0-5][0-9])
Note; depending upon what CLASS (A,B,C or D) the location of parenthesis and the leading or trailing characters will vary.