mod_rewrite(?) -- Allowing specific IPs from a banned subnet

Conditional ip-banning from various subnets.


seretogis

7:16 am on Apr 22, 2006 (gmt 0)



I've attempted doing this with mod_access but it doesn't appear to be able to do what I'd like, which is to ban subnets from accessing an entire website but allow specific IPs within those subnets.

For instance:
Return a 403 for any hostname containing utexas.edu except for friendly.utexas.edu.
<or>
Return a 403 for 12.384.58.* but allow 12.384.58.93

...all while allowing every other non-listed subnet to have uninterrupted access.

I believe I'll have to use mod_rewrite to do this, but I'm not entirely sure where to begin and would appreciate a general heads up of where to start, or some reading material that would be helpful for this specific situation.

jdMorgan

1:42 pm on Apr 22, 2006 (gmt 0)



Take a look at the mod_access [httpd.apache.org] Order directive. This is the cause of many problems due to a common misunderstanding of its function. Order sets the 'priority' of the Allow and Deny directives that follow it, and determines which one will override the other.

As a simple example, the following code first blocks a large range, and then allows a smaller range and an additional single IP address in a different subnet of that range:


# Allow access by default, Deny specified IP addresses or ranges, Allows override Denies
Order Deny,Allow
#
# Deny from 192.168.0.0 to 192.168.255.255
Deny from 192.168
#
# Allow from 192.168.10.0 to 192.168.10.255
Allow from 192.168.10
#
# Allow from 192.168.123.321
Allow from 192.168.123.321

In addition to partial IP addresses as shown above, you may also use network/netmask notation or network/CIDR notation for the allows and denies. You may mix and match as needed for readability or convenience.

Note that only one Order directive can appear within a container (e.g. <FilesMatch> or <Directory>) that is not mutually-exclusive with other containers. If no containers are used, then only one Order directive per file can be used.

Jim
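
The following is an added example, not part of the original posts and not Apache's own code: a small Python model of how the Order directive resolves Allow and Deny matches, run against a rule set shaped like the one above. The function names, the valid stand-in address 192.168.123.45 and the outside client 203.0.113.5 are constructed for illustration; the model covers IPv4 partial addresses, CIDR and network/netmask specs only.

```python
import ipaddress

def to_network(spec):
    """Turn an Allow/Deny address spec into an ip_network.

    Handles partial addresses ("192.168"), CIDR ("192.168.0.0/16")
    and network/netmask ("192.168.0.0/255.255.0.0"). IPv4 only.
    """
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")

def access_allowed(order, allow, deny, client):
    """Model the Order decision for one client IP address."""
    ip = ipaddress.ip_address(client)
    hit_allow = any(ip in to_network(s) for s in allow)
    hit_deny = any(ip in to_network(s) for s in deny)
    if order == "Deny,Allow":
        # Default is allow; an Allow match overrides a Deny match.
        return hit_allow or not hit_deny
    if order == "Allow,Deny":
        # Default is deny; a Deny match overrides an Allow match.
        return hit_allow and not hit_deny
    raise ValueError(f"unsupported Order: {order}")

# Constructed rule set in the shape of the example in the post.
DENY = ["192.168"]
ALLOW = ["192.168.10", "192.168.123.45"]

def demo():
    """Evaluate four constructed clients under both Order settings."""
    clients = ["192.168.10.7", "192.168.123.45", "192.168.99.1", "203.0.113.5"]
    return {
        order: [access_allowed(order, ALLOW, DENY, c) for c in clients]
        for order in ("Deny,Allow", "Allow,Deny")
    }

if __name__ == "__main__":
    for order, results in demo().items():
        print(order, results)
```

With the same Allow and Deny lines, swapping the Order to Allow,Deny locks out every client, including the ones the Allow lines were meant to exempt, which is the misunderstanding the answer warns about.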