Combine 2 RESTRICTIONS in .htaccess

Forum Moderators: phranque

Message Too Old, No Replies

Combine 2 RESTRICTIONS in .htaccess

Hitman3266

3:33 am on Feb 18, 2006 (gmt 0)

alright, i have been trying to figure out how to enforce both of these restrictions

SetEnvIf User-Agent "^npgmup" badUA
Order Deny,Allow
Deny from all
Allow from env=badUA

AND

Allow from XX Allow from XX Allow from XX[/code}

now it doesnt enforce both of them, anyone who has the user-agent of npgmup will be able to connect, and the IP restriction, is now useless. I need it to use a command similar to [code]satisfy all

and it doesnt work. i basically need a way to enforce user-agent AND IP. anyway i can do that thanks

jdMorgan

4:09 am on Feb 18, 2006 (gmt 0)

Hitman3266,

Welcome to WebmasterWorld!

Since all I see for bad UAs or IPs are Allow from directives, it's not clear what you want to do.

If you want to deny access from those IP addresses and deny access to anyone using that user-agent, then you need to use the Deny from directive, and make sure that your Order statement reflects the allow/deny priority resolution that you want.

See Apache mod_access [httpd.apache.org] for details.

Jim

Hitman3266

7:26 am on Feb 18, 2006 (gmt 0)

ok heres what i want to do, i have a game server, and everyone connects to it and downloads the update files. Now the user agent of is npgmup. So first i want to allow ONLY that user agent. Second, i have many people who connect and make it lag, so i want to allow friends only, so i want to add friends IP so they can play. So i need user-agent AND IP. i need both

Hitman3266

7:33 am on Feb 18, 2006 (gmt 0)

SetEnvIf User-Agent "^npgmup" badUA
Order Deny,Allow
Deny from all
Allow from env=badUA
Allow from 24.184.
Allow from 72.153.
Allow from 70.255.1
Allow from 4.238
Allow from 4.239
##-->Allow from 200.55.119.80
Allow from 70.247
Allow from 218.164
Allow from 196.203.
Allow from 151.
Allow from 65.2.
Allow from 218.164
Allow from 68.
Allow from 220.143
Allow from 85.145.
satisfy all

i need like this but i need SATISFY ALL and it doesnt work, i need like this

CHECK USER AGENT - Passed
CHECK IP ADRESS - Passed
Allow update

jdMorgan

7:30 pm on Feb 18, 2006 (gmt 0)

The problem is that Satisfy has no effect in the scope of mod_access; It is used to resolve authorization only between the "final results" of mod_access and mod_auth. That is, it works only between those two modules, and not within either one.

The solution is a bit tricky, because of the way that mod_access handles environment variables. Mod_access does not test the value of the variable, but only whether it exists. Combined with the requirement of using negative-true ORed logic (see DeMorgan's theorem), the solution is a bit complicated. The following should get you close, but it's not tested... beware of typos:


# Default to denying everyone
SetEnv bad_ua 1
SetEnv bad_ip 1
# Reset bad_ua envar if request from allowed user_agent
SetEnvIf User-Agent "^npgmup$" bad_ua=0
# Reset bad_ip envar if request from allowed ip address
SetEnvIf Remote_Addr "256.45.67.89" bad_ip=0
SetEnvIf Remote_Addr "256.56.78.90" bad_ip=0
...
SetEnvIf Remote_Addr "256.67.89.1" bad_ip=0
#
# *Define* variable getout if bad_ua=1 or bad_ip=1
SetEnvIf bad_ua 1 getout
SetEnvIf bad_ip 1 getout
#
# Declare precedence - Deny overrides Allow
Order Allow,Deny
# Default is allow from all
Allow from all
# Deny if variable getout is defined
Deny from getout

See Apache mod_access [httpd.apache.org] and mod_setenvif [httpd.apache.org]

Jim