Posted to users@httpd.apache.org by Scott Pettit <sc...@pettit.net.nz> on 2004/09/12 05:50:05 UTC

[users@httpd] Environment Variables / Allow Directives

Hi,

I have a file which is updated daily on my web server which contains a
listing of all the IP subnets in New Zealand.

It looks like:
129.223.0.0/19
129.223.123.0/24
129.223.96.0/19
130.123.0.0/16
130.123.0.0/24
130.195.0.0/16
130.195.0.0/24
and so on.

What I want to do is use this file to limit access to a virtual host to
users from New Zealand only (international bandwidth costs are
horrendous).

I've figured I need to make a directive like this:
<Directory />
 Options FollowSymlinks
 Order Deny,Allow
 Deny from all
 Allow from env=NZIP
</Directory>

But how can I set up an env which reads this file each time someone
creates a connection and denies them if their IP address isn't in that
file?

I realise I could put all of the subnets on the end of the Allow from
part, but there's a few thousand to go in there and it needs to be kept
up to date.

I have tried using mod_geoip from maxmind.com, but it didn't work very
well.

Any help would be much appreciated.

-- 

Scott Pettit
scott@pettit.net.nz

Be who you are and say what you feel, because those who mind don't
matter, and those who matter don't mind.
-Dr. Seuss


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
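
An added example, not part of the original thread: one way to keep a few thousand subnets current in the "Allow from" form mentioned above is to regenerate the directives from the daily file, merging nested entries such as 130.123.0.0/24 inside 130.123.0.0/16. The sample data is constructed from the lines quoted in the post; the function names and the MIN_PREFIX guard are assumptions of this sketch.

```python
import ipaddress

# Constructed sample in the format shown in the post: one IPv4 CIDR per line.
SAMPLE = """\
129.223.0.0/19
129.223.123.0/24
129.223.96.0/19
130.123.0.0/16
130.123.0.0/24
130.195.0.0/16
130.195.0.0/24
"""

# Assumed safety threshold: a stray "0.0.0.0/0" in the feed would open the
# virtual host to everyone, so very short prefixes are rejected.
MIN_PREFIX = 8


def load_networks(text):
    """Parse one CIDR per line, ignoring blank lines.

    Any malformed entry raises ValueError so that a damaged daily update
    never silently replaces a known-good access list.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {raw!r}: {exc}") from None
        if net.prefixlen < MIN_PREFIX:
            raise ValueError(f"line {lineno}: {net} is broader than /{MIN_PREFIX}")
        nets.append(net)
    if not nets:
        raise ValueError("no networks found; refusing to emit an empty list")
    return nets


def allow_directives(text):
    """Return 'Allow from' lines with nested and adjacent subnets merged."""
    merged = ipaddress.collapse_addresses(load_networks(text))
    return [f"Allow from {net}" for net in merged]


if __name__ == "__main__":
    print("\n".join(allow_directives(SAMPLE)))
```

The output can be written to a file (for example a hypothetical conf/nz-allow.conf) that the <Directory> block pulls in with Include in place of the env=NZIP line, followed by a graceful restart after each daily update.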


Re: [users@httpd] Environment Variables / Allow Directives

Posted by Nick Kew <ni...@webthing.com>.
On Sun, 12 Sep 2004, Scott Pettit wrote:

> I have tried using mod_geoip from maxmind.com, but it didn't work very
> well.

Didn't work very well?

The whole concept *cannot* work very well.  Matching IP addresses to
geographic locations simply doesn't work.  It has a long history of
failure - e.g. when I had two ISPs back in about '96/97, Lycos was
notorious for guessing where I was and serving me different languages
depending on which ISP I used.

Having said that, what you're asking looks a lot like RBL-based access.
So if you were to set up dnscache locally and hack your ip data file
to blacklist foreign addresses, that would have the same effect.  Just
don't put the cache anywhere something on the system will go and use
it for 'normal' DNS lookup.

-- 
Nick Kew
