Posted to users@httpd.apache.org by Navindra Umanee <na...@cs.mcgill.ca> on 2003/11/16 05:30:35 UTC

[users@httpd] Host Deny with mod_rewrite

Hi,

According to http://httpd.apache.org/docs-2.0/misc/rewriteguide.html

I can deny external host access to Apache with the following example
config:

RewriteEngine on
RewriteMap    hosts-deny  txt:/path/to/hosts.deny
RewriteCond   ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond   ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND
RewriteRule   ^/.*  -  [F]

This is very convenient because I can edit the hosts.deny file and the
changes take effect immediately without having to reload Apache
(useful for scripts too).  However, %{REMOTE_HOST} or %{REMOTE_ADDR}
have to match the key *exactly* for the denial to take effect.

How can I use this approach to deny access on a domain basis or IP
subnet basis?  For example, I'd like "123.45.67 -" in the RewriteMap
to deny access to any IP that matches "123.45.67.*".  With the current
approach I would need 255 keys in the RewriteMap to match everything
under 123.45.67.

Thanks,
Navin.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Host Deny with mod_rewrite

Posted by Joshua Slive <jo...@slive.ca>.
On Sun, 16 Nov 2003, Navindra Umanee wrote:

> Joshua Slive <jo...@slive.ca> wrote:
> > On Sun, 16 Nov 2003, Navindra Umanee wrote:
> > > I switched temporarily to using <Limit>
> >
> > I hope you aren't actually using the <Limit> directive.  If so, please
> > check the docs for the reasons it shouldn't be there.
>
> I already have a RewriteRule that denies everything except
> GET/HEAD/POST and the Limit itself denies POST for certain matches, so
> I figure it's okay.

Yes, it sounds like that is a valid use of <Limit>.  But you would be a
little safer if you used <LimitExcept GET> (which also excludes HEAD).
That way you won't have any nasty surprises if your RewriteRule
accidentally malfunctions.

> Not really sure how.  Say I have:
>
>         <Limit POST>
>                 order allow,deny
>                 allow from all
>
>                 deny from 127.0.0.1
>         </Limit>
>
> Now say I want to deny from 127.0.0.1 iff X-Proxy-IP is set to a
> certain value (and log that value... but that's another story)?

I don't think that is a very good example, because it is trivial to do
that with ONLY mod_rewrite.  Perhaps what you want to say is "suppose I
have a long list of IPs that I want to deny only if X-Proxy-IP is set to a
certain value".

Yes, that can get a little complicated.  You can try something like this:

# only requests carrying the header value are re-routed under /protected
RewriteCond %{HTTP:X-Proxy-IP} a.certain.value
RewriteRule ^/(.*) /protected/$1 [PT]

# /protected maps back onto the normal document root, but carries its own
# access rules for every method other than GET
Alias /protected /usr/local/apache2/htdocs
<Location /protected>
<LimitExcept GET>
Order allow,deny
...

To be frank, I'm not sure if that will work or not.

Joshua.

Re: [users@httpd] Host Deny with mod_rewrite

Posted by Navindra Umanee <na...@cs.mcgill.ca>.
Joshua Slive <jo...@slive.ca> wrote:
> On Sun, 16 Nov 2003, Navindra Umanee wrote:
> > I switched temporarily to using <Limit>
> 
> I hope you aren't actually using the <Limit> directive.  If so, please
> check the docs for the reasons it shouldn't be there.

I already have a RewriteRule that denies everything except
GET/HEAD/POST and the Limit itself denies POST for certain matches, so
I figure it's okay.

> > but it is not as convenient
> > since I can't seem to use .htaccess with mod_proxy, and furthermore I
> > can't do other tests like I can with RewriteCond before denying access
> > (eg, looking at X-Proxy-* environment vars...)
> 
> .htaccess only affects the filesystem (like <Directory>) so it doesn't
> apply to proxy requests.

Indeed, that's unfortunate.

> You can, of course, combine mod_access directives with mod_rewrite
> directives.  Just be careful about it.

Not really sure how.  Say I have:

        <Limit POST>
                order allow,deny
                allow from all

                deny from 127.0.0.1
        </Limit>

Now say I want to deny from 127.0.0.1 iff X-Proxy-IP is set to a
certain value (and log that value... but that's another story)?

Thanks,
Navin.


Re: [users@httpd] Host Deny with mod_rewrite

Posted by Joshua Slive <jo...@slive.ca>.
On Sun, 16 Nov 2003, Navindra Umanee wrote:
> I switched temporarily to using <Limit>

I hope you aren't actually using the <Limit> directive.  If so, please
check the docs for the reasons it shouldn't be there.

> but it is not as convenient
> since I can't seem to use .htaccess with mod_proxy, and furthermore I
> can't do other tests like I can with RewriteCond before denying access
> (eg, looking at X-Proxy-* environment vars...)

.htaccess only affects the filesystem (like <Directory>) so it doesn't
apply to proxy requests.

You can, of course, combine mod_access directives with mod_rewrite
directives.  Just be careful about it.

Joshua.

Re: [users@httpd] Host Deny with mod_rewrite

Posted by Navindra Umanee <na...@cs.mcgill.ca>.
Joshua Slive <jo...@slive.ca> wrote:
> Hmmm... Tricky problem.  Perhaps you would be better off writing yourself
> a custom module based on mod_access, rather than doing extremely fancy
> things with mod_rewrite.

Thanks for the hint Joshua!

I switched temporarily to using <Limit> but it is not as convenient
since I can't seem to use .htaccess with mod_proxy, and furthermore I
can't do other tests like I can with RewriteCond before denying access
(eg, looking at X-Proxy-* environment vars...)

> That is completely untested.  And it will only catch /24 subnets and
> second-level domains.  You could, of course, expand it further along the
> same lines.

Thanks again.

Cheers,
Navin.

Re: [users@httpd] Host Deny with mod_rewrite

Posted by Joshua Slive <jo...@slive.ca>.
On Sat, 15 Nov 2003, Navindra Umanee wrote:
> How can I use this approach to deny access on a domain basis or IP
> subnet basis?  For example, I'd like "123.45.67 -" in the RewriteMap
> to deny access to any IP that matches "123.45.67.*".  With the current
> approach I would need 255 keys in the RewriteMap to match everything
> under 123.45.67.

Hmmm... Tricky problem.  Perhaps you would be better off writing yourself
a custom module based on mod_access, rather than doing extremely fancy
things with mod_rewrite.

But it may be possible.  I'd try something along these lines.

RewriteEngine on
RewriteMap    hosts-deny  txt:/path/to/hosts.deny
# %N is taken from the last matched RewriteCond, so each derived key needs
# its own condition set and its own [F] rule.
# /24 prefix of the client address (key like "123.45.67")
RewriteCond   %{REMOTE_ADDR} ^([0-9]+\.[0-9]+\.[0-9]+)\.
RewriteCond   ${hosts-deny:%1|NOT-FOUND} !=NOT-FOUND
RewriteRule   ^/.*  -  [F]
# second-level domain of the client host (key like "example.com")
RewriteCond   %{REMOTE_HOST} ([^.]+\.[^.]+)$
RewriteCond   ${hosts-deny:%1|NOT-FOUND} !=NOT-FOUND
RewriteRule   ^/.*  -  [F]
# exact host or address keys, as in the original example
RewriteCond   ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond   ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND
RewriteRule   ^/.*  -  [F]

That is completely untested.  And it will only catch /24 subnets and
second-level domains.  You could, of course, expand it further along the
same lines.

Joshua.
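An added example, not part of the thread: a small Python model of the lookup that the RewriteMap config in the first post and Joshua's extended version perform, so a hosts.deny txt map can be checked against a client's address and hostname before relying on it in Apache. The map content, the helper names and the assumption that REMOTE_HOST falls back to the IP when HostnameLookups is off are all mine.

```python
import re

# Constructed sample of a RewriteMap "txt:" file: one "key value" pair per
# line; blank lines and "#" comments are ignored. The deny rules only test
# whether a key exists, so the value is irrelevant ("-" by convention).
HOSTS_DENY_TXT = """\
# exact address, exact host, /24 prefix and second-level domain keys
192.0.2.10            -
crawler.example.net   -
198.51.100            -
example.org           -
"""

def parse_txt_map(text):
    """Parse a txt: map into a dict the way mod_rewrite reads it."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries[parts[0]] = parts[1] if len(parts) > 1 else ""
    return entries

def deny_keys(remote_addr, remote_host):
    """Keys the rewrite config derives from REMOTE_ADDR and REMOTE_HOST."""
    keys = [remote_addr, remote_host]
    m = re.match(r"^([0-9]+\.[0-9]+\.[0-9]+)\.", remote_addr)
    if m:
        keys.append(m.group(1))      # /24 prefix, e.g. "198.51.100"
    m = re.search(r"([^.]+\.[^.]+)$", remote_host)
    if m:
        keys.append(m.group(1))      # last two labels, e.g. "example.org"
    return keys

def is_denied(hosts_deny, remote_addr, remote_host=None):
    """True when any derived key is in the map, i.e. the [F] rule would fire."""
    # With HostnameLookups Off, Apache reports REMOTE_HOST as the IP address,
    # so the "domain" regex then yields the last two octets (e.g. "2.10"):
    # avoid map keys that look like that, or they will match unintentionally.
    if remote_host is None:
        remote_host = remote_addr
    return any(key in hosts_deny for key in deny_keys(remote_addr, remote_host))
```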
