Posted to users@httpd.apache.org by Navindra Umanee <na...@cs.mcgill.ca> on 2003/11/16 05:30:35 UTC
[users@httpd] Host Deny with mod_rewrite
Hi,
According to http://httpd.apache.org/docs-2.0/misc/rewriteguide.html
I can deny external host access to Apache with the following example
config:
RewriteEngine on
RewriteMap hosts-deny txt:/path/to/hosts.deny
RewriteCond ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND
RewriteRule ^/.* - [F]
This is very convenient because I can edit the hosts.deny file and the
changes take effect immediately without having to reload Apache
(useful for scripts too). However, %{REMOTE_HOST} or %{REMOTE_ADDR}
have to match the key *exactly* for the denial to take effect.
How can I use this approach to deny access on a domain basis or IP
subnet basis? For example, I'd like "123.45.67 -" in the RewriteMap
to deny access to any IP that matches "123.45.67.*". With the current
approach I would need 255 keys in the RewriteMap to match everything
under 123.45.67.
Thanks,
Navin.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Host Deny with mod_rewrite
Posted by Joshua Slive <jo...@slive.ca>.
On Sun, 16 Nov 2003, Navindra Umanee wrote:
> Joshua Slive <jo...@slive.ca> wrote:
> > On Sun, 16 Nov 2003, Navindra Umanee wrote:
> > > I switched temporarily to using <Limit>
> >
> > I hope you aren't actually using the <Limit> directive. If so, please
> > check the docs for the reasons it shouldn't be there.
>
> I already have a RewriteRule that denies everything except
> GET/HEAD/POST and the Limit itself denies POST for certain matches, so
> I figure it's okay.
Yes, it sounds like that is a valid use of <Limit>. But you would be a
little safer if you used <LimitExcept GET> (which also excludes HEAD).
That way you won't have any nasty surprises if your RewriteRule
accidentally malfunctions.
> Not really sure how. Say I have:
>
> <Limit POST>
> order allow,deny
> allow from all
>
> deny from 127.0.0.1
> </Limit>
>
> Now say I want to deny from 127.0.0.1 iff X-Proxy-IP is set to a
> certain value (and log that value... but that's another story)?
I don't think that is a very good example, because it is trivial to do
that with ONLY mod_rewrite. Perhaps what you want to say is "suppose I
have a long list of IPs that I want to deny only if X-Proxy-IP is set to a
certain value".
Yes, that can get a little complicated. You can try something like this:
RewriteCond %{HTTP:X-Proxy-IP} a.certain.value
RewriteRule (.*) /protected/$1 [PT]
Alias /protected /usr/local/apache2/htdocs
<Location /protected>
<LimitExcept GET>
Order allow,deny
...
To be frank, I'm not sure if that will work or not.
Joshua.
Re: [users@httpd] Host Deny with mod_rewrite
Posted by Navindra Umanee <na...@cs.mcgill.ca>.
Joshua Slive <jo...@slive.ca> wrote:
> On Sun, 16 Nov 2003, Navindra Umanee wrote:
> > I switched temporarily to using <Limit>
>
> I hope you aren't actually using the <Limit> directive. If so, please
> check the docs for the reasons it shouldn't be there.
I already have a RewriteRule that denies everything except
GET/HEAD/POST and the Limit itself denies POST for certain matches, so
I figure it's okay.
> > but it is not as convenient
> > since I can't seem to use .htaccess with mod_proxy, and furthermore I
> > can't do other tests like I can with RewriteCond before denying access
> > (eg, looking at X-Proxy-* environment vars...)
>
> .htaccess only affects the filesystem (like <Directory>) so it doesn't
> apply to proxy requests.
Indeed, that's unfortunate.
> You can, of course, combine mod_access directives with mod_rewrite
> directives. Just be careful about it.
Not really sure how. Say I have:
<Limit POST>
order allow,deny
allow from all
deny from 127.0.0.1
</Limit>
Now say I want to deny from 127.0.0.1 iff X-Proxy-IP is set to a
certain value (and log that value... but that's another story)?
Thanks,
Navin.
Re: [users@httpd] Host Deny with mod_rewrite
Posted by Joshua Slive <jo...@slive.ca>.
On Sun, 16 Nov 2003, Navindra Umanee wrote:
> I switched temporarily to using <Limit>
I hope you aren't actually using the <Limit> directive. If so, please
check the docs for the reasons it shouldn't be there.
> but it is not as convenient
> since I can't seem to use .htaccess with mod_proxy, and furthermore I
> can't do other tests like I can with RewriteCond before denying access
> (eg, looking at X-Proxy-* environment vars...)
.htaccess only affects the filesystem (like <Directory>) so it doesn't
apply to proxy requests.
You can, of course, combine mod_access directives with mod_rewrite
directives. Just be careful about it.
Joshua.
Re: [users@httpd] Host Deny with mod_rewrite
Posted by Navindra Umanee <na...@cs.mcgill.ca>.
Joshua Slive <jo...@slive.ca> wrote:
> Hmmm... Tricky problem. Perhaps you would be better off writing yourself
> a custom module based on mod_access, rather than doing extremely fancy
> things with mod_rewrite.
Thanks for the hint Joshua!
I switched temporarily to using <Limit> but it is not as convenient
since I can't seem to use .htaccess with mod_proxy, and furthermore I
can't do other tests like I can with RewriteCond before denying access
(eg, looking at X-Proxy-* environment vars...)
> That is completely untested. And it will only catch /24 subnets and
> second-level domains. You could, of course, expand it further along the
> same lines.
Thanks again.
Cheers,
Navin.
Re: [users@httpd] Host Deny with mod_rewrite
Posted by Joshua Slive <jo...@slive.ca>.
On Sat, 15 Nov 2003, Navindra Umanee wrote:
> How can I use this approach to deny access on a domain basis or IP
> subnet basis? For example, I'd like "123.45.67 -" in the RewriteMap
> to deny access to any IP that matches "123.45.67.*". With the current
> approach I would need 255 keys in the RewriteMap to match everything
> under 123.45.67.
Hmmm... Tricky problem. Perhaps you would be better off writing yourself
a custom module based on mod_access, rather than doing extremely fancy
things with mod_rewrite.
But it may be possible. I'd try something along these lines.
RewriteEngine on
RewriteMap hosts-deny txt:/path/to/hosts.deny
# %N always refers to the last RewriteCond that matched, so a second
# pattern would overwrite the subnet capture. Capture both in one pattern:
# %1 = first three octets of the address, %2 = last two labels of the host.
RewriteCond %{REMOTE_ADDR}/%{REMOTE_HOST} ^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+/(?:.*\.)?([^.]+\.[^.]+)$
RewriteCond ${hosts-deny:%1|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond ${hosts-deny:%2|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND
RewriteRule ^/.* - [F]
That is completely untested. And it will only catch /24 subnets and
second-level domains. You could, of course, expand it further along the
same lines.
Joshua.
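An offline model of the lookup chain in the rule above, added here as an example and not part of the thread or of mod_rewrite itself. It parses a txt: map the way mod_rewrite reads one (one "key value" pair per line, "#" comments and blank lines skipped, first key wins), derives the four keys the RewriteCond chain would look up for a given REMOTE_ADDR/REMOTE_HOST pair (the /24 prefix, the second-level domain, the exact host, the exact address), and reports which key causes the denial. The hosts.deny content is constructed for the example; it lets you check a deny list against sample clients before deploying it, which answers the original question of why 256 exact-match keys are otherwise needed.

```python
import re

# Constructed sample of a "txt:" RewriteMap. The value is irrelevant to the
# rule (it only tests that the key exists), so "-" is used as a filler.
HOSTS_DENY = """\
# exact address
123.45.67.89   -
# whole /24 written as the first three octets, as the thread proposes
198.51.100     -
# exact host and a second-level domain
crawler.example.net   -
badguys.example   -
"""


def parse_txt_map(text):
    """Parse the txt: RewriteMap format into a dict; the first occurrence of a key wins."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a line without a value is treated as absent (assumption)
        table.setdefault(parts[0], parts[1])
    return table


def candidate_keys(remote_addr, remote_host):
    """Keys the RewriteCond chain looks up, in order: /24 prefix of the
    address, last two labels of the host name, exact host, exact address."""
    keys = []
    m = re.match(r"^([0-9]+\.[0-9]+\.[0-9]+)\.", remote_addr)
    if m:
        keys.append(m.group(1))
    m = re.search(r"([^.]+\.[^.]+)$", remote_host)
    if m:
        keys.append(m.group(1))
    keys.append(remote_host)
    keys.append(remote_addr)
    return keys


def is_denied(table, remote_addr, remote_host):
    """Return the first key that hits the deny map, or None if the request passes."""
    for key in candidate_keys(remote_addr, remote_host):
        if key in table:
            return key
    return None


if __name__ == "__main__":
    table = parse_txt_map(HOSTS_DENY)
    for addr, host in [("198.51.100.7", "198.51.100.7"),
                       ("123.45.67.89", "host.isp.example"),
                       ("203.0.113.5", "bot.badguys.example"),
                       ("203.0.113.5", "ok.example.org")]:
        print(addr, host, "->", is_denied(table, addr, host) or "allowed")
```

Two caveats the model makes visible: when HostnameLookups is off, %{REMOTE_HOST} is just the address again, so the "domain" key degenerates to the last two octets (the first sample line shows this), and a reverse-DNS name is supplied by whoever controls the client's PTR record, so domain keys are only as trustworthy as the lookup behind them; the address-based keys do not have that problem.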