Re: [users@httpd] Access control with source IP addresses

[MegaBrutal <me...@gmail.com>]

2014-11-21 12:48 GMT+01:00 Rainer M. Canavan <ra...@sevenval.com>:
>
> On Nov 21, 2014, at 08:48 , Bu Xiaobing <bu...@ewellsoft.com> wrote:
>
>> Hi All,
>>
>> I want to do the httpd URL access control through visitors' IP addresses as the following :
>>
>> all source IP address can visit  ^/action.php?login
>> and only specified IP addresses can visit ^/action.php?manage
>>
>> Anyone can give me some advises?
>
> You've probably noticed that the usual mechanisms like Directory, Location and
> LocationMatch don't evaluate the query string. You'll probably have to
> use a RewriteRule preceded by
>
> RewriteCond %{QUERY_STRING} manage
>
> or something similar, in combination with
>
> <Location /action.php>
>  Allow From IP.IP.IP.IP
> </Location

It also worth to clarify the Apache version in question, as it's a
major change between 2.2 and 2.4 that Allow, Deny directives got
deprecated, and should be updated to Require. Some recent Linux
distros and FreeBSD already ship 2.4, so I think it's time to get
familiar with its features and caveats.

I know the question is how to solve access control in Apache, but in
this particular case I'd also consider to make the distinction at
PHP-level. Most PHP-based websites do that and don't rely on the web
server config to do proper access control.

Be prepared to also account for IPv6 addresses, if your web server
also serves over IPv6.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Access control with source IP addresses

[Bu Xiaobing <bu...@ewellsoft.com>]

Hi MegaBrutal,

Thansk for your answer, the version of our installed apache httpd is 
2.2.15-39.el6.centos.

We already did the access control on the PHP side, and we also want to 
do this on the apache httpd side to protect our website.


Bu Xiaobing

On 2014-12-1 21:20, MegaBrutal wrote:
> 2014-11-21 12:48 GMT+01:00 Rainer M. Canavan <ra...@sevenval.com>:
>> On Nov 21, 2014, at 08:48 , Bu Xiaobing <bu...@ewellsoft.com> wrote:
>>
>>> Hi All,
>>>
>>> I want to do the httpd URL access control through visitors' IP addresses as the following :
>>>
>>> all source IP address can visit  ^/action.php?login
>>> and only specified IP addresses can visit ^/action.php?manage
>>>
>>> Anyone can give me some advises?
>> You've probably noticed that the usual mechanisms like Directory, Location and
>> LocationMatch don't evaluate the query string. You'll probably have to
>> use a RewriteRule preceded by
>>
>> RewriteCond %{QUERY_STRING} manage
>>
>> or something similar, in combination with
>>
>> <Location /action.php>
>>   Allow From IP.IP.IP.IP
>> </Location
> It also worth to clarify the Apache version in question, as it's a
> major change between 2.2 and 2.4 that Allow, Deny directives got
> deprecated, and should be updated to Require. Some recent Linux
> distros and FreeBSD already ship 2.4, so I think it's time to get
> familiar with its features and caveats.
>
> I know the question is how to solve access control in Apache, but in
> this particular case I'd also consider to make the distinction at
> PHP-level. Most PHP-based websites do that and don't rely on the web
> server config to do proper access control.
>
> Be prepared to also account for IPv6 addresses, if your web server
> also serves over IPv6.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org