Posted to users@tomcat.apache.org by Aaron Brown <ab...@bzzagent.com> on 2007/12/06 16:23:24 UTC

Tomcat and Apache Deny rules

I've been trying to block the litefinder malicious bot which scours our site
every day and tries to access pages with the incorrect case, thus causing
crazy amounts of errors to get thrown.

We have an Apache 2.2.4 front end using mod_jk to load balance against 9
Tomcat instances on 6 separate machines.

I have an .htaccess file that blocks based on user agent along with some
known ip addresses for the bot.  This works correctly for all static
content.  That is, when I change my browser's user agent to "litefinder",
and access the site, I am denied all gif, jpg, css, js, etc files.  However,
all the dynamic content is passed on to Tomcat without honoring the rules in
.htaccess, thus not solving my problem.

My question is basically, how do I/can I make Apache enforce my deny rules
even for JkMount'ed data?  If you need more info, I'm happy to provide.

Thanks!
Aaron 

==========================

Here is the .htaccess file in my webroot:

#block litefinder malicious crawler
SetEnvIfNoCase User-Agent LiteFinder stayout=1
Order Allow,deny
Allow from all
Deny from env=stayout
Deny from 208.101.44.3
Deny from 209.160.65.42
Deny from 209.62.109.178
Deny from 216.40.220.34
Deny from 216.40.222.50
Deny from 216.40.222.66
Deny from 216.40.222.82
Deny from 216.40.222.98
Deny from 67.19.114.226
Deny from 67.19.250.26
Deny from 70.85.113.242
Deny from 74.53.243.226
Deny from 74.53.243.242
Deny from 74.53.244.18
Deny from 74.53.249.34
Deny from 74.86.209.74
Deny from 74.86.249.98
Deny from 75.125.18.178
Deny from 75.125.47.162
Deny from 75.125.52.146
Deny from 84.19.176.208
Deny from 87.118.118.111
Deny from 87.118.98.57
Deny from 87.118.98.62

Here is the relevant section from my httpd.conf

<VirtualHost ****:80>
    DocumentRoot ****
    ServerName *****
    JkMount /jkstatus/* status
    JkMount /* v3lb
    JkMount /captcha/Captcha.jpg v3lb
    JkUnMount /member/bzzmap/*.xml v3lb
    JkUnMount /member/bzzmap/*.swf v3lb
    JkUnMount /manager/* v3lb
    JkUnMount /images/* v3lb
    JkUnMount /awstats/* v3lb
    JkUnMount /img/* v3lb
    JkUnMount /js/* v3lb
    JkUnMount /*.gif v3lb
    JkUnMount /*.png v3lb
    JkUnMount /*.pdf v3lb
    JkMount /captcha/* v3lb
    JkUnMount /member/campaigns/*.jpg v3lb
    JkUnMount /*.css v3lb
    JkUnMount /*.html v3lb
    JkUnMount /*.mov v3lb
    JkUnMount /*.wmv v3lb
    JkUnMount /*.rm v3lb
    JkUnMount /*.ram v3lb
    #JkUnMount /*.swf v3lb
    JkUnMount /*.mpeg v3lb
    JkUnMount /*.mpg v3lb
    JkUnMount /*.mp3 v3lb
    JkUnMount /*.xml v3lb
    JkMount /dwr v3lb
    ErrorLog logs/www.error_log
    CustomLog logs/www.access_log combined
</VirtualHost>


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat and Apache Deny rules

Posted by Martin Gainty <mg...@hotmail.com>.
Also suggest LocationMatch, which uses regular expressions:
http://httpd.apache.org/docs/1.3/mod/core.html#location

Fred, .htaccess is a nix technology, although the workaround of specifying
AccessFileName seems to work.
It seems under (non-cygwin) NTFS any filename starting with . is set to
'system file handler'.

HTH
M--
----- Original Message -----
From: "Aaron Brown" <ab...@bzzagent.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Thursday, December 06, 2007 1:11 PM
Subject: Re: Tomcat and Apache Deny rules


> After extensive searching, I actually found my answer in the archive
> here....I needed to put the deny rules in a <Location> tag in httpd.conf
> rather than VirtualHost, Directory, or .htaccess.
>
> Thanks everyone,
> Aaron
>
> On 12/6/07 12:32 PM, "fredk2" <fr...@gmail.com> wrote:
>
> >
> >
> > Hi,
> >
> > Any reasons as to why not set the directives in the httpd.conf instead of
> > .htaccess ?
> > .htaccess only matters to requests for the directory it is in.
> >
> > Fred




Re: Tomcat and Apache Deny rules

Posted by Aaron Brown <ab...@bzzagent.com>.
After extensive searching, I actually found my answer in the archive
here....I needed to put the deny rules in a <Location> tag in httpd.conf
rather than VirtualHost, Directory, or .htaccess.

Thanks everyone,
Aaron

On 12/6/07 12:32 PM, "fredk2" <fr...@gmail.com> wrote:

> 
> 
> Hi,
> 
> Any reasons as to why not set the directives in the httpd.conf instead of
> .htaccess ?
> .htaccess only matters to requests for the directory it is in.
> 
> Fred


-------------------------------------------------------
Aaron Brown, Systems Engineer
BzzAgent, Inc. | www.bzzagent.com
abrown@bzzagent.com | 617.451.2280
-------------------------------------------------------
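
The fix described in the message above, written out as an added example (it is not a configuration posted by anyone in the thread). <Location> matches on the request URL rather than on a filesystem directory, so it applies to requests that mod_jk forwards to Tomcat as well as to static files. The block reuses the thread's own VirtualHost, worker name and first two addresses; the curl host and path are placeholders.

```apache
# Added example, Apache 2.2 syntax (the thread runs 2.2.4).
<VirtualHost ****:80>
    DocumentRoot ****
    ServerName *****

    # Existing JkMount / JkUnMount lines stay exactly as they are.
    JkMount /* v3lb

    # Flag the crawler by User-Agent, case-insensitively.
    SetEnvIfNoCase User-Agent LiteFinder stayout=1

    # Evaluated against the URL path, so it covers JkMount'ed URLs
    # and files served from DocumentRoot alike.
    <Location />
        Order Allow,Deny
        Allow from all
        Deny from env=stayout
        Deny from 208.101.44.3
        Deny from 209.160.65.42
        # ... remaining "Deny from" addresses from the .htaccess file
    </Location>
</VirtualHost>

# Apache 2.4 expresses the same policy with mod_authz_core:
#   <Location />
#       <RequireAll>
#           Require all granted
#           Require not env stayout
#           Require not ip 208.101.44.3
#       </RequireAll>
#   </Location>

# Check after a reload (host and path are placeholders):
#   curl -s -o /dev/null -w '%{http_code}\n' -A LiteFinder http://<host>/<dynamic-path>
# A 403 for a Tomcat-served URL, not only for a .gif or .css file,
# confirms the rule is enforced before the request reaches mod_jk's worker.
```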


Re: Tomcat and Apache Deny rules

Posted by fredk2 <fr...@gmail.com>.
Hi,

Any reasons as to why not set the directives in the httpd.conf instead of
.htaccess ?
.htaccess only matters to requests for the directory it is in.

Fred

-- 
View this message in context: http://www.nabble.com/Tomcat-and-Apache-Deny-rules-tf4956657.html#a14196976
Sent from the Tomcat - User mailing list archive at Nabble.com.

