1

I've been trying for ages to get this to work and I can't put my finger on it. What I'm trying to do is block access to a site from a number of countries, based on the CF-IPCountry header added by CloudFlare. I figured htaccess was a suitable way to do this.

We are running LiteSpeed 4.2.4 on top of DirectAdmin for a control panel.

The problem we're having is the htaccess rule doesn't seem to do anything.

Here's the rule we tried:

```apache
SetEnvIf CF-IPCountry AU UnwantedCountry=1
Order allow,deny
Deny from env=UnwantedCountry
Allow from all
```

That makes no difference at all, connections are still accepted. Just to check that the rule was at least being processed, I changed `Allow from all` to `Deny from all`, and connections were refused. So it appears to be a problem with the variable.

Here are the relevant headers that come in with the request.

```
Connection: Keep-Alive
Accept-Encoding: gzip
CF-Connecting-IP: xx.xx.xx.xx
CF-IPCountry: AU
X-Forwarded-For: xx.xx.xx.xx.xx
CF-RAY: c9062956e2d04b6
X-Forwarded-Proto: http
CF-Visitor: {"scheme":"http"}
Zone-Name: xx.com.au
```

Hopefully someone can help me out, this has been driving me nuts for too long.

Thanks

Update

I've now enabled rewrite logging by adding RewriteLogLevel 9 to the virtual host.

Initially I ran the test with all my other htaccess rules, which are quite extensive for this site. I could see the various matches all being logged, so I know logging was working right.

I stripped my htaccess down to bare bones just to test this case, so I had the following in my htaccess:

```apache
SetEnvIf CF-IPCountry AU UnwantedCountry=1
Order allow,deny
Deny from env=UnwantedCountry
Allow from all
```

With just that in my htaccess, there's no log output at all, which says to me it's simply not matching the rules I'm guessing. I verified again that "CF-IPCountry: AU " is present in the headers.

neekster
  • 113
  • 1
  • 5
  • I would suggest enabling logging for `mod_rewrite` and see how the rules are evaluated. Not sure about your versions but [RewriteLog](http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewritelog) for Apache 2.2 or [logging](http://httpd.apache.org/docs/current/mod/mod_rewrite.html#logging) for Apache 2.4. I guess it works the same for LiteSpeed since it should be compatible with Apache configs. Note that this has to be set in the main config. – Qben Nov 06 '13 at 10:45
  • Thanks Qben, I'll look into this and see if I can get some logs. Litespeed seems to use RewriteLog so should be easy enough to get working, I'll post more when I have it. – neekster Nov 06 '13 at 15:04
  • I've just added logging and updated my question. On another note I might try in a few days when we have a maintenance window moving Litespeed out the way and testing Apache to see if it's a Litespeed quirk. – neekster Nov 06 '13 at 16:19
  • I must admit that I was totally wrong in regards to the logging I suggested. `SetEnvIf` is not part of `mod_rewrite` but rather `mod_setenvif` hence you will not see this in your `RewriteLog`. Sorry about that, I was simply hooked on the `htaccess` part and did not think. You do have `mod_setenvif` enabled? – Qben Nov 07 '13 at 06:34
  • What is the value of `AllowOverride` in your httpd.conf? It must at least allow the `Limit` directive in order for this to work. – Jenny D Nov 07 '13 at 10:32
  • Thanks for the above. Qben, I'll bet good money I don't have mod_setenvif enabled, had no idea that was a requirement. But I don't need to check because your RewriteRule worked perfectly, you're a legend. I will check out of curiosity if that module was enabled though. Jenny, thanks for the suggestion, I did test before and I don't think that was a problem. – neekster Nov 07 '13 at 10:52
  • As a final update to this, turns out Litespeed does not support mod_setenvif, which explains everything. Their suggestion was indeed to use RewriteRule. – neekster Nov 07 '13 at 12:15
  • @neekster I'm glad it worked! mod_rewrite may carry some little extra overhead compared to mod_setenvif, but since the latter doesn't exist then mod_rewrite is obviously better for you :-) – Jenny D Nov 07 '13 at 15:56

1 Answer

6

As an alternative to using `SetEnvIf` you could do this with a `RewriteRule` as well.

```apache
RewriteCond %{HTTP:CF-IPCountry} ^(AU|SE)$
RewriteRule ^ - [F,L]
```

This would block AU and SE users.

Qben
  • 248
  • 4
  • 9
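
The rule from the answer with the missing-header case handled, as an added example that is not part of the original answer. It assumes all legitimate traffic to this host arrives through CloudFlare, so a request without `CF-IPCountry` is refused instead of skipping the country check; `RewriteEngine On` is included in case the file does not already enable it.

```apache
# Added example, not from the original answer.
RewriteEngine On

# %{HTTP:CF-IPCountry} reads the request header of that name.
# ^...$ makes the match exact; [NC] also accepts a lower-case value.
# AU and SE are the country codes used in the answer.
RewriteCond %{HTTP:CF-IPCountry} ^(AU|SE)$ [NC]
# "-" means no substitution; [F] answers 403 Forbidden.
RewriteRule ^ - [F,L]

# Assumption: every legitimate request reaches this host through CloudFlare.
# A missing header expands to an empty string, so the rule above does not
# match it. Refuse such requests too, otherwise they pass unchecked.
RewriteCond %{HTTP:CF-IPCountry} ^$
RewriteRule ^ - [F,L]
```

Checking for the header only covers requests where it is absent. Its value can be relied on only if the origin accepts connections from CloudFlare alone, which is enforced at the firewall or virtual host rather than in htaccess.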