2

I am having trouble with blocking an IP in .htaccess

I've put

Require not ip 192.168.20.218

It works, but it blocks the entire network instead of blocking a single IP.

Can somebody solve this issue?

I am running on Apache 2.4 using Ubuntu 14.04.3 LTS

UPDATE: scenario is like this, I am using IP 192.168.20.218 on my computer, I am trying to do a test to block this IP address, I tried:

<RequireAll> 
Require all granted 
Require not ip 192.168.20.218 
</RequireAll>

Which is supposed to block my access, but instead it's still allowing me to access the page. If I take out the Require all granted it blocks the entire network.

MrWhite
  • Regarding your update... "Something" is not quite right here!? I would say the most probable cause of this failing (and still allowing access) is that the IP you're "blocking" is not the IP that your web server sees when you access your site. (?) If you take out `Require all granted` it will indeed block the "entire network" - in fact, it will block _everything_. – MrWhite Dec 13 '17 at 00:48

2 Answers

4

You can't use a negated directive by itself in order to authorize access. As noted in the documentation:

The result of the Require directive may be negated through the use of the not option. As with the other negated authorization directive <RequireNone>, when the Require directive is negated it can only fail or return a neutral result, and therefore may never independently authorize a request.

You would need to do something like the following instead:

<RequireAll>
Require all granted
Require not ip 192.168.20.218
</RequireAll>

So, you allow everyone and exclude a particular IP address.

The <RequireAll> container, as its name suggests, requires that all contained directives must be satisfied.

MrWhite
  • Even this won't work: Require all granted Require not ip 192.168.20.218 – Raffy Singidas Bandrang Dec 12 '17 at 22:05
  • This doesn't work either; instead, this "Require all granted" allows access from all IPs, including the said IP address <192.168.20.218>, even though I put "Require not ip" – Raffy Singidas Bandrang Dec 12 '17 at 22:21
  • You need the `<RequireAll>` wrapper. What does it do? Block _everyone_ again? Is this in the `.htaccess` file in the document root of your site? Any other directives? All caches cleared? – MrWhite Dec 12 '17 at 22:22
  • I already did the same, Require all granted Require not ip 192.168.20.218 - still this one won't work. Do I need to do something in the apache.conf? Or the site-enabled/000-default.conf? – Raffy Singidas Bandrang Dec 12 '17 at 22:34
  • "What does it do?" / In what way does it not work? Your question implies that `.htaccess` files are enabled and mod_authz_core is enabled (it should be as it's compiled into a default Apache build) - otherwise your initial directive wouldn't have blocked access. (However, if you have access to the server config then you probably shouldn't be using `.htaccess`.) – MrWhite Dec 12 '17 at 22:40
  • MrWhite - the scenario is like this: I am using IP 192.168.20.218 on my computer, I am trying to do a test to block the IP address, I tried the code Require all granted Require not ip 192.168.20.218, and still it allows me to access the page. If I take out the "Require all granted" it blocks the entire network. – Raffy Singidas Bandrang Dec 12 '17 at 23:09
  • The document root is /var/www/html, the htaccess is located in the folder /var/www/html/folder, there are no other directives, no caches active, mod_file_cache is disabled >>>>> Is this in the .htaccess file in the document root of your site? Any other directives? All caches cleared? – MrWhite 1 hour ago – Raffy Singidas Bandrang Dec 12 '17 at 23:40
  • And the URL you are requesting includes `/folder`? – MrWhite Dec 13 '17 at 00:39
  • I guess I know what the problem is. I cannot use the "Require not ip". When I check the IP address while browsing my application, it comes from one IP address, "192.168.10.1", which is the gateway. It doesn't come from a unique IP address – Raffy Singidas Bandrang Dec 13 '17 at 01:18
  • That would imply your application is on a different network? `192.168.x.x` are all internal IP addresses. If your application is on "the public internet" (for example) then your application will only see the _external_ (public) IP address of your gateway when any machine on the LAN accesses your application. (`192.168.10.1` is the LAN side of your gateway, not the external IP address.) – MrWhite Dec 13 '17 at 08:47
0

I had this problem. I forgot I had an nginx reverse proxy in place. The IP coming into Apache was the reverse proxy IP from nginx. Instead, I had to set a custom header in the reverse proxy containing the true IP, and then check this header in .htaccess instead of checking the IP.
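
A simplified Python model of the granted/denied/neutral results described in the documentation quoted above, added here as an example (it is not Apache's code and not from either answer). The function names and the 192.168.20.50 client are constructed; the model shows why a lone negated `Require` admits nobody, why the `<RequireAll>` form works, and why the rule never fires when the server sees the gateway or proxy address instead of the client's.

```python
import ipaddress
from enum import Enum

class Authz(Enum):
    GRANTED = 1
    DENIED = 2
    NEUTRAL = 3

def require_all_granted(client_ip):
    return Authz.GRANTED                      # "Require all granted"

def require_ip(spec):
    net = ipaddress.ip_network(spec, strict=False)
    def check(client_ip):                     # "Require ip <spec>"
        hit = ipaddress.ip_address(client_ip) in net
        return Authz.GRANTED if hit else Authz.DENIED
    return check

def negate(check):
    # "Require not ...": a match fails, a non-match is only neutral.
    def negated(client_ip):
        return Authz.DENIED if check(client_ip) is Authz.GRANTED else Authz.NEUTRAL
    return negated

def require_all(*checks):
    # <RequireAll>: any failure fails; otherwise at least one success is needed.
    def container(client_ip):
        results = [c(client_ip) for c in checks]
        if Authz.DENIED in results:
            return Authz.DENIED
        return Authz.GRANTED if Authz.GRANTED in results else Authz.NEUTRAL
    return container

def allowed(rule, seen_ip):
    # A neutral end result never authorizes the request.
    return rule(seen_ip) is Authz.GRANTED

bare = negate(require_ip("192.168.20.218"))
wrapped = require_all(require_all_granted, bare)

def demo():
    # Constructed cases: the address is what the web server sees, not what the client has.
    seen = {"blocked host, direct": "192.168.20.218",
            "other host, direct": "192.168.20.50",
            "blocked host via gateway": "192.168.10.1"}
    return {k: (allowed(bare, ip), allowed(wrapped, ip)) for k, ip in seen.items()}

if __name__ == "__main__":
    for case, (bare_ok, wrapped_ok) in demo().items():
        print(f"{case:26} bare={bare_ok!s:5} wrapped={wrapped_ok}")
```

The last case is the one from the comments: the rule is correct, but the address it is evaluated against is the gateway's, so the intended client is never matched.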