A user is somehow avoiding an IP block in Apache 2.2/2.4, and I cannot figure out how. The company I work for hosts hundreds of sites in different datacenters; this user is attacking several of the sites we host.

Depending on the datacenter, the user comes in with their IP in the remote_addr or X-Forwarded-For fields. We maintain two lists of "bad actors" in a file, keyed on their IP address in either the remote_addr or X-Forwarded-For fields, and this file is included in the apache.conf. The lines look like either

SetEnvIf X-Forwarded-For 41\.216\.xxx\.xxx BlockedBot

or

SetEnvIf Remote_Addr 41\.216\.xxx\.xxx BlockedBot

We then have the following in our apache.conf, near the bottom:
<Location />
    <IfVersion < 2.4>
        AuthType none
        Require valid-user
        Satisfy any
        Order Deny,Allow
        Deny from env=BlockedBot
        Deny from env=EmptyHost
    </IfVersion>
    <IfVersion >= 2.4>
        <RequireAll>
            Require all granted
            Require not env BlockedBot
            Require not env EmptyHost
        </RequireAll>
    </IfVersion>
</Location>
My problem is, after putting this bad actor's IP in both files and making sure they were both included, his requests still come through fine. To double-check, I used curl with the bad actor's IP in the X-Forwarded-For field, and it correctly blocks my request:

curl --header "X-Forwarded-For: 41.216.xxx.xxx" www.testexample.com/images/fpo/check-14aca5cd1a.png

The bad actor issuing the same exact request with his IP in the XFF field gets through with a 200 status code, no problem. How is this possible?
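An offline way to check what a SetEnvIf block list actually does to a given request, added here as an example and not part of the question or of Apache itself. It parses SetEnvIf lines of the shape shown above, applies them the way mod_setenvif does (header names compared case-insensitively, the regex searched anywhere in the value rather than anchored), and then evaluates the 2.4 `<RequireAll>` block: the request is allowed only if neither BlockedBot nor EmptyHost was set. The rules and requests are constructed samples using RFC 5737 documentation addresses; the setter for EmptyHost is not shown in the question, so it is only honoured on the decision side here.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of the block-list file described in the question.
# Addresses are from the RFC 5737 documentation ranges, not real ones.
BLOCK_RULES = r"""
SetEnvIf X-Forwarded-For 203\.0\.113\.45 BlockedBot
SetEnvIf Remote_Addr 203\.0\.113\.45 BlockedBot
SetEnvIf Remote_Addr 198\.51\.100\.7 BlockedBot
"""

# SetEnvIf <attribute> <regex> <envvar>  (the only form used in the question)
RULE_RE = re.compile(r"^\s*SetEnvIf\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_rules(text: str) -> List[Tuple[str, "re.Pattern[str]", str]]:
    """Turn SetEnvIf lines into (attribute, compiled regex, env var) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        attr, pattern, envvar = m.groups()
        # Attribute names (Remote_Addr, header names) are case-insensitive.
        rules.append((attr.lower(), re.compile(pattern), envvar))
    return rules


def apply_setenvif(rules, remote_addr: str, headers: Dict[str, str]) -> Set[str]:
    """Return the set of environment variables the rules would set."""
    env: Set[str] = set()
    hdrs = {k.lower(): v for k, v in headers.items()}
    for attr, pat, envvar in rules:
        value = remote_addr if attr == "remote_addr" else hdrs.get(attr)
        if value is None:
            continue  # a missing header never matches, so nothing is set
        # mod_setenvif does an unanchored search, so "203.0.113.45, 10.0.0.5"
        # (proxy-appended XFF list) still matches the plain-IP pattern.
        if pat.search(value):
            env.add(envvar)
    return env


def require_all_decision(env: Set[str],
                         denied_vars: Tuple[str, ...] = ("BlockedBot", "EmptyHost")) -> bool:
    """Mirror of the 2.4 block: 'all granted' AND 'not env X' for each X."""
    return not any(v in env for v in denied_vars)


def is_allowed(rules, remote_addr: str, headers: Dict[str, str]) -> bool:
    """True if the request would be served, False if the Location block denies it."""
    return require_all_decision(apply_setenvif(rules, remote_addr, headers))


RULES = parse_rules(BLOCK_RULES)

if __name__ == "__main__":
    # Constructed requests in the two shapes the datacenters produce.
    samples = [
        ("203.0.113.45", {}),                                   # direct hit
        ("10.0.0.1", {"X-Forwarded-For": "203.0.113.45"}),      # behind a proxy
        ("10.0.0.1", {"x-forwarded-for": "203.0.113.45, 10.0.0.5"}),
        ("10.0.0.1", {"X-Forwarded-For": "198.51.100.9"}),      # not listed
    ]
    for addr, hdrs in samples:
        print(addr, hdrs, "->", "allowed" if is_allowed(RULES, addr, hdrs) else "denied")
```

Running the same harness against each datacenter's real block file, with the remote address and headers as they arrive at that node, shows quickly whether a given request shape is even reaching a matching rule before looking at vhost or `<Location>` ordering.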