6

I'd like to maintain a file which includes a list of IPs which are blocked from using a site. I understand Deny from can be used to achieve this (e.g. Deny from 127.0.0.1 10.0.0.1 some.other.ip.address).

However, I'd like an external file so that an individual who does not have access to the config can update a txt file with IPs, and this will then be included in the Deny from.

Does anyone have any recommendations on how this can be achieved? Any help is greatly appreciated.

r1901156
  • What about a list of files instead of a list of IPs in a file? Check it out and let me know what you think, because I am looking for feedback regarding this method: https://stackoverflow.com/a/63635959/2456038 – RafaSashi Aug 28 '20 at 14:43

6 Answers

9

Look at the Apache Include directive:

http://httpd.apache.org/docs/2.2/mod/core.html#include

You can create a separate configuration file containing your denied list and include it in any other configuration file, e.g. a site in sites-available. Example usage below:

In /etc/apache2/sites-enabled/yoursite.conf

<VirtualHost *:80>
...

Include /etc/apache2/sites-access/yoursite.conf

...
</VirtualHost>

In /etc/apache2/sites-access/yoursite.conf

order allow,deny
deny from 10.0.0.1
allow from all
William Greenly
  • Thanks for the reply, I gave that method a shot but I've found something odd. The include appears to be added and parsed, as entering nonsense in the include file will result in Apache complaining when testing the config; however, when adding deny froms in the include file they do not seem to be blocked, yet adding a deny from in an .htaccess file in the directory works perfectly. Not sure what could be causing this - any help is greatly appreciated. – r1901156 May 28 '12 at 08:35
  • The reason you do not see them being blocked is because Apache does not read config files when they change; you need to reload them. Apache does read .htaccess files on every directory access, so any changes made there take effect immediately. – Michel Nov 09 '14 at 07:32
3

Using a RewriteMap as the external IP address file works for a list of individual IP addresses:

RewriteEngine on
RewriteMap allowed "txt:${site_dir}/etc/allowed_ip_addresses"

UnsetEnv ALLOWED

RewriteCond ${allowed:%{REMOTE_ADDR}} 1
RewriteRule ^ - [E=ALLOWED]

<Location />
  Deny  from all
  Allow from env=ALLOWED
</Location>

Then allowed_ip_addresses contains lines like:

10.42.1.123      1
192.168.100.45   1

That maps allowed IP addresses to the value 1, and all other IP addresses to the empty string.

The RewriteCond looks up REMOTE_ADDR in the map, and if it's 1 then it sets an environment variable. UnsetEnv ensures that the variable is definitely unset otherwise.

Then Allow from only permits access when that environment variable has been set.

The external map file can have different filesystem permissions from your Apache config, and changes to it take effect immediately, without requiring a restart of Apache.

Smylers
2

This is not a real security method, but you can put this txt file in a shared directory and update the Apache config with a cron job...

Another method is with .htaccess:

order allow,deny
deny from 10.0.0.1
allow from all
chrvadala
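Both the Include answer above and the cron-job suggestion in this answer leave the regeneration step to the reader: something has to turn the plain text list into a file Apache will accept and, as the comment on the first answer notes, reload the server afterwards. The script below is an added example, not code from any answer on this page. It assumes Debian-style paths (/etc/apache2/sites-access/blocked_ips.txt as the list the non-admin edits, /etc/apache2/sites-access/yoursite.conf as the file the virtual host Includes, apache2ctl as the control command; all three are overridable and all are assumptions), and it emits the Apache 2.4 Require form inside a Location block rather than the 2.2 Order/Deny directives used in the answers (which 2.4 only accepts with mod_access_compat loaded). Every line is validated before it reaches the config, an invalid list is never deployed, and the server is only reloaded after configtest passes.

```shell
#!/bin/sh
# regen_deny.sh - rebuild an Apache access-control include from a plain text
# block list and reload the server. Added example; the file names below are
# assumptions, not from the answers:
#   $LIST  plain text, one IPv4 address or CIDR per line, '#' comments allowed,
#          writable by the person who maintains the block list
#   $CONF  the file the virtual host Includes; owned by root, never hand-edited
LIST=${BLOCKLIST_FILE:-/etc/apache2/sites-access/blocked_ips.txt}
CONF=${DENY_CONF:-/etc/apache2/sites-access/yoursite.conf}
APACHECTL=${APACHECTL:-apache2ctl}     # "apachectl" on non-Debian layouts

# valid_ipv4_entry ENTRY -> status 0 if ENTRY is a dotted-quad IPv4 address,
# optionally followed by /0-32. Runs in a subshell so the IFS and set -f
# changes stay local. Anything other than digits, dots and one slash is
# refused, so a stray "10.0.0.1 10.0.0.2" or "../x" line never reaches Apache.
valid_ipv4_entry() (
    entry=$1
    case $entry in ''|*[!0-9./]*) exit 1 ;; esac
    addr=${entry%%/*}
    prefix=${entry#*/}                 # equals $entry when there is no '/'
    if [ "$prefix" != "$entry" ]; then
        case $prefix in ''|*[!0-9]*) exit 1 ;; esac
        [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] || exit 1
    fi
    case $addr in ''|.*|*.|*..*) exit 1 ;; esac   # no empty octets
    set -f; IFS=.
    set -- $addr
    [ $# -eq 4 ] || exit 1
    for octet; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# build_deny_conf LISTFILE -> writes the Apache 2.4 fragment to stdout. Bad
# lines are reported on stderr and skipped, and the status is 1 if any line
# was bad, so the deploy step can refuse to ship a partial list.
build_deny_conf() {
    listfile=$1
    bad=0
    printf '%s\n' "# Generated from $listfile - edit the list, not this file" \
        '<Location "/">' '    <RequireAll>' '        Require all granted'
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')    # and whitespace/CRLF
        [ -n "$line" ] || continue
        if valid_ipv4_entry "$line"; then
            printf '        Require not ip %s\n' "$line"
        else
            printf 'skipping invalid block-list entry: %s\n' "$line" >&2
            bad=1
        fi
    done < "$listfile"
    printf '%s\n' '    </RequireAll>' '</Location>'
    return "$bad"
}

# Deploy step (run from cron as "regen_deny.sh --deploy"): generate into a
# temp file next to $CONF, swap it in, syntax-check the whole server config,
# and only reload if the check passes; otherwise put the previous include
# back. Without --deploy the script just defines the functions above.
if [ "${1:-}" = "--deploy" ]; then
    new=$(mktemp "$CONF.XXXXXX") || exit 1
    if ! build_deny_conf "$LIST" > "$new"; then
        echo "not deploying: $LIST has invalid entries" >&2
        rm -f "$new"; exit 1
    fi
    [ -f "$CONF" ] && cp -p "$CONF" "$CONF.bak"
    chmod 0644 "$new" && mv "$new" "$CONF"
    if "$APACHECTL" configtest; then
        "$APACHECTL" graceful
    else
        [ -f "$CONF.bak" ] && mv "$CONF.bak" "$CONF"
        exit 1
    fi
fi
```

A cron line such as `*/5 * * * * root /usr/local/sbin/regen_deny.sh --deploy` (path assumed) is enough: the list editor only needs write access to blocked_ips.txt, the generated include stays root-owned, and Require not ip accepts both single addresses and CIDR ranges, so the list can carry either.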
0
In Windows httpd.conf:

<Directory />
Include "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/deny.txt"
</Directory>

deny.txt contains:

Deny from xxx.xxx.xxx.xxx
etc.
0

I have a workaround using .htaccess, a folder and a list of files with the banned IP as title.

If the IP file in banned_ips exists then return the forbidden flag:

RewriteCond "%{DOCUMENT_ROOT}/banned_ips/%{HTTP:X-FORWARDED-FOR}" -f
RewriteRule .* - [F]

My example is for AWS CloudFront, but you can replace HTTP:X-FORWARDED-FOR with REMOTE_ADDR or any variable containing the visitor IP.

Alternatively you can use HTTP_HOST to keep a directory per site, like:

RewriteCond "%{DOCUMENT_ROOT}/banned_ips/%{HTTP_HOST}/%{REMOTE_ADDR}" -f
RewriteRule .* - [F]

This way you never need to update your .htaccess file, and you can even programmatically add IPs from honeypot lists or your own tracker.

Please let me know in the comment what you think about this method in terms of scalability and/or safety.

RafaSashi
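Since the answer asks for feedback on safety, here is the point a reviewer would raise, as an added example rather than the answer's own code: the RewriteCond turns a request header straight into a path, and X-Forwarded-For is whatever the client (or the proxies in between) sent. The helper below maintains the same "one file per banned address" directory, but refuses any value that is not a plain dotted-quad before it touches the filesystem, and shows how a proxy chain such as "198.51.100.9, 203.0.113.7" has to be reduced to one address first, because the raw header string never matches a file name. BAN_DIR is an assumption (the answer's banned_ips under the document root); taking the rightmost chain entry is only correct when a single trusted proxy is the only way to reach the server and always appends the connecting address.

```shell
#!/bin/sh
# banctl.sh - maintain the "one empty file per banned address" directory that
# the answer's RewriteCond -f test consults. Added example, not the answer's
# own code; BAN_DIR is an assumption.
BAN_DIR=${BAN_DIR:-/var/www/html/banned_ips}

# ban_name VALUE -> prints VALUE if it is safe to use as a file name under
# BAN_DIR: only digits and dots, no empty or doubled labels. This is a path
# safety check, not full IPv4 validation; what matters is that a
# client-supplied header such as "../../etc/passwd", an IPv6 literal with
# colons, or a comma-separated proxy chain can never become a path component.
ban_name() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    printf '%s\n' "$1"
}

# client_ip_from_xff HEADER -> the rightmost address of an X-Forwarded-For
# chain, i.e. the one appended by the proxy closest to the server. Only
# meaningful when that proxy is the sole way in and always appends the
# connecting address; a client can put anything it likes in earlier positions.
client_ip_from_xff() {
    last=${1##*,}
    printf '%s\n' "$last" | tr -d ' \t'
}

ban() {
    name=$(ban_name "$1") || { printf "refusing to ban '%s'\n" "$1" >&2; return 1; }
    mkdir -p "$BAN_DIR" && : > "$BAN_DIR/$name"
}

unban() {
    name=$(ban_name "$1") || return 1
    rm -f "$BAN_DIR/$name"
}

# is_banned VALUE -> the same decision the RewriteCond makes (does a file named
# after the address exist?), but behind the same name check, so a value the
# rewrite rule would happily test against the filesystem is rejected here.
is_banned() {
    name=$(ban_name "$1") || return 1
    [ -f "$BAN_DIR/$name" ]
}
```

On the Apache side the equivalent guard is a preceding RewriteCond on the header with a regex such as ^[0-9.]+$, so that only plain dotted-quad values are ever looked up. Two further points worth checking in a deployment of this scheme: a banned_ips directory under the document root is itself web-reachable unless access to it is denied, which would expose the ban list, and when the server can be reached without going through the proxy, X-Forwarded-For should not be trusted at all and REMOTE_ADDR used instead.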
0

From Apache httpd version 2.3.6 and later, you can use the directive

IncludeOptional /etc/myfilewithrequireip.conf

See https://httpd.apache.org/docs/2.4/mod/core.html#includeoptional

Using Include is also possible, but an error will be reported if the conf file does not exist.

eldy