
I'm trying to understand what's going on. If I add a single IP to my blacklist using

Require not ip xxx.xxx.xxx.xxx

It just works, Apache 2.4 throws a 403. Now I've tried to use the whole range and it still lets the request through. I used:

Require not ip xxx.xxx.xxx.1 xxx.xxx.xxx.255

Apache 2.4 returns 200 instead of 403. What am I doing wrong?

Thanks

Edit: Here's a simple test case from my local network.

Require not ip 192.168.1.180/192.168.1.185

Used a computer with IP 192.168.1.183, and it wasn't blocked at all.

Here's my httpd.conf; the IPs are in a separate blacklist.txt. Also, it works with a single IP, the issue is only related to a RANGE of IPs.

    <Directory "f:/root">
        Options Indexes FollowSymLinks
        AllowOverride All
        <LimitExcept GET POST HEAD>
        </LimitExcept>
        <RequireAll>
            Require all granted
            Include conf/blacklist.txt
        </RequireAll>
    </Directory>

Edit2: Did another test and it seems that the issue comes from using a blacklist + GEOIP. Blacklist alone works with xxx.xxx.xxx.0/xxx.xxx.xxx.255 but as soon as mod_geoip is active, the blacklist is ignored.

Here is my GEOIP config:

<IfModule geoip_module>
    GeoIPEnable On
    GeoIPEnableUTF8 On
    GeoIPOutput Env
    GeoIPScanProxyHeaders On
    GeoIPDBFile bin/GeoIP.dat MemoryCache
    SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
</IfModule>

Is there a way to have BOTH the blacklist and GEOIP working together?

Eric
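The directory block below is an added example, not configuration from the question or from any of the answers. It combines the two mechanisms the question uses, a static IP blacklist and the mod_geoip `BlockCountry` variable, inside one `<RequireAll>`: `Require not ip` takes full addresses, leading-octet prefixes, network/netmask pairs or CIDR blocks (it has no start/end range form), and `Require not env` from mod_authz_core denies requests for which `SetEnvIf` has set the variable. The path `f:/root` and the address range `192.168.1.180-185` are taken from the question; the exact CIDR split is the assumption being illustrated.

```apache
<Directory "f:/root">
    Options Indexes FollowSymLinks
    AllowOverride All
    <RequireAll>
        # Base policy: everybody is allowed, then individual "not" rules subtract.
        Require all granted

        # 192.168.1.180-185 expressed as CIDR blocks (not "a.b.c.d/a.b.c.d",
        # which Apache reads as network/netmask, not as a range).
        Require not ip 192.168.1.180/30 192.168.1.184/31

        # A whole /24 can still use the partial-address form or a netmask.
        Require not ip 10.9.8
        Require not ip 172.16.0.0/255.255.0.0

        # Deny when mod_geoip + SetEnvIf have marked the request, e.g.
        #   SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
        Require not env BlockCountry
    </RequireAll>
</Directory>
```

Two things to check when using this: `Require not` only works inside `<RequireAll>` (or `<RequireNone>`), so the wrapper is not optional; and `GeoIPScanProxyHeaders On` makes the country lookup trust `X-Forwarded-For`, which any client can set, so keep it off unless Apache sits behind a proxy you control that overwrites that header.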

3 Answers


Your IP range format is wrong. It should be as mentioned below.

Require not ip xxx.xxx.xxx.1/xxx.xxx.xxx.255
KNOWARTH
  • apache doc says: Require ip 192.168.1.104 192.168.1.205 or A network/netmask pair: Require ip 10.1.0.0/255.255.0.0 - will try anyway – Eric Aug 13 '14 at 19:29
  • Not working. Still returns 200 instead of 403 with xxx.xxx.xxx.1/xxx.xxx.xxx.255 – Eric Aug 19 '14 at 20:55
  • Can you mention which IP range you want to block and what are you putting in httpd.conf – KNOWARTH Aug 20 '14 at 04:33
  • This works but the issue is in fact from blacklist + GEOIP, post edited – Eric Sep 05 '14 at 15:25

OK, so I found the issue for real this time, haha. This is a WAMP server btw with Apache 2.4.10, not sure if relevant. The only way I could block an IP range is by blocking the entire range with:

Require not ip 192.168.1

which blocks the whole 192.168.1.0 to 192.168.1.255 block. If I tried

Require not ip xxx.xxx.xxx.0/xxx.xxx.xxx.255

it would in fact never work and would let the visitor pass through. For some reason along my tests, I thought it was related to GEOIP but it was not (not sure what I did).

I have never found a solution to only block a partial range unfortunately and tried pretty much everything. So I can live with it but the mystery isn't entirely solved...

Eric

While I know my answer is a little late, hopefully this helps someone else.

I'm pretty sure the easiest way to do IP ranges with Apache 2.4 is CIDR. You can look up "CIDR generator" on Google to set your specific ranges.

I used this one: http://www.ipaddressguide.com/cidr

For your original question I would try this instead of blocking the entire internal range.

Require not ip 192.168.1.180/30 192.168.1.184/31

Also, since the IP is specifically being entered, I'm pretty sure the GeoIP module has no effect.

David
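The script below is an added example, not code from the question or from any answer. It does two things the thread circles around: it turns a first/last address pair into the CIDR blocks David's answer recommends (the standard library's `ipaddress.summarize_address_range` does the splitting), and it emulates how Apache matches a `Require ip` argument, `client & mask == network & mask`, for the four documented forms (full address, 1-3 leading octets, network/netmask, network/CIDR). Running the question's own `192.168.1.180/192.168.1.185` through that emulation shows why it never blocked `.183`: the part after the slash is read as a dotted netmask, not as the end of a range. The emulation is written for this example and is IPv4-only; it is not Apache's own code.

```python
"""Generate and check Apache 2.4 'Require not ip' entries (added example)."""
import ipaddress
from typing import Iterable, List, Tuple


def parse_require_ip_entry(entry: str) -> Tuple[int, int]:
    """Turn one 'Require ip' argument into (network, mask) as 32-bit ints.

    Accepted forms (mod_authz_host docs): full address, partial address of
    1-3 leading octets, network/netmask, network/prefix-length.
    """
    if "/" in entry:
        net_str, mask_str = entry.split("/", 1)
        if mask_str.isdigit():
            bits = int(mask_str)
            if not 0 <= bits <= 32:
                raise ValueError(f"bad prefix length in {entry!r}")
            mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        else:
            # Dotted netmask, taken literally. "192.168.1.185" therefore becomes
            # an odd non-contiguous mask, not the last address of a range.
            mask = int(ipaddress.IPv4Address(mask_str))
        network = int(ipaddress.IPv4Address(net_str))
    else:
        octets = entry.split(".")
        if not 1 <= len(octets) <= 4 or not all(
            o.isdigit() and 0 <= int(o) <= 255 for o in octets
        ):
            raise ValueError(f"not an IPv4 address or prefix: {entry!r}")
        # Partial address: each missing trailing octet is a wildcard.
        bits = 8 * len(octets)
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        network = int(ipaddress.IPv4Address(padded))
    return network & mask, mask


def is_matched(client_ip: str, entries: Iterable[str]) -> bool:
    """True if any entry matches the client, i.e. 'Require not ip' would deny it.

    Note: Apache matches the TCP peer address, never X-Forwarded-For.
    """
    addr = int(ipaddress.IPv4Address(client_ip))
    return any(
        addr & mask == network
        for network, mask in map(parse_require_ip_entry, entries)
    )


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Minimal CIDR blocks covering first..last inclusive."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if start > end:
        raise ValueError(f"range start {first} is after end {last}")
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def require_not_ip_line(first: str, last: str) -> str:
    """One blacklist.txt line for the range, in the form Apache accepts."""
    return "Require not ip " + " ".join(range_to_cidrs(first, last))


if __name__ == "__main__":
    # Constructed input: the question's own test range and client address.
    print(require_not_ip_line("192.168.1.180", "192.168.1.185"))
    for entry in ("192.168.1.180/192.168.1.185",
                  "192.168.1.0/192.168.1.255",
                  "192.168.1"):
        print(f"{entry:30} blocks 192.168.1.183:",
              is_matched("192.168.1.183", [entry]))
```

Piping the output of `require_not_ip_line` into `conf/blacklist.txt` keeps the `Include` layout from the question; the emulator is only there to check a candidate entry against a client address before reloading Apache.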