Apache 2.4 require not ip range not working (blacklist ignored when GEOIP active)

I'm trying to understand what's going on. If I add a single IP to my blacklist using

Require not ip xxx.xxx.xxx.xxx

It just works, Apache 2.4 throws a 403. Now I've tried to use the whole range and it still lets the request go through. I used:

Require not ip xxx.xxx.xxx.1 xxx.xxx.xxx.255

Apache 2.4 returns 200 instead of 403. What am I doing wrong?

Thanks

Edit: Here's a simple test case from my local network.

Require not ip 192.168.1.180/192.168.1.185

Used a computer on IP 192.168.1.183, and it wasn't blocked at all.

Here's my httpd.conf; the IPs are in a separate blacklist.txt. Also, it works with a single IP; the issue is only related to a RANGE of IPs.

    <Directory "f:/root">
        Options Indexes FollowSymLinks
        AllowOverride All
        <LimitExcept GET POST HEAD>
        </LimitExcept>
        <RequireAll>
            Require all granted
            # blacklist.txt holds the "Require not ip ..." lines
            Include conf/blacklist.txt
        </RequireAll>
    </Directory>

Edit2: Did another test and it seems that the issue comes from using a blacklist + GEOIP. Blacklist alone works with xxx.xxx.xxx.0/xxx.xxx.xxx.255 but as soon as mod_geoip is active, the blacklist is ignored.

Here is my GEOIP config:

    <IfModule geoip_module>
        GeoIPEnable On
        GeoIPEnableUTF8 On
        GeoIPOutput Env
        GeoIPScanProxyHeaders On
        GeoIPDBFile bin/GeoIP.dat MemoryCache
        SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
    </IfModule>

Is there a way to have BOTH the blacklist and GEOIP working together?

Eric asked Aug 13 '14 00:08


2 Answers

Your IP range format is wrong. It should be as mentioned below.

Require not ip xxx.xxx.xxx.1/xxx.xxx.xxx.255
KNOWARTH answered Sep 27 '22 23:09


Ok so found the issue for real this time haha. This is a WAMP server btw with Apache 2.4.10, not sure if relevant. The only way I could block an IP range is by blocking the entire range with:

Require not ip 192.168.1

which blocks the whole 192.168.1.0 to 192.168.1.255 block. If I tried

Require not ip xxx.xxx.xxx.0/xxx.xxx.xxx.255

it would in fact never work and would let the visitor pass through. For some reason along my tests, I thought it was related to GEOIP, but it was not (not sure what I did).

I have never found a solution to only block a partial range unfortunately and tried pretty much everything. So I can live with it but the mystery isn't entirely solved...

Eric answered Sep 28 '22 00:09
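The partial range the thread never managed to block can still be expressed in a form mod_authz_host understands: its `ip` provider accepts full addresses, partial addresses (like the `192.168.1` that worked above) and network/CIDR or network/netmask blocks, but not a `low/high` pair. Any inclusive range can be covered exactly by a handful of CIDR blocks. The following is an added example, not code from the thread; it takes the range from the question (192.168.1.180 to 192.168.1.185), emits the `Require not ip` lines for blacklist.txt, and re-parses them to check which client addresses would be denied.

```python
import ipaddress

# Range from the question, used here as constructed test input.
QUESTION_RANGE = ("192.168.1.180", "192.168.1.185")


def range_to_blocks(first, last):
    """Split an inclusive address range into the CIDR blocks that cover it
    exactly. Works for IPv4 and IPv6; both ends must be the same family."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    if start.version != end.version or start > end:
        raise ValueError("need two addresses of one family, lowest first")
    return list(ipaddress.summarize_address_range(start, end))


def require_not_ip_lines(first, last):
    """Render the blocks as `Require not ip` lines for blacklist.txt.
    A block holding a single address is written as a bare address."""
    lines = []
    for block in range_to_blocks(first, last):
        if block.num_addresses == 1:
            spec = str(block.network_address)
        else:
            spec = block.with_prefixlen
        lines.append(f"Require not ip {spec}")
    return lines


def is_denied(client_ip, lines):
    """Re-parse the generated lines and report whether client_ip matches
    any of them, i.e. whether that client would get a 403."""
    client = ipaddress.ip_address(client_ip)
    for line in lines:
        spec = line.split()[-1]
        net = ipaddress.ip_network(spec, strict=False)
        if client.version == net.version and client in net:
            return True
    return False


if __name__ == "__main__":
    lines = require_not_ip_lines(*QUESTION_RANGE)
    print("\n".join(lines))  # 192.168.1.180/30 and 192.168.1.184/31
    for ip in ("192.168.1.179", "192.168.1.183", "192.168.1.186"):
        print(ip, "denied" if is_denied(ip, lines) else "allowed")
```

Paste the printed lines into blacklist.txt in place of the `low/high` line; the check function only mirrors Apache's matching for plain address and CIDR specs, so verify with a real request from a client inside the range.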