Develop Reference

Complex Apache Limit/SetEnvIf, allow all from domain except for IP

I have the following .htaccess:
<Limit GET POST>
SetEnvIf Host www.livedomain.com allow
SetEnvIf Remote_Addr 1.1.1.1 allow
SetEnvIf Remote_Addr 2.2.2.2 allow
SetEnvIf Remote_Addr 3.3.3.3 allow
Order deny,allow
Deny from all
Allow from env=allow
</Limit>
This .htaccess is used on two domains. On www.livedomain.com I want everyone access. On www.stagingdomain.com I only want the IPs 1.1.1.1, 2.2.2.2, 3.3.3.3 to have access.
This works fine.
Now, on the live site, I want to make a change to allow everyone except one IP (let's say 9.9.9.9).
I've tried doing something like this:
<Limit GET POST>
SetEnvIf Host www.livedomain.com allow
SetEnvIf Remote_Addr 9.9.9.9 deny
SetEnvIf Remote_Addr 1.1.1.1 allow
SetEnvIf Remote_Addr 2.2.2.2 allow
SetEnvIf Remote_Addr 3.3.3.3 allow
Order deny,allow
Deny from all
Allow from env=allow
</Limit>
But this doesn't work. I would have thought the env variable was overwritten with 'deny' and then the final Allow statement wouldn't apply. Is this not the case?
What's the simplest way to allow everyone from the one domain except one IP in this case?

You should use !varname to unset or remove an already defined variable:
<Limit GET POST>
SetEnvIf Host www.livedomain.com allow
SetEnvIf Remote_Addr 9.9.9.9 !allow
SetEnvIf Remote_Addr 1.1.1.1 allow
SetEnvIf Remote_Addr 2.2.2.2 allow
SetEnvIf Remote_Addr 3.3.3.3 allow
Order deny,allow
Deny from all
Allow from env=allow
</Limit>
Read more about SetEnvIf here

My conf looks a bit different but works as expected:
SetEnvIf Host staging.mydomain.tld passreq
SetEnvIf Remote_Addr 1.1.1.1 !passreq
AuthType Basic
AuthName "Password Required"
AuthUserFile /home//html/.htpasswd
Require valid-user
Order allow,deny
Allow from all
Deny from env=passreq
Satisfy any

how to block ip address of country

I've the following code to block single ip address in htaccess and it works fine
SetEnvIF X-Forwarded-For 182.65.209.192 DenyIP
Order allow,deny
Deny from env=DenyIP
Allow from all
Now I want to block country ip addresses from visiting my site.
I tried this but not works
SetEnvIF X-Forwarded-For 37.230.192.0/19 DenyIP
and
SetEnvIF X-Forwarded-For 37.230.192.[0-19] DenyIP
instead of
SetEnvIF X-Forwarded-For 182.65.209.192 DenyIP
How to block the ip range or subnet ip (for ex: 37.230.192.0/19)?

SetEnvIF use regex:
http://httpd.apache.org/docs/current/en/mod/mod_setenvif.html#setenvif
You can use:
SetEnvIF X-Forwarded-For ^37\.230\.192\.[01][0-9]?$ DenyIP

You can't match against CIDR address ranges, you need to use a regular expression. You want something like this:
SetEnvIF X-Forwarded-For 37\.230\.(19[2-9]|2[01][0-9]|22[0-3])\.[0-9]+ DenyIP
SetEnvIf Remote_Addr 37\.230\.(19[2-9]|2[01][0-9]|22[0-3])\.[0-9]+ DenyIP
SetEnvIF X-Forwarded-For 37\.230\.2[23][0-9]\.[0-9]+ DenyIP
SetEnvIf Remote_Addr 37\.230\.2[23][0-9]\.[0-9]+ DenyIP

SetEnvIf not working on specific URL

I've got a password protected site, and I'm trying to allow a specific URL through so that it works for a Payment callback. The site is built using CakePHP.
The below works great however the Allow from env=allow is just not being taken into account (I've tried with my own IP address too). The setenvif mod is enabled in Apache and the other "Allow from" lines work fine. FYI it's running on Ubuntu on EC2. I've also searched on the site for similar issues and solutions but to no avail.
I've checked the $_SERVER global array in PHP for the "allow" environment variable and it exists so running out of ideas. Any help would be much appreciated!
SetEnvIf Request_URI ^/secure_trading/callback allow=1
SetEnvIf Request_URI ^/secure_trading/callback$ allow=1
SetEnvIf Request_URI "/secure_trading/callback" allow=1
SetEnvIf Request_URI "/app/weboot/secure_trading/callback" allow=1
AuthName "Protected"
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /var/www/domain.co.uk/.htpasswd
Order deny,allow
Satisfy Any
Deny from all
Allow from 127.0.0.1
Allow from env=allow
require valid-user
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^$ app/webroot/ [L]
RewriteRule (.*) app/webroot/$1 [L]
</IfModule>

GeoIP and Ontario Canada?

I've had several users from Ontario, Canada contact me and saying they can't access my site. Using the GeoIP Module in my htaccess file I have allowed Canada. Any idea what might be causing this?
Here's my entry in the htaccess file
<IfModule mod_geoip.c>
GeoIPEnable On
# US - United States
# CA - Canada
SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE CA AllowCountry
Deny from all
Allow from env=AllowCountry
</IfModule>
The interesting thing is if I do the opposite, they have access like so:
<IfModule mod_geoip.c>
GeoIPEnable On
SetEnvIf GEOIP_COUNTRY_CODE NG BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RO BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE VN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE GH BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE SN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE TN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE IN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE KE BlockCountry
Deny from env=BlockCountry
</IfModule>
Any idea what might be happening?

Don't trust geographical informations picked up by IP addresses. There are high possibilities that the information associated to the IP is not valid or get outdated quickly.
IP addresses can be dynamically routed, the client user could come via a proxy or tunnel, and so on.

Have .htaccess ask for password depending on domain name

We have several domain name aliases all pointing to the same server and directory (just aliases).
But I'd like to password-protect (htaccess) the site when people come from certain domain names.
Thanks

You can do this using SetEnvIf and <IfDefine>:
SetEnvIfNoCase Host ^www\.example\.com$ host_a
SetEnvIfNoCase Host ^www\.example\.org$ host_b
SetEnvIfNoCase Host ^www\.example\.net$ host_c
<IfDefine host_a>
…
</IfDefine>
<IfDefine host_b>
…
</IfDefine>
<IfDefine host_c>
…
</IfDefine>