htaccess deny from lasts nine numbers - .htaccess

I have a little question,
how can I use deny from on my .htaccess to deny connection from:
111.111.111.11* ?
I tried to use * and *.* but it didn't work.
I would like to deny all addresses from
111.111.111.110
to
111.111.111.119
Any ideas?

I think you'll need to use SetEnvIf, like so:
SetEnvIf Remote_Addr ^111\.111\.111\.11[0-9]$ GetOut=1
Order allow,deny
Allow from all
Deny from env=GetOut
See the docs for SetEnvIf and a document about Access Control with a similar example.

Deny from doesn't take a regex, but you can use mod_rewrite to that effect:
RewriteEngine On
# anchored so that only the ten addresses .110-.119 match
RewriteCond %{REMOTE_ADDR} ^111\.111\.111\.11[0-9]$
RewriteRule ^ - [F]

Related

Create new .htaccess file to deny

Let me start by saying I am new to creating an htaccess file. I want to deny certain IPs from access to our site. I created this and I am looking for validation that this is correct. I know that there is no advanced redirect page within this as I am not sure how to accomplish that yet. I am more concerned that this snippet would work to block IPs. Thanks in advance for any and all help.
#.htaccess
DirectoryIndex index.htm
#deny list
order allow,deny
allow from all
deny from xxx.xxx.xxx.xxx
deny from yyy.yyy.yyy.yyy
Looks good to me, assuming you're on Apache 2.2. To block individual visitors, you can use the following directives:
Order Allow,Deny
Allow from all
Deny from 123.123.123.123
Instead of blocking visitors, you can redirect them to another location. Here's how to do it using Apache's mod_rewrite:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^123\.123\.123\.123$
RewriteRule .* https://www.google.com [R=301,L]
</IfModule>
See also: https://htaccessbook.com/block-ip-address/
Alternatively, try this to block a range of IPs (here 10.0.8.0-10.0.8.21):
RewriteEngine On
# anchored with $ so that 10.0.8.22-10.0.8.255 are not matched as well
RewriteCond %{REMOTE_ADDR} ^10\.0\.8\.([0-9]|1[0-9]|2[01])$
# for a single address use e.g.: RewriteCond %{REMOTE_ADDR} ^12\.34\.56\.78$
RewriteRule .* https://www.google.com [L,R=301]
If you are on Apache 2.4, this link from the htaccess book shows the differences between 2.2 and 2.4: https://htaccessbook.com/access-control-apache-2-4/
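Added example (not from either answer above, and not from the htaccess book): the same two ranges, 111.111.111.110-119 from the first thread and 10.0.8.0-10.0.8.21 from this one, written for Apache 2.4's mod_authz_core/mod_authz_host. Both ranges are decomposed into CIDR blocks, so no regex (and no chance of a missing anchor) is involved; the commented Require expr line is the regex fallback for a range that does not fall on CIDR boundaries.

```apache
# Apache 2.4 (.htaccess or <Directory>): block two address ranges.
# Ranges expressed as CIDR blocks, checked by hand:
#   111.111.111.110-119 = 111.111.111.110/31 (.110-.111) + 111.111.111.112/29 (.112-.119)
#   10.0.8.0-10.0.8.21  = 10.0.8.0/28 (.0-.15) + 10.0.8.16/30 (.16-.19) + 10.0.8.20/31 (.20-.21)
<RequireAll>
    # the positive grant; "Require not" on its own is not allowed
    Require all granted
    Require not ip 111.111.111.110/31 111.111.111.112/29
    Require not ip 10.0.8.0/28 10.0.8.16/30 10.0.8.20/31
    # regex fallback for ranges that do not align to CIDR; anchor both ends:
    # Require expr "%{REMOTE_ADDR} !~ /^111\.111\.111\.11[0-9]$/"
</RequireAll>
```

Require not is only valid inside a RequireAll that also contains a positive grant, hence the Require all granted line. Once you switch, remove any Order/Allow/Deny lines from the same scope: on 2.4 those come from mod_access_compat and are evaluated separately from the Require rules, which makes the combined result hard to reason about.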

.htaccess allow from REMOTE_HOST

I'm trying to set up an .htaccess file that will restrict access to a specific file, unless the request has come from the same server.
Here's what I expected to work (but it doesn't seem to):
<Files /some/secret/cron.php>
Order deny,allow
Deny from all
Allow from %{REMOTE_HOST}
</Files>
In this instance I can't just hard code the IP address of the server, as it changes/rolls over to other servers throughout the day.
You cannot use %{REMOTE_HOST} in Allow from. Use it in a mod_rewrite rule like this:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !=11.22.33.44
RewriteRule cron\.php$ - [F,NC]
Replace 11.22.33.44 with your IP address.
You might try this:
# anchored, with the dots escaped, so 127.0.0.10 or 127.0.0.100 do not match
SetEnvIf Remote_Addr "^127\.0\.0\.1$" Allowed=1
# <Files> in .htaccess matches the file name only, not a path
<Files "cron.php">
Order deny,allow
Deny from all
Allow from env=Allowed
</Files>
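Added example, not part of either answer: the Apache 2.4 form of the same restriction. Two details differ from the snippets above: a Files section in an .htaccess file matches the file name rather than a path, and the local provider covers "came from this server" without hard-coding an address.

```apache
# Apache 2.4: only the server itself may fetch cron.php over HTTP.
# Give <Files> the base name; a path such as /some/secret/cron.php never matches in .htaccess.
<Files "cron.php">
    # "local" matches 127.0.0.0/8, ::1, and any connection whose client
    # address equals the address the server accepted it on.
    Require local
</Files>
```

Require local holds when the script is fetched by the box it lives on, not when another server in the pool calls it; for that case you are back to listing addresses with Require ip. Behind a proxy or load balancer REMOTE_ADDR is the proxy, and X-Forwarded-For is client-controlled, so do not build this check on that header. If the job only ever runs from cron, invoking it through the PHP CLI (php /some/secret/cron.php) keeps it off the web entirely.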

htaccess: block specific IPs, then allow only partial site access

I manage a website and I have a list of banned IPs, like this:
order allow,deny
deny from xxx.xxx.xxx.xxx
deny from yyy.yyy.yyy.yyy
etc...
allow from all
So far so good.
Now, it has been decided that only some specific files&folders should be public,
and ALL the rest should be private.
What I did is as follows: at the bottom of the banned IPs list, I added this in
order to block everything:
Order allow,deny
deny from All
Then, in order to allow access to the public stuff I added:
<FilesMatch foo.html>
order deny,allow
</FilesMatch>
<FilesMatch bar.jpg>
order deny,allow
</FilesMatch>
AND, inside the folders that need public access, I added a specific .htaccess like this:
satisfy any
Order allow,deny
Allow from all
BUT the problem now is that the IPs banned by the root .htaccess have access to
these public files, whereas we would like to have them banned from everything.
Combining IP-specific Denys with Deny from all does not make sense – the latter encompasses every specific one already.
You will have to set Deny from all for your non-public files and folders specifically.
This might be easier using mod_rewrite rules. Consider this code:
RewriteEngine On
# ban all the IP addresses you want here
RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx|yyy\.yyy\.yyy\.yyy)$
RewriteRule ^ - [F,L]
# ban everything except the few allowed files/folders here
# (anchored at the root, so /private/folder1/ is not accidentally public)
RewriteCond %{REQUEST_URI} !^/(foo\.html|bar\.jpg|folder1/|folder2/) [NC]
RewriteRule ^ - [F,L]
This should be placed in the root .htaccess, and make sure to remove all other .htaccess files from the sub-folders.
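Added example, not the answerer's code: the same policy (ban list applied everywhere, then deny-by-default with a short allow list of public paths) expressed through Apache 2.4 authorization instead of mod_rewrite. The addresses are placeholders from the documentation ranges; the file and folder names are the ones from the question.

```apache
# Root .htaccess, Apache 2.4. Addresses 203.0.113.7 and 198.51.100.0/24 are placeholders.
<RequireAll>
    # A matching "Require not" fails the whole RequireAll, so a banned client
    # is refused before the public allow list below is even considered.
    Require not ip 203.0.113.7 198.51.100.0/24
    # The only positive grant: public files and folders, anchored at the site root.
    Require expr "%{REQUEST_URI} =~ m#^/(foo\.html|bar\.jpg|folder1/|folder2/)#"
</RequireAll>
```

This version shares the rewrite version's constraint: delete the satisfy any / Allow from all .htaccess files in the public folders, because a child directory's authorization replaces its parent's rather than combining with it (unless AuthMerging is set, which is rarely what you want). Anchoring the path pattern at ^/ matters; without it /private/folder1/ would be public too.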

SetEnvIf not working on specific URL

I've got a password protected site, and I'm trying to allow a specific URL through so that it works for a Payment callback. The site is built using CakePHP.
The below works great however the Allow from env=allow is just not being taken into account (I've tried with my own IP address too). The setenvif mod is enabled in Apache and the other "Allow from" lines work fine. FYI it's running on Ubuntu on EC2. I've also searched on the site for similar issues and solutions but to no avail.
I've checked the $_SERVER global array in PHP for the "allow" environment variable and it exists so running out of ideas. Any help would be much appreciated!
SetEnvIf Request_URI ^/secure_trading/callback allow=1
SetEnvIf Request_URI ^/secure_trading/callback$ allow=1
SetEnvIf Request_URI "/secure_trading/callback" allow=1
SetEnvIf Request_URI "/app/weboot/secure_trading/callback" allow=1
AuthName "Protected"
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /var/www/domain.co.uk/.htpasswd
Order deny,allow
Satisfy Any
Deny from all
Allow from 127.0.0.1
Allow from env=allow
require valid-user
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^$ app/webroot/ [L]
RewriteRule (.*) app/webroot/$1 [L]
</IfModule>
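The question above has no answer on this page. As an added example (not the poster's code), here is how the same "Basic auth everywhere except one callback URL" policy is written on Apache 2.4 without SetEnvIf. It matches on the raw request line rather than %{REQUEST_URI}, because each internal redirect produced by a RewriteRule (here into app/webroot/, and then CakePHP's own rewrite to index.php) runs access control again under the new URI, and environment variables set in an earlier pass only survive into the next one with a REDIRECT_ prefix. The AuthUserFile path is the one from the question.

```apache
# Apache 2.4 replacement for "Satisfy Any" + "Allow from env=allow".
AuthType Basic
AuthName "Protected"
AuthUserFile /var/www/domain.co.uk/.htpasswd

<RequireAny>
    # local requests skip authentication, as in the original
    Require ip 127.0.0.1 ::1
    # THE_REQUEST is the request line as received ("POST /secure_trading/callback HTTP/1.1");
    # it does not change across internal redirects, unlike REQUEST_URI.
    # The trailing class stops /secure_trading/callback_admin from matching.
    Require expr "%{THE_REQUEST} =~ m#^[A-Z]+ /secure_trading/callback[/?\s]#"
    # everyone else needs a valid user
    Require valid-user
</RequireAny>
```

Two things to check against the original configuration regardless of Apache version: the fourth SetEnvIf pattern reads /app/weboot/ rather than /app/webroot/, and an unanchored pattern such as the third one also matches any later URI that merely contains that string. Keep the exception as narrow as possible: anyone can send a request to the callback path, so the application must still verify the payment provider's signature.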

Deny all, allow only one IP through htaccess

I'm trying to deny all and allow only for a single IP. But, I would like to have the following htaccess working for that single IP. I'm not finding a way to have both working: the deny all and allow only one, plus the following options:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
#Removes access to the system folder by users.
#Additionally this will allow you to create a System.php controller,
#previously this would not have been possible.
#'system' can be replaced if you have renamed your system folder.
RewriteCond %{REQUEST_URI} ^system.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
#When your application folder isn't in the system folder
#This snippet prevents user access to the application folder
#Submitted by: Fabdrol
#Rename 'application' to your applications folder name.
RewriteCond %{REQUEST_URI} ^application.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
#Checks to see if the user is attempting to access a valid file,
#such as an image or css document, if this isn't true it sends the
#request to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
</IfModule>
<IfModule !mod_rewrite.c>
# If we don't have mod_rewrite installed, all 404's
# can be sent to index.php, and everything works as normal.
# Submitted by: ElliotHaughin
ErrorDocument 404 /index.php
</IfModule>
Is there a way to make this work?
order deny,allow
deny from all
allow from <your ip>
I know this question already has an accepted answer, but the Apache documentation says:
The Allow, Deny, and Order directives, provided by mod_access_compat,
are deprecated and will go away in a future version. You should avoid
using them, and avoid outdated tutorials recommending their use.
So, a more future-proof answer would be:
<RequireAll>
Require ip xx.xx.xx.xx yy.yy.yy.yy
</RequireAll>
Hopefully, I've helped prevent this page from becoming one of those "outdated tutorials". :)
This can be improved by using the directive designed for that task.
ErrorDocument 403 /specific_page.html
Order Allow,Deny
Allow from 111.222.333.444
Where 111.222.333.444 is your static IP address.
When using the "Order Allow,Deny" directive the requests must match either Allow or Deny; if neither is met, the request is denied.
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order
Slightly modified version of the above, including a custom page to be displayed to those who get denied access:
ErrorDocument 403 /specific_page.html
order deny,allow
deny from all
allow from 111.222.333.444
...and that way those requests not coming from 111.222.333.444 will see specific_page.html
(posting this as comment looked terrible because new lines get lost)
Improving the previous answers a bit more, a maintenance page can be shown to your users while you perform changes to the site:
ErrorDocument 403 /maintenance.html
Order Allow,Deny
Allow from #.#.#.#
Where:
#.#.#.# is your IP: What Is My IP Address?
For maintenance.html there is a nice example here: Simple Maintenance Page
Add the following directives to an .htaccess file and place that file in your htdocs folder.
Order Deny,Allow
Deny from all
Allow from <your ip>
Allow from <another ip>
Just in addition to David Brown's answer, if you want to block an IP, you must first allow all and then block the IPs, as such:
<RequireAll>
Require all granted
Require not ip 10.0.0.0/255.0.0.0
Require not ip 172.16.0.0/12
Require not ip 192.168
</RequireAll>
First line allows all
Second line blocks from 10.0.0.0 to 10.255.255.255
Third line blocks from 172.16.0.0 to 172.31.255.255
Fourth line blocks from 192.168.0.0 to 192.168.255.255
You may use any of the notations mentioned above to suit your CIDR needs.
I wasn't able to use the 403 method because I wanted the maintenance page and page images in a sub folder on my server, so I used the following approach to redirect to a 'maintenance page' for everyone but a single IP:
RewriteEngine on
# replace 192.0.2.10 with your own address
RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.10$
RewriteRule !^maintenance/ http://www.website.co.uk/maintenance/ [R=302,L]
Source: Creating a holding page to hide your WordPress blog
order deny,allow
deny from all
allow from <your IP>
Using .htaccess to restrict access by IP
You can use the following in .htaccess to allow and deny access to your site:
SetEnvIf remote_addr ^1\.2\.3\.4$ allowedip=1
Order deny,allow
deny from all
allow from env=allowedip
We first set an env variable allowedip if the client IP address matches the pattern; if the pattern matches, the env variable allowedip is assigned the value 1.
In the next step, we use the Allow/Deny directives to allow and deny access to the site. Order deny,allow represents the order of deny and allow. The line deny from all tells the server to deny everyone. The last line, allow from env=allowedip, allows access to the single IP address we set the env variable for.
Replace 1\.2\.3\.4 with your allowed IP address.
References:
https://httpd.apache.org/docs/2.4/mod/mod_setenvif.html
https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
You can have more than one IP or even some other kind of allow like user, hostname, ... more info here https://www.askapache.com/htaccess/setenvif/
SetEnvIf remote_addr ^123\.123\.123\.1$ allowedip=1
SetEnvIf remote_addr ^123\.123\.123\.2$ allowedip=1
SetEnvIf remote_addr ^123\.123\.123\.3$ allowedip=1
SetEnvIf remote_addr ^123\.123\.123\.4$ allowedip=1
Order deny,allow
deny from all
allow from env=allowedip
ErrorDocument 403 /maintenance.html
Order Allow,Deny
Allow from #:#:#:#:#:#
For me, this seems to work (using IPv6 rather than IPv4). I don't know if this is different for some websites, but for mine this works.
If you want to use mod_rewrite for access control you can use conditions like user agent, HTTP referrer, remote addr etc.
Example
# "=" is an exact string comparison, not a regex; replace 192.0.2.10 with your IP address
RewriteCond %{REMOTE_ADDR} !=192.0.2.10
RewriteRule ^ - [F]
References:
https://httpd.apache.org/docs/2.4/rewrite/access.html
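Added example, not from any answer above: a maintenance mode that needs neither the ErrorDocument 403 trick nor a 301/302 redirect to a holding page. It answers with 503 so browsers and search engines do not cache a redirect, keeps /maintenance/ itself reachable so the error page and its images load, and lets a single admin address through. 192.0.2.10 is a placeholder; the Retry-After header is optional and its expr= condition needs Apache 2.4.10 or later.

```apache
# Maintenance mode in the site root .htaccess (mod_rewrite, Apache 2.2 or 2.4).
# The 503 body is served from /maintenance/index.html, which the rules below leave open.
ErrorDocument 503 /maintenance/index.html

RewriteEngine On
# everyone except the admin address (placeholder; anchored, dots escaped) ...
RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.10$
# ... asking for anything outside the maintenance folder ...
RewriteCond %{REQUEST_URI} !^/maintenance/
# ... gets 503 Service Unavailable; a status outside 300-399 discards the
# substitution and stops rewriting, so "-" is all that is needed here.
RewriteRule ^ - [R=503,L]

# Tell clients when to come back (Apache 2.4.10+ for the expr= condition).
<IfModule mod_headers.c>
    Header always set Retry-After "3600" "expr=%{REQUEST_STATUS} -eq 503"
</IfModule>
```

Compared with the 302-to-google approach above, this keeps visitors on your own host, is removed by deleting the rules rather than waiting for redirect caches to expire, and still leaves the admin address free to test the site. Do not add the maintenance folder to the exception list more broadly than needed; anything under /maintenance/ is served to everyone while this is active.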
