Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: bulk denials |
|
Author |
|
Doug22
Joined: 02 Jun 2013 Posts: 57 Location: Houston TX
|
Posted: Tue 04 Jun '24 17:50 Post subject: bulk denials |
|
|
OK, this is strange. I need to deny access in my .htaccess file to a range of IP addresses. So I do this -
deny from 111.11.111/16 .
My system freaks out. What does *seem* to be digestable is
deny from 111.11.111.
Why does that CIDR notation NOT WORK in a .htaccess denial? Will the latter really block all of 111.11.111? |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Wed 05 Jun '24 12:54 Post subject: |
|
|
Deny from is no longer supported by Apache.
use
Code: |
Require not ip 111.11
|
|
|
Back to top |
|
Doug22
Joined: 02 Jun 2013 Posts: 57 Location: Houston TX
|
Posted: Fri 07 Jun '24 1:25 Post subject: |
|
|
Not sure where that comes from. Sure isn't the case for my Apache on my Hostgator site. When I put my own IP into a "deny from" in my .htaccess, and I try to go there, I get "Access unavailable". That is, "deny from" seems to work fine for me on my site. |
|
Back to top |
|
Otomatic
Joined: 01 Sep 2011 Posts: 213 Location: Paris, France, EU
|
Posted: Fri 07 Jun '24 8:55 Post subject: |
|
|
Hi,
Doug22 wrote: | That is, "deny from" seems to work fine for me on my site. |
Probably because the "access_compat_module" is loaded.
However, this module is due to disappear. That's why it's preferable - by far - to use the full functionality of "Require". |
|
Back to top |
|
Doug22
Joined: 02 Jun 2013 Posts: 57 Location: Houston TX
|
Posted: Fri 07 Jun '24 14:03 Post subject: |
|
|
Hmmm. Thanks. access_compat isn't anything I have control of. But I guess it's good to know that I should be migrating to "Require". That all being said, does "Require" understand CIDR, which was my original question?
Actually, while I'm at it, let me say that this change, from Apache 2.2 to Apache 2.4 is kind of a pisser. Does this mean I have to rewrite my .htaccess file for Apache 2.4, and that my Apache 2.2 .htaccess file WON'T WORK with Apache 2.4? |
|
Back to top |
|
Otomatic
Joined: 01 Sep 2011 Posts: 213 Location: Paris, France, EU
|
Posted: Fri 07 Jun '24 14:44 Post subject: |
|
|
Hi,
Documentation Apache -> Access Control:
Code: | Require host address
Require ip ip.address
In the first form, address is a fully qualified domain name (or a partial domain name); you may provide multiple addresses or domain names, if desired.
In the second form, ip.address is an IP address, a partial IP address, a network/netmask pair, or a network/nnn CIDR specification. Either IPv4 or IPv6 addresses may be used. | When a question arises or a doubt persists, the best answer is always found using the old adage: always RTFM.
https://httpd.apache.org/docs/2.4/en/howto/access.html |
|
Back to top |
|
Doug22
Joined: 02 Jun 2013 Posts: 57 Location: Houston TX
|
Posted: Fri 07 Jun '24 15:29 Post subject: |
|
|
OK, thanks. I guess that means that "require not" obeys CIDR. "deny from" does not. Interesting. My Hostgator support tells me that "deny from" will ALWAYS work, though they use 2.4.x. So I guess they're in no rush to get rid of "access_compat_module". |
|
Back to top |
|
|
|
|
|
|