Re: Identifying banned networks correctly, but unable to block access


 



On 10/12/10 4:14 PM, Philip Prindeville wrote:
On 10/12/10 10:32 AM, Eric Covener wrote:
On Tue, Oct 12, 2010 at 12:42 PM, Philip Prindeville <philipp_subx@xxxxxxxxxxxxxxxxxxxxx> wrote:
I'm trying to use mod_geoip and mod_setenvif to blacklist certain
countries.  The tests seem to work and correctly identify the sources... it's
the mod_authz_host part that's tripping me up.

At the end of my mod_setenvif.conf I have:

LogFormat "is_a_bogon=%{is_a_bogon}e CC=%{GEOIP_COUNTRY_CODE}e" env
CustomLog logs/env_log env env=is_a_bogon

<Directory "/var/www/html">
    Deny from env=is_a_bogon
</Directory>

What's the effective value of "Order" at this point (hopefully 'allow, deny')?

Do you have Allow in htaccess or <location> that might be getting merged in?


It's a pretty stock RPM config:

conf/httpd.conf:

DocumentRoot "/var/www/html"

...

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/var/www/html">
...
    Order allow,deny
    Allow from all
</Directory>

...
AccessFileName .htaccess

...
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

...
Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
...
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

...
Alias /cgi-bin /var/www/cgi-bin
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options +ExecCGI
    Order allow,deny
    Allow from all
</Directory>

...
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
#    Allow from .example.com
    Allow from .redfish-solutions.com
    Allow from .localdomain
</Location>

...


then conf.d/mod_setenvif.conf:

...
<Directory "/var/www/html">
    Deny from env=is_a_bogon
</Directory>
...


Not seeing any application Location directives.

The only Files directives are in conf.d/ssl.conf and wouldn't apply here.


Well, I've not been able to resolve this... Next step will be to build my own mod_authz_host.c binaries with debugging statements added in.  Didn't think this would get so involved...



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
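
Added example, not part of the original thread and not Apache's own code: a small Python model of the documented Apache 2.2 Order/Allow/Deny evaluation, applied to the directives quoted above, showing which effective combinations would block or admit a request that has is_a_bogon set. It models only the `all` and `env=NAME` specs, and the sample request environments are constructed.

```python
# Model of Apache 2.2 host-based access control (Order / Allow / Deny).
# Only "all" and "env=NAME" specs are modelled, the forms used in the thread.

def matches(specs, env):
    """True if any 'Allow from' / 'Deny from' spec matches this request."""
    for spec in specs:
        if spec == "all":
            return True
        # env=NAME matches when the variable exists in the request environment
        if spec.startswith("env=") and spec[4:] in env:
            return True
    return False

def access(order, allow, deny, env):
    """Return 'allowed' or '403' for one request under the effective config."""
    a, d = matches(allow, env), matches(deny, env)
    if order == "allow,deny":
        # Allow is evaluated first, Deny last: a request must match an
        # Allow and no Deny. Requests matching nothing are denied.
        return "allowed" if a and not d else "403"
    if order == "deny,allow":
        # Deny is evaluated first, Allow last: a request is refused only if
        # it matches a Deny and no Allow. Requests matching nothing pass.
        return "403" if d and not a else "allowed"
    raise ValueError("unsupported Order: %r" % order)

# Constructed sample request environments (values are placeholders).
BOGON = {"is_a_bogon": "1", "GEOIP_COUNTRY_CODE": "XX"}
CLEAN = {"GEOIP_COUNTRY_CODE": "YY"}

# Effective (Order, Allow, Deny) combinations worth ruling in or out.
SCENARIOS = {
    "allow,deny / Allow all / Deny env": ("allow,deny", ["all"], ["env=is_a_bogon"]),
    "deny,allow / Allow all / Deny env": ("deny,allow", ["all"], ["env=is_a_bogon"]),
    "allow,deny / Allow all / no Deny":  ("allow,deny", ["all"], []),
    "deny,allow / no Allow / Deny env":  ("deny,allow", [], ["env=is_a_bogon"]),
}

def table():
    """Map scenario name -> (result for flagged request, result for clean one)."""
    return {name: (access(o, a, d, BOGON), access(o, a, d, CLEAN))
            for name, (o, a, d) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (bogon, clean) in table().items():
        print("%-36s bogon=%-8s clean=%s" % (name, bogon, clean))
```

A flagged request gets through in two of these cases: when the effective Order is deny,allow with an `Allow from all` in scope, and when the `Deny from env=is_a_bogon` line is not part of the effective configuration at all.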


