On March 14, 2011 14:12, Carmel <carmel_ny@xxxxxxxxxxx> wrote:
> I do not need users from China to have access to my server. I would like to use something like the list that follows to stop it. Unfortunately, I am not sure exactly where in my httpd.conf file I should put this so it works correctly.
>
> <Limit GET HEAD POST>
> order allow,deny
> # Country: CHINA
> # ISO Code: CN
> # Total Networks: 1,927
> # Total Subnets: 308,311,808
> deny from 1.12.0.0/14
> deny from 1.24.0.0/13
> deny from 1.45.0.0/16
> deny from 1.48.0.0/15
> #more entries
> # allow from all
> </Limit>

Normally, you would put the Deny directives in a <Directory /> or <Location /> stanza inside your <VirtualHost> stanza in order to have them apply to the entire file or entire URI namespace. You can put them inside of other <Directory> or <Location> stanzas, instead, if you'd like the Deny directives to apply less broadly.

Putting the Deny directives inside a <Limit> stanza -- as you have done above -- is discouraged. See the documentation at http://httpd.apache.org/docs/2.2/mod/core.html#limit which says:
Access controls are normally effective for all access methods, and this is the usual desired behavior. In the general case, access control directives should not be placed within a
I have never used it myself, so I don't know how good it is, but you may want to investigate using mod_geoip2 as an alternative to having a long list of networks in your configuration file. See

http://www.maxmind.com/app/mod_geoip
http://www.indiangnu.org/2010/how-to-install-geoip-and-mod_geoip2-on-centos-for-apache-2/
http://www.kaliphonia.com/content/linux/how-to-install-mod-geoip2-for-apache2-on-centos-server

The advantages should be: shorter, easier-to-read and easier-to-maintain configuration files; a more comprehensive list of networks for each country; no need to restart httpd when the list of networks for a blocked country changes.

--
Mark Montague
mark@xxxxxxxxxxx
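
The placement described in the reply above, as an added example that is not part of the original message: an Apache 2.2 virtual host with the Deny lines in a <Location /> stanza instead of <Limit>. The ServerName, DocumentRoot and GeoIP database path are placeholders, only the four networks shown in the question are listed, and the mod_geoip2 variant is left commented out as an alternative.

```apache
# Added example for Apache 2.2 (Order/Allow/Deny syntax of mod_authz_host).
# www.example.com and /var/www/html are placeholder values.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html

    # <Location /> covers the whole URI namespace of this virtual host and
    # applies to every request method. Inside <Limit GET HEAD POST> the same
    # lines would bind only GET, HEAD and POST; requests using any other
    # method would not be checked against the list.
    <Location />
        # Order allow,deny: Allow is evaluated first, then Deny. A Deny match
        # wins, and a client that matches neither is rejected, so
        # "Allow from all" must be present or every client is refused.
        Order allow,deny
        Allow from all

        # Country: CHINA (the four networks shown in the question)
        Deny from 1.12.0.0/14
        Deny from 1.24.0.0/13
        Deny from 1.45.0.0/16
        Deny from 1.48.0.0/15
        # ...remaining networks from the list go here...
    </Location>
</VirtualHost>

# Alternative using mod_geoip2 (assumes the module is installed and loaded;
# /path/to/GeoIP.dat is a placeholder for the country database file).
# Server-wide:
#   GeoIPEnable On
#   GeoIPDBFile /path/to/GeoIP.dat
# Inside <Location />, in place of the "Deny from <network>" lines:
#   SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
#   Deny from env=BlockCountry
```

Running `apachectl configtest` before reloading httpd catches syntax errors in either variant.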