Mod GeoIP 1.2.8 directive for Apache 2.4.x x64 can't run

Started by chromerep, June 26, 2013, 02:32:31 AM


chromerep

I turn off mod_authz_host, but it shows a syntax error when I use "require". I can't believe it can still accept allow and deny directives under apache 2.4.x. I am sure I use apache 2.4.x now. Though I load mod_access_compat for compatibility with old configurations.

I should use both allow and require directives. Isn't it?
But the allow from 192.168.0.0/16 doesn't take effect. I can't understand..

Gregg

Quote from: chromerep on June 29, 2013, 09:31:50 AM
Is it apache 2.4.4 bug?

No.

To use Require, mod_authz_core must be loaded!
http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require
See in the box at the top of the docs for Require, where it says "Module: mod_authz_core"

To use Require ip or Require host, mod_authz_host must be loaded
http://httpd.apache.org/docs/2.4/mod/mod_authz_host.html

Yes, you can use Order/Allow/Deny in 2.4 if mod_access_compat is loaded. I have found that you can not use both Require and Order/Allow/Deny in your config. One of them will win and usually Require loses the fight. So if you are using both, anything configured with Require will 403.

It is recommended to use Require only in 2.4 and just unload mod_access_compat.

chromerep

Thanks.
I unload mod_access_compat and load mod_authz_core and mod_authz_host, and it can run the "require" directive now.

But when I require ip X.X.X.X from the blockcountry code, it can't access the web.
Does it mean the require ip doesn't take effect?

Gregg

Post your require statements so I can see what you have. It should still allow the IP but it may depend on what you are doing.

chromerep

My require statements:
<IfModule geoip_module>
    GeoIPEnable On
    GeoIPEnableUTF8 On
    GeoIPScanProxyHeaders On
    GeoIPUseLastXForwardedForIP On
    GeoIPOutput Env
    GeoIPDBFile /path/GeoIP.dat
    SetEnvIf GEOIP_COUNTRY_CODE XX BlockCountry
    <Directory "/path/to/some/website">
        Require ip X.X.X.X
        <RequireAll>
            Require all granted
            <RequireNone>
                Require env BlockCountry
            </RequireNone>
        </RequireAll>
    </Directory>
</IfModule>

Gregg

Try
<RequireAll>
    Require all granted
    Require ip X.X.X.X
    <RequireNone>
      Require env BlockCountry
    </RequireNone>
</RequireAll>


chromerep

It works now. But the loading of the web page becomes unstable when mod_geoip is loaded. The web page's components (such as icons, images...) can't load normally. Some fail to load.

I gave it a try: I unload mod_geoip and the web page loads normally.

Maybe it's a minor issue in mod_geoip? And is this mod_geoip the same as the one MaxMind provides? (http://dev.maxmind.com/geoip/legacy/mod_geoip2/) Can AH compile this version? :)

Gregg

You know, this version isn't 100%. As a matter of fact, I have not ever had a version of mod_geoip that was ever 100%. A problem is that if you look at a typical request, the majority will be correct, but some will not. So if you are using mod_geoip to block, then some things may not show up.

I use mod_geoip mainly for knowing where visitors come from, nothing more. I add the country to the end of each line in my access log. Doing this, I can see that it fails on occasion. For instance, if you go to my server's index.html page, it will make 14 requests, index.html, 3 fonts and 10 images. Looking at one such request in today's log I have:

203.147.5.xxx
10 of the 14 say Thailand, 1 United States, 1 Greece, 1 Bhutan and one that came back as nothing.

Obviously Thailand is the correct one, but if I had a block on the country Bhutan, this visitor wouldn't get the image /icons/blank.gif.

This problem was discussed before here. I got to thinking about this after my short answer that this is the latest version.

I think if I really cared to block a country, I'd only block the .html, .php and any other similar file like that. I've never seen the first request to the server fail, and blocking these files would not stop images loading for people that were allowed to see the .html/php/etc. files because mod_geoip failed on a subsequent request.

Just a thought.


chromerep

Yeah. Your thought is a good way to think.

If I just want to block the country from viewing "php/html..", what directives need to be added to the conf file? Can you post a detailed sample for me to reference? I can't find that in the maxmind documents.

Gregg

No, you will not find an example at maxmind, but you do have an example in your conf making the viewing/downloading of .ht(access|passwd) files impossible. There are also a lot of examples of access control in the Apache docs, you just use a little imagination with what you know.

Outside of any virtualhost or directory containers, you may be able to use something similar to:

<Files ~ "\.(html?|php|cgi)$">
    #Put your access stuff here
</Files>

chromerep

In this sample, how to block some country codes from accessing php/html only.. except icons, images..? I am too foolish to figure it out. (I checked the apache access control documents before.) Can you give any advanced sample?

Quote from: Gregg on July 03, 2013, 12:15:17 AM
<Files ~ "\.(html?|php|cgi)$">
    #Put your access stuff here
</Files>

DnvrSysEngr

I find that using mod_geoip is a great way to keep unwanted visitors from certain countries. I am mean in that I block visitors from certain countries from viewing everything. I do not want them to have the opportunity to even begin to search for any sort of exploit/s nor do I want them to scavenge any info to use for their spamming / bots / hacks / etc.

Gregg

chromerep, how about replacing
#Put your access stuff here

with

<RequireAll>   
    Require all granted
    Require ip X.X.X.X
    <RequireNone>
      Require env BlockCountry
    </RequireNone>
</RequireAll>
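
The pieces discussed in this thread assembled into one configuration, as an added example (not posted by any participant): the country check applies only to page-type files, and the allowlisted address sits in `<RequireAny>`, because inside `<RequireAll>` a `Require ip` line has to match for every client. `X.X.X.X`, `XX` and `/path/GeoIP.dat` are the thread's own placeholders.

```apache
# Added example; requires mod_authz_core and mod_authz_host, with
# mod_access_compat unloaded as recommended earlier in the thread.
<IfModule geoip_module>
    GeoIPEnable On
    GeoIPOutput Env
    GeoIPDBFile /path/GeoIP.dat

    # Flag requests whose looked-up country code is XX (placeholder).
    SetEnvIf GEOIP_COUNTRY_CODE XX BlockCountry

    # Only page-type files get the country check. Images, fonts and icons
    # do not match and keep the access rules of their directory, so a
    # wrong lookup on a follow-up request cannot hide them.
    <FilesMatch "\.(html?|php|cgi)$">
        <RequireAny>
            # Allowlisted address: accepted on its own, whatever the country.
            Require ip X.X.X.X

            # Everyone else: accepted unless BlockCountry was set above.
            <RequireAll>
                Require all granted
                Require not env BlockCountry
            </RequireAll>
        </RequireAny>
    </FilesMatch>
</IfModule>
```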

chromerep

After adding those directives, the former web loading issue occurs again. It seems to be a mod_geoip issue; it can't get resolved until I turn it off.