Block IP ranges in http.conf
Posted by strato, 10-02-2008, 06:09 AM |
Hi guys
I have a lot of sites on my cPanel server and I need to block access to all of them for some IP ranges. Doing this at the firewall level is not appropriate because my server may need to talk back to those ranges at some point. I only want to prevent the serving of web pages to those ranges.
I figure the best way to do this is within httpd.conf but I have no idea how to add these rules for all sites in one go.
Any ideas?
thanks
|
Posted by relichost, 10-02-2008, 07:48 AM |
Hi
I would suggest .htaccess files
I am not aware of any way to do this in the httpd.conf setup (although I may be wrong).
Thanks
|
Posted by david510, 10-02-2008, 08:01 AM |
You may use the below in the VH section of the httpd.conf file.
|
Posted by blessen, 10-02-2008, 08:12 AM |
I suggest using .htaccess. But if you are so keen on working on httpd.conf then you can try the below option.
Try this
Ref: http://httpd.apache.org/docs/1.3/mod...ess.html#order
|
Posted by strato, 10-02-2008, 10:42 AM |
A .htaccess file would be simple, but I have over 100 sites and it would be a nightmare to keep track of that many .htaccess files.
blessen, your suggestion doesn't work; Apache doesn't start with the code in httpd.conf.
|
Posted by david510, 10-02-2008, 10:49 AM |
It seems the HEAD option will not work. Did you try the other option?
|
Posted by strato, 10-02-2008, 10:54 AM |
which other option?
|
Posted by strato, 10-02-2008, 11:17 AM |
I have tried this, but where it says "/path/to/protect"... what do I put when I want to protect every site on the entire server in one go?
|
Posted by Xous, 10-02-2008, 11:31 AM |
Why not block incoming connections on TCP port 80 (and maybe TCP port 443)? This would save work for the httpd process and still allow your server to talk to these hosts.
|
Posted by strato, 10-02-2008, 11:46 AM |
Thanks for the suggestion, but this is not possible as I have scripts running on my server that need two-way communication on port 80 with some of those IP addresses.
The simplest way I can describe what I need is to block access to Apache on my server from particular IP ranges. Basically I want to access their websites but I don't want them to access mine.
|
Posted by relichost, 10-02-2008, 11:52 AM |
Hi
The firewall can be set up to only drop the incoming requests; any outgoing requests would be fine?
Thanks
|
Posted by strato, 10-02-2008, 11:55 AM |
But if my server requested a page from a remote server whose IP was blocked, the request would reach the remote server, but the attempt to send the page back would be blocked. Is this right?
|
Posted by relichost, 10-02-2008, 12:10 PM |
Normally the return port is not 80
Thanks
|
Posted by tulix, 10-02-2008, 06:18 PM |
If you don't want the occasional viewer to see the pages, httpd.conf-based blocking will be OK.
If it is for security reasons (like an attack or something like that) I would recommend iptables.
|
Posted by Tim Greer, 10-03-2008, 12:50 AM |
Do _not_ use Limit for denying and allowing, because unless you list every single type of request method, you're only disallowing the ones you list. Instead, just deny without Limit and it'll account for any type of request method anyone can make to the web server. Beyond that, you needn't add this to httpd.conf, but you certainly can. You can also do it globally in an .htaccess file in /home/.htaccess, for example, assuming all sites and domain document roots are located somewhere within the /home/username path. That makes management much easier.
|
Posted by david510, 10-03-2008, 03:19 AM |
If you need this globally, you need to put this outside the VH section. Path would be /home/username/public_html or whatever.
|
Posted by strato, 10-03-2008, 04:32 AM |
Put what exactly... and what would the path be if I wanted to block access to EVERY home folder?
I have tried the few suggestions that people have given in this thread (thank you), but the result is always that Apache won't start.
OK, let's say I wanted to block the IP range 123.123.123.0/24 from accessing ANY SITE on my server... what would I put in httpd.conf?
|
Posted by relichost, 10-03-2008, 04:39 AM |
Hi
I wouldn't put it in the httpd.conf, but a firewall rule.
or
edit /etc/hosts.deny
http: 123.123.123.0/24
https: 123.123.123.0/24
Untested - but if I understand it correctly then it should block any port 80/443 traffic for that IP range.
That way it shouldn't affect any other services like email etc.
Thanks
Just tested the /etc/hosts.deny -- didn't work for me...
Last edited by relichost; 10-03-2008 at 04:42 AM.
Reason: update
|
Posted by Tim Greer, 10-03-2008, 05:54 AM |
The OP stated they didn't want to use firewalls and probably wants to give a 403 (forbidden error), and still accept emails. Denying the IPs with deny in httpd.conf or .htaccess will deny all web access (port 80 or 443 (ssl)).
Just create an .htaccess file at /home/.htaccess. Ensure it's chmod 644
Add the following:
order deny,allow
deny from 123.123.123.
allow from all
That will deny 123.123.123.* (the /24 C class of 123.123.123.0). It should work and Apache should still work. This allows you easier control than editing the httpd.conf file and shouldn't cause Apache not to start. It'll also override all of the users' own personal .htaccess files, so it covers all sites on the server, since it's in everyone's web root path.
By the way, hosts.deny doesn't work because that's for TCP wrappers and will not affect access to web sites over Apache. If you want to add the deny rules in httpd.conf itself for whatever reason, you can just add those same lines. You can do it by directory if you want or need to (i.e., /home or /home/*/public_html). Or /home/[-a-z]{2,24}/public_html (assuming any account username is 2 to 24 characters long (using that character class)).
|
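As an added example that is not part of the thread: a small Python model of how Apache's Order/Allow/Deny directives (mod_access in 1.3/2.0, mod_authz_host in 2.2) decide a request, including the <Limit> pitfall raised above, plus a generator for the single <Directory> block that covers every document root under one path. It never talks to Apache; it reproduces the Order semantics as documented so a deny list can be checked before it goes into httpd.conf. The /home path and the 123.123.123.0/24 range come from the thread; the class and function names, the 2.4 Require form, and the sample addresses are mine.

```python
"""Added example (not from the original thread): a model of Apache's
host-based access control plus a generator for one global deny block."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class AccessRules:
    order: str                                   # "allow,deny" or "deny,allow"
    deny: tuple[str, ...] = ()                   # arguments of Deny from ...
    allow: tuple[str, ...] = ()                  # arguments of Allow from ...
    limit_methods: frozenset[str] | None = None  # set when wrapped in <Limit ...>


def _host_matches(arg: str, client: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """One Deny/Allow argument against the client address, in the IP forms
    mod_access accepts: 'all', a full address, a partial dotted prefix such as
    '123.123.123.' (the /24), or CIDR 'a.b.c.d/nn'. Hostname forms, which cost
    a reverse lookup per request, are deliberately not modelled."""
    if arg.lower() == "all":
        return True
    if arg.endswith("."):
        # Partial address: leading octets must match exactly, dot included,
        # so '12.1.' matches 12.1.x.x but not 12.10.x.x.
        return str(client).startswith(arg)
    if "/" in arg:
        return client in ipaddress.ip_network(arg, strict=False)
    return client == ipaddress.ip_address(arg)


def is_allowed(rules: AccessRules, client_ip: str, method: str = "GET") -> bool:
    """Decide a request the way the Order directive is documented."""
    client = ipaddress.ip_address(client_ip)
    if rules.limit_methods is not None and method.upper() not in rules.limit_methods:
        # Rules inside <Limit GET POST> say nothing about HEAD, OPTIONS, PUT, ...
        # so those methods fall through untouched: the pitfall raised in the thread.
        return True
    denied = any(_host_matches(a, client) for a in rules.deny)
    allowed = any(_host_matches(a, client) for a in rules.allow)
    order = rules.order.lower()
    if order == "allow,deny":
        # Allow first, then Deny; a matching Deny always wins; default is deny.
        return allowed and not denied
    if order == "deny,allow":
        # Deny first, then Allow; a matching Allow always wins; default is allow.
        # Consequently 'Allow from all' under this Order cancels every Deny.
        return allowed or not denied
    raise ValueError(f"unknown Order: {rules.order}")


def render_httpd_conf(directory: str, denied: tuple[str, ...], apache24: bool = False) -> str:
    """The one block the thread is after: placed in httpd.conf outside any
    <VirtualHost>, it applies to every docroot under `directory` (e.g. /home).
    2.2 syntax is Order/Allow/Deny; 2.4 uses mod_authz_core's Require.
    Each range is parsed first so a typo fails here, not at Apache startup."""
    for r in denied:
        if not r.endswith("."):
            ipaddress.ip_network(r, strict=False)  # raises ValueError on garbage
    out = [f"<Directory {directory}>"]
    if apache24:
        out += ["    <RequireAll>", "        Require all granted"]
        out += [f"        Require not ip {r}" for r in denied]
        out += ["    </RequireAll>"]
    else:
        out += ["    Order allow,deny", "    Allow from all"]  # blacklist ordering
        out += [f"    Deny from {r}" for r in denied]
    out.append("</Directory>")
    return "\n".join(out)


if __name__ == "__main__":
    blocked = ("123.123.123.0/24",)  # range from the thread
    rules = AccessRules("allow,deny", deny=blocked, allow=("all",))
    for ip in ("123.123.123.7", "198.51.100.9"):  # constructed sample clients
        print(ip, "->", "allowed" if is_allowed(rules, ip) else "403")
    limited = AccessRules("allow,deny", deny=blocked, allow=("all",),
                          limit_methods=frozenset({"GET", "POST"}))
    print("HEAD under <Limit GET POST> ->",
          "allowed" if is_allowed(limited, "123.123.123.7", "HEAD") else "403")
    print(render_httpd_conf("/home", blocked))
    print(render_httpd_conf("/home", blocked, apache24=True))
```

Run both orderings through `is_allowed` before deploying: under `Order deny,allow` a trailing `Allow from all` matches every client and, per the documented precedence, wins over the Deny, so the generator emits `Order allow,deny` for a blacklist. On Apache 2.4 the Order/Allow/Deny lines only work with mod_access_compat loaded; the `apache24=True` form uses `Require not ip` inside `<RequireAll>`, which does not have that dependency.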
Posted by albunix, 10-03-2008, 10:05 AM |
Strato,
I concur with Xous' findings/suggestions.
You are able to fully block only connections which are /not/ generated from your servers first.
In essence, if the server generates communication, you'd be OK; otherwise, if the IPs generate the communication handshake first, they'd be banned.
Iptables is not only much faster, but you can also script it in order to dynamically track and lock connections.
You can use the functionality of the switch --state ESTABLISHED to take advantage and block only what's not already established.
Thanks.
|