Httpd – Apache deny from CIDR range but allow from IP within that range

apache-2.2httpdhttpd.confip-blocking

I am using a long CIDR blacklist to block several countries from a site, but I need to allow specific IP addresses within the blocked CIDR ranges. Here's an excerpt of my conf file (this is the order that I am currently trying, though I have tried moving the "allow" lines above the "deny" lines as well):

order allow,deny
deny from 27.116.56.0/22
deny from 58.147.128.0/19
deny from 61.5.192.0/20
deny from 83.140.0.0/16
# ...
allow from 83.140.19.38

The blacklist works fine, but the "allow" lines are not honored whether I place them above the "deny" section or below it. Is there any other configuration that I should need to get this to work? Apache documentation led me to believe that "allow" should come after "deny," but it did not seem to answer this question directly either way.

Best Answer

The Apache manual section on mod_authz_host is instructive here. The order of your allow and deny statements does not matter. With order allow,deny, you must match at least one allow and no deny directives for your request to be accepted. I think you want order deny,allow.

Related Solutions

Ssl – Apache 2.2.14: SSLCARevocation location

I think you have already found the answer but I may help someone else. I have had the same error because I generated my crl with this parameter : "crl_hours 1". 1 hour after the crl creation, the error appears.

If you didn't use this parameter, check the "default_crl_days" of your "openssl.conf" and compare it to the date of last update of the crl.

Apache Access Control – How to Deny from All, Allow from Subnet, but Deny from IP Within Subnet

I haven't tested, but I think you are almost there.

<Location /server-status>
    SetHandler server-status
    Order Allow,Deny
    Deny from  192.168.16.100
    Allow from 192.168.16.0/24
</Location>

Deny from all is not needed. In fact it will screw up because everything will match all, and thus denied (and I think Apache is trying to be smart and do something stupid). I have always found Apache's Order, Allow and Deny directives confusing, so always visualize things in a table (taken from the docs):

Match      | Allow,Deny result   | Deny,Allow result
-------------------------------------------------------
Allow only | Allowed             | Allowed
Deny only  | Denied              | Denied
No match   | Default: Denied     | Default: Allowed
Match both | Final match: Denied | Final match: Allowed

With the above settings:

Requests from 192.168.16.100 get "Match both" and thus denied.
Requests from 192.168.16.12 get "Allow only" and thus allowed.
Requests from 123.123.123.123 get "No match" and thus denied.

Best Answer

Related Solutions

Ssl – Apache 2.2.14: SSLCARevocation location

Apache Access Control – How to Deny from All, Allow from Subnet, but Deny from IP Within Subnet

Related Topic