I am running CentOS 5.5 with the stock Apache httpd-2.2.3.
I have enabled mod_status at the Location /server-status. I would like to allow access to this single Location in the following way:
- Deny from all
- Allow from the subnet 192.168.16.0/24
- Deny from a the IP 192.168.16.100, which is within the 192.168.16.0/24 subnet.
1 & 2 are easy. However, since I "Allow from 192.168.16.0/24", is it possible to Deny from 192.168.16.100?
I tried to add a Deny statement for 192.168.16.100 but it doesn't work. Here is the relevant config:
<Location /server-status>
SetHandler server-status
Order Allow,Deny
Deny from all
Deny from 192.168.16.100 # This does not deny access from 192.168.16.100
Allow from 192.168.16.0/24
</Location>
Or:
<Location /server-status>
SetHandler server-status
Order Allow,Deny
Deny from all
Deny from 192.168.16.100 # This does not deny access from 192.168.16.100
Allow from 192.168.16.0/24
</Location>
However, this doesn't prevent access to this particular page, as demonstrated in the Access logs:
www.example.org 192.168.16.100 - - [11/Mar/2011:16:01:14 -0800] "GET /server-status HTTP/1.1" 200 9966 "-" "
According to the manual for mod_authz_host:
Allow,Deny
First, all Allow directives are evaluated; at least one must match, or the request is rejected. Next, all Deny directives are evaluated. If any matches, the request is rejected
The IP address matches the Deny directive, so shouldn't the request be rejected?
According to the table on the mod_authz_host page, this IP address should "Match both Allow & Deny", and thus the "Final match controls: Denied" rule should apply.
Match Allow,Deny result Deny,Allow result Match Allow only Request allowed Request allowed Match Deny only Request denied Request denied No match Default to second directive: Denied Default to second directive: Allowed Match both Allow & Deny Final match controls: Denied Final match controls: Allowed
I haven't tested, but I think you are almost there.
Deny from all
is not needed. In fact it will screw up because everything will matchall
, and thus denied (and I think Apache is trying to be smart and do something stupid). I have always found Apache'sOrder
,Allow
andDeny
directives confusing, so always visualize things in a table (taken from the docs):With the above settings:
I would probably look at also adding IPTables rules for this to deny the single host on port 80, deny from all, and allow the subnet.
You should have no problem setting up a deny rule from a specific address after you have allowed the subnet. Just do it in that order.
Can you use php? If so add a php statement to exit/redirect for that one specific IP address
Example:
$deny = array("111.111.111", "222.222.222", "333.333.333");
if (in_array ($_SERVER['REMOTE_ADDR'], $deny))
{ header("location: http://www.google.com/");
exit();
Reference: http://perishablepress.com/press/2007/07/03/how-to-block-ip-addresses-with-php/