Home / server / Questions / 922214
In Process
夏期劇場
Asked: 2018-07-17 22:25:05 +0800 CST

Apache: Common SetEnvIF Deny rules for Server-wide / apply on all the Domains?

  • 772

In my Apache, I have a long list of IPs to be blocked (for some reasons). And then I'm currently putting those rules inside the .htaccess files of the each and every single docroot (domains) I have.

The rules look like this:

SetEnvIF X-Forwarded-For "1.2.3.*" DenyIP
SetEnvIF X-Forwarded-For "100.200.*.*" DenyIP
..
..
..
..
..
..
Order Deny,Allow
Deny from env=DenyIP

These same .htaccess files are now located like:

/var/www/html/www.site-a.com/.htaccess
/var/www/html/www.site-b.com/.htaccess
/var/www/html/www.site-c.com/.htaccess
/var/www/html/www.site-d.com/.htaccess
/var/www/html/www.site-e.com/.htaccess
/var/www/html/www.site-f.com/.htaccess
/var/www/html/www.site-g.com/.htaccess
..

It works that way. But then whenever I have to update the IPs, I have to edit in all of these files.

Question:

How do I apply these common rules Server-wide (Apache-wide), so that they are applied on every single websites docroots (domains) I have in my Apache?

linux

1 Answers

  1. Take a look at Apache 2.2 Configuration Sections and Access Control.

    • Directives Allow and Deny belongs to context: Directory and .htaccess.
    • The .htaccess is a in-place equivalent for <Directory>, but with limitations, e.g.
      • You can't use Include inside .htaccess.
      • AllowOverride controls what you can change with your .htaccess configuration.

    • Configuration sections have merging order, shortened:

      1. <Directory> (except regular expressions) and .htaccess done simultaneously (with .htaccess, if allowed, overriding <Directory>)
      2. <DirectoryMatch> (and <Directory ~>)
      3. <Files> and <FilesMatch> done simultaneously
      4. <Location> and <LocationMatch> done simultaneously

    • You can have global <Directory> sections outside <VirtualHost> sections:

      Sections inside <VirtualHost> sections are applied after the corresponding sections outside the virtual host definition. This allows virtual hosts to override the main server configuration.

    In short, inside your main httpd.conf, have this and don't override it in <VirtualHost>:

    <Directory /var/www/html>
    SetEnvIF X-Forwarded-For "1.2.3.*" DenyIP
    SetEnvIF X-Forwarded-For "100.200.*.*" DenyIP
    ..
    Order Deny,Allow
    Deny from env=DenyIP
</Directory>

    If you don't want to have the long SetEnvIF list in httpd.conf, use [Include][6]:

    <Directory /var/www/html>
    Include /path/to/SetEnvIF-list.conf
    Order Deny,Allow
    Deny from env=DenyIP
</Directory>

    Notice what all the documentation linked here mentions:

    This document refers to the 2.2 version of Apache httpd, which is no longer maintained. The active release is documented here. If you have not already upgraded, please follow this link for more information.

    Access Control in Apache 2.4 is a bit different, but you'll be able to use environment variables with its mod_authz_core Requireenv. As you set the variable for deny instead of allow, you'd need to use not before the env entity-name.

    SetEnvIF X-Forwarded-For "1.2.3.*" DenyIP
<Directory "/var/www/html">
    Require not env DenyIP
</Directory>
    • 0