Ping a Specific Port

Question

BlaM

Asked: 2009-12-14 05:25:09 +0800 CST2009-12-14 05:25:09 +0800 CST 2009-12-14 05:25:09 +0800 CST

Apache 2: SetEnvIf "IP Range"

772

In my Apache config I want to set an environment variable if I see that the visitor comes from an specific IP range. Currently I do it this way:

SetEnvIfNoCase Remote_Addr "^194\.8\.7[45]\." banned=spammer-ip
SetEnvIfNoCase Remote_Addr "^212\.156\.170\." banned=spammer-ip

What I would prefer is something like this:

SetEnvIfIpRange 194.8.74.0/23 banned=spammer-ip
SetEnvIfIpRange 212.156.170.0/24 banned=spammer-ip

... because I think that converting an IP address to a string and then do an regular expression is a total waste of ressources.

I could do an

Deny From 194.8.74.0/23

... but then I don't get a variable that I can check in my 403 error page - to find the reason why access has been denied.

Any suggestions what I might miss? Is there an Apache2 MOD that can set environment variables based on "IP Address Ranges"?

4 Answers

Voted

Greg · Answer 1 · 2011-05-03T12:08:41+08:00

Greg

2011-05-03T12:08:41+08:002011-05-03T12:08:41+08:00

You may use CIDR formatting with Apache 2.4 which allows <If>:

<If "%{REMOTE_ADDR} -ipmatch 194.8.74.0/23">
    SetEnv banned = spammer-ip
</If>

9

Hans-Joachim Kliemeck · Answer 2 · 2015-12-05T04:13:24+08:00

Hans-Joachim Kliemeck

2015-12-05T04:13:24+08:002015-12-05T04:13:24+08:00

be aware that variables set through SetEnv are not visible on some operations (see matrix):

http://www.onlinesmartketer.com/2010/05/27/apache-environment-variables-visibility-with-setenv-setenvif-and-rewriterule-directives/

your solution is

SetEnvIfExpr "-R '10.0.0.0/8' || -R '172.16.0.0/12' || -R '192.168.0.0/16'" rfc1918

see https://httpd.apache.org/docs/trunk/mod/mod_setenvif.html#SetEnvIfExpr

8

Lockie · Answer 3 · 2009-12-14T09:54:01+08:00

Best Answer

Lockie

2009-12-14T09:54:01+08:002009-12-14T09:54:01+08:00

What you've got (SetEnvIfNoCase Remote_Addr "^a.b.c." env_key=env_value) is the best you'll easily do. I've seen this configuration style implemented on a heavily loaded cluster of machines, without any noticeable performance degradation. I agree using regular expressions, when CIDR ranges are more appropriate is annoying. You could write a small program to automatically generate the config from a list of CIDR ranges.

If you're familiar with Perl, you could create a modperl handler, which would allow/deny requests in whichever way you choose. modperl allows your code to run at different points throughout a HTTP request - mod_perl 2.0 HTTP Request Cycle Phases. PerlAuthzHandler would be the appropriate handler to use.

Lockie

3

BlaM · Answer 4 · 2010-05-25T03:56:35+08:00

BlaM

2010-05-25T03:56:35+08:002010-05-25T03:56:35+08:00

This is not really a solution to go from RegExp to IP Ranges, but I found a nice script hosted by Google to convert an IP range to a matching regexp. Could be of use for some of you, too...

How do I exclude traffic from a range of IP addresses?

[Update]

It looks as if Google has removed the IP Address Tool (or at least the link they have on their site is broken), but there is a similar tool here: http://www.analyticsmarket.com/freetools/ipregex

0

Apache 2: SetEnvIf "IP Range"

Ping a Specific Port

What port does SFTP use?

Resolve host name from IP address

How can I sort du -h output by size

Command line to list users in a Windows Active Directory group?

What's the command-line utility in Windows to do a reverse DNS look-up?

How to check if a port is blocked on a Windows machine?

What port should I open to allow remote desktop?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?