26

I am running CentOS 5.5 with the stock Apache httpd-2.2.3.

I have enabled mod_status at the Location /server-status. I would like to allow access to this single Location in the following way:

  1. Deny from all
  2. Allow from the subnet 192.168.16.0/24
  3. Deny from a the IP 192.168.16.100, which is within the 192.168.16.0/24 subnet.

1 & 2 are easy. However, since I "Allow from 192.168.16.0/24", is it possible to Deny from 192.168.16.100?

I tried to add a Deny statement for 192.168.16.100 but it doesn't work. Here is the relevant config:

<Location /server-status>
    SetHandler server-status
    Order Allow,Deny
    Deny from  all
    Deny from  192.168.16.100 # This does not deny access from 192.168.16.100
    Allow from 192.168.16.0/24
</Location>

Or:

<Location /server-status>
    SetHandler server-status
    Order Allow,Deny
    Deny from  all
    Deny from  192.168.16.100 # This does not deny access from 192.168.16.100
    Allow from 192.168.16.0/24
</Location>

However, this doesn't prevent access to this particular page, as demonstrated in the Access logs:

www.example.org 192.168.16.100 - - [11/Mar/2011:16:01:14 -0800] "GET /server-status HTTP/1.1" 200 9966 "-" "

According to the manual for mod_authz_host:

Allow,Deny

First, all Allow directives are evaluated; at least one must match, or the request is rejected. Next, all Deny directives are evaluated. If any matches, the request is rejected

The IP address matches the Deny directive, so shouldn't the request be rejected?

According to the table on the mod_authz_host page, this IP address should "Match both Allow & Deny", and thus the "Final match controls: Denied" rule should apply.

    Match                       Allow,Deny result                   Deny,Allow result
    Match Allow only            Request allowed                     Request allowed
    Match Deny only             Request denied                      Request denied
    No match                    Default to second directive: Denied Default to second directive: Allowed
    Match both Allow & Deny     Final match controls: Denied        Final match controls: Allowed
masegaloeh
  • 17,978
  • 9
  • 56
  • 104
Stefan Lasiewski
  • 22,949
  • 38
  • 129
  • 184
  • Deny from all 192.168.16.100 -- Since you are using "all" here, I would expect all requests to be denied from any IP address. Think something else is going on here. – micah Apr 06 '11 at 19:48
  • @Michah: I am also doing a `Allow from 192.168.16.0/24`. As I understand the documentation, any requestor IPs in the 192.168.16.0/24 network will match this Allow statement, the request is allowed. – Stefan Lasiewski Apr 06 '11 at 20:34
  • Following the documentation pasted above. "First, all Allow directives are evaluated; at least one must match, or the request is rejected" ==> This should match your "Allow from 192.168.16.0/24", but the second part of "Next, all Deny directives are evaluated. If any matches, the request is rejected" With "Deny from all", won't every request match that second part and therefore be denied? – micah Apr 11 '11 at 15:10
  • You should really consider if you want to deny that IP address complete access to your system or only from httpd. If the former continue with your approach at using apache directives. If the latter this should be done in the firewall. – Andrew Case Oct 07 '11 at 17:20
  • Thanks ACase. I only want to deny access from 192.168.16.100to this particular page. I want 192.168.16.100 to be able to access all other pages on this webserver. – Stefan Lasiewski Oct 07 '11 at 19:01

3 Answers3

36

I haven't tested, but I think you are almost there.

<Location /server-status>
    SetHandler server-status
    Order Allow,Deny
    Deny from  192.168.16.100
    Allow from 192.168.16.0/24
</Location>

Deny from all is not needed. In fact it will screw up because everything will match all, and thus denied (and I think Apache is trying to be smart and do something stupid). I have always found Apache's Order, Allow and Deny directives confusing, so always visualize things in a table (taken from the docs):

Match      | Allow,Deny result   | Deny,Allow result
-------------------------------------------------------
Allow only | Allowed             | Allowed
Deny only  | Denied              | Denied
No match   | Default: Denied     | Default: Allowed
Match both | Final match: Denied | Final match: Allowed

With the above settings:

  • Requests from 192.168.16.100 get "Match both" and thus denied.
  • Requests from 192.168.16.12 get "Allow only" and thus allowed.
  • Requests from 123.123.123.123 get "No match" and thus denied.
phunehehe
  • 731
  • 2
  • 8
  • 17
1

I would probably look at also adding IPTables rules for this to deny the single host on port 80, deny from all, and allow the subnet.

You should have no problem setting up a deny rule from a specific address after you have allowed the subnet. Just do it in that order.

Mike
  • 792
  • 3
  • 5
  • I've updated my answer. I included a "Deny from 192.168.16.100" rule, but access is still allowed from 192.168.16.100 – Stefan Lasiewski Mar 11 '11 at 20:57
  • I want to allow access to all other locations from this host. However, I want to Deny specific locations. IPTables does not help me here. – Stefan Lasiewski Mar 11 '11 at 21:00
  • IPTables will not specifically deny outbound traffic unless you tell it to. You can however, deny inbound traffic from world, and a specific address, but all allow a subnet. – Mike Mar 11 '11 at 21:29
  • I think you misunderstand my request. I want to apply this access control to /server-status only, not the entire host. IPtables cannot do this easily, to my knowledge. – Stefan Lasiewski Apr 05 '11 at 15:23
-4

Can you use php? If so add a php statement to exit/redirect for that one specific IP address

Example:

$deny = array("111.111.111", "222.222.222", "333.333.333");

if (in_array ($_SERVER['REMOTE_ADDR'], $deny))

{ header("location: http://www.google.com/");

exit();

Reference: http://perishablepress.com/press/2007/07/03/how-to-block-ip-addresses-with-php/

John
  • 567
  • 2
  • 4
  • 2
    This would have to be in every single page hosted by the webserver. This solution is impractical and not where you would want to filter access to a webserver. – Andrew Case Oct 07 '11 at 17:18