I'm having some trouble with getting the Order directive right in a vhost configuration in Apache.
I have some IP addresses that I want to totally deny access to the entire vhost. These have been previously flagged as malicious.
I also want to deny all requests apart from GET and HEAD from all IP addresses, apart from our internal IP range.
I'm having trouble with the first Directory directive and figuring out how best to arrange it with the Order directive.
This is what I've got so far and it doesn't appear to work, so I'd like to get some advice on how best to order this block...
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.test.com
    ServerAlias test.com
    DocumentRoot /var/www/html/www.test.com
    <Directory /var/www/html/www.test.com>
        Options +FollowSymLinks
        Order Deny,Allow
        # Deny suspect IPs previously flagged
        Deny from 111.111.111.111
        Deny from 222.222.222.222
        Deny from 333.333.333.333
        # But only internal IPs can POST
        <LimitExcept GET HEAD>
            Deny from all
            Allow from 10.10.0.0/22
        </LimitExcept>
        Allow from all
    </Directory>
    # CLI directory not web accessible
    <Directory /var/www/html/www.test.com/cli>
        Order Deny,Allow
        Deny from all
    </Directory>
    # Restrict access to admin internal IPs only
    <Directory /var/www/html/www.test.com/admin>
        Order Deny,Allow
        Deny from all
        Allow from 10.10.0.0/22
    </Directory>
</VirtualHost>
My head is so scrambled with this now that I'm unable to see it clearly. Anyone know how to do this?
Can I use multiple Directory directives for the same directory?
So I separate out my denying the malicious IPs from the denying all requests apart from GET and HEAD?
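The following is an added example, not part of the original post: a small Python model of Apache's documented Order evaluation, applied to the Directory-level Allow/Deny lines above, showing that under Order Deny,Allow a matching "Allow from all" overrides the per-IP Deny lines. The function names and the sample client addresses 10.10.1.5 and 198.51.100.7 are assumptions, and the model does not cover LimitExcept or the merging of Directory sections.

```python
import ipaddress

# Directory-level rules from the posted vhost. The third Deny address in the
# post is not a parseable IPv4 address, so it is left out of this model.
DENY = ["111.111.111.111", "222.222.222.222"]
ALLOW = ["all"]

# Constructed sample clients (the last two addresses are not from the post).
CLIENTS = {
    "flagged": "111.111.111.111",
    "internal": "10.10.1.5",
    "external": "198.51.100.7",
}

def matches(spec, client):
    """True if a 'from' spec (the keyword all, an address or a CIDR block) covers client."""
    if spec == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def permitted(order, allow, deny, client):
    """Apply the documented Order semantics and return True if the request is let through."""
    allowed = any(matches(s, client) for s in allow)
    denied = any(matches(s, client) for s in deny)
    key = order.replace(" ", "").lower()
    if key == "deny,allow":
        # Deny is evaluated first, Allow second: a matching Allow overrides
        # a matching Deny, and a client matching neither is permitted.
        return allowed or not denied
    if key == "allow,deny":
        # Allow is evaluated first, Deny second: a matching Deny overrides
        # a matching Allow, and a client matching neither is denied.
        return allowed and not denied
    raise ValueError("unsupported Order value: " + order)

def decisions(order, allow=ALLOW, deny=DENY):
    """Map each sample client name to the access decision under the given rules."""
    return {name: permitted(order, allow, deny, ip) for name, ip in CLIENTS.items()}

if __name__ == "__main__":
    print("as posted (Deny,Allow):", decisions("Deny,Allow"))
    print("reordered (Allow,Deny):", decisions("Allow,Deny"))
    print("/admin block:", decisions("Deny,Allow", allow=["10.10.0.0/22"], deny=["all"]))
```

The same evaluator shows the /admin block behaving as its comment intends, because nothing there matches an Allow for addresses outside 10.10.0.0/22.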