Forum Discussion
stolivar_88319
Nimbostratus
Feb 11, 2009
.htaccess no longer denying pages to non-specified IP addresses
Seems I have run into another problem. Websites that have .htaccess files in directories that restrict viewing a page if you don't match an IP aren't working anymore.
my .htaccess looks like
deny from all
allow from 169.147
allow from 10
I think the problem is that my F5 devices are on the 10.x.x.x subnet (so is the rest of our network) and Apache sees these IPs as the requesting IPs and is letting them in. I am using the XForward rule to allow the Apache logs to see the requesting IP addresses, but this doesn't seem to work when it comes to .htaccess files.
Any suggestions because I am stumped.
7 Replies
- dennypayne
Employee
Hmmm...so I'm guessing if you disallow the specific 10.x.x.x SNAT address then legitimate customers would also get denied.
I suppose you could use an iRule to SNAT clients from 169.147.x.x and 10.x.x.x to an allowed 10. address, and everyone else to a different address that was denied in .htaccess.
Something like this: (not syntax checked)

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr]/8 equals 10.0.0.0] || [IP::addr [IP::client_addr]/16 equals 169.147.0.0] } {
        # snat to allowed address
        snat 10.x.x.A
    } else {
        # snat to denied address
        snat 10.x.x.B
    }
}

Denny
- stolivar_88319
Nimbostratus
I will look at this and run this by my networking folks to make sure we can do it.
Thank you for the suggestion.
- stolivar_88319
Nimbostratus
I haven't heard back from my network guys yet.
I did find this at http://www.it.emory.edu/showdoc.cfm?docid=11252&fr=1092
Apache Notes
Because of a quirk of our load balancer configuration, all incoming requests seem to come from the load balancer's IP address. If you want to restrict access to content based on source IP address in a .htaccess file, something like this will not work:
deny from all
allow from 170.140.0.0/16 163.246.0.0/16
Instead, use mod_rewrite to inspect the X-Forwarded-For header:
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-For} "!(170\.140|163\.246)\.[0-9]{1,3}\.[0-9]{1,3}$"
RewriteRule .* - [F]
But I can't get it to work when I change the condition to my IPs; it just blocks everything.
- stolivar_88319
Nimbostratus
Okay, this works
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-For} "!(170\.140|163\.246)\.[0-9]{1,3}\.[0-9]{1,3}$"
RewriteRule .* - [F]
but now I have the issue that a number of my .htaccess files have a double challenge. If you are in the list of allowed IPs then you are granted access; if you are denied via IP you are then prompted for basic authentication. The prompt for authentication no longer works when I use the Rewrite rule. Thoughts?
Example:
------------------------new addition-------------
RewriteEngine on
# Forbid unless X-Forwarded-For is a single 10.x, 129.x or 169.147.x address
RewriteCond %{HTTP:X-Forwarded-For} "!^(10\.[0-9]{1,3}|129\.[0-9]{1,3}|169\.147)\.[0-9]{1,3}\.[0-9]{1,3}$"
RewriteRule .* - [F]
------------------------end new addition------------------
----------------------original file-------------------
order deny,allow
deny from all
allow from kumc.edu
allow from ukans.edu
allow from 169.147
allow from 129.237
allow from 10
AuthType Basic
AuthUserFile /pulse-root/lar/.htpasswd
AuthName "Directory Protected"
Require valid-user
Satisfy any
AddType text/html .html .htm
AddHandler server-parsed .html .htm
---------------------------end original file--------------------
- stolivar_88319
Nimbostratus
Matt, thank you. Yes I realize I posted the [F] in there, I have played with mod_rewrite and can't seem to get it to go from checking IPs to providing auth.
I would look at going with iRules but I don't have control over all the .htaccess files that could be put on the server. This is a large university website where each dept has rights to their folder and can control access how they please. If I go with iRules, then I have to be made aware of any new changes and keep that updated.
Any other suggestions?
- stolivar_88319
Nimbostratus
also tried this in
RewriteEngine on
# Forbid unless X-Forwarded-For is a single 10.x, 192.x or 169.147.x address
RewriteCond %{HTTP:X-Forwarded-For} "!^(10\.[0-9]{1,3}|192\.[0-9]{1,3}|169\.147)\.[0-9]{1,3}\.[0-9]{1,3}$"
RewriteRule .* - [F]
RewriteCond %{HTTP:Authorization} !^$
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^index\.html$ index.html_%{HTTP:Authorization}
RewriteRule ^([^_]*)_([^B|b]*)Basic.?([A-Za-z0-9]*) /index.html [L,QSA,R,NC]
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^.*$ - [L]
order deny,allow
deny from all
AuthType Basic
AuthUserFile /pulse-root/shawn/.htpasswd
AuthName "Directory Protected"
Require valid-user
Satisfy any
AddType text/html .html .htm
AddHandler server-parsed .html .ht
Trying the different conditions and rules, commenting them out as I went. Nothing helped.
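As an added illustration (not code from the thread, F5 or Apache), a small Python model of the two RewriteCond patterns discussed above and of the "Satisfy any" question in the last posts; the phase order it assumes (host deny/allow on REMOTE_ADDR, then Basic auth only if that denied, then the per-directory RewriteRule) is Apache 2.2's per-directory sequence and is an assumption of this example, as are the sample addresses.

```python
import re

# Constructed for this example: the two RewriteCond patterns from the thread.
# Emory's has no "^", so it effectively tests the LAST X-Forwarded-For hop,
# the one the load balancer appended after any client-supplied value.
EMORY = r"(170\.140|163\.246)\.[0-9]{1,3}\.[0-9]{1,3}$"
# The poster's pattern exactly as posted: the stray "}" after 169\.147 is a
# literal brace in PCRE and in Python's re, so 169.147.x.x can never match.
POSTED = r"^(10\.[0-9]{1,3}|129\.[0-9]{1,3}|169\.147})\.[0-9]{1,3}\.[0-9]{1,3}$"
POSTED_FIXED = POSTED.replace("147}", "147")


def rewrite_forbids(pattern: str, xff: str) -> bool:
    """RewriteCond %{HTTP:X-Forwarded-For} "!pattern" feeding RewriteRule .* - [F]:
    mod_rewrite searches rather than full-matches, and [F] fires on no match."""
    return re.search(pattern, xff) is None


def decide(remote_addr: str, xff: str, has_credentials: bool,
           allow_prefixes=("169.147.", "129.237.", "10."),
           xff_pattern: str = POSTED_FIXED) -> int:
    """Status the thread's .htaccess yields, modelled on Apache 2.2's per-directory
    phase order (an assumption of this example, not taken from the thread):
      1. deny/allow is evaluated on REMOTE_ADDR, which is the F5 SNAT address;
      2. with 'Satisfy any', Basic auth is consulted only when step 1 denied;
      3. the per-directory RewriteRule runs afterwards (fixups) and can only 403."""
    if not remote_addr.startswith(allow_prefixes) and not has_credentials:
        return 401  # the Basic-auth challenge the poster wants to keep
    if rewrite_forbids(xff_pattern, xff):
        return 403  # [F] also hits a user who just authenticated successfully
    return 200


def thread_scenarios() -> dict:
    """Constructed requests; all reach Apache from the F5 SNAT address 10.0.0.5."""
    snat = "10.0.0.5"
    no_allow10 = ("169.147.", "129.237.")
    return {
        # 'allow from 10' admits the SNAT address, so a 401 is never reachable
        "campus_client": decide(snat, "169.147.10.20", False),
        "outside_client": decide(snat, "203.0.113.9", False),
        # without 'allow from 10' everyone, campus included, is challenged first
        "campus_no_allow10": decide(snat, "169.147.10.20", False, no_allow10),
        # the regex as posted blocks even the campus client
        "campus_as_posted": decide(snat, "169.147.10.20", False, xff_pattern=POSTED),
        # multi-hop header: "$" alone keys on the proxy-appended last hop, so a
        # client-supplied allowed prefix does not help; "^...$" fails closed
        "emory_spoofed": rewrite_forbids(EMORY, "170.140.1.1, 203.0.113.9"),
        "emory_last_hop": rewrite_forbids(EMORY, "203.0.113.9, 170.140.1.1"),
        "fixed_multi_hop": rewrite_forbids(POSTED_FIXED, "203.0.113.9, 169.147.1.1"),
    }
```

The model reproduces the symptom in the thread: with "allow from 10" the SNAT address always passes the host check, so the Basic-auth phase is skipped and the rewrite's 403 is the only outcome for a client whose X-Forwarded-For does not match.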
