Denial of user access via IP address through .htaccess files

itnifl
I am trying to deny all users except those with source address 192.168.1.0 access to the root of my web site, hosted with Apache2 on a Debian server. The root of the web server is /var/www. So I changed the relevant lines in httpd.conf:

DocumentRoot /var/www
AccessFileName .htaccess
<Directory "/var/www">
    AllowOverride AuthConfig
</Directory>

After this was done I created /var/www/.htaccess to contain this:

order allow,deny
allow from 192.168.1.
deny from all

I even tried to comment out the allow line, so that the .htaccess file would deny all. I also tried the same example with several other folders, without luck.

If I try to access the website, I am granted access, no matter whether everyone is denied or not, and no matter the source IP of the client accessing it. I set up authentication on another folder, /var/www/Secured, through a similar process. The only difference was the content of the .htaccess file and the inclusion of the password file created by htpasswd. The authentication system I set up worked at that attempt, but the denial of all clients, or of all clients except those in the specified IP range, did not work.

Any suggestions?
Most Valuable Expert 2015

Commented:
order deny,allow
deny from all
allow from 192.168.1.X

Fill in X to the correct number.
itniflProgrammer

Author

Commented:
That did not do the trick. The code was then as follows:

order deny,allow
deny from all
allow from 192.168.1.102

But even if it were to work, this is not what I want. I want to allow an IP range, 192.168.1.0 - 192.168.1.255, not only one IP. I am not sure, but if the allowing and denying of access work in any way like iptables rules, then denying all at the beginning would never let them get to the allow part. They would just be dropped at the deny rule. Please correct me and explain if I am wrong; that is why I originally chose to allow first and then deny all.
Hello itnifl,

Your logic of deny before allow is correct.

If you would like to encompass a whole network range, you would write it as such into the .htaccess file:

Allow From 192.168.1.0/24

Also, please make sure that the following is set in your httpd.conf file, in the section outlining the DocumentRoot:

AllowOverride Options AuthConfig Limit

The reason I mention the DocumentRoot is that if DocumentRoot is set not to permit an override on the options listed above, a child directory will not permit them either.

As always, please ensure that you restart Apache after changing the DocumentRoot permissions, and always check the logs for errors. Sometimes, you will find that a typo in configuration directives makes it seem like something is not working - thankfully, these are logged...

Cheers,

NotLogical
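Added example (not from the thread, and not Apache's code): a small Python model of how Apache 2.2's mod_authz_host evaluates Order / Allow from / Deny from, run against the three .htaccess bodies posted in this thread. It shows that under "order allow,deny" a "deny from all" line rejects every client, including the intended 192.168.1. range, while under "order deny,allow" the Allow line wins for the clients it matches.

```python
import ipaddress

# Added example (not from the thread, not Apache's code): a model of how
# Apache 2.2 mod_authz_host evaluates Order / Allow from / Deny from.

def host_matches(pattern: str, client_ip: str) -> bool:
    """Match one Allow/Deny argument: 'all', a CIDR, a full IP, or a partial
    dotted prefix such as '192.168.1.' (Apache matches whole leading octets)."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    prefix = pattern.rstrip(".") + "."
    return (client_ip + ".").startswith(prefix)

def parse_htaccess(text: str):
    """Collect the Order, Allow from and Deny from directives from .htaccess text.
    '#' lines are comments; Apache's default Order is Deny,Allow."""
    order, allow, deny = "deny,allow", [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "order" and len(parts) > 1:
            order = "".join(parts[1:])          # tolerate "deny, allow" with a space
        elif directive in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if directive == "allow" else deny).extend(parts[2:])
    return order, allow, deny

def access_granted(htaccess: str, client_ip: str) -> bool:
    """The directive type evaluated second wins when a client matches both;
    clients matching neither get that Order's default."""
    order, allow, deny = parse_htaccess(htaccess)
    allowed = any(host_matches(p, client_ip) for p in allow)
    denied = any(host_matches(p, client_ip) for p in deny)
    if order.lower() == "allow,deny":
        return allowed and not denied   # default deny; Deny overrides Allow
    if order.lower() == "deny,allow":
        return allowed or not denied    # default allow; Allow overrides Deny
    raise ValueError(f"unsupported Order: {order}")

# The .htaccess bodies posted in this thread (constructed sample input).
ORIGINAL = "order allow,deny\nallow from 192.168.1.\ndeny from all\n"
SINGLE_HOST = "order deny,allow\ndeny from all\nallow from 192.168.1.102\n"
SUBNET = "order deny,allow\ndeny from all\nallow from 192.168.1.0/24\n"
```

Note that the model only describes what the directives would do once they are actually applied; as the thread goes on to find, an AllowOverride in another configuration file can stop the .htaccess from being honoured at all.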
Most Valuable Expert 2015

Commented:
It does work -- that's how I do it on multiple apache configurations.  If you want a range, use 192.168.1.0/24.

"..does not work" means everyone still has access or no one has access?  What do the error logs indicate?
Most Valuable Expert 2015

Commented:
And ... the order of "allow,deny" changed between Apache v1.3 and v2. In v1.3, I used "allow,deny". In v2, I use "deny,allow".
itniflProgrammer

Author

Commented:
Seems as if Jesper gets support from some books I have been looking at. The order of allow and deny can be switched, at least in that example. But it is not working anyhow, even after taking your advice. Error log says nothing really.
Access.log says nothing out of the normal.
I flushed iptables to be sure there weren't any source addresses being changed.
I re-checked everything according to your advice.
Denying access based on IP address is not working, but authentication is.
Most Valuable Expert 2015

Commented:
Actually, I'm basing it on experience.

The order does matter.  In your main configuration file, your AllowOverride needs to match your directive:

AllowOverride Limit

I don't see any authentication information in the .htaccess file.
itniflProgrammer

Author

Commented:
All recommendations are now carried out, but without effect. I have a virtual machine trying to access the web server (which is also virtual) via a virtual network and from an IP range that is not allowed. But access is granted anyway.
Could it be that the virtual machines are going through the loopback interface, rather than a numbered interface?

Can you provide a detailed configuration file for Apache, an access_log showing the access which should be failing, an error_log to see if anything else may be amiss?
itniflProgrammer

Author

Commented:
Clients on the physical network can also access the website, even though I have now blocked all access. There were no errors in the access.log. I could retry from a physical client and check the logs again, but I guess the results would be the same.

.htaccess at /var/www :
order deny,allow
deny from all
#allow from 192.168.1.102
 
access.log at /var/log/apache2 :
192.168.1.108 - - [12/Aug/2009:11:14:46 +0200] "GET / HTTP/1.1" 200 1196 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Browzar)"
192.168.1.108 - - [12/Aug/2009:11:14:46 +0200] "GET /favicon.ico HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Browzar)"
::1 - - [12/Aug/2009:11:14:49 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:14:51 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:00 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:04 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:05 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:06 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:08 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:09 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"
::1 - - [12/Aug/2009:11:15:19 +0200] "GET / HTTP/1.0" 200 1196 "-" "Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 (internal dummy connection)"

#Tried allowing only from an IP that is not in use, and reloaded the Apache server:

.htaccess at /var/www changed to :
order deny,allow
deny from all
allow from 192.168.1.103
 
/etc/init.d/apache2 restart
 
#Same results
 
#/etc/apache2/httpd.conf :
 
ServerName 192.168.1.100
DocumentRoot /var/www
AccessFileName .htaccess
<Directory "/var/www">
    AllowOverride Limit 
</Directory>
 
<Directory "/var/www/Secured">
    AllowOverride AuthConfig
</Directory>
 
<Directory "/var/www/Restricted">
    AllowOverride AuthConfig
</Directory>
 
 
#The same info in apache2.conf :
 
<Directory "/var/www">
    AllowOverride Limit 
</Directory>
itniflProgrammer

Author

Commented:
Wonder why all those dummy connections from the IPv6 loopback address are showing up... ?
Programmer
Commented:
The error was found at last.
/etc/apache2/sites-enabled contains a file named 000-default that overrides all changes in httpd.conf, /var/www/.htaccess and apache2.conf. I understand this file sets up the site, and I can also set up several other sites in my Apache web server at this location?

Either way. Problem solved. I set up the correct rules as we have discussed here in this thread via /etc/apache2/sites-enabled/000-default and it worked! =)
