r1901156

Reputation: 123

Apache deny from list of ip's in external file

I'd like to maintain a file which includes a list of IPs which are blocked from using a site. I understand Deny from can be used to achieve this (e.g. Deny from 127.0.0.1 10.0.0.1 some.other.ip.address).

However, I'd like an external file so that an individual who does not have access to the config can update a txt file with IPs, and this will then be included in the Deny from.

Does anyone have any recommendations on how this can be achieved? Any help is greatly appreciated.

Upvotes: 6

Views: 14603

Answers (6)

Eldy

Reputation: 508

From Apache httpd version 2.3.6 and later, you can use the directive

IncludeOptional /etc/myfilewithrequireip.conf

See https://httpd.apache.org/docs/2.4/mod/core.html#includeoptional

Using Include is also possible, but an error will be reported if the conf file does not exist.

Upvotes: 0

RafaSashi

Reputation: 17205

I have a workaround using .htaccess, a folder and a list of files with the banned IP as the title.

If the IP file in banned_ips exists, then return the forbidden flag:

RewriteCond "%{DOCUMENT_ROOT}/banned_ips/%{HTTP:X-FORWARDED-FOR}" -f
RewriteRule .* - [F]

My example is for AWS CloudFront, but you can replace HTTP:X-FORWARDED-FOR with REMOTE_ADDR or any variable containing the visitor IP.

Alternatively you can use HTTP_HOST to keep a directory per site, like:

RewriteCond "%{DOCUMENT_ROOT}/banned_ips/%{HTTP_HOST}/%{REMOTE_ADDR}" -f
RewriteRule .* - [F]

This way you never need to update your .htaccess file, and you can even programmatically add IPs from honeypot lists or your own tracker.

Please let me know in the comments what you think about this method in terms of scalability and/or safety.

Upvotes: 0

Morten Oelbye

Reputation: 11

In Windows httpd.conf:

<Directory />
Include "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/deny.txt"
</Directory>

deny.txt contains:

Deny from xxx.xxx.xxx.xxx
etc.

Upvotes: 0

Smylers

Reputation: 1713

Using a RewriteMap map as the external IP address file works for a list of individual IP addresses:

RewriteEngine on
RewriteMap allowed "txt:${site_dir}/etc/allowed_ip_addresses"

UnsetEnv ALLOWED

RewriteCond ${allowed:%{REMOTE_ADDR}} 1
RewriteRule ^ - [E=ALLOWED]

<Location />
  Deny  from all
  Allow from env=ALLOWED
</Location>

Then allowed_ip_addresses contains lines like:

10.42.1.123      1
192.168.100.456  1

That maps allowed IP addresses to the value 1, and all other IP addresses to the empty string.

The RewriteCond looks up REMOTE_ADDR in the map, and if it's 1 then it sets an environment variable. UnsetEnv ensures that the variable is definitely unset otherwise.

Then Allow from only permits access when that environment variable has been set.

The external map file can have different filesystem permissions from your Apache config, and changes to it take effect immediately, without requiring restarting Apache.

Upvotes: 3

William Greenly

Reputation: 3989

Look at the Apache Include directive:

http://httpd.apache.org/docs/2.2/mod/core.html#include

You can create a separate configuration file containing your denied list and include it in any other configuration file, i.e. a site in sites-available. Example usage below:

In /etc/apache2/sites-enabled/yoursite.conf

<VirtualHost *:80>
...

Include /etc/apache2/sites-access/yoursite.conf

...
</VirtualHost>

In /etc/apache2/sites-access/yoursite.conf

order allow,deny
deny from 10.0.0.1
allow from all

Upvotes: 9

chrvadala

Reputation: 592

This is not a real security method, but you can put this txt file in a shared directory and update the Apache config with a cron job...

Another method is with .htaccess:

order allow,deny
deny from 10.0.0.1
allow from all

Upvotes: 2
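The cron-job approach from this answer and the Include approach from William Greenly's answer both end up handing a file edited by a non-admin to Apache, so the generator should validate every line before it becomes a directive. An added example, not code from any answer above, with the text-file and output paths left as assumptions:

```python
import ipaddress
import os
import tempfile

def parse_ip_list(text):
    """Split the text file into (accepted, rejected). Blank lines and '#'
    comments are ignored; each other line must be one IPv4/IPv6 address or
    CIDR block, otherwise it is rejected rather than handed to Include,
    which would read any stray text as an Apache directive."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets a host address carry a prefix: 10.0.0.1/24 -> 10.0.0.0/24
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        single_host = net.prefixlen == net.max_prefixlen
        accepted.append(str(net.network_address) if single_host else str(net))
    return accepted, rejected

def render_deny_conf(addresses):
    """Render the 2.2-style access block used in the answers above."""
    lines = ["# generated from the blocked-IP text file; edit that file, not this one",
             "Order allow,deny"]
    lines += ["Deny from %s" % a for a in addresses]
    lines.append("Allow from all")
    return "\n".join(lines) + "\n"

def write_atomically(path, content):
    """Write via temp file + rename so Apache never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.replace(tmp, path)

# Constructed sample standing in for the text file the non-admin edits.
SAMPLE = """# one address or CIDR block per line
127.0.0.1
10.0.0.1/24
2001:db8::1
10.0.0.1 10.0.0.2
some.other.ip.address
"""

# Usage from cron (paths assumed): parse the list, write the include, then reload.
#   ok, bad = parse_ip_list(open("/etc/apache2/blocked_ips.txt").read())
#   write_atomically("/etc/apache2/sites-access/yoursite.conf", render_deny_conf(ok))
```

Run `apachectl configtest` before the graceful reload, and log the rejected lines so a typo in the text file is noticed rather than silently dropped.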
