Complex Apache Limit/SetEnvIf, allow all from domain except for IP

Question

I have the following .htaccess:

<Limit GET POST>
    SetEnvIf Host www.livedomain.com allow
    SetEnvIf Remote_Addr 1.1.1.1 allow
    SetEnvIf Remote_Addr 2.2.2.2 allow
    SetEnvIf Remote_Addr 3.3.3.3 allow
    Order deny,allow
    Deny from all
    Allow from env=allow
</Limit>

This .htaccess is used on two domains. On www.livedomain.com I want everyone access. On www.stagingdomain.com I only want the IPs 1.1.1.1, 2.2.2.2, 3.3.3.3 to have access.

This works fine.

Now, on the live site, I want to make a change to allow everyone except one IP (let's say 9.9.9.9).

I've tried doing something like this:

<Limit GET POST>
    SetEnvIf Host www.livedomain.com allow
    SetEnvIf Remote_Addr 9.9.9.9 deny
    SetEnvIf Remote_Addr 1.1.1.1 allow
    SetEnvIf Remote_Addr 2.2.2.2 allow
    SetEnvIf Remote_Addr 3.3.3.3 allow
    Order deny,allow
    Deny from all
    Allow from env=allow
</Limit>

But this doesn't work. I would have thought the env variable was overwritten with 'deny' and then the final Allow statement wouldn't apply. Is this not the case?

What's the simplest way to allow everyone from the one domain except one IP in this case?

Answer 1

My conf looks a bit different but works as expected:

SetEnvIf Host staging.mydomain.tld passreq
SetEnvIf Remote_Addr 1.1.1.1 !passreq
AuthType Basic
AuthName "Password Required"
AuthUserFile /home//html/.htpasswd
Require valid-user
Order allow,deny
Allow from all
Deny from env=passreq
Satisfy any

Answer 2

You should use !varname to unset or remove an already defined variable:

<Limit GET POST>
    SetEnvIf Host www.livedomain.com allow
    SetEnvIf Remote_Addr 9.9.9.9 !allow
    SetEnvIf Remote_Addr 1.1.1.1 allow
    SetEnvIf Remote_Addr 2.2.2.2 allow
    SetEnvIf Remote_Addr 3.3.3.3 allow
    Order deny,allow
    Deny from all
    Allow from env=allow
</Limit> 

Read more about SetEnvIf here