
Moving to new Apache 2.4 access control syntax


I am updating my original question as I was confusing "Require not host" for the hostname contained in a referrer string.

So this is what I need to make sure of now: in Apache 2.2 I was doing the following to allow/deny certain IP ranges, user-agents and domain names / referrers.

This is a very shortened example as I don't want to burden anyone with too much code. I've tested the Apache 2.4 code block, which appears to work fine, but is this the correct way of doing things now?

Is it necessary to specify whitelisted IPs and domains as I was doing before, or is it only necessary to blacklist due to the Require all granted?

The old 2.2 method works 100% on Apache 2.4 as long as the mod_access_compat module is loaded, but obviously getting things right for Apache 2.4 without using a compatibility module is first prize.

Apache 2.2:

<Directory /var/www/html>
    Order Allow,Deny
    Allow from all
    Allow from env=good_bot
    Allow from env=good_ref
    Allow from 131.253.24.0/22
    Allow from 131.253.46.0/23
    deny from 104.197.51.76
    deny from 108.167.189.81
    deny from env=bad_bot
    deny from env=spam_ref
</Directory>

Apache 2.4:

<Directory /var/www/html>
    <RequireAny>
        <RequireAll>
            Require all granted
            Require not ip 104.197.51.76
            Require not ip 54.242.250.203
            Require not env bad_bot
            Require not env spam_ref
        </RequireAll>

        <RequireAny>
            Require ip 131.253.24.0/22
            Require ip 131.253.46.0/23
            Require env good_ref
            Require env good_bot
        </RequireAny>
    </RequireAny>
</Directory>

Solution

  • I can confirm that my Apache 2.4 example is correct. I've tested it with a huge list of referrers, user-agents, blacklisted and whitelisted IPs and it appears to be perfect. I also confirmed by unloading the mod_access_compat module and reloading Apache with a2dismod access_compat.

    So this is now the correct way to do things in Apache 2.4.

    <Directory /var/www/html>
        <RequireAny>
            <RequireAll>
                Require all granted
                Require not ip 104.197.51.76
                Require not ip 54.242.250.203
                Require not env bad_bot
                Require not env spam_ref
            </RequireAll>

            <RequireAny>
                Require ip 131.253.24.0/22
                Require ip 131.253.46.0/23
                Require env good_ref
                Require env good_bot
            </RequireAny>
        </RequireAny>
    </Directory>
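
Under `Order Allow,Deny` a matching deny always overrides an allow, whereas the outer `<RequireAny>` in the 2.4 block grants access when either child block passes. The simplified Python model below is an added example, not part of the original post; it compares the two on constructed requests. Its function names and sample requests are hypothetical, and it assumes the 2.4 deny list for both versions.

```python
# Added example: simplified model of the two access-control blocks on this page.
# Assumption: the 2.4 deny list is used for both versions so the rule sets match.
from ipaddress import ip_address, ip_network

DENY_IPS = ["104.197.51.76", "54.242.250.203"]
DENY_ENV = {"bad_bot", "spam_ref"}
ALLOW_NETS = ["131.253.24.0/22", "131.253.46.0/23"]
ALLOW_ENV = {"good_ref", "good_bot"}

def in_nets(ip, nets):
    return any(ip_address(ip) in ip_network(n) for n in nets)

def blacklisted(ip, env):
    return in_nets(ip, DENY_IPS) or bool(env & DENY_ENV)

def whitelisted(ip, env):
    return in_nets(ip, ALLOW_NETS) or bool(env & ALLOW_ENV)

def decide_22(ip, env):
    """Order Allow,Deny: some Allow must match, then any Deny match rejects."""
    allow_match = True  # "Allow from all" matches every request
    return allow_match and not blacklisted(ip, env)

def decide_24(ip, env):
    """Outer <RequireAny>: access is granted if either child block passes."""
    require_all = not blacklisted(ip, env)  # all granted + "Require not" lines
    require_any = whitelisted(ip, env)      # inner <RequireAny>
    return require_all or require_any

def decide_24_strict(ip, env):
    """Hypothetical variant: only the <RequireAll> block, so deny rules win."""
    return not blacklisted(ip, env)

# Constructed requests: (client IP, env vars set for it, e.g. by SetEnvIf)
SAMPLES = [
    ("198.51.100.7", set()),
    ("104.197.51.76", set()),
    ("104.197.51.76", {"good_ref"}),
    ("198.51.100.7", {"bad_bot", "good_ref"}),
    ("131.253.24.10", {"spam_ref"}),
]

def divergences():
    """Requests that the 2.2 block rejects but the 2.4 block admits."""
    return [(ip, sorted(env)) for ip, env in SAMPLES
            if not decide_22(ip, env) and decide_24(ip, env)]

if __name__ == "__main__":
    for ip, env in SAMPLES:
        print(ip, sorted(env), decide_22(ip, env), decide_24(ip, env))
```

In this model, the three sample requests that match both a deny rule and an allow rule are rejected by the 2.2 logic and admitted by the 2.4 logic. Keeping only the `<RequireAll>` block (`decide_24_strict`) reproduces the 2.2 decisions for every sample.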