Forum Discussion

stolivar_88319
Feb 11, 2009

.htaccess no longer denying pages to non specified IP addresses

Seems I have run into another problem. Websites that have .htaccess files in directories that restrict viewing a page if you don't match an IP aren't working anymore.

my .htaccess looks like

deny from all
allow from 169.147
allow from 10


I think the problem is that my F5 devices are on the 10.x.x.x subnet (so is the rest of our network) and Apache sees these IPs as the requesting IPs and is letting them in. I am using the XForward rule to allow the Apache logs to see the requesting IP addresses, but this doesn't seem to work when it comes to .htaccess files.

Any suggestions because I am stumped.

7 Replies

  • Hmmm...so I'm guessing if you disallow the specific 10.x.x.x SNAT address then legitimate customers would also get denied.

    I suppose you could use an iRule to SNAT clients from 169.147.x.x and 10.x.x.x to an allowed 10. address, and everyone else to a different address that was denied in .htaccess.

    Something like this: (not syntax checked)

     when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr]/8 equals 10.0.0.0] || [IP::addr [IP::client_addr]/16 equals 169.147.0.0] } {
            # SNAT to the address that .htaccess allows
            snat 10.x.x.A
        } else {
            # SNAT to the address that .htaccess denies
            snat 10.x.x.B
        }
     }


    Denny

  • I will look at this and run this by my networking folks to make sure we can do it.

    Thank you for the suggestion.
  • I haven't heard back from my network guys yet.

    I did find this at http://www.it.emory.edu/showdoc.cfm?docid=11252&fr=1092

    Apache Notes

    Because of a quirk of our load balancer configuration, all incoming requests seem to come from the load balancer's IP address. If you want to restrict access to content based on source IP address in a .htaccess file, something like this will not work:

    deny from all
    allow from 170.140.0.0/16 163.246.0.0/16

    Instead, use mod_rewrite to inspect the X-Forwarded-For header:

    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-For} "!(170\.140|163\.246)\.[0-9]{1,3}\.[0-9]{1,3}$"
    RewriteRule .* - [F]

    But I can't get it to work when I change the condition to my IPs; it just blocks everything.
  • Okay, this works

    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-For} "!(170\.140|163\.246)\.[0-9]{1,3}\.[0-9]{1,3}$"
    RewriteRule .* - [F]

    but now I have the issue that a number of my .htaccess files have a double challenge. If you are in the list of allowed IPs then you are granted access; if you are denied via IP you are then prompted for basic authentication. The prompt for authentication no longer works when I use the Rewrite rule. Thoughts?

    Example:

    ------------------------new addition-------------
    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-For} "!^(10\.[0-9]{1,3}|129\.[0-9]{1,3}|169\.147)\.[0-9]{1,3}\.[0-9]{1,3}$"
    RewriteRule .* - [F]
    ------------------------end new addition------------------

    ----------------------original file-------------------
    order deny,allow
    deny from all
    allow from kumc.edu
    allow from ukans.edu
    allow from 169.147
    allow from 129.237
    allow from 10
    AuthType Basic
    AuthUserFile /pulse-root/lar/.htpasswd
    AuthName "Directory Protected"
    Require valid-user
    Satisfy any
    AddType text/html .html .htm
    AddHandler server-parsed .html .htm
    ---------------------------end original file--------------------
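    An offline check for the RewriteCond pattern used in this post, added here and not part of the thread: it applies an allow-pattern with Apache's "no match means forbidden" semantics to constructed X-Forwarded-For values, including a variant of the pattern with a stray `}` after `169\.147` to show how such a slip silently denies a whole range. It also shows that the `^...$` anchoring rejects a comma-separated header outright, while the unanchored Emory pattern above, anchored only with `$`, would inspect just the last address.

```python
import re

# Allow-pattern in the shape used by the RewriteCond above. ALLOWED_TYPO carries a
# stray "}" after 169\.147 (an easy slip when editing the pattern); ALLOWED is the
# intended pattern. Both PCRE (Apache) and Python treat an unmatched "}" as a
# literal character, so the typo silently turns that alternative into "169.147}".
ALLOWED_TYPO = r"^(10\.[0-9]{1,3}|129\.[0-9]{1,3}|169\.147})\.[0-9]{1,3}\.[0-9]{1,3}$"
ALLOWED = r"^(10\.[0-9]{1,3}|129\.[0-9]{1,3}|169\.147)\.[0-9]{1,3}\.[0-9]{1,3}$"


def rewrite_forbids(xff_value, allowed_pattern):
    """Emulate  RewriteCond %{HTTP:X-Forwarded-For} "!<pattern>"  followed by
    RewriteRule .* - [F]: the request is forbidden when the header value does
    NOT match. Apache applies the pattern as an unanchored search, hence re.search.
    A missing header expands to an empty string, which never matches."""
    return re.search(allowed_pattern, xff_value) is None


def audit(allowed_pattern, samples):
    """Run the pattern over a list of header values; True means 403 Forbidden."""
    return {value: rewrite_forbids(value, allowed_pattern) for value in samples}


# Constructed sample header values (not from the thread): internal and campus
# addresses, an outside address, no header at all, and a comma-separated list as
# produced when a proxy appends its own entry to a header the client already sent.
SAMPLES = [
    "10.1.2.3",
    "129.237.5.6",
    "169.147.10.20",
    "203.0.113.5",
    "",
    "203.0.113.5, 10.1.2.3",
]

if __name__ == "__main__":
    for name, pattern in (("typo", ALLOWED_TYPO), ("intended", ALLOWED)):
        print(f"--- {name} pattern ---")
        for value, forbidden in audit(pattern, SAMPLES).items():
            print(f"{value!r:28} -> {'403 Forbidden' if forbidden else 'allowed'}")
```

    Note that a request with no X-Forwarded-For header at all (one that did not pass through the load balancer) is also forbidden by this construction.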

     

  • Matt, thank you. Yes I realize I posted the [F] in there, I have played with mod_rewrite and can't seem to get it to go from checking IPs to providing auth.

    I would look at going with iRules but I don't have control over all the .htaccess files that could be put on the server. This is a large university website where each dept has rights to their folder and can control access how they please. If I go with iRules, then I have to be made aware of any new changes and keep that updated.

    Any other suggestions?

  • also tried this in

    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-For} "!^(10\.[0-9]{1,3}|192\.[0-9]{1,3}|169\.147)\.[0-9]{1,3}\.[0-9]{1,3}$"
    RewriteRule .* - [F]

    RewriteCond %{HTTP:Authorization} !^$
    RewriteCond %{QUERY_STRING} ^$
    RewriteRule ^index\.html$ index.html_%{HTTP:Authorization}
    RewriteRule ^([^_]*)_([^B|b]*)Basic.?([A-Za-z0-9]*) /index.html [L,QSA,R,NC]
    RewriteCond %{ENV:REDIRECT_STATUS} 200
    RewriteRule ^.*$ - [L]

    order deny,allow
    deny from all
    AuthType Basic
    AuthUserFile /pulse-root/shawn/.htpasswd
    AuthName "Directory Protected"
    Require valid-user
    Satisfy any
    AddType text/html .html .htm
    AddHandler server-parsed .html .htm

    Trying the different conditions and rules, commenting them out as I went. Nothing helped.