
How to restrict site access to all countries except mine with .htaccess?

@Gretchen104

Posted in: #Apache2 #Htaccess #IpAddress #Security

I used this tool to download a list in ".htaccess allow" format to allow traffic from my country and restrict all others, but it's still accessible when visiting from a bunch of foreign proxies.

I'm restricting access to my home dev server, where I certainly don't need traffic from China, Uganda, Russia and other countries I found while inspecting Apache logs.

Apparently, this format doesn't seem to work:

<Limit GET POST>
order deny,allow
allow from 37.18.184.0/22
allow from 37.18.188.0/22
allow from 37.19.104.0/22
allow from 37.19.108.0/22
allow from 37.35.8.0/22
allow from 37.35.12.0/22
allow from 37.35.64.0/22
allow from 37.35.68.0/22
allow from 37.77.168.0/22
allow from 37.77.172.0/22
deny from all
</Limit>


3 Comments


@Michele947

From the information in your question, it's hard to say what might be wrong. I'd suggest starting with the following test:


Write a simple script that echoes your IP address back, something like this (in PHP):

Your IP address is: <?= $_SERVER['REMOTE_ADDR'] ?>

Visit the script from a foreign proxy, and note the address it reports. Compare the address to the Allow lines in your .htaccess file.


The results of this experiment should narrow down the possibilities a bit:


If the reported IP address doesn't match any of the Allow lines, then either Apache is not obeying your access controls at all for some reason, or there's another Allow line somewhere that's letting the request get through.
If the IP address does match one of the Allow lines, but appears to be the correct address of the proxy (try a reverse DNS lookup), then either your GeoIP database is wrong or the proxy is not located where you think it is.
If the reported IP address points to your own webhost, it may belong to a reverse HTTP proxy in front of your webserver. In that case, you'll need to figure out how to extract the real IP address of the client from the request headers (e.g. X-Forwarded-For) set by the proxy.
If the IP address reported by the script is your own, then either you didn't correctly configure your browser to use the proxy after all, or (unlikely) the proxy passed your IP address along in the request headers and, for some reason, your webserver is configured to blindly trust such headers (which is a bad idea — HTTP request headers are trivial to forge).
If none of the above hold, then something weird is going on. Doing a reverse DNS and/or WHOIS lookup on the reported IP address might help you figure out what.


P.S. You probably don't want to use <Limit> around your access controls, at least unless you really want to allow e.g. HEAD and PUT requests from any country.


@Samaraweera270

The best way is to use one of the existing Apache GeoIP tools (or modules):


mod-geoip (example for Debian)
MaxMind GeoLite Country (usage - Getting Visitor's Country with PHP using Geo IP)


@Steve110

Try with the netmask instead of the CIDR notation:

<Limit GET POST>
order deny,allow
allow from 37.18.184.0/255.255.252.0
...
allow from 37.77.172.0/255.255.252.0
deny from all
</Limit>


Alternatively do it like this:

<Limit GET POST>
order deny,allow
allow from 37.18.184.
allow from 37.18.185.
allow from 37.18.186.
allow from 37.18.187.
...
allow from 37.77.172.
allow from 37.77.173.
allow from 37.77.174.
allow from 37.77.175.
deny from all
</Limit>

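Added example, not part of any answer above: a Python sketch of the comparison step from the first answer, checking an address reported by the test script against the Allow lines. It handles the three address formats used on this page (CIDR, netmask and partial address); the function names, the sample .htaccess text and the client addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample using the three Allow formats that appear on this page.
HTACCESS = """\
<Limit GET POST>
order deny,allow
allow from 37.18.184.0/22
allow from 37.35.8.0/255.255.252.0
allow from 37.77.172.
deny from all
</Limit>
"""

def parse_allow_networks(text):
    """Return (network, source_line) pairs for each 'allow from' address spec."""
    nets = []
    for raw in text.splitlines():
        m = re.match(r"\s*allow\s+from\s+(.+)", raw, re.IGNORECASE)
        if not m:
            continue
        for spec in m.group(1).split():
            octets = spec.rstrip(".").split(".")
            if spec.lower() == "all":
                spec = "0.0.0.0/0"  # IPv4 view of a stray "allow from all"
            elif re.fullmatch(r"[\d.]+", spec) and len(octets) < 4:
                # Partial address: "37.77.172." means the whole 37.77.172.0/24.
                spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
            try:
                nets.append((ipaddress.ip_network(spec, strict=False), raw.strip()))
            except ValueError:
                continue  # hostname or env= form, not an address range
    return nets

def matching_allow_lines(ip, text=HTACCESS):
    """List the Allow lines that would admit this client address."""
    addr = ipaddress.ip_address(ip)
    return [line for net, line in parse_allow_networks(text) if addr in net]

if __name__ == "__main__":
    # Constructed addresses standing in for what the echo script reports.
    for ip in ("37.18.187.255", "37.35.11.9", "37.77.173.40", "203.0.113.7"):
        hits = matching_allow_lines(ip)
        print(ip, "->", hits or "no Allow line matches; 'deny from all' applies")
```

An empty result for a request that still got through points at the other cases in the first answer: access controls not being applied, or another Allow line elsewhere in the configuration.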

