I have a setup where I need to block a few IPs and user agents as well as completely whitelist a few other IPs and URLs, regardless of what is blacklisted.
My old configuration with Apache 2.2 authorization was to deny all items either by IP or by environment variable for the blacklists and at the end to re-allow my whitelisted IPs and URLs (Order deny, allow). I’m trying to convert this to Apache 2.4 authorization containers.
What I’ve tried so far is this:
<Location />
    # whitelist by URI
    SetEnvIf Request_URI "^/robots.txt" robotsTXT
    SetEnvIf Request_URI "^/login.html" whitelistURI
    # blacklist by UA
    SetEnvIf User-Agent "^$" badUA
    SetEnvIf User-Agent "Go-http-client" badUA
    <RequireAll>
        Require all granted
        <RequireAll>
            Require all granted
            Require method GET POST HEAD
            # blacklist by IP
            Require not ip 1.2.0.0/16
            Require not ip 3.4.5.0/24
            # blacklist by env
            Require not env badUA
            Require not env otherReason
        </RequireAll>
        <RequireAny>
            # whitelist by IP
            Require ip 192.168.1.188
            #Require ip 192.168.1.189
            # whitelist by env
            Require env robotsTXT
            Require env whitelistURI
        </RequireAny>
    </RequireAll>
</Location>
But this doesn’t achieve the same effect of blocking all blacklisted items and then overriding the blocks with the whitelisting rules.
Any ideas how to achieve the same effect as the old “Order deny, allow”?
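
One way to get the old allow-overrides-deny behaviour in Apache 2.4, as an added example that is not part of the original post: make the outer container RequireAny, so a single whitelist match grants access by itself, and keep all blacklist negations together in one nested RequireAll. It reuses the rules from the question and assumes the variable name whitelistURI is spelled identically in SetEnvIf and Require env.

```apache
<Location />
    # whitelist by URI
    # Note: these patterns are anchored only at the start, so any path that
    # begins with them is whitelisted and skips every blacklist check below.
    SetEnvIf Request_URI "^/robots.txt" robotsTXT
    SetEnvIf Request_URI "^/login.html" whitelistURI

    # blacklist by UA
    SetEnvIf User-Agent "^$" badUA
    SetEnvIf User-Agent "Go-http-client" badUA

    # RequireAny succeeds as soon as ONE child succeeds. In the question the
    # outer container was RequireAll, which demanded "passes the blacklist"
    # AND "is whitelisted" at the same time.
    <RequireAny>
        # whitelist by IP
        Require ip 192.168.1.188
        #Require ip 192.168.1.189

        # whitelist by env
        Require env robotsTXT
        Require env whitelistURI

        # Everyone who is not whitelisted must pass every check in this block.
        # Negated requirements can only veto, so they sit in a RequireAll next
        # to a positive requirement ("Require all granted").
        # Whitelisted requests never reach this block, so they also bypass
        # the method restriction.
        <RequireAll>
            Require all granted
            Require method GET POST HEAD

            # blacklist by IP
            Require not ip 1.2.0.0/16
            Require not ip 3.4.5.0/24

            # blacklist by env
            Require not env badUA
            Require not env otherReason
        </RequireAll>
    </RequireAny>
</Location>
```

Run apachectl configtest after the change, then request a blacklisted path from a whitelisted IP and a normal path with an empty User-Agent to confirm both the override and the block.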