httpd-dev mailing list archives

From Philip Prindeville <>
Subject Fwd: Quick 2.4 question
Date Thu, 30 Mar 2017 01:04:18 GMT
We weren’t able to figure out the way to do this, and we’re both wondering if this isn’t
a bug.

If you can say:

<Location />
    Require env is_local_client
</Location>

to allow access contingent on the presence of a flag, it should also be possible to do the
inverse: allow access contingent on the absence of a flag:

<Location />
    Require not env is_a_bogon
</Location>

Where is_a_bogon gets set via:

LoadModule setenvif_module modules/

BrowserMatch "^$" is_a_bogon
BrowserMatch "^ZmEu$" is_a_bogon
BrowserMatch "^Morfeus " is_a_bogon

<IfModule mod_geoip.c>
    SetEnvIf GEOIP_COUNTRY_CODE CN is_a_bogon
    SetEnvIf GEOIP_COUNTRY_CODE IR is_a_bogon
    SetEnvIf GEOIP_COUNTRY_CODE RU is_a_bogon
    SetEnvIf GEOIP_COUNTRY_CODE VN is_a_bogon
</IfModule>


So is_a_bogon only gets set if we’re seeing a User-Agent which is suspect, or if the traffic
is originating from hacker havens.

But this doesn’t seem to be doable in any obvious way.

This looks a bit like BZ 53069.

For what it’s worth, though, I also tried:

<Location />
        Require all granted
        Require not env is_a_bogon
</Location>

but that results in:

[29/Mar/2017:18:47:29 --0600] WNxVoSGJcKzTWLcEbdzNJgAAAAA 50909 443
GET /downloads/powercodebmu-r3813-964ba7a-x86-xeon-combined-squashfs.img HTTP/1.1
User-Agent: Wget/1.14 (darwin12.3.0)
Accept: */*
Connection: Keep-Alive

HTTP/1.1 403 Forbidden
Content-Length: 276
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1


Apache-Error: [file "mod_authz_core.c"] [line 873] [level 3] AH01630: client denied by server configuration: %s%s
Stopwatch: 1490834849214254 1971 (- - -)
Stopwatch2: 1490834849214254 1971; combined=850, p1=725, p2=0, p3=1, p4=86, p5=38, sr=452, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (; OWASP_CRS/2.2.8.
Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2k-fips mod_nss/1.0.12 NSS/3.23 Basic ECC mod_perl/2.0.10
Engine-Mode: "ENABLED"


so it’s not clear to me if there’s any way to achieve what I’m trying to do, or why
the solution in BZ 53069 wouldn’t be applicable (by analogy) here.

More broadly on a philosophical level, looking at Comment 3 by Daniel Gruno:

He writes:

“[…] I have made some changes to the access howto to emphasize that a negation cannot
stand on its own.”

Just out of curiosity, why can’t it stand on its own?

I don’t see anything intrinsically wrong about gating on the _absence_ of _negative factors_.

Can someone please set me straight?



> Begin forwarded message:
> From: Philip Prindeville <>
> Subject: Quick 2.4 question
> Date: March 28, 2017 at 2:32:03 PM MDT
> To: "William A. Rowe Jr." <>
> Hi William,
> Sorry to bother you with a triviality, but I’ve been wracking my brain with this one for a couple of hours now.
> I had an httpd-2.4 server that’s been humming for years, but recently (like 2 days ago following a Fedora 24 update) it started balking at ALL requests.
> Yes, I had been using Allow/Deny and mod_access_compat…  I’ll turn that off momentarily.
> The culprit (and it took me a long time to find it!) was:
> <Location />
>    Deny from env=is_a_bogon
> </Location>
> which I tried to rewrite as:
> <Location />
>    Require not env is_a_bogon
> </Location>
> but that complains about:
> Mar 28 14:04:49 mail httpd[2964]: AH00526: Syntax error on line 81 of /etc/httpd/conf.d/mod_setenvif.conf:
> Mar 28 14:04:49 mail httpd[2964]: negative Require directive has no effect in <RequireAny>
> I’ve also tried:
>    Require env !is_a_bogon
> but that gets me a syntax error.
> I looked at the 2.4 mod_setenvif pages but unfortunately it doesn’t go into a lot of detail of how to tie the tests together in with the actual Require directives.
> Can you set me straight here?
> Thanks,
> -Philip
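As an added example (editor's illustration, not part of Philip's message or of any reply on the list): in 2.4 the bare `<Location>` body is an implicit `<RequireAny>`, where a negated `Require` can only subtract and so "has no effect"; placing the negation inside an explicit `<RequireAll>` next to `Require all granted` makes it bite. The block below combines both snippets from the message: `is_local_client` and `is_a_bogon` are the flag names used above, and the BrowserMatch/GeoIP rules are copied from it.

```apache
LoadModule setenvif_module modules/mod_setenvif.so

# Flags from the message: suspect User-Agents and selected source countries
BrowserMatch "^$" is_a_bogon
BrowserMatch "^ZmEu$" is_a_bogon
BrowserMatch "^Morfeus " is_a_bogon
<IfModule mod_geoip.c>
    SetEnvIf GEOIP_COUNTRY_CODE CN is_a_bogon
    SetEnvIf GEOIP_COUNTRY_CODE IR is_a_bogon
    SetEnvIf GEOIP_COUNTRY_CODE RU is_a_bogon
    SetEnvIf GEOIP_COUNTRY_CODE VN is_a_bogon
</IfModule>

# Does NOT work: the implicit container is <RequireAny>, so the negation
# never grants anything and every request is denied with AH01630.
#   <Location />
#       Require not env is_a_bogon
#   </Location>

# Works: inside <RequireAll>, "all granted" supplies the grant and the
# negated env check vetoes it only when is_a_bogon is set.
<Location />
    <RequireAny>
        # local clients are always allowed, regardless of the bogon flag
        Require env is_local_client
        # everyone else is allowed unless flagged as a bogon
        <RequireAll>
            Require all granted
            Require not env is_a_bogon
        </RequireAll>
    </RequireAny>
</Location>
```

Run `httpd -t` after the change; the 2.4 syntax check is what emitted the "negative Require directive has no effect in <RequireAny>" error for the bare form, and it is silent for the `<RequireAll>` form.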
