httpd-users mailing list archives

From Andrew Clarke <acla...@civica.com.au>
Subject [users@httpd] Applying a universal rewrite
Date Mon, 10 Jul 2006 01:31:06 GMT

Hi folks,

I've downloaded and installed the free "Lite" version of a very nice little 
tool which will allow me to know the country a connection is coming from; 
I'm going to use it to block users of my website based on country so that I 
can eliminate vast ranges of script kiddies trying to attack my server. (It 
also lets you use the country knowledge for other, more positive 
reasons - check it out at http://www.maxmind.com/)

Once loaded, the module defines an environment variable GEOIP_COUNTRY_CODE 
and then the doco suggested this rule to choose countries to block:

<IfModule mod_geoip.c>
    GeoIPEnable On
    GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat MemoryCache

    SetEnvIf GEOIP_COUNTRY_CODE ^(AT|BR|CN|DE|EE|ES|FR|HK|IE|IN|IT|JP|KR|MX|MY|NL|NO|PE|PH|RU|SG|TH|TW)$ BlockCountry=1
</IfModule>

That list of country codes is where all my script kiddy traces have come 
from.

Finally, using the BlockCountry env variable, you can do the following in a 
Location block:

    RewriteEngine on
    RewriteCond %{ENV:BlockCountry} =1
    RewriteRule .* http://somewhereunpleasant.com/ [L,R=301]

I inserted this into a Location block and added my own country code (actually 
added --, which is the country code when it can't determine where you are 
from. This happens when you ask for the country of a local IP on a private 
subnet in the 10. or 192.168. range). The rewrite works admirably so I know 
I have it installed properly and the rewrite rule written correctly.

My problem is, how do I make this rewrite work site-wide without having to 
insert it into every Location block on the server? Rewrites don't appear to 
work outside of Location blocks, and unless I'm doing something wrong, it 
doesn't work in the <Directory /> block either.

[second posting; looks like the mailing list filters out messages containing 
the name of real "somewhere unpleasant" websites...]



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
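
Added example, not part of the original post or of the mod_geoip documentation: mod_rewrite directives are also accepted in server config and virtual host context, but rewrite configuration is not inherited by virtual hosts unless each one asks for it. The sketch assumes BlockCountry is set by the SetEnvIf line from the post, uses a placeholder host name, and swaps the redirect for a 403 response.

```apache
# Added example: the rule from the post, placed server-wide.
# Assumption: mod_geoip and the SetEnvIf line from the post are already in the
# main server config, so BlockCountry is set before URL translation runs.

# Main server config, outside any <Location>, <Directory> or <VirtualHost>.
RewriteEngine on
RewriteCond %{ENV:BlockCountry} =1
# In server context the pattern is tested against the URL path, which starts
# with "/"; "^" matches every request. "-" means no substitution and [F]
# answers 403 Forbidden, so nothing is sent on to a third-party site.
RewriteRule ^ - [F]

# Virtual hosts do not pick up the main server's rewrite configuration.
# Each one needs its own "RewriteEngine on", plus either its own copy of the
# rules or "RewriteOptions inherit" to pull in the main server's
# conditions and rules.
<VirtualHost *:80>
    # Placeholder host name for illustration only.
    ServerName www.example.invalid
    RewriteEngine on
    RewriteOptions inherit
</VirtualHost>
```

Run `apachectl configtest` after the change and request a page from each virtual host to confirm the rule is applied there as well.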

