httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] <directory> and deny directives
Date Fri, 14 Sep 2007 13:06:13 GMT
On 9/14/07, Mark A. Craig <mark.a.craig@gmail.com> wrote:
> Joshua:
>
> Thanks for the quick and comprehensive reply.  Lemme address everything in order:
>
> 1. Whatcha mean by "the config is inherited"?  Did you mean to address my
> question about sub-directories?  I suspect so, but if not please clarify.
>
> 2. The status codes are in fact mostly 403s, but not ALL... some that match my
> deny directives, notably ".svservers.com", are still being allowed with 200s.
> The 403s that are occurring could also be the result of the http:BL module in
> the blog software itself, which checks the IPs of attempted commenters against
> the Project Honeypot DNS blacklist and bounces them with a 403 if the IP is a
> match (there's a lot of 403s for hostnames not in my little DENY list).  At
> least that's the only explanation I can imagine for the inconsistency.
>
> My goal here is to nail the spammy GETs; at first I'd considered a <LIMIT GET>
> directive, but I couldn't figure out where/how to apply it and so resorted to
> this current technique.

Don't use <Limit GET>. See the docs on <Limit> for why that would be a mistake.

Your config looks basically correct. But of course, other things in
your config file could be overriding it. If you replace all those Deny
directives with a "Deny from all", do you block all access? If not,
then either you aren't editing the correct place in the config file,
or you are overriding this config someplace else (such as in a
<Location> section).

Another likely issue is your use of hostnames. The hostnames that are
getting the 200 response above have messed-up reverse lookups. (The
domain you get when looking up the IP address does not map back to
that IP address.) Although I haven't checked the code, it is possible
that Apache is ignoring those ones because it can't confirm whether or
not the client is really in that domain.

In general, it is better to use IP addresses for blocking instead of domains.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
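
The reverse-lookup problem raised in the reply above, as an added example that is not part of the original message and is not Apache's code: a simplified model of a hostname deny rule that matches only when the client's reverse (PTR) name maps back to the same IP, next to an IP/CIDR rule that needs no DNS. The lookup tables, addresses, domain names and the functions `confirmed_hostname` and `denied` are all constructed for illustration.

```python
import ipaddress

# Constructed sample DNS data (documentation address ranges, made-up names).
PTR = {
    "192.0.2.10": "host10.spam.example",    # reverse and forward agree
    "198.51.100.7": "box7.spam.example",    # PTR claims the domain...
}
A = {
    "host10.spam.example": ["192.0.2.10"],
    "box7.spam.example": ["203.0.113.99"],  # ...but the forward lookup disagrees
}

def confirmed_hostname(ip, ptr=PTR, a=A):
    """Return the PTR name for ip only if a forward lookup of it includes ip."""
    name = ptr.get(ip)
    if name is None:
        return None
    return name if ip in a.get(name, []) else None

def denied(ip, rules, ptr=PTR, a=A):
    """True if any deny rule matches ip.

    A rule is either an IP/CIDR string or a domain suffix such as
    ".spam.example". Domain rules match only a confirmed hostname.
    """
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        try:
            net = ipaddress.ip_network(rule, strict=False)
        except ValueError:
            # Not an address: treat as a domain rule, which depends on DNS.
            host = confirmed_hostname(ip, ptr, a)
            suffix = rule.lstrip(".").lower()
            if host and (host.lower() == suffix
                         or host.lower().endswith("." + suffix)):
                return True
        else:
            # Address rule: decided from the connection's IP alone.
            if addr in net:
                return True
    return False

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "domain rule:", denied(ip, [".spam.example"]),
              "| CIDR rule:", denied(ip, ["192.0.2.0/24", "198.51.100.0/24"]))
```

In this model the client with inconsistent reverse DNS slips past the domain rule but is still caught by the CIDR rule, which is the practical reason for preferring IP addresses when blocking.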

