httpd-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] Configuring <Limit GET HEAD POST> in httpd.conf file.
Date Mon, 14 Mar 2011 19:11:34 GMT
On March 14, 2011 14:12, Carmel <carmel_ny@hotmail.com> wrote:
> I do not need users from China to have access to my server. I would like
> to use something like the list that follows to stop it. Unfortunately,
> I am not sure exactly where in my httpd.conf file I should put this so
> it works correctly.
>
>
> <Limit GET HEAD POST>
> order allow,deny
> # Country: CHINA
> # ISO Code: CN
> # Total Networks: 1,927
> # Total Subnets:  308,311,808
> deny from 1.12.0.0/14
> deny from 1.24.0.0/13
> deny from 1.45.0.0/16
> deny from 1.48.0.0/15
> #more entries
> #
> allow from all
> </Limit>

Normally, you would put the Deny directives in a <Directory /> or 
<Location /> stanza inside your <VirtualHost> stanza in order to have 
them apply to the entire file or entire URI namespace.  You can put them 
inside of other <Directory> or <Location> stanzas, instead, if you'd 
like the Deny directives to apply less broadly.

Putting the Deny directives inside a <Limit> stanza -- as you have done 
above -- is discouraged.  See the documentation at 
http://httpd.apache.org/docs/2.2/mod/core.html#limit which says:

> Access controls are normally effective for *all* access methods, and 
> this is the usual desired behavior. *In the general case, access 
> control directives should not be placed within a <Limit> section.*

I have never used it myself, so I don't know how good it is, but you may 
want to investigate using mod_geoip2 as an alternative to having a long 
list of networks in your configuration file.  See

http://www.maxmind.com/app/mod_geoip
http://www.indiangnu.org/2010/how-to-install-geoip-and-mod_geoip2-on-centos-for-apache-2/
http://www.kaliphonia.com/content/linux/how-to-install-mod-geoip2-for-apache2-on-centos-server

The advantages should be:  shorter, easier-to-read and 
easier-to-maintain configuration files; a more comprehensive list of 
networks for each country; no need to restart httpd when the list of 
networks for a blocked country changes.

--
   Mark Montague
   mark@catseye.org
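
The placement described in the message above, as an added example that is not part of the original post. It uses Apache httpd 2.2 access-control syntax and the four networks quoted in the question; `example.com` and `/var/www/html` are placeholder values.

```apache
# Discouraged form (left commented out): inside <Limit>, the Deny lines
# bind only to the methods that are named. A request that uses any other
# method (OPTIONS, PUT, DELETE, ...) is not covered by them.
#
#<Directory />
#    <Limit GET HEAD POST>
#        Order allow,deny
#        Allow from all
#        Deny from 1.12.0.0/14
#    </Limit>
#</Directory>

# Preferred form: no <Limit>, so the rules apply to every request method.
<VirtualHost *:80>
    # Placeholder host name and document root
    ServerName example.com
    DocumentRoot /var/www/html

    # <Location /> covers the entire URI namespace of this virtual host.
    <Location />
        # With "Order allow,deny", Allow is evaluated first, then Deny.
        # A client that matches both Allow and Deny is denied.
        Order allow,deny
        Allow from all
        Deny from 1.12.0.0/14
        Deny from 1.24.0.0/13
        Deny from 1.45.0.0/16
        Deny from 1.48.0.0/15
    </Location>
</VirtualHost>
```

Run `apachectl configtest` after editing to catch syntax errors before reloading httpd.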

