httpd-users mailing list archives

From Mark Montague <>
Subject Re: [users@httpd] Configuring <Limit GET HEAD POST> in httpd.conf file.
Date Mon, 14 Mar 2011 19:11:34 GMT

On March 14, 2011 14:12, Carmel <> wrote:
> I do not need users from China to have access to my server. I would like
> to use something like the list that follows to stop it. Unfortunately,
> I am not sure exactly where in my httpd.conf file I should put this so
> it works correctly.
> order allow,deny
> # Country: CHINA
> # ISO Code: CN
> # Total Networks: 1,927
> # Total Subnets:  308,311,808
> deny from
> deny from
> deny from
> deny from
> #more entries
> #
> allow from all
> </Limit>

Normally, you would put the Deny directives in a <Directory /> or 
<Location /> stanza inside your <VirtualHost> stanza in order to have 
them apply to the entire file or entire URI namespace.  You can put them 
inside of other <Directory> or <Location> stanzas, instead, if you'd 
like the Deny directives to apply less broadly.

Putting the Deny directives inside a <Limit> stanza -- as you have done 
above -- is discouraged.  See the documentation at which says:

> Access controls are normally effective for *all* access methods, and 
> this is the usual desired behavior. *In the general case, access 
> control directives should not be placed within a |<Limit>| section.*

I have never used it myself, so I don't know how good it is, but you may 
want to investigate using mod_geoip2 as an alternative to having a long 
list of networks in your configuration file.  See

The advantages should be:  shorter, easier-to-read and 
easier-to-maintain configuration files; a more comprehensive list of 
networks for each country; no need to restart httpd when the list of 
networks for a blocked country changes.

   Mark Montague
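
A small check for the pattern the reply warns against, as an added example that is not part of the original message: it scans httpd.conf text and reports Order/Allow/Deny lines nested in a `<Limit>` section, which Apache enforces only for the methods that section lists. The sample configuration, its directory path and the documentation-range networks are constructed; `<LimitExcept>` sections are a different section name and are not flagged.

```python
import re

# Apache 2.2 host-based access directives that appear in the thread.
ACCESS_DIRECTIVES = {"order", "allow", "deny"}
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*(\w+)\s*>")

def find_limit_scoped_rules(conf_text):
    """Return (line_no, methods, directive) for Order/Allow/Deny inside <Limit>."""
    findings, stack = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = CLOSE.fullmatch(line)
        if closing:
            # Unwind to the matching opener; a stray close tag is ignored.
            name = closing.group(1).lower()
            for i in range(len(stack) - 1, -1, -1):
                if stack[i][0] == name:
                    del stack[i:]
                    break
            continue
        opening = OPEN.fullmatch(line)
        if opening:
            stack.append((opening.group(1).lower(), opening.group(2).split()))
            continue
        if line.split()[0].lower() in ACCESS_DIRECTIVES:
            limit = next((s for s in reversed(stack) if s[0] == "limit"), None)
            if limit:
                findings.append((line_no, tuple(m.upper() for m in limit[1]), line))
    return findings

# Constructed sample; both networks are documentation ranges, not real data.
SAMPLE = """\
<Location />
    Order deny,allow
    Deny from 192.0.2.0/24
</Location>
<Directory /var/www/uploads>
    <Limit GET HEAD POST>
        Order deny,allow
        Deny from 198.51.100.0/24
    </Limit>
</Directory>
"""

if __name__ == "__main__":
    print(*find_limit_scoped_rules(SAMPLE), sep="\n")
```

Each finding names the methods the rule is bound to; requests using any other method are not evaluated against that rule.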
