[Solved] Restricting access from several IP/Ranges
Added by rubenc over 15 years ago
Hi,
I have a setup in which I need to allow 8-10 individual IPs and 5-6 IP ranges to access a virtualhost, and deny access to the rest. I've tried this:
$HTTP["host"] == "something.server.com" {
    $HTTP["remoteip"] !~ "172.20.0.0/12|10.12.0.0/16|x.x.26.166|x.x.161.225|x.x.254.212|x.x.149.91|x.x.23.21|x.x.133.3|x.x.159.25|x.x.123.247" {
        url.access-deny = ( "" )
    }
    server.document-root = "/something"
}
But it doesn't work (denies access to anyone). What am I doing wrong? I'm using lighttpd-1.4.20.
Regards.
Replies (5)
RE: Restricting access from several IP/Ranges - Added by nitrox over 15 years ago
The "== or !=" allows for netblocks, as regex "=~ or !~" allows for a single ip-address only.
So you can do something like this:
$HTTP["remoteip"] != "172.20.0.0/12" {
    url.access-deny = ( "" )
}
$HTTP["remoteip"] != "10.12.0.0/16" {
    url.access-deny = ( "" )
}
$HTTP["remoteip"] !~ "^(x\.x\.26\.166|x\.x\.161\.225|x\.x\.254\.212|x\.x\.149\.91|x\.x\.23\.21|x\.x\.133\.3|x\.x\.159\.25|x\.x\.123\.247)$" {
    url.access-deny = ( "" )
}
RE: RE: Restricting access from several IP/Ranges - Added by Lexus45 about 7 years ago
Hello all.
This seems not to work for me.
All that I want is to deny access to anybody except a certain IP and a /16 or /24 subnet.
I tried different variants, but every time the subnet is being blocked (and I'm trying to allow it):
Like this (single remoteip inside single url). But I get "403 Forbidden" for any source IP:
$HTTP["url"] =~ "^/adm/" {
    $HTTP["remoteip"] != "33.222.0.0/16" {
        url.access-deny = ( "" )
    }
}
$HTTP["url"] =~ "^/adm/" {
    $HTTP["remoteip"] !~ "^(75\.209\.116\.4|79\.31\.34\.79)$" {
        url.access-deny = ( "" )
    }
}
Like this (several remoteip inside single url). In this case access is also blocked for all:
$HTTP["url"] =~ "^/adm/" {
    $HTTP["remoteip"] !~ "^(75\.209\.116\.4|79\.31\.34\.79)$" {
        url.access-deny = ("")
    }
    $HTTP["remoteip"] != "33.222.0.0/16" {
        url.access-deny = ( "" )
    }
}
A construction like this (with "x"es as wildcards) still blocks subnet 33.222.0.0/16, which is not what I want:
$HTTP["url"] =~ "^/zabbix/" {
    $HTTP["remoteip"] !~ "^(75\.209\.116\.4|79\.31\.34\.79|33\.222\.x\.x)$" {
        url.access-deny = ("")
    }
}
How do you restrict access to a certain URL, both for fixed IP addresses and subnets simultaneously?
Thank you.
RE: Restricting access from several IP/Ranges - Added by gstrauss about 7 years ago
Explicitly allow what you want, and then deny the rest.
$HTTP["url"] =~ "^/adm/" {
    $HTTP["remoteip"] == "33.222.0.0/16" {
    }
    else $HTTP["remoteip"] == "75.209.116.4" {
    }
    else $HTTP["remoteip"] == "79.31.34.79" {
    }
    else {
        url.access-deny = ( "" )
    }
}
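Why the sibling `!=` blocks tried earlier in this thread return 403 for every client while the `else` chain does not, as an added example that is not part of the original posts and is not lighttpd code. It is a small Python model that assumes each sibling condition block is evaluated on its own and treats the single addresses as /32 networks; the function names are made up for illustration.

```python
import ipaddress

# Allow-list taken from the thread; single hosts written as /32 (assumption of this model).
ALLOWED = ["33.222.0.0/16", "75.209.116.4/32", "79.31.34.79/32"]

# Constructed sample clients: one inside the /16, one listed host, one outsider.
SAMPLE_CLIENTS = ["33.222.10.5", "75.209.116.4", "198.51.100.7"]


def in_net(client, net):
    """True if client lies inside net. strict=False tolerates host bits set in net."""
    return ipaddress.ip_address(client) in ipaddress.ip_network(net, strict=False)


def sibling_negations(client, nets=ALLOWED):
    """Models one '$HTTP["remoteip"] != net { url.access-deny = ( "" ) }' block per entry.

    The blocks are independent, so a single non-matching entry is enough to deny.
    No address is inside every entry at once, so every client ends up denied.
    """
    return "deny" if any(not in_net(client, n) for n in nets) else "allow"


def else_chain(client, nets=ALLOWED):
    """Models '== net { } else == net { } ... else { url.access-deny = ( "" ) }'.

    The first matching entry ends the chain with an empty block (allow);
    only a client that matches nothing reaches the final else (deny).
    """
    for n in nets:
        if in_net(client, n):
            return "allow"
    return "deny"


def compare(clients=SAMPLE_CLIENTS):
    """Return {client: (sibling_negations result, else_chain result)}."""
    return {c: (sibling_negations(c), else_chain(c)) for c in clients}


if __name__ == "__main__":
    for client, (negated, chained) in compare().items():
        print(f"{client:15} sibling != blocks: {negated:5}  else chain: {chained}")
```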
RE: Restricting access from several IP/Ranges - Added by Lexus45 about 7 years ago
Works!
Thank you so much!
RE: RE: Restricting access from several IP/Ranges - Added by jonathanlee 20 days ago
This worked for me too:
$HTTP["remoteip"] != "192.168.1.0/27" {
    url.access-deny = ( "" )
}
After that you can get more granular:
$HTTP["remoteip"] != "192.168.1.0/27" {
    $HTTP["url"] =~ "^/(?:wpad.dat?|proxy.pac)" {
        url.access-deny = ( "" )
    }
}