[Solved] Restricting access from several IP/Ranges

Added by rubenc over 9 years ago

Hi,

I have a setup in which I need to allow 8-10 individual IPs and 5-6 IP ranges to access a virtualhost, and deny access to the rest. I've tried this:

$HTTP["host"] == "something.server.com" {
    $HTTP["remoteip"] !~ "172.20.0.0/12|10.12.0.0/16|x.x.26.166|x.x.161.225|x.x.254.212|x.x.149.91|x.x.23.21|x.x.133.3|x.x.159.25|x.x.123.247" {
        url.access-deny = ( "" )
    }
    server.document-root = "/something"
}

But it doesn't work (denies to any). What am I doing wrong? I'm using lighttpd-1.4.20

Regards.


Replies (4)

RE: Restricting access from several IP/Ranges - Added by nitrox over 9 years ago

The "==" or "!=" operators allow netblocks, whereas the regex operators "=~" or "!~" allow a single IP address only.

So you can do something like this:

$HTTP["remoteip"] != "172.20.0.0/12" {
  url.access-deny = ( "" )
}

$HTTP["remoteip"] != "10.12.0.0/16" {
  url.access-deny = ( "" )
}

$HTTP["remoteip"] !~ "^(x\.x\.26\.166|x\.x\.161\.225|x\.x\.254\.212|x\.x\.149\.91|x\.x\.23\.21|x\.x\.133\.3|x\.x\.159\.25|x\.x\.123\.247)$" {
    url.access-deny = ( "" )
}

RE: RE: Restricting access from several IP/Ranges - Added by Lexus45 11 months ago

Hello all.
This seems not to work for me.

All I want is to deny access to everybody except certain IPs and a /16 or /24 subnet.

I tried different variants, but every time the subnet is blocked (which I'm trying to allow):

Like this (a single remoteip inside a single url). But I get "403 Forbidden" for any source IP:

$HTTP["url"] =~ "^/adm/" {
    $HTTP["remoteip"] != "33.222.0.0/16" {
        url.access-deny = ( "" )
    }
}

$HTTP["url"] =~ "^/adm/" {
    $HTTP["remoteip"] !~ "^(75\.209\.116\.4|79\.31\.34\.79)$" {
        url.access-deny = ( "" )
    }
}

Like this (several remoteip inside a single url). In this case access is also blocked for all:

$HTTP["url"] =~ "^/adm/" {
    $HTTP["remoteip"] !~ "^(75\.209\.116\.4|79\.31\.34\.79)$" {
        url.access-deny = ("")
    }

    $HTTP["remoteip"] != "33.222.0.0/16" {
        url.access-deny = ( "" )
    }

}

A construction like this (with "x"s as wildcards) still blocks subnet 33.222.0.0/16, which is not what I want:

$HTTP["url"] =~ "^/zabbix/" {
    $HTTP["remoteip"] !~ "^(75\.209\.116\.4|79\.31\.34\.79|33\.222\.x\.x)$" {
        url.access-deny = ("")
    }
}

How do you restrict access to a certain URL for both fixed IP addresses and subnets simultaneously?

Thank you.

RE: Restricting access from several IP/Ranges - Added by gstrauss 11 months ago

Explicitly allow what you want, and then deny the rest.

$HTTP["url"] =~ "^/adm/" {
    $HTTP["remoteip"] == "33.222.0.0/16" {
    }
    else $HTTP["remoteip"] == "75.209.116.4" {
    }
    else $HTTP["remoteip"] == "79.31.34.79" {
    }
    else $HTTP["remoteip"] != "" {  # (dummy match everything)
        url.access-deny = ( "" )
    }
}
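
Added illustration, not written by any poster in this thread and not lighttpd code: a simplified Python model of how the two rule shapes discussed above evaluate, using the /adm/ addresses from the posts and constructed sample clients. It assumes each matching conditional block applies its url.access-deny independently of the other blocks.

```python
import ipaddress
import re

# Addresses taken from the /adm/ example in the thread.
ALLOWED_NET = ipaddress.ip_network("33.222.0.0/16")
ALLOWED_HOSTS_RE = re.compile(r"^(75\.209\.116\.4|79\.31\.34\.79)$")
ALLOW_LIST = [ipaddress.ip_network(n) for n in
              ("33.222.0.0/16", "75.209.116.4/32", "79.31.34.79/32")]
WILDCARD_RE = re.compile(r"^(75\.209\.116\.4|79\.31\.34\.79|33\.222\.x\.x)$")


def stacked_negations_deny(ip: str) -> bool:
    """Model of two separate blocks: `!= net { deny }` and `!~ regex { deny }`.

    Each block is evaluated on its own, so deny fires when EITHER negated
    condition is true: a client would have to be in both lists to get in.
    """
    addr = ipaddress.ip_address(ip)
    deny = False
    if addr not in ALLOWED_NET:          # $HTTP["remoteip"] != "33.222.0.0/16"
        deny = True
    if not ALLOWED_HOSTS_RE.match(ip):   # $HTTP["remoteip"] !~ "^(...)$"
        deny = True
    return deny


def else_chain_deny(ip: str) -> bool:
    """Model of the `==` / `else` chain: first match wins, last branch denies."""
    addr = ipaddress.ip_address(ip)
    for net in ALLOW_LIST:               # the empty "allow" branches
        if addr in net:
            return False
    return True                          # catch-all branch sets url.access-deny


def wildcard_regex_matches(ip: str) -> bool:
    """The regex that uses x as a wildcard: x only matches a literal 'x'."""
    return WILDCARD_RE.match(ip) is not None


# Constructed sample clients: in the subnet, a listed host, an outsider.
SAMPLES = ["33.222.10.7", "75.209.116.4", "198.51.100.9"]

if __name__ == "__main__":
    for ip in SAMPLES:
        print(ip,
              "stacked:", "deny" if stacked_negations_deny(ip) else "allow",
              "| chain:", "deny" if else_chain_deny(ip) else "allow")
```

In this model the stacked negated blocks deny all three sample clients, while the else chain denies only the unlisted address.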

RE: Restricting access from several IP/Ranges - Added by Lexus45 11 months ago

Works!
Thank you so much!
