
Hi,

 

I have 3 applications running on wampserver hosted on our intranet.

 

I would like to block the access of applications for a certain ip range. So I edited .htaccess files for each application as below. But the application is not blocked.

 

order deny,allow
allow from 10.212.4.
deny from all

 

 

After checking the logs I found that the IP address the client was returning was different, since all our machines use proxy settings by default.

 

Could anyone help me overcome this?


I have been searching regarding this and found using "x-forwarded-for" may work.

 

So I came up with this

 

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-For} ^10\.212\.4\.$ [OR]
RewriteCond %{HTTP:X-Forwarded-For} ^10\.212\.5\.$
RewriteRule .* - [F]

order allow,deny
allow from 10.212.4.
allow from 10.212.5
deny from all

 

However, I get a 403 error even when accessing from allowed IPs.

A) It's HTTP:X_FORWARDED_FOR (yes it matters)

 

B) Does your proxy server set the X_FORWARDED_FOR header so that doing this will even work? What HTTP headers does your proxy set?

 

C) If you provided information about which ip address/range should be permitted and which should be blocked, someone can probably help you.

 

D) Is there some reason you aren't using a real login/authentication system to prevent unauthorized access?

Thanks for your reply.

 

May I know how I can check the HTTP headers set by our proxy?

 

I would like to allow access only from IP addresses in the ranges 10.212.4.1 to 10.212.4.60 and 10.212.5.1 to 10.212.5.60.

 

There is no particular reason. It was the users' request.

The simplest way of seeing what information is in a http request would be to make a .php script with a phpinfo(); statement in it and browse to the URL of the file. The PHP Variables section (near the end) will list all the information that was contained in the request.

 

For the ip address ranges you listed in your last post above, are those the IP addresses the destination server sees from the proxy server or are those the client IP addresses on the internal network? You have got to tell us exactly what information you are dealing with in order to get a solution that has anything to do with your problem. You have made statements, such as 'I found that the ip address the client returning was different', but you haven't supplied that information to us to help show what problem you are having.

Firstly I wanna apologize for not providing the necessary info. I'm a total newbie to these things. You are right, it seems X_FORWARDED_FOR is not available. How about using REMOTE_ADDR? But the Remote_Addr shown below is for my server and it's actually showing the IP address returned by the proxy. However, when I test from a different machine the Remote_Addr is showing the correct IP.

 

Please find my HTTP Headers Information below. I have made the request from my server (10.212.4.53)

 

HTTP Request  GET /Hello/ HTTP/1.1  
Connection  keep-alive  
Accept  image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*  
Accept-Language  en-us  
User-Agent  Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)  
Accept-Encoding  gzip, deflate  
Cookie  
Host  10.212.4.53:8080  
X-IMForwards  20  
Via  1.1 abproxy01.cde.com.fg:8080 (IronPort-WSA/6.3.3-015)  
HTTP Response Headers 
X-Powered-By  PHP/5.3.3  

 

I have also added some more info which may be relevant

 

HTTP_CONNECTION  keep-alive  
HTTP_ACCEPT  image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*  
HTTP_ACCEPT_LANGUAGE  en-us  
HTTP_USER_AGENT  Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)  
HTTP_ACCEPT_ENCODING  gzip, deflate  
HTTP_COOKIE  
HTTP_HOST  10.212.4.53:8080  
HTTP_X_IMFORWARDS  20  
HTTP_VIA  1.1 abproxy01.cde.com.fg:8080 (IronPort-WSA/6.3.3-015)  
SERVER_SIGNATURE  no value  
SERVER_SOFTWARE  Apache/2.2.17 (Win32) PHP/5.3.3  
SERVER_NAME  10.212.4.53  
SERVER_ADDR  10.212.4.53  
SERVER_PORT  8080  
REMOTE_ADDR  10.168.2.174  

 

The IP addresses I mentioned are the client IP addresses; the IP addresses sent by the proxy server are different and in the range 10.168.2.174.

The REMOTE_ADDR that the target/destination server sees (the server where the applications are at that you want to allow/deny requests to) when requests are made from the actual client computers, is the only thing that matters.

 

So far, the only relevant information you have posted appears to be - "when I test from different machine the Remote_Addr is showing correct IP." Was this one of the client computers you want to allow access or deny access (you didn't state either way) and what was the IP address that was correct? (Correct to you doesn't mean anything to us unless you actually tell us what you saw in front of you.)

When the requests are made from client machines the Remote_addr is showing their original IP address.

 

ex: 10.212.4.57

ex: 10.212.5.63

 

These are the IP addresses based on which I wanna allow/deny access.

 

However, when I made requests from two servers (IP addresses 10.212.4.53 and 10.212.5.55) to one server, 10.212.4.53, the remote_addr is showing the proxy IP addresses, which are

 

REMOTE_ADDR  10.168.2.174 

REMOTE_ADDR  10.168.2.177

 

Why is remote_addr not showing their original IPs when requests are made from them? Both of them are servers; they have wampserver installed and a few applications. This is the common thing I can think of.

 

I came up with this; I didn't get a chance to test it. What do you think?

 

 

RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^10\.212\.4\. [OR]
RewriteCond %{REMOTE_ADDR} !^10\.212\.5\.
RewriteRule .* - [F]

 

order allow,deny
allow from 10.212.4.
allow from 10.212.5.
deny from all

 

 

 

The following settings are working partially for me:

 

ErrorDocument 403 /403.php

 

RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^10\.212\.5\.57
RewriteCond %{REMOTE_ADDR} !^10\.168\.2\.174
RewriteCond %{REMOTE_ADDR} !^10\.168\.2\.177
RewriteRule .* - [F]

 

 

The 10\.168\.2\.177 and 10\.168\.2\.174 are the two servers. And these IPs keep changing. I don't have any problem with the client machines.

 

Any idea how to handle this? I still can't figure out why only the servers are not showing the correct Remote_addr when for the clients it's correct.
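
Added example, not part of the original thread: a small Python model of how mod_rewrite combines the `RewriteCond` lines posted above, showing that the `[OR]` attempt forbids every address, next to one anchored pattern for the stated ranges 10.212.4.1-60 and 10.212.5.1-60. The names `rule_fires`, `OR_ATTEMPT`, `ALLOWED`, `RANGE_RULE` and `in_stated_ranges` are made up for this example, and the rule tests `REMOTE_ADDR` only, so requests that arrive via the proxy are judged by the proxy's address.

```python
import ipaddress
import re

def rule_fires(conds, addr):
    """True if the RewriteRule guarded by conds would apply (here: [F], a 403).

    conds is a list of (pattern, negated, or_next) tuples, one per
    RewriteCond line. Conditions are ANDed unless flagged [OR].
    """
    group_ok = False                      # result of the current [OR] group
    for pattern, negated, or_next in conds:
        hit = (re.search(pattern, addr) is not None) != negated
        group_ok = group_ok or hit
        if not or_next:                   # the group ends on this line
            if not group_ok:
                return False
            group_ok = False
    return True

# Attempt from the thread: "!4.x [OR] !5.x". No address starts with both
# prefixes, so at least one negated condition is always true.
OR_ATTEMPT = [(r"^10\.212\.4\.", True, True),
              (r"^10\.212\.5\.", True, False)]

# Added alternative (assumption: the ranges the poster stated): one negated
# condition covering 10.212.4.1-60 and 10.212.5.1-60, anchored at both ends.
ALLOWED = r"^10\.212\.[45]\.([1-9]|[1-5][0-9]|60)$"
RANGE_RULE = [(ALLOWED, True, False)]

def in_stated_ranges(addr):
    """Reference check with the ipaddress module, independent of the regex."""
    ip = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(f"10.212.{n}.1") <= ip
               <= ipaddress.ip_address(f"10.212.{n}.60") for n in (4, 5))

if __name__ == "__main__":
    # Constructed sample addresses; 10.168.2.174 is the proxy address
    # the poster saw in REMOTE_ADDR.
    for a in ("10.212.4.57", "10.212.5.63", "10.212.4.0", "10.168.2.174"):
        print(a, "OR attempt 403:", rule_fires(OR_ATTEMPT, a),
              "| range rule 403:", rule_fires(RANGE_RULE, a))
```

In an .htaccess file the same pattern would sit in a single `RewriteCond %{REMOTE_ADDR} !...` line ahead of `RewriteRule .* - [F]`, replacing the two `[OR]` lines.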
