Nginx
Max, 2019-01-26 22:23:11

Apache + Nginx + Cloudflare: .htaccess does not restrict by IP as it should, what should I do?

Good day!
Task: allow certain subnets to access the site, do it via mod_rewrite, and deny everyone else.
Given: a server with the VestaCP panel, a domain on Cloudflare with an A record pointing to the server; the domain works through Nginx > Apache, everything is fine, the site works. So far I have not managed to configure the blocking/allowing of certain IPs correctly.
The IP rules in .htaccess do not work at all; each of the RewriteCond lines was tested one by one. I also used this Cloudflare guide, where they write about the IP: https://support.cloudflare.com/hc/en-us/articles/2... (CF-Connecting-IP + X-Real-IP)
1. Why does it not work, and what is wrong?
2. In what order are the headers passed? Why does getallheaders() show one thing while $_SERVER shows another?
The code:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_ADDR} ^XXX.YY.*
RewriteCond %{HTTP_X_REAL_IP} ^XXX.YY.*
RewriteCond %{CF-Connecting-IP} ^XXX.YY.*
RewriteCond %{HTTP_CF_CONNECTING_IP} ^XXX.YY.*
RewriteCond %{X-Real-IP} ^XXX.YY.*
RewriteRule (.*) - [F]
</IfModule>

So it didn't work.
I do this to see the headers:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule (.*) print_headers.php [L]
</IfModule>
print_headers.php:
<?php
// dump the request headers as PHP receives them, then the full $_SERVER array
echo '<pre>';
var_dump(getallheaders());
echo '</pre>';
echo '<pre>', print_r($_SERVER, 1), '</pre>';
?>

getallheaders():
array(18) {
["Host"]=>
string(12) "my_domain.com"
["X-Real-IP"]=>
string(14) "MY_IP"
["X-Forwarded-For"]=>
string(30) "MY_IP, MY_IP"
["Connection"]=>
string(5) "close"
["Accept-Encoding"]=>
string(4) "gzip"
["CF-IPCountry"]=>
string(2) "RU"
["CF-RAY"]=>
string(20) "49f53f0c0b4426f0-FRA"
["X-Forwarded-Proto"]=>
string(5) "https"
["CF-Visitor"]=>
string(18) "{"scheme":"https"}"
["cache-control"]=>
string(9) "max-age=0"
["upgrade-insecure-requests"]=>
string(1) "1"
["user-agent"]=>
string(113) "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
["dnt"]=>
string(1) "1"
["accept"]=>
string(85) "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
["accept-language"]=>
string(32) "ru-RU,ru;q=0.9,en;q=0.8,fr;q=0.7"
["cookie"]=>
string(52) "__cfduid=d6c6e497231d7f0eaa5af707861ad08e61548522097"
["CF-Connecting-IP"]=>
string(14) "MY_IP"
["CDN-Loop"]=>
string(10) "cloudflare"
}
$_SERVER:
Array
(
[REDIRECT_STATUS] => 200
[HTTP_HOST] => my_domains.com
[HTTP_X_REAL_IP] => MY_IP
[HTTP_X_FORWARDED_FOR] => MY_IP, MY_IP
[HTTP_CONNECTION] => close
[HTTP_ACCEPT_ENCODING] => gzip
[HTTP_CF_IPCOUNTRY] => RU
[HTTP_CF_RAY] => 49f53f0c0b4426f0-FRA
[HTTP_X_FORWARDED_PROTO] => https
[HTTP_CF_VISITOR] => {"scheme":"https"}
[HTTP_CACHE_CONTROL] => max-age=0
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
[HTTP_DNT] => 1
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
[HTTP_ACCEPT_LANGUAGE] => ru-RU,ru;q=0.9,en;q=0.8,fr;q=0.7
[HTTP_COOKIE] => __cfduid=d6c6e497231d7f0eaa5af707861ad08e61548522097
[HTTP_CF_CONNECTING_IP] => MY_IP
[HTTP_CDN_LOOP] => cloudflare
[PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[SERVER_SIGNATURE] =>
[SERVER_SOFTWARE] => Apache/2.4.29 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.0g
[SERVER_NAME] => my_domain.com
[SERVER_ADDR] => *
[SERVER_PORT] => 80
[REMOTE_ADDR] => *
[DOCUMENT_ROOT] => /home/admin/web/my_domain.com/public_html
[REQUEST_SCHEME] => http
[CONTEXT_PREFIX] =>
[CONTEXT_DOCUMENT_ROOT] => /home/admin/web/my_domain.com/public_html
[SERVER_ADMIN] => [email protected]
[SCRIPT_FILENAME] => /home/admin/web/my_domain.com/public_html/print_headers.php
[REMOTE_PORT] => 56802
[REDIRECT_URL] => /
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.0
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /
[SCRIPT_NAME] => /print_headers.php
[PHP_SELF] => /print_headers.php
[REQUEST_TIME_FLOAT] => 1548529476.491
[REQUEST_TIME] => 1548529476
)


2 answer(s)
dodo512, 2019-01-28
@wtfowned

# as written in the question: mod_rewrite does not expose request headers under these names, so the conditions never match
RewriteCond %{CF-Connecting-IP} ^XXX.YY.*
RewriteCond %{X-Real-IP} ^XXX.YY.*

# request headers are read with the HTTP: prefix; the dots are escaped and the match is negated, so the rule forbids everyone outside the subnet
RewriteCond %{HTTP:CF-Connecting-IP} !^XXX\.YY\.
RewriteCond %{HTTP:X-Real-IP} !^XXX\.YY\.

RewriteEngine On
RewriteCond %{HTTP:X-Real-IP} !^XXX\.YY\.
RewriteRule (.*) - [F]

Anton, 2021-11-09
Websaytovsky @ws17

Here's another option (works for me on domains that go through the cloud).
# if the domain goes through Cloudflare: rules that deny access to the site to everyone except your own IPs
# Order/Deny/Allow is the Apache 2.2 syntax; on Apache 2.4 (as in the question) it needs mod_access_compat

Order Deny,Allow
SetEnvIf X-Forwarded-For ^100\.50\.30\.61 AllowIP
SetEnvIf X-Forwarded-For ^90\.100\.100\.62 AllowIP
SetEnvIf X-Forwarded-For ^100\.50\.30\.63 AllowIP
Deny from all
Allow from env=AllowIP
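Added example (my own Python model, not code from the question or from either answer), serving both question 2 above and the X-Forwarded-For rule in the last answer: it shows the CGI naming behind the getallheaders()/$_SERVER difference, and derives the visitor address by walking X-Forwarded-For from the proxy end through trusted hops, which is what an allow-list should check rather than the start of the header, because Cloudflare appends the visitor address after anything the request already carried. All addresses, ranges and both sample requests are constructed; the trusted-proxy list stands in for Cloudflare's published ranges plus the local nginx hop.

```python
# Added example, not from the question or the answers: models how the client
# address travels through Cloudflare -> nginx -> Apache and how to read it safely.
# Every address, range and request below is constructed.
import ipaddress
import re

# Assumed trusted hops: the local nginx proxy plus a stand-in for Cloudflare's
# published edge ranges (a real deployment loads Cloudflare's current list).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "198.51.100.0/24")]
# The subnet the question wants to allow (constructed stand-in for XXX.YY.*).
ALLOWED_SUBNETS = [ipaddress.ip_network("203.0.113.0/24")]

def cgi_name(header):
    """Header name as PHP shows it in $_SERVER: 'X-Real-IP' -> 'HTTP_X_REAL_IP'.
    getallheaders() keeps the wire name; $_SERVER uses this CGI convention."""
    return "HTTP_" + header.upper().replace("-", "_")

def is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, headers):
    """Start at the TCP peer and walk X-Forwarded-For from the right, the end
    each proxy appends to, skipping trusted proxies; the first untrusted hop is
    the visitor. Entries further left were written by whoever sent the request."""
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    hop = ipaddress.ip_address(remote_addr)
    while is_trusted_proxy(hop) and chain:
        hop = ipaddress.ip_address(chain.pop())
    return hop

def allowed_by_subnet(ip):
    return any(ip in net for net in ALLOWED_SUBNETS)

def allowed_by_xff_prefix(headers):
    """Mirrors the last answer's 'SetEnvIf X-Forwarded-For ^a\\.b\\.c\\.d' rule:
    anchored at the start of the header, i.e. at the client-written end."""
    return re.match(r"^203\.0\.113\.5", headers.get("X-Forwarded-For", "")) is not None

# Request as Apache sees it: peer is nginx, Cloudflare appended the visitor
# 203.0.113.5, nginx appended the Cloudflare edge 198.51.100.7.
GENUINE = {"remote_addr": "127.0.0.1",
           "headers": {"X-Forwarded-For": "203.0.113.5, 198.51.100.7"}}
# Same chain, but the request from visitor 192.0.2.9 already carried
# "X-Forwarded-For: 203.0.113.5" when it reached Cloudflare, which appends
# rather than replaces; the prefix rule accepts it, the hop walk does not.
FORGED = {"remote_addr": "127.0.0.1",
          "headers": {"X-Forwarded-For": "203.0.113.5, 192.0.2.9, 198.51.100.7"}}
```

With nginx's real_ip module already configured for Cloudflare (which the "MY_IP, MY_IP" value in the dump suggests), the walk still ends at the same visitor address, since the hop nginx appends is then the visitor itself.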
