PHP
Misty Hedgehog, 2014-08-08 14:00:16

How to deny access to a site based on the criterion of belonging to a country?

Greetings, %username%.
Input:
There is a certain resource (with access for clients only via HTTP). The resource stores various files, including rather large ones (roughly speaking, distributions, as on http://mirror.yandex.ru/). A hosting service is used (not a VDS), with Apache 1.3 and PHP 5.3 on board. The file listing is output by Apache. Recently the number of requests to the server has greatly increased, and it has begun to fail under the load. On average, 3..10 requests per second.
Required:
Restrict access. Deny access to everyone except, say, the "RF" and neighboring countries (a lot of the requests now come from abroad).
Suggested solution:
Use PHP to determine the country of the client (implemented) and "transparently allow" access to files. Redirect all requests to PHP:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^([^\.]+)$ check.php?url=$1 [L,QSA,NC]
</IfModule>

check.php receives the query string in GET, and we also check the IP there. After processing, we have decided what to do with the request (we found out the country by checking the IP against the geo database), whether to let it through or block it. But now how do we "return control" back?
I.e., if the request is from an "RF" IP and the site root is requested, you just need to display the index of the site root; if the request is from an "RF" IP and a file is requested, it must be served via the direct link, as it was before, without changing the URL.
If the request is from an IP outside the "Russian Federation" and neighboring countries and the root of the site is requested, you need to send a 403 header and display the corresponding error; if a file is requested via a direct link, you need to report the same 403 error.
In theory it would be possible to do:
header('Location: '.$_GET['url'].'?redirect=no'); and add RewriteCond %{QUERY_STRING} !(^|&)redirect=no($|&) to .htaccess (and if access is forbidden, redirect with a 403 header to a stub page), but this will entail a redirect (which needs to be avoided) and the inability to display the directory index.
Is it possible to make PHP work "transparently"? I.e., Apache works as it did before, but if the client's IP is in the "black list", access is closed?
P.S. I apologize for being somewhat tongue-tied.

2 answer(s)
Ivan Kiselev, 2014-08-08
@paramtamtam

I'm sorry, I'm not sure I know how to do this using bare Apache and .htaccess, but why don't you use nginx built with one of the many GeoIP modules?
First, nginx handles static files better, and it is likely that the load will drop immediately after nginx is introduced as a front end, so there will be no such urgent need to cut off users by region; second, this is implemented quite simply in nginx:
For example, using the geoip2 module, you can use the standard if construct in nginx locations to compare the value of the $region variable with the ones you need to prohibit / allow.
I apologize if you think my answer is offtopic.
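
The nginx setup described in the answer above, as an added example (not code from the answer's author). It assumes nginx built with ngx_http_geoip2_module and a MaxMind country database; the database path, server name, document root, log path and country list are placeholders, and the variable names $geoip2_country_code and $country_allowed are chosen here.

```nginx
# Added example: these directives belong inside the http { } block.
# Assumes ngx_http_geoip2_module is compiled in or loaded.

# Look up the ISO country code of the client address.
# The database path is a placeholder; "XX" marks addresses not in the database.
geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb {
    $geoip2_country_code default=XX country iso_code;
}

# Allowlist: 1 = serve, 0 = refuse. Anything not listed is refused.
map $geoip2_country_code $country_allowed {
    default 0;
    RU      1;
    BY      1;   # assumed "neighboring countries"; adjust to the real list
    KZ      1;
    UA      1;
}

# Record the resolved country next to the status code, so refused requests
# can be reviewed for valid users who were misclassified.
log_format geo '$remote_addr $geoip2_country_code $status "$request"';

server {
    listen 80;
    server_name mirror.example.org;              # placeholder
    root /srv/mirror;                            # placeholder
    access_log /var/log/nginx/mirror_geo.log geo;

    location / {
        # Same 403 for the site root, directories and direct file links,
        # with no redirect and no change to the requested URL.
        if ($country_allowed = 0) {
            return 403;
        }
        autoindex on;    # directory listing, as Apache produced before
    }
}
```

Filtering the log for status 403 and grouping by country code shows how many requests are being refused and from where, which is the figure to weigh against the accuracy caveat in the next answer.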

Nikolai, 2014-08-08
@j_wayne

Also, keep in mind that determining the country by IP is not 100% accurate (all sorts of options are possible), and here you need to weigh everything well: how many false refusals are acceptable for completely valid users, etc.
