On March 14, 2011 14:12, Carmel <carmel...@hotmail.com> wrote:
> I do not need users from China to have access to my server. I would like
> to use something like the list that follows to stop it. Unfortunately,
> I am not sure exactly where in my httpd.conf file I should put this so
> it works correctly.
>
> <Limit GET HEAD POST>
> order allow,deny
> # Country: CHINA
> # ISO Code: CN
> # Total Networks: 1,927
> # Total Subnets: 308,311,808
> deny from 1.12.0.0/14
> deny from 1.24.0.0/13
> deny from 1.45.0.0/16
> deny from 1.48.0.0/15
> #more entries
> #
> allow from all
> </Limit>

Normally, you would put the Deny directives in a <Directory /> or
<Location /> stanza inside your <VirtualHost> stanza in order to have
them apply to the entire file or entire URI namespace. You can put them
inside of other <Directory> or <Location> stanzas, instead, if you'd
like the Deny directives to apply less broadly.
Putting the Deny directives inside a <Limit> stanza -- as you have done
above -- is discouraged. See the documentation at
http://httpd.apache.org/docs/2.2/mod/core.html#limit which says:

    Access controls are normally effective for *all* access methods, and
    this is the usual desired behavior. *In the general case, access
    control directives should not be placed within a <Limit> section.*

I have never used it myself, so I don't know how good it is, but you may
want to investigate using mod_geoip2 as an alternative to having a long
list of networks in your configuration file. See
http://www.maxmind.com/app/mod_geoip
http://www.indiangnu.org/2010/how-to-install-geoip-and-mod_geoip2-on-centos-for-apache-2/
http://www.kaliphonia.com/content/linux/how-to-install-mod-geoip2-for-apache2-on-centos-server
The advantages should be: shorter, easier-to-read and
easier-to-maintain configuration files; a more comprehensive list of
networks for each country; no need to restart httpd when the list of
networks for a blocked country changes.
--
Mark Montague
m...@catseye.org
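
The placement described in the reply above, written out as an added example that is not part of the original message. It uses Apache 2.2 access-control syntax as in the thread; `example.com`, `/var/www/html` and the GeoIP database path are assumed values, and option B assumes mod_geoip is already installed and loaded.

```apache
# Added example (not from the thread). Apache 2.2 Order/Allow/Deny syntax.
# Assumed values: example.com, /var/www/html, /usr/share/GeoIP/GeoIP.dat

# --- Option A: static network list, moved out of <Limit> ---
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html

    # <Location /> covers the entire URI namespace of this virtual host.
    # Without a <Limit> wrapper the rules apply to every request method,
    # not only GET, HEAD and POST.
    <Location />
        # "Order Allow,Deny" (no space after the comma): Allow rules are
        # evaluated first, then Deny rules. A client that matches a Deny
        # line is rejected even though "Allow from all" matched it.
        Order Allow,Deny
        Allow from all
        Deny from 1.12.0.0/14
        Deny from 1.24.0.0/13
        Deny from 1.45.0.0/16
        Deny from 1.48.0.0/15
        # ... remaining networks from the list
    </Location>
</VirtualHost>

# --- Option B: mod_geoip instead of the network list ---
# Server level (outside any <VirtualHost>):
#
#   GeoIPEnable On
#   GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
#
# Inside the same <Location /> stanza, replacing the Deny lines above:
#
#   SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
#   Order Allow,Deny
#   Allow from all
#   Deny from env=BlockCountry
```

Running `apachectl configtest` after the change catches syntax errors before httpd is reloaded.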