>       >
>       > >
>       > >
>       > > I am blocking most of Amazon, Google, Azure clouds with ipsets. I also seem
>       > > to have added (automatically) ranges that were abusive from Apple safe
>       > > browsing (or so?)
>       > >
>       > > I would like to remove these IP addresses of Apple safe browsing from the
>       > > TCP filter, but I want httpd to redirect all these IP clients to a single
>       > > page, telling users to disable safe browsing.
>       > >
>       > > How can I best do this?
>       > >
>       >
>       > I have currently these ranges on my abuse list that match ranges
>       > Apple is communicating as being used by them. I was also thinking about
>       > this marking that you can do with iptables and then based on the mark,
>       > maybe redirect to some page?
>       >
>       >
>       > 104.28.30.0/25
>       > 104.28.30.128/27
> 
>       My first suggestion would have been a set of RewriteRule / RewriteCond
>       to serve a static html page for all clients that match. Since
>       mod_rewrite doesn't support IP subnet matching, but only regexes on
>       e.g. "%{REMOTE_ADDR}", that's not really going to be a nice solution
>       for such a long list of networks.
> 
>       As an alternative, you can use Require ip
>       (https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require)
>       and define a suitable ErrorDocument.
> 
>       If you're using iptables, you can re-route the request to a different
>       TCP port and configure a vhost that serves the chosen document for any
>       request to any path.
> 
>       Rainer
> 

Yes this is probably the most efficient. I am surprised this seems to work for 
http and https traffic. I am testing with this now. Only thing I probably am 
stuck with is having this in GlobalLog.
I prefer to return there everything with 4xx return code, but can't get this 
for /
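
The port re-route and catch-all vhost discussed in this thread, written out as an added example that is not part of any poster's message or of the httpd project. The ipset name `apple_relay`, ports 8080/8443, the file paths, the log file name and the `combined` log nickname are assumptions; `GlobalLog` needs httpd 2.4.19 or later.

```apache
# Added example; ports, paths, log name and the ipset name are assumptions.
# Packet-filter side, run as root ("apple_relay" is a hypothetical ipset):
#   iptables -t nat -A PREROUTING -p tcp --dport 80  -m set --match-set apple_relay src -j REDIRECT --to-ports 8080
#   iptables -t nat -A PREROUTING -p tcp --dport 443 -m set --match-set apple_relay src -j REDIRECT --to-ports 8443

Listen 8080
Listen 8443 https

# Server-wide log limited to 4xx responses (GlobalLog is server-config only).
GlobalLog "logs/global_4xx.log" combined "expr=%{REQUEST_STATUS} =~ /^4/"

<VirtualHost *:8080>
    ServerName notice.example.invalid
    DocumentRoot "/var/www/notice"

    # Deny every path, "/" included, so each request is answered with 403.
    <Location "/">
        Require all denied
    </Location>

    # Body of the 403: the static notice page. It must itself be readable,
    # otherwise httpd reports a second 403 while fetching the ErrorDocument.
    ErrorDocument 403 /disable-safe-browsing.html
    <Location "/disable-safe-browsing.html">
        Require all granted
    </Location>
</VirtualHost>

<VirtualHost *:8443>
    ServerName notice.example.invalid
    DocumentRoot "/var/www/notice"

    # Redirected clients still expect the original site's certificate.
    SSLEngine on
    SSLCertificateFile    "/path/to/site-cert.pem"
    SSLCertificateKeyFile "/path/to/site-key.pem"

    <Location "/">
        Require all denied
    </Location>
    ErrorDocument 403 /disable-safe-browsing.html
    <Location "/disable-safe-browsing.html">
        Require all granted
    </Location>
</VirtualHost>
```

With this layout a request for `/` is logged as 403 while the client still receives the notice page as the response body. A direct request for `/disable-safe-browsing.html` is served with 200, so it will not appear in the 4xx-only log.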


