can we use cidr in apache deny from env

Nix asked:

My requirement is:

  1. Block suspicious IP addresses at the Apache level. I have a list which contains millions of IP addresses with CIDR.
  2. If a blocked IP hits the site then they should get some message saying that they are blocked (I can use ErrorDocument).
  3. Log who all are being blocked (the 403 error document will redirect to another page and I can check the hits to that page).

The Apache server is behind an ELB on Amazon EC2, so I have to check X-Forwarded-For. In the configuration below, `SetEnvIf CLIENTIP "192.168.1.0/24" block` doesn't work; it looks like it needs an IP address instead of a CIDR. Is there any way I can block the hits from the millions of CIDR ranges I have?

    SetEnvIf REMOTE_ADDR "(.+)" CLIENTIP=$1
    SetEnvIf X-Forwarded-For "^([0-9.]+)" CLIENTIP=$1

    SetEnvIf CLIENTIP "192.168.1.0/24" block   # this doesn't work
    SetEnvIf CLIENTIP "192.168.1.5" block      # this works

    Order allow,deny
    Allow from all
    Deny from env=block

My answer:

This doesn’t work because Deny from env will deny whenever the specified variable exists, regardless of its content, and SetEnvIf just does an exact match for the text you gave.

Since you’re behind an ELB you need to use something like mod_rpaf to pull in the actual IP address so Apache can work with it directly. Then you can just use the CIDR ranges in Deny directives.


View the full question and answer on Server Fault.
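To make the two points of the answer concrete, here is an added example (not part of the original question or answer, and not code from Apache, mod_rpaf or mod_remoteip). It models in Python what the proxy-aware modules do: walk X-Forwarded-For from the right, skipping hops that belong to the trusted load balancer, and only then test the resulting client address against a CIDR blocklist. It also shows why the original `SetEnvIf` line fails (SetEnvIf performs a regular-expression match, so "192.168.1.0/24" is just a literal pattern) and why taking the leftmost X-Forwarded-For address, as the `"^([0-9.]+)"` regex in the question does, lets a client pick its own address. The 10.0.0.0/8 range used as the ELB's address space and all sample addresses are constructed for the example; only the standard library is used.

```python
"""Model of proxy-aware client-IP recovery plus CIDR blocklist matching.

Added illustration for the Server Fault question above; the trusted proxy
range and all sample addresses below are constructed, not taken from any
real deployment.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed assumption: the load balancer that appends X-Forwarded-For
# lives in this range. In Apache this is what RemoteIPInternalProxy
# (mod_remoteip) or RPAFproxy_ips (mod_rpaf) would be set to.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def setenvif_regex_match(value, pattern):
    """What SetEnvIf actually does with its argument: an unanchored regex search."""
    return re.search(pattern, value) is not None


def client_ip_leftmost(remote_addr, xff_header):
    """The question's approach: SetEnvIf X-Forwarded-For "^([0-9.]+)".

    The leftmost hop is whatever the client itself chose to send, so this
    value is attacker-controlled.
    """
    m = re.match(r"^([0-9.]+)", xff_header or "")
    try:
        return ipaddress.ip_address(m.group(1)) if m else ipaddress.ip_address(remote_addr)
    except ValueError:
        return ipaddress.ip_address(remote_addr)


def client_ip_from_xff(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Walk X-Forwarded-For from the right, skipping trusted proxies.

    Only hops appended by proxies we trust are believed; the first address
    from the right that is not a trusted proxy is the client. This is the
    behaviour mod_remoteip and mod_rpaf give Apache.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted):
        return peer  # direct connection: the header is untrusted, ignore it
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client = peer
    while hops:
        try:
            candidate = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed hop: keep the last good address
        client = candidate
        if not any(candidate in net for net in trusted):
            break
    return client


class CidrBlocklist:
    """IPv4 CIDR set with lookups bounded by the number of distinct prefix
    lengths (at most 33) rather than by the number of ranges, so a list of
    millions of ranges costs the same per request as a list of ten."""

    def __init__(self, cidrs):
        self._by_prefix = defaultdict(set)  # prefix length -> network ints
        for entry in cidrs:
            net = ipaddress.ip_network(entry.strip(), strict=False)
            if net.version == 4:
                self._by_prefix[net.prefixlen].add(int(net.network_address))
        self._prefixes = sorted(self._by_prefix, reverse=True)  # longest first

    def match(self, ip):
        """Return the most specific matching CIDR as a string, or None."""
        ip = ipaddress.ip_address(ip)
        if ip.version != 4:
            return None
        n = int(ip)
        for plen in self._prefixes:
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            masked = n & mask
            if masked in self._by_prefix[plen]:
                return f"{ipaddress.ip_address(masked)}/{plen}"
        return None


# Constructed sample blocklist standing in for the questioner's large list.
BLOCKLIST = CidrBlocklist(["192.168.1.0/24", "198.51.100.8/29"])


def decide(remote_addr, xff_header):
    """Resolve the client address safely, then apply the blocklist."""
    client = client_ip_from_xff(remote_addr, xff_header)
    hit = BLOCKLIST.match(client)
    return {"status": 403 if hit else 200, "client": str(client), "blocked_by": hit}
```

The `decide` function is the logic the questioner wants `Deny from` to run once the real address is in `REMOTE_ADDR`; the 403 branch is where `ErrorDocument 403` and the logging of blocked clients would hang off. Note what the comparison of `client_ip_leftmost` and `client_ip_from_xff` shows: with the leftmost rule, a client on a blocked range evades the list simply by sending its own `X-Forwarded-For` header, while the right-to-left walk only believes hops the load balancer itself added.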

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.