.htaccess - 'deny from' is not working

Tony_W
Grafter
Posts: 745
Registered: ‎11-08-2007

.htaccess - 'deny from' is not working

I am trying to block keymachine.de (IP address is 87.118.108.229) from my sites on ccgi and homepages.
I have put an .htaccess file into the relevant areas (CHMOD 644) which starts:
order deny,allow
deny from 196.219.108.155
deny from 87.118.108.229
deny from keymachine.de

My previous attempt started:
order allow,deny
deny from 196.219.108.155
deny from 87.118.108.229
deny from keymachine.de
allow from all

Has anyone any suggestions as to why both of these fail to prevent keymachine.de looking at my sites and triggering my PHP-based trackers?
Any suggestions would be welcome.
Tony
9 REPLIES 9
Peter_Vaughan
Grafter
Posts: 14,469
Registered: ‎30-07-2007

Re: .htaccess - 'deny from' is not working

htaccess files cannot block access to php files because php is run in cgi mode (i.e. outside of the Apache webserver rather than as a php module) thus htaccess is not parsed for php files.
Also I have never seen blocking by IP address or domain working in htaccess in the past anyway.
Tony_W
Grafter
Posts: 745
Registered: ‎11-08-2007

Re: .htaccess - 'deny from' is not working

Thanks Peter.
How can they read the PHP file (to be able to execute it) when it is located on the ccgi server with an .htaccess file in the same directory?
In tests, I have been able to block myself from an html file located in a test directory on the ccgi server with a .htaccess file containing my IP address.
I will try further tests with a PHP file tomorrow and see if that is blocked.
Tony
Peter_Vaughan
Grafter
Posts: 14,469
Registered: ‎30-07-2007

Re: .htaccess - 'deny from' is not working

htaccess will block all other file types except php because when a php file is requested from Apache, it is parsed by the php program outside of Apache and thus does not read the htaccess file.
It sounds like the IP blocking is working but it did not in the past.
Tony_W
Grafter
Posts: 745
Registered: ‎11-08-2007

Re: .htaccess - 'deny from' is not working

It looks like I will just have to do the detection in each of my PHP files and check the IP or hostname. If it matches, then I will do an 'exit'.
It could be done as an 'include' file at the start of all of my PHP files although it would, of course, mean increased file access and processing time. At least with an include file I would only have one list to maintain.
SoulBriski
Grafter
Posts: 179
Registered: ‎15-06-2007

Re: .htaccess - 'deny from' is not working

It's true, you can't protect php files directly but I found a way to protect php files using .htaccess
I created a folder called 'protected' in the root of my website and put a .htaccess file in there
I then created another folder called 'admin' inside the 'protected' folder
so now I have got
mainarea/protected/admin
All my php files that I want to protect are in the 'admin' folder which itself is protected by .htaccess
If anybody attempts to get to any file in the 'admin' folder, they have to log on
I know it's a slightly different application than yours Tony W but it works for me so maybe you can prevent unwanted IP addresses by using the lines in your .htaccess file but put your php files in a protected folder
Tony_W
Grafter
Posts: 745
Registered: ‎11-08-2007

Re: .htaccess - 'deny from' is not working

I have tried your suggestion SoulBriski and still could not prevent the PHP code from being run with either a 'deny from' .htaccess file in the 'protected' folder or the 'admin' folder or both.
As you say, the problem I have is slightly different from yours in that I do not want everyone to have to enter a password to run the PHP file.
I have just had a thought and will try a PHP file which is blank except for one line which includes another file. I will give the other file a .htm extension. With a bit of luck they won’t be able to read the contents of the .htm file.
I will post later with the results.
Ianwild
Grafter
Posts: 3,835
Registered: ‎05-04-2007

Re: .htaccess - 'deny from' is not working

Is that on CCGI Soulbriski?
Does .htaccess work better on Plesk? Have you considered that route Tony?
Ian
SoulBriski
Grafter
Posts: 179
Registered: ‎15-06-2007

Re: .htaccess - 'deny from' is not working

Ian, yes, that's on the CCGI platform
My way of thinking was that the 'admin' folder is protected by the .htaccess file and therefore anything that's in the 'admin' folder is protected by virtue of the fact that it's inside a protected area regardless of php or html or any other file type.
The more I think about this though the more I think it's not going to suit Tony's application because of the fact that in my case the .htaccess was accompanied by a .htpasswd file which meant that if you want to view the files inside 'admin', you have to log on which I know is not what Tony wants.
Sorry Tony if I gave you false hopes.
The plesk control panel provides a 'Protected Directories' feature which creates a similar scenario to that of mine so that might not suit Tony either.
Tony_W
Grafter
Posts: 745
Registered: ‎11-08-2007

Re: .htaccess - 'deny from' is not working

Hi everyone - thanks for your continued help.
Huge apologies to Peter Vaughan - I actually got IP blocking to work on my Homepages site and have failed totally with the ccgi server.
I thought that I might be able to have a nearly blank PHP file on the ccgi server which just does an 'include' of a file on the Homepages server. I could then set up an .htaccess file on the Homepages server to deny the IPs.
That way I could stop the active contents of the PHP file from being accessed by the blocked IPs since they would not be able to read the Homepages content and would just see a blank PHP file.
I tried this and failed again. The PHP file could still read (and use) the Homepages include file, although attempts to access it directly - by putting its URL straight into a browser - were blocked.
So, it looks like it is going to have to be filtering in PHP and exiting if the IP matches e.g. if (eregi("keymachine",$hostname)) {exit;};
I was also looking at this as a way of blocking bandwidth hogs - particular visitors using download accelerators which can do many partial-content downloads totalling tens of megabytes even though the visitor has actually only requested a single sub-megabyte file. We are penalised for going over the webspace bandwidth limit but seem to have too few tools available to counter rogue visitors.
Tony
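
The PHP-side filtering Tony settles on, written as a single include file so there is only one list to maintain. This is an added example, not code from the thread: the file name blocklist.php and the function names are assumptions, and the deny entries are the addresses and domain quoted in the first post.

```php
<?php
// blocklist.php: added example, not code from the thread.
// Usage at the top of each page: require __DIR__ . '/blocklist.php';

const DENY_IPS   = ['196.219.108.155', '87.118.108.229']; // addresses quoted in the thread
const DENY_HOSTS = ['keymachine.de'];                      // domain and its subdomains

// True when $host is $suffix itself or a subdomain of it. A plain substring
// test would also match unrelated names such as "notkeymachine.de.example".
function host_matches(string $host, string $suffix): bool
{
    $host = strtolower(rtrim($host, '.'));
    return $host === $suffix
        || substr($host, -(strlen($suffix) + 1)) === '.' . $suffix;
}

function is_denied(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return true;                       // malformed address: fail closed
    }
    if (in_array($ip, DENY_IPS, true)) {
        return true;                       // cheap check first, no DNS needed
    }
    // gethostbyaddr() returns the IP unchanged when there is no PTR record.
    // The PTR is set by whoever controls the address, so the hostname rule
    // is a convenience; the IP list is the dependable control.
    $host = gethostbyaddr($ip);
    if ($host === false || $host === $ip) {
        return false;
    }
    foreach (DENY_HOSTS as $suffix) {
        if (host_matches($host, $suffix)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR comes from the TCP connection; headers such as
// X-Forwarded-For are supplied by the client and are not used here.
if (PHP_SAPI !== 'cli' && is_denied($_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit;                                  // runs before any tracker code
}
```

The reverse DNS lookup adds latency to every request that is not already matched by IP, so keep the hostname list short or drop it once the offending addresses are known.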