ip2country database to .htaccess files
| Andero Koplus 2005-10-28, 4:47 pm |
| Hi,
I have already an ip2country database with ip ranges I would like to
block, but having difficulty figuring out the right netmasks for
.htaccess file. Please can anyone direct me to a script that calculates
the mask(s) on given ip range (ip from - ip to)
Also would appreciate any help on that matter
Thank you
| |
| Newsgroup Poster 2005-10-28, 4:47 pm |
| iptables would be much easier for this
"Andero Koplus" <anderoko@hot.ee> wrote in message news:4361e4fe$1_1@news.estpak.ee...
> Hi,
>
> I have already an ip2country database with ip ranges I would like to block, but having difficulty figuring out the right netmasks
> for .htaccess file. Please can anyone direct me to a script that calculates the mask(s) on given ip range (ip from - ip to)
>
> Also would appreciate any help on that matter
>
>
> Thank you
| |
| Purl Gurl 2005-10-28, 4:47 pm |
| Andero Koplus wrote:
> I have already an ip2country database with ip ranges I would like to
> block, but having difficulty figuring out the right netmasks for
> .htaccess file. Please can anyone direct me to a script that calculates
> the mask(s) on given ip range (ip from - ip to)

http://www.purlgurl.net/~tools/range2subnet.html

However, you do not want to use subnet masks in an .htaccess file.
Older versions of Apache will generate an internal error message.
Those versions of Apache which handle netmask or cidr notation,
will use tremendous amounts of system resources doing so.

Use of netmask / cidr is ok, but know you will slow down Apache.
In general, Apache 1.3.x will crash, Apache 2.x will run slower.
You will need to test your specific version for compatibility.

Use shortened IP addresses instead.

An example, you want to deny access to a range 192.168.1.0 to 192.168.1.100

In your .htaccess Deny from entry:

Deny from 192.168.1.

That entry will deny a broad range 192.168.1.0 to 192.168.1.255

Deny from 192.168.1.1

That entry will deny a broad range 192.168.1.1 to 192.168.1.199

Developing entries which will block a very specific range are challenging.
Usually, for efficiency, you end up blocking a greater range than needed.
Short versions of an IP address simply require "matching" per your entry,
while netmask / cidr require (simplified) building a table and comparing.

Research and read about Allow Deny usage in .htaccess files for fine tuning
your IP addresses to specific ranges.

http://www.purlgurl.net/manual/mod/mod_access.html

If you are running a firewall, especially a firmware firewall, do your
blocking there, rather than with Apache; keep Apache efficient.

Purl Gurl
| |
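A sketch of the kind of script asked for at the top of the thread, as an added example that is not part of the original posts: it splits an inclusive from/to range into the smallest set of CIDR blocks and builds mod_access Deny from lines. The sample rows and the country code ZZ are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample rows (from, to, country code); "ZZ" is a placeholder.
SAMPLE_ROWS = [
    ("192.168.1.0", "192.168.1.100", "ZZ"),  # the range used in the thread
    ("10.0.0.0", "10.0.0.255", "ZZ"),
]


def range_to_cidrs(first, last):
    """Return the smallest list of CIDR blocks covering first..last inclusive."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is above range end {last}")
    blocks = []
    while lo <= hi:
        # A block starting at lo can be no larger than lo's alignment
        # (its lowest set bit); address 0 is aligned to every size.
        align = lo & -lo if lo else 1 << 32
        # It also cannot hold more addresses than are left in the range,
        # rounded down to a power of two.
        span = 1 << ((hi - lo + 1).bit_length() - 1)
        size = min(align, span)
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += size
    return blocks


def htaccess_deny_lines(rows):
    """Build a mod_access blocklist: allow everyone, then deny each range."""
    lines = ["Order Allow,Deny", "Allow from all"]
    for first, last, country in rows:
        # Apache comments must sit on their own line.
        lines.append(f"# {country}: {first} - {last}")
        lines.extend(f"Deny from {cidr}" for cidr in range_to_cidrs(first, last))
    return lines


if __name__ == "__main__":
    print("\n".join(htaccess_deny_lines(SAMPLE_ROWS)))
```

For the thread's 192.168.1.0 to 192.168.1.100 range this yields four entries (/26, /27, /30 and /32) that cover exactly those 101 addresses.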
| Purl Gurl 2005-10-28, 4:47 pm |
| Purl Gurl wrote:
> Andero Koplus wrote:
(snipped)
> Those versions of Apache which handle netmask or cidr notation,
> will use tremendous amounts of system resources doing so.

I should add, you can block by hostname, such as purlgurl.net
if you like. However, like netmask and cidr, use of hostname
blocking is _extremely_ system resource intensive. For each
hostname, a DNS lookup must be performed.

Apache porters suggest you NOT use hostname lookup for both
logging and access blocking. With hostname lookup enabled,
you will "human eye" notice a great slowdown of Apache.
When you, as a visitor, notice this difference in efficiency,
it is an extreme loss in efficiency.

Stick with IP addresses only, look up a hostname by hand.

Purl Gurl