Re: [mod-security-users] mod_security rules for specific IPs or subnets
From: Ivan R. <iv...@we...> - 2004-05-24 08:42:12
Dionysios G. Synodinos wrote:
> mod_security rules for specific IPs or subnets
>
> Since our site is edited only from within our LAN (subnet), I would like
> to instruct mod_security to permit access to certain pages like e.g.
> admin.php only from a specific subnet, or IP. Something like:
>
> SecFilter "admin\.php"
> SecFilter "user\.php"

These filters are too broad. If you want to match the script filename, use a
selective filter:

SecFilterSelective SCRIPT_FILENAME "admin\.php$"

SecFilter will apply the signature to the filename, the query_string and the
post data, and result in false positives.

> but only for IPs outside our LAN (people that visit the site).
>
> Does anyone know how to do that?

Sure, you can do it with mod_security, but it is natural to do it with
Apache's built-in features, using mod_access:

http://httpd.apache.org/docs/mod/mod_access.html

Like this:

<Files ~ "(admin\.php|user\.php)$">
    # deny everything by default
    order allow,deny
    # only allow access from the LAN
    allow from 192.168.254.
</Files>

With mod_security, something like this would equally work:

SecFilterSelective REMOTE_ADDR "!^192\.168\.254\." chain
SecFilterSelective SCRIPT_FILENAME "(admin\.php|user\.php)$"

(examples not tested, please make sure they work for you)

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
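The difference between the broad SecFilter rules and the selective, chained rules in the reply above, emulated in Python over a handful of constructed requests. This is an added example, not code from the original post or from the ModSecurity project; the request records, the field names, the 192.168.254.0/24 LAN and the 203.0.113.x external client are all constructed for illustration, and the functions approximate the matching semantics the reply describes rather than reproducing mod_security's engine.

```python
import ipaddress
import re

# Constructed sample requests (not real traffic). The fields mirror what the
# reply says SecFilter inspects: script filename, query string and POST body.
REQUESTS = {
    "lan_admin": dict(remote_addr="192.168.254.10",
                      script_filename="/var/www/admin.php",
                      query_string="", post_body=""),
    "ext_admin": dict(remote_addr="203.0.113.7",
                      script_filename="/var/www/admin.php",
                      query_string="", post_body=""),
    # A public page whose query string merely mentions admin.php
    "ext_index_qs": dict(remote_addr="203.0.113.7",
                         script_filename="/var/www/index.php",
                         query_string="page=admin.php", post_body=""),
    # A public form whose POST body merely mentions user.php
    "ext_contact_post": dict(remote_addr="203.0.113.7",
                             script_filename="/var/www/contact.php",
                             query_string="", post_body="msg=see+user.php+please"),
    "ext_help": dict(remote_addr="203.0.113.7",
                     script_filename="/var/www/help.php",
                     query_string="", post_body=""),
}

# The original broad rules: SecFilter "admin\.php" / SecFilter "user\.php"
BROAD_SIGNATURES = [re.compile(r"admin\.php"), re.compile(r"user\.php")]
# The selective rule, anchored to the end of SCRIPT_FILENAME
PROTECTED_SCRIPT = re.compile(r"(admin\.php|user\.php)$")
# The REMOTE_ADDR pattern with dots escaped and the third dot required
LAN_PATTERN = re.compile(r"^192\.168\.254\.")
LAN_SUBNET = ipaddress.ip_network("192.168.254.0/24")  # constructed LAN


def broad_filter_hits(req):
    """SecFilter semantics: the signature is tried against the filename,
    the query string and the POST body, so any mention of admin.php or
    user.php anywhere in the request is a hit. These are the false
    positives the reply warns about."""
    fields = (req["script_filename"], req["query_string"], req["post_body"])
    return any(sig.search(f) for sig in BROAD_SIGNATURES for f in fields)


def chained_rule_denies(req):
    """Chained SecFilterSelective semantics: every link must match for the
    rule to fire, i.e. REMOTE_ADDR is outside the LAN (the "!" negation)
    AND SCRIPT_FILENAME ends in one of the protected scripts."""
    outside_lan = LAN_PATTERN.search(req["remote_addr"]) is None
    protected = PROTECTED_SCRIPT.search(req["script_filename"]) is not None
    return outside_lan and protected


def mod_access_allows(req):
    """<Files> + 'order allow,deny' + 'allow from 192.168.254.': requests
    for the protected scripts are allowed only from the LAN; every other
    file passes. A real subnet test replaces the string prefix here."""
    if PROTECTED_SCRIPT.search(req["script_filename"]) is None:
        return True
    try:
        return ipaddress.ip_address(req["remote_addr"]) in LAN_SUBNET
    except ValueError:  # unparsable address: treat as outside the LAN
        return False


def decisions(name):
    """Side-by-side outcome of the three approaches for one request."""
    req = REQUESTS[name]
    return {
        "broad_filter_hits": broad_filter_hits(req),
        "chained_rule_denies": chained_rule_denies(req),
        "mod_access_allows": mod_access_allows(req),
    }


if __name__ == "__main__":
    for name in REQUESTS:
        print(f"{name:18} {decisions(name)}")
```

Running it shows the broad signatures firing on the index page and the contact form because "admin.php" and "user.php" appear in the query string and POST body, while both the chained rule and the mod_access block only act on the one request where an external client actually asks for a protected script.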