mitchellkrogza / apache-ultimate-bad-bot-blocker

Apache Block Bad Bots, (Referer) Spam Referrer Blocker, Vulnerability Scanners, Malware, Adware, Ransomware, Malicious Sites, Wordpress Theme Detectors and Fail2Ban Jail for Repeat Offenders

Access control before and after bot blocker #112

Open hybiepoo opened 5 years ago

hybiepoo commented 5 years ago

I'm trying to get this working on an Apache 2.4 system, but it seems to be all or nothing. If I don't include a Require all granted, I get 403 from everywhere. However, if I add the Require all granted, the tests fail.

I'm using the following at the bottom of httpd.conf, which is AFTER the virtualhosts are included.

    <Location "/">
        # AND-combine with preceding configuration sections
        AuthMerging And
        # include black list
        Include custom.d/globalblacklist.conf
    </Location>

Does globalblacklist replace all other permissions, or do I still need to have a Require all granted line somewhere? I have tried so many combinations, but nothing seems to work.

StefanS-O commented 5 years ago

+1

mitchellkrogza commented 5 years ago

Hi @hypieboo and @StefanS-O, apologies for the delayed response. It took some time to get the current version working on 2.4 and passing the tests thrown at it inside the TravisCI build environment. It's not been tested in cases where any other permissions have been added into the config. My best suggestion is to strip it down to the way my templates and configs are set up for the Travis tests, try to get that working, and then one by one start introducing any additional configs to see which breaks the permission chain. Personally I can't say I'm a fan of the new 2.4 structure of permissions; it seems rather easy to mess up. The 2.2 version of the blocker can work on 2.4 using the mod_access_compat module. Let me know if you have any success.

StefanS-O commented 5 years ago

Hi @mitchellkrogza,

Thanks for your reply! I will try to use the 2.2 version with mod_access_compat and see if it fixes the issue. I hope to report back by Friday.

StefanS-O commented 5 years ago

Hi @mitchellkrogza,

I tried it using 2.2 with mod_access_compat and that seems to work correctly. I used it without automerging.

mitchellkrogza commented 5 years ago

Thanks for reporting back, @StefanS-O.

Anyone with time to really iron out the permissions blocks for 2.4, please go ahead.

uleodolter commented 5 years ago

Seems to be related to #113

mitchellkrogza commented 5 years ago

Thanks for referencing this issue, @uleodolter. Your discovery and help to isolate the bug should address a number of issues where 2.4 has not been playing along as it should.

mitchellkrogza commented 5 years ago

@hypieboo @StefanS-O please pull the latest update, including the latest blacklist-ips.conf include, as a critical flaw in logic has been addressed thanks to the help of @uleodolter.