Closed Tealk closed 4 years ago
Please post your /etc/apache2/custom.d/whitelist-domains.conf
I didn't want to publish all my domains here, so here are a few examples:
SetEnvIfNoCase Referer anzahcraft.de
SetEnvIfNoCase Referer discord.anzahcraft.de
SetEnvIfNoCase Referer rollenspiel.wiki
You did not follow the examples properly.
SetEnvIfNoCase Referer ~*yourdomain\.com good_ref
so
SetEnvIfNoCase Referer ~*anzahcraft\.de good_ref
SetEnvIfNoCase Referer ~*discord\.anzahcraft\.de good_ref
SetEnvIfNoCase Referer ~*rollenspiel\.wiki good_ref
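How those whitelist lines actually match, as an added example that is not code from the blocker project: in Apache's SetEnvIf the second argument is a regular expression that is searched for anywhere in the header value (SetEnvIfNoCase adds case-insensitivity), which is why the file insists on escaped dots, and why the `~*` prefix does no harm (it only means "zero or more tildes"). The script emulates that with grep -E -i over a constructed copy of a few whitelist lines, flags unescaped dots, and shows the side effect of an unanchored pattern: a referer such as https://anzahcraft.de.evil.example/ or https://evil.example/?ref=anzahcraft.de also ends up with good_ref. The strict_pattern function is my own suggestion for a tighter regex, not the file's format.

```shell
#!/bin/sh
# Added example (not part of the blocker project): emulate what
# "SetEnvIfNoCase Referer <regex> good_ref" matches, using grep -E -i, which,
# like Apache's SetEnvIf, searches for the regex anywhere in the header value.
set -eu

# Constructed sample of whitelist-domains.conf lines in the file's own format.
WHITELIST='
#SetEnvIfNoCase Referer ~*yourdomain\.com good_ref
SetEnvIfNoCase Referer ~*anzahcraft\.de good_ref
SetEnvIfNoCase Referer ~*rollenspiel\.wiki good_ref
'

# Print the regex of every active (non-comment) whitelist line.
active_patterns() {
    printf '%s\n' "$WHITELIST" \
        | grep -E '^[[:space:]]*SetEnvIfNoCase[[:space:]]+Referer[[:space:]]+' \
        | awk '{print $3}'
}

# Exit 0 if the Referer value $1 would get good_ref under the whitelist above.
referer_is_good() {
    for pat in $(active_patterns); do
        if printf '%s\n' "$1" | grep -Eiq -- "$pat"; then
            return 0
        fi
    done
    return 1
}

# Exit 0 if pattern $1 contains a dot that is not backslash-escaped
# (the mistake the file's comment warns about: an unescaped dot matches any character).
has_unescaped_dot() {
    printf '%s\n' "$1" | grep -Eq '(^|[^\\])\.'
}

# Tighter pattern (my suggestion, not the file's format): anchor on scheme and
# host so "anzahcraft.de.evil.example" or "?ref=anzahcraft.de" do not count.
strict_pattern() {
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '^https?://([a-z0-9-]+\\.)*%s(:[0-9]+)?(/|$)' "$escaped"
}

# Exit 0 if Referer $1 is a page on domain $2 (or one of its subdomains).
referer_is_good_strict() {
    printf '%s\n' "$1" | grep -Eiq -- "$(strict_pattern "$2")"
}

main() {
    for ref in 'https://anzahcraft.de/forum' 'https://www.Anzahcraft.DE/' \
               'http://100dollars-seo.com' 'https://anzahcraft.de.evil.example/' \
               'https://evil.example/?ref=anzahcraft.de'; do
        if referer_is_good "$ref"; then loose=good_ref; else loose=-; fi
        if referer_is_good_strict "$ref" anzahcraft.de; then strict=good_ref; else strict=-; fi
        printf '%-42s file:%-9s strict:%s\n' "$ref" "$loose" "$strict"
    done
}

# Only run the demonstration when called as: sh whitelist-check.sh run
case "${1:-}" in run) main ;; esac
```

Run it with `sh whitelist-check.sh run`; the "file" column is what the current whitelist format yields, the "strict" column what the anchored pattern yields. Whether the looser match matters depends on how much you rely on referrer blocking, since a spam referrer only has to contain one of your domain names to be spared the check.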
I followed the example from the description.
# Make sure any domains have dots and special characters escaped as per the Regex examples below.
# For example myfirstowndomainname.com should be entered as myfirstowndomainname\.com
# and my-second-owndomainname.com should be entered as my\-second\-owndomainname\.com
But it works now, thanks.
Only I seem to have done something wrong.
# curl -I https://anzahcraft.de -e http://100dollars-seo.com
HTTP/2 200
date: Wed, 21 Aug 2019 16:03:46 GMT
server: Apache
x-powered-by: PHP/7.3.8-1+0~20190807.43+debian10~1.gbp7731bf
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: private, no-cache, max-age=0
strict-transport-security: max-age=31536000
set-cookie: anzah_csrf=55NccpkOy65pP3p5; path=/; secure; HttpOnly
last-modified: Wed, 21 Aug 2019 16:03:46 GMT
content-length: 151993
x-xss-protection: 1; mode=block
x-robots-tag: all
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: same-origin
expect-ct: enforce, max-age=86400,report-uri="https://anzahreport.uriports.com/reports/report"
feature-policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
report-to: {"group":"default","max_age":10886400,"endpoints":[{"url":"https://anzahreport.uriports.com/reports"}],"include_subdomains":true}
nel: {"report_to":"default","max_age":2592000,"include_subdomains":true,"failure_fraction":1.0}
content-type: text/html; charset=utf-8
# curl -IA "80legs" https://anzahcraft.de
HTTP/2 200
date: Wed, 21 Aug 2019 16:04:14 GMT
server: Apache
x-powered-by: PHP/7.3.8-1+0~20190807.43+debian10~1.gbp7731bf
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: private, no-cache, max-age=0
strict-transport-security: max-age=31536000
set-cookie: anzah_csrf=x4D2vHKMxJMYeIMU; path=/; secure; HttpOnly
last-modified: Wed, 21 Aug 2019 16:04:14 GMT
content-length: 151993
x-xss-protection: 1; mode=block
x-robots-tag: all
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: same-origin
expect-ct: enforce, max-age=86400,report-uri="https://anzahreport.uriports.com/reports/report"
feature-policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
report-to: {"group":"default","max_age":10886400,"endpoints":[{"url":"https://anzahreport.uriports.com/reports"}],"include_subdomains":true}
nel: {"report_to":"default","max_age":2592000,"include_subdomains":true,"failure_fraction":1.0}
content-type: text/html; charset=utf-8
Need to post all your config files before I can help you more. You've not done something crucial to make it work. You can strip any domain names from your config files.
Most likely Step 6 https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/tree/master/Apache_2.4
but I would have inserted it
Somewhere it is just not loading the blocker. Go through your config carefully
Compare your config files with these from my working build tests https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/tree/master/.dev-tools/_test_results/_conf_files_2.4
So the configs are created by Froxlor. I have added the include to all vhost files.
I have set SSL forwarding for all domains, and only this vhost file has the include, but that shouldn't be a problem?
Post your apache2.conf and vhost configs please
apache2.conf
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf-enabled
# | `-- *.conf
# `-- sites-enabled
# `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections which can be
# customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
# directories contain particular configuration snippets which manage modules,
# global configuration fragments, or virtual host configurations,
# respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These should be managed by using our
# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
# their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
# work with the default configuration.
# Global configuration
#
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#Mutex file:${APACHE_LOCK_DIR} default
#
# The directory where shm and other runtime files will be stored.
#
DefaultRuntimeDir ${APACHE_RUN_DIR}
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 500
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log
#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include list of ports to listen on
Include ports.conf
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
IncludeOptional sites-froxlor/*.conf
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
ServerSignature Off
ServerTokens Prod
# [For HTTPS Support]
Protocols h2 http/1.1
# [For HTTP Support]
Protocols h2c http/1.1
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparams4096.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
35_froxlor_normal_vhost_anzahcraft.de.conf
# 35_froxlor_normal_vhost_anzahcraft.de.conf
# Created 21.08.2019 18:10
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.
# Domain ID: 23 - CustomerID: 1 - CustomerLogin: Anzah
<VirtualHost 185.170.112.156:80 [2a03:4000:15:68f::b9aa:709c]:80>
ServerName anzahcraft.de
ServerAlias www.anzahcraft.de
ServerAdmin MAIL
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R=301;L,NE]
</IfModule>
<IfModule !mod_rewrite.c>
Redirect 301 / https://anzahcraft.de/
</IfModule>
</VirtualHost>
35_froxlor_ssl_vhost_anzahcraft.de.conf
# 35_froxlor_ssl_vhost_anzahcraft.de.conf
# Created 21.08.2019 18:10
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.
# Domain ID: 23 (SSL) - CustomerID: 1 - CustomerLogin: Anzah
<VirtualHost 185.170.112.156:443 [2a03:4000:15:68f::b9aa:709c]:443>
ServerName anzahcraft.de
ServerAlias www.anzahcraft.de
ServerAdmin MAIL
SSLEngine On
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
Protocols h2 http/1.1
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
SSLVerifyDepth 10
SSLCertificateFile /etc/ssl/froxlor-custom/anzahcraft.de.crt
SSLCertificateKeyFile /etc/ssl/froxlor-custom/anzahcraft.de.key
SSLCACertificateFile /etc/ssl/froxlor-custom/anzahcraft.de_CA.pem
SSLCertificateChainFile /etc/ssl/froxlor-custom/anzahcraft.de_chain.pem
SSLUseStapling on
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>
DocumentRoot "/var/customers/webs/Anzah/anzahcraft.de/"
SuexecUserGroup "USER" "USER"
<FilesMatch \.(php)$>
SetHandler proxy:unix:/var/lib/apache2/fastcgi/4-anzah-anzahcraft.de-php-fpm.socket|fcgi://localhost
</FilesMatch>
<Directory "/var/customers/webs/Anzah/anzahcraft.de/">
Require all granted
AllowOverride All
</Directory>
Alias /webalizer "/var/customers/webs/Anzah/webalizer/anzahcraft.de"
LogLevel warn
ErrorLog "/var/customers/logs/Anzah-anzahcraft.de-error.log"
CustomLog "/dev/null" combined
<Directory "/var/customers/webs/Anzah/anzahcraft.de/">
AllowOverride All
Options FollowSymLinks
Include custom.d/globalblacklist.conf
</Directory>
</VirtualHost>
If you compare your apache2.conf with the one I told you to look at in the test results folder, it will hit you in the face.
Your main Directory block must have AllowOverride All
<Directory />
Options FollowSymLinks
AllowOverride All
Require all denied
</Directory>
but still the same:
# curl -IA "80legs" https://anzahcraft.de
HTTP/2 200
date: Wed, 21 Aug 2019 18:11:08 GMT
server: Apache
x-powered-by: PHP/7.3.8-1+0~20190807.43+debian10~1.gbp7731bf
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: private, no-cache, max-age=0
strict-transport-security: max-age=31536000
set-cookie: anzah_csrf=iGXiIOVINd9HVuZ0; path=/; secure; HttpOnly
last-modified: Wed, 21 Aug 2019 18:11:08 GMT
content-length: 152921
x-xss-protection: 1; mode=block
x-robots-tag: all
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: same-origin
expect-ct: enforce, max-age=86400,report-uri="https://anzahreport.uriports.com/reports/report"
feature-policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
report-to: {"group":"default","max_age":10886400,"endpoints":[{"url":"https://anzahreport.uriports.com/reports"}],"include_subdomains":true}
nel: {"report_to":"default","max_age":2592000,"include_subdomains":true,"failure_fraction":1.0}
content-type: text/html; charset=utf-8
But my web directory is also "/var/customers/webs" and there are many subfolders for each website.
I'll have a look in the morning; very hard to diagnose on my mobile. Very silly question, but have you restarted Apache every time?
Are you testing from the machine that is whitelisted? Have you tested externally?
Your main Directory Block for www also must have AllowOverride All. Please compare with this config file https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/blob/master/.dev-tools/_test_results/_conf_files_2.4/apache2.conf
You also have duplicate Directory blocks
<Directory "/var/customers/webs/Anzah/anzahcraft.de/">
Require all granted
AllowOverride All
</Directory>
Alias /webalizer "/var/customers/webs/Anzah/webalizer/anzahcraft.de"
LogLevel warn
ErrorLog "/var/customers/logs/Anzah-anzahcraft.de-error.log"
CustomLog "/dev/null" combined
<Directory "/var/customers/webs/Anzah/anzahcraft.de/">
AllowOverride All
Options FollowSymLinks
Include custom.d/globalblacklist.conf
</Directory>
I have tested from the machine that is whitelisted.
I have fixed the Directory block for www.
The first block is created by the Froxlor script; I don't know how to intervene.
So I wrote the whole thing in apache2.conf now and still get status 200 when I run the test.
<Directory />
Options FollowSymLinks
AllowOverride All
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
<Directory "/var/customers/webs">
AllowOverride All
Options FollowSymLinks
Include custom.d/globalblacklist.conf
</Directory>
This is very strange, can you try specifying the full path to the blocker?
Include /etc/apache2/custom.d/globalblacklist.conf
It appears it is just not being loaded or not being seen by Apache.
It is loaded, because if I put an error in whitelist-domains.conf, Apache does not start.
Even with the full path I get a status 200.
curl -IA "80legs" https://anzahcraft.de
HTTP/2 200
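A small probe script for the checks this thread repeats by hand; it is added here and is not part of the blocker project. It sends the same bad User-Agent and bad Referer used above, classifies the status code, and, when run on the server itself, asks httpd which files it really includes (apache2ctl -t -D DUMP_INCLUDES, which I assume is available in your 2.4 build; if not, the function just reports nothing). Two caveats that come straight from the configs posted above: the vhost sends its access log to /dev/null, so a probe is the only way to see whether a request was blocked, and whitelist-ips contains the server's own IP while the tests so far were run on that machine, so run the probes from a host that is not whitelisted.

```shell
#!/bin/sh
# Added diagnostic script (not from the blocker project). Assumes httpd 2.4,
# apache2ctl on PATH when run on the server, and curl on the probing host.
set -eu

# Pure function: read an HTTP status the way a blocker test should be read.
verdict() {
    case "$1" in
        403) echo "blocked" ;;
        200) echo "NOT blocked" ;;
        5??) echo "server error (check the vhost ErrorLog)" ;;
        *)   echo "unexpected status $1" ;;
    esac
}

# Send one probe and print "<label> <status> <verdict>".
# Remaining arguments are passed to curl unchanged (e.g. -A, -e, the URL).
probe() {
    label=$1; shift
    status=$(curl -sS -o /dev/null -w '%{http_code}' "$@") || status=000
    printf '%-12s %s %s\n' "$label" "$status" "$(verdict "$status")"
}

# Does httpd actually pull in the blocker files? Only meaningful on the server.
# DUMP_INCLUDES lists every file reached through Include/IncludeOptional.
show_includes() {
    apache2ctl -t -D DUMP_INCLUDES 2>/dev/null \
        | grep -E 'custom\.d/(globalblacklist|whitelist-(domains|ips))\.conf' \
        || echo "blocker files not found in the include tree (or DUMP_INCLUDES unsupported)"
}

main() {
    url=$1
    # Bad user agent and bad referer taken from the probes in the thread.
    probe "bad-ua"      -A '80legs' "$url"
    probe "bad-referer" -e 'http://100dollars-seo.com' "$url"
    # Control: an ordinary browser-like request must still get 200.
    probe "clean"       -A 'Mozilla/5.0' "$url"
    show_includes
}

# Only probe when a URL is given: sh blocker-check.sh https://example.com
case "${1:-}" in http://*|https://*) main "$@" ;; esac
```

Expected result with a working blocker is 403 for the first two probes and 200 for the control. A 200 on the bad probes from a whitelisted source address proves nothing, because whitelist-ips bypasses the checks by design.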
Please post your output of
apache2ctl -M
Also your contents of whitelist-domains and whitelist-ips
apache2ctl -M
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
filter_module (shared)
geoip_module (shared)
headers_module (shared)
http2_module (shared)
mime_module (shared)
mpm_event_module (shared)
negotiation_module (shared)
perl_module (shared)
proxy_module (shared)
proxy_balancer_module (shared)
proxy_fcgi_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
slotmem_shm_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)
suexec_module (shared)
# Add One Entry Per Line
##############################################################################
# ___ __ #
# / _ | ___ ___ _____/ / ___ #
# / __ |/ _ \/ _ `/ __/ _ \/ -_) #
# /_/ |_/ .__/\_,_/\__/_//_/\__/ #
# __/_/ __ ___ __ ___ __ __ #
# / _ )___ ____/ / / _ )___ / /_ / _ )/ /__ ____/ /_____ ____ #
# / _ / _ `/ _ / / _ / _ \/ __/ / _ / / _ \/ __/ '_/ -_) __/ #
# /____/\_,_/\_,_/ /____/\___/\__/ /____/_/\___/\__/_/\_\\__/_/ #
# #
##############################################################################
# BY DEFAULT THE EXAMPLES BELOW ARE COMMENTED OUT AND HENCE NOT ENABLED
# ADD ONLY ONE "Require ip" COMMAND PER LINE !
#Require ip 192.168.1.0
#Require ip 192.168.2.0
# !!!!!! ********************************************************
# DO NOT EVER USE 127.0.0.1 only real public facing IP addresses.
# !!!!!! ********************************************************
Require ip 185.170.112.156
# EDIT THIS FILE AS YOU LIKE TO WHITELIST YOUR OWN DOMAIN NAMES AND SPARE THEM FROM ANY REFERRER CHECKING ###
##############################################################################
# ___ __ #
# / _ | ___ ___ _____/ / ___ #
# / __ |/ _ \/ _ `/ __/ _ \/ -_) #
# /_/ |_/ .__/\_,_/\__/_//_/\__/ #
# __/_/ __ ___ __ ___ __ __ #
# / _ )___ ____/ / / _ )___ / /_ / _ )/ /__ ____/ /_____ ____ #
# / _ / _ `/ _ / / _ / _ \/ __/ / _ / / _ \/ __/ '_/ -_) __/ #
# /____/\_,_/\_,_/ /____/\___/\__/ /____/_/\___/\__/_/\_\\__/_/ #
# #
##############################################################################
# Add One Entry Per Line - List all your own domains of the sites you host on the server
# This file must exist on your system or Nginx will fail a reload due to a missing file
# Automatic updates will never be able to remove this custom list of yours
# Add One Entry Per Line
# Make sure any domains have dots and special characters escaped as per the Regex examples below.
# For example myfirstowndomainname.com should be entered as myfirstowndomainname\.com
# and my-second-owndomainname.com should be entered as my\-second\-owndomainname\.com
# BY DEFAULT ALL THE EXAMPLES BELOW ARE COMMENTED OUT AND HENCE NOT ENABLED
#SetEnvIfNoCase Referer ~*yourdomain\.com good_ref
#SetEnvIfNoCase Referer ~*your\-domain\.com good_ref
SetEnvIfNoCase Referer ~*anzahcraft\.de good_ref
SetEnvIfNoCase Referer ~*analytics\.anzahcraft\.de good_ref
SetEnvIfNoCase Referer ~*ark\.anzahcraft\.de good_ref
SetEnvIfNoCase Referer ~*discord\.anzahcraft\.de good_ref
SetEnvIfNoCase Referer ~*img\.anzahcraft\.de good_ref
SetEnvIfNoCase Referer ~*linkus\.anzahcraft\.de good_ref
SetEnvIfNoCase Referer ~*pap\.anzahcraft\.de good_ref
SetEnvIfNoCase Referer ~*papdiscord\.anzahcraft\.de good_ref
SetEnvIfNoCase Referer ~*poll\.anzahcraft\.de good_ref
SetEnvIfNoCase Referer ~*anzah\.network good_ref
SetEnvIfNoCase Referer ~*search\.anzah\.network good_ref
SetEnvIfNoCase Referer ~*anzah\.tools good_ref
SetEnvIfNoCase Referer ~*rollenspiel\.monster good_ref
SetEnvIfNoCase Referer ~*discord\.rollenspiel\.monster good_ref
SetEnvIfNoCase Referer ~*poll\.rollenspiel\.monster good_ref
SetEnvIfNoCase Referer ~*rollenspiel\.wiki good_ref
This is too weird. The only difference I can find between the working tests and my server is you have access_compat enabled which "should not" make a difference but please try
sudo a2dismod access_compat
sudo service apache2 restart
Let me know.
If that does not work, then please try disabling any whitelisting or mods made to any of the includes. BEST to just back up the entire /custom.d folder and grab a fresh copy of everything without making a single modification to anything.
Wow, it shouldn't, but somehow it does have an influence.
root:~# a2dismod access_compat
Module access_compat disabled.
To activate the new configuration, you need to run:
systemctl restart apache2
root:~# service apache2 restart
root:~# curl -IA "80legs" https://anzahcraft.de
HTTP/2 500
date: Thu, 22 Aug 2019 14:17:37 GMT
server: Apache
strict-transport-security: max-age=31536000
content-type: text/html; charset=iso-8859-1
But then I can no longer use my GeoIP block :(
.htaccess: Invalid command 'Deny', perhaps misspelled or defined by a module not included in the server configuration
<IfModule mod_geoip.c>
GeoIPEnable On
# https://dev.maxmind.com/geoip/legacy/codes/iso3166/
SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE KR DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE KP DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE RO DenyCountry
deny from env=DenyCountry
deny from 193.31
<RequireAll>
Require all granted
</RequireAll>
</IfModule>
That's very weird indeed, my tests though with access_compat disabled / enabled yield the same results, a working blocker.
It's likely you have a conflict, perhaps even the geoip module that is causing a problem?
Try disabling the mod_geoip and then testing with access_compat enabled and disabled.
This block in geoip, if loaded in the wrong place "could" break the entire workings of the blocker.
<RequireAll>
Require all granted
</RequireAll>
Any <RequireAll> or <RequireAny> block in the wrong place could break things horribly, not only the blocker but all of Apache's security. I spent months figuring out the new Apache 2.4 mechanisms to get this blocker to work properly, so I know how one <RequireAny> or <RequireAll> block can break everything.
Really worth disabling any extra modules you have loaded, start with getting the blocker working, and then one by one bring in an extra module at a time, if things break then you know where to look.
Is it wrong how I used the
The blocker will never break a live site it will only block what is has been told to block. Start with getting the blocker working without access_compat enabled. When the blocker is working then we can look at your geoip module.
You must know access_compat is not good to use on Apache 2.4 because it leads to using old security directives mixed with new.
This guide for using geoip makes no use of any <RequireAll> blocks
https://znil.net/index.php/Ubuntu_14.04.x_Apache_2.4.7_GeoIP_Blocking_mit_IPv4_und_IPv6_einrichten
Tested and Working 100% !!! Does not break blocker and DOES block the countries. I tested through a VPN.
Add this to your vhost config just before the closing </Virtualhost>
<Location />
GeoIPEnable On
# https://dev.maxmind.com/geoip/legacy/codes/iso3166/
SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE KR DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE KP DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE RO DenyCountry
Deny from env=DenyCountry
</Location>
☝ requires mod access_compat
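The <Location /> block above keeps Deny from, which only exists through mod_access_compat, and the thread already shows what happens when that module goes away (the .htaccess deny lines turn into a 500). The same country block can be written with Apache 2.4's own authorization directives, so access_compat can stay disabled. This is an added example, not from the blocker project or the linked guide; it assumes mod_geoip, mod_setenvif and mod_authz_core are loaded (all three appear in the apache2ctl -M output above) and reuses the thread's country list:

```apache
# Added example (not from the blocker project or the linked guide): the same
# country block written with Apache 2.4's own authorization directives, so
# mod_access_compat can stay disabled. Place it just before </VirtualHost>,
# where the Deny-from version above goes.
<IfModule mod_geoip.c>
    <Location />
        GeoIPEnable On
        # https://dev.maxmind.com/geoip/legacy/codes/iso3166/
        SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry
        SetEnvIf GEOIP_COUNTRY_CODE KR DenyCountry
        SetEnvIf GEOIP_COUNTRY_CODE KP DenyCountry
        SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry
        SetEnvIf GEOIP_COUNTRY_CODE RO DenyCountry

        # Combine this section's rules with the ones inherited from earlier
        # sections (<Directory>, .htaccess) instead of replacing them, which
        # is what the default AuthMerging Off would do.
        AuthMerging And

        # Was:  Deny from env=DenyCountry   (needs mod_access_compat)
        # Now:  every clause in RequireAll must pass, so a request with
        # DenyCountry set is refused with 403 by mod_authz_core.
        <RequireAll>
            Require all granted
            Require not env DenyCountry
        </RequireAll>
    </Location>
</IfModule>
```

AuthMerging And is the line that matters for the warning above. Apache merges <Location> sections after <Directory> sections and .htaccess files, and with the default AuthMerging Off a section that carries its own Require directives discards the inherited ones rather than adding to them. The same mechanism means a .htaccess that contains its own <RequireAll>Require all granted</RequireAll>, like the one posted earlier, replaces any Require-based rules a parent <Directory> block contributed for that path, which is one way a later block "in the wrong place" can switch off protections set higher up. Check the result with apache2ctl -t before restarting, and verify from a VPN exit in one of the listed countries that you get a 403 while a bad-bot probe from elsewhere still gets a 403 too.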
I haven't finished everything yet, but I wanted to say thank you for investing so much time and effort to help me.
The blocker will never break a live site i
I didn't mean to say that either. I meant disabling all modules.
GeoIP is in the vhost according to your model and the status remains at 200.
curl -IA "80legs" https://anzahcraft.de
HTTP/2 200
Post your latest apache2.conf and virtualhost config. I've tested with geoip and the blocker and it works 100%, so you have something else wrong.
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf-enabled
# | `-- *.conf
# `-- sites-enabled
# `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections which can be
# customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
# directories contain particular configuration snippets which manage modules,
# global configuration fragments, or virtual host configurations,
# respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These should be managed by using our
# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
# their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
# work with the default configuration.
# Global configuration
#
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#Mutex file:${APACHE_LOCK_DIR} default
#
# The directory where shm and other runtime files will be stored.
#
DefaultRuntimeDir ${APACHE_RUN_DIR}
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 500
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log
#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include list of ports to listen on
Include ports.conf
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
Options FollowSymLinks
AllowOverride All
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
<Directory "/var/customers/webs">
AllowOverride All
Options FollowSymLinks
Include /etc/apache2/custom.d/globalblacklist.conf
</Directory>
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
IncludeOptional sites-froxlor/*.conf
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
ServerSignature Off
ServerTokens Prod
# [For HTTPS Support]
Protocols h2 http/1.1
# [For HTTP Support]
Protocols h2c http/1.1
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparams4096.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
# 35_froxlor_normal_vhost_anzahcraft.de.conf
# Created 22.08.2019 19:55
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.
# Domain ID: 23 - CustomerID: 1 - CustomerLogin: Anzah
<VirtualHost 185.170.112.156:80 [2a03:4000:15:68f::b9aa:709c]:80>
ServerName anzahcraft.de
ServerAlias www.anzahcraft.de
ServerAdmin MAIL
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R=301;L,NE]
</IfModule>
<IfModule !mod_rewrite.c>
Redirect 301 / https://anzahcraft.de/
</IfModule>
</VirtualHost>
# 35_froxlor_ssl_vhost_anzahcraft.de.conf
# Created 22.08.2019 19:55
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.
# Domain ID: 23 (SSL) - CustomerID: 1 - CustomerLogin: Anzah
<VirtualHost 185.170.112.156:443 [2a03:4000:15:68f::b9aa:709c]:443>
ServerName anzahcraft.de
ServerAlias www.anzahcraft.de
ServerAdmin MAIL
SSLEngine On
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
Protocols h2 http/1.1
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
SSLVerifyDepth 10
SSLCertificateFile /etc/ssl/froxlor-custom/anzahcraft.de.crt
SSLCertificateKeyFile /etc/ssl/froxlor-custom/anzahcraft.de.key
SSLCACertificateFile /etc/ssl/froxlor-custom/anzahcraft.de_CA.pem
SSLCertificateChainFile /etc/ssl/froxlor-custom/anzahcraft.de_chain.pem
SSLUseStapling on
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>
DocumentRoot "/var/customers/webs/Anzah/anzahcraft.de/"
SuexecUserGroup "USER" "USER"
<FilesMatch \.(php)$>
SetHandler proxy:unix:/var/lib/apache2/fastcgi/4-anzah-anzahcraft.de-php-fpm.socket|fcgi://localhost
</FilesMatch>
<Directory "/var/customers/webs/Anzah/anzahcraft.de/">
Require all granted
AllowOverride All
</Directory>
Alias /webalizer "/var/customers/webs/Anzah/webalizer/anzahcraft.de"
LogLevel warn
ErrorLog "/var/customers/logs/Anzah-anzahcraft.de-error.log"
CustomLog "/dev/null" combined
<Location />
GeoIPEnable On
# https://dev.maxmind.com/geoip/legacy/codes/iso3166/
SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE KR DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE KP DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE RO DenyCountry
Deny from env=DenyCountry
</Location>
</VirtualHost>
You must know access_compat is not good to use on Apache 2.4 because it leads to using old security directives mixed with new.
I didn't know that at all but unfortunately it is needed for the geoip :'(
Your main Directory block in the SSL host is missing the blocker include.
<Directory "/var/customers/webs/Anzah/anzahcraft.de/">
Require all granted
AllowOverride All
</Directory>
I wrote this in the apache2.conf because froxlor doesn't give me the possibility to intervene there.
I don't think it will work properly from apache2.conf. Not sure, I'd have to test that, but I doubt it; it should be enclosed in the <VirtualHost> block.
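The two points raised above, `Deny from env=` needing mod_access_compat and the blocker include having to live in the vhost rather than in apache2.conf, both come down to how mod_authz_core merges `Require` directives. The following vhost fragment is an added example, not Froxlor's generated output and not the blocker project's own configuration; it reuses the thread's paths and country list and assumes the legacy mod_geoip `GeoIPEnable` directive, mod_authz_core at its defaults, and that globalblacklist.conf carries its own `<RequireAll>` authorization logic for the section it is included in:

```apache
# Inside the anzahcraft.de SSL <VirtualHost>, in place of the generated
# <Directory> and <Location /> sections shown earlier in the thread.
<Directory "/var/customers/webs/Anzah/anzahcraft.de/">
    AllowOverride All
    # Bad-bot / bad-referer blocker. It has to be in this vhost-level section:
    # with the default "AuthMerging Off", the generated "Require all granted"
    # here replaces any authorization inherited from the less specific
    # <Directory "/var/customers/webs"> in apache2.conf.
    # No bare "Require all granted" beside it: top-level Require directives in
    # one section are implicitly ORed, which would grant what the include denies
    # (assumption: the include supplies its own <RequireAll> block).
    Include /etc/apache2/custom.d/globalblacklist.conf
</Directory>

<Location />
    GeoIPEnable On
    # https://dev.maxmind.com/geoip/legacy/codes/iso3166/
    SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry
    SetEnvIf GEOIP_COUNTRY_CODE KR DenyCountry
    SetEnvIf GEOIP_COUNTRY_CODE KP DenyCountry
    SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry
    SetEnvIf GEOIP_COUNTRY_CODE RO DenyCountry
    # AND this rule with the authorization already decided in <Directory>
    # (the blocker) instead of replacing it, which "AuthMerging Off" would do.
    AuthMerging And
    # Native Apache 2.4 authorization; no mod_access_compat "Deny from env=".
    # "Require not" is only valid inside RequireAll/RequireAny/RequireNone and
    # needs a positive directive next to it, otherwise the result is neutral
    # and the request is denied for everyone.
    <RequireAll>
        Require all granted
        Require not env DenyCountry
    </RequireAll>
</Location>
```

Because `<Location>` sections are merged after `<Directory>` sections, the GeoIP rule is applied on top of the blocker only for this vhost, which is what was asked for. Run `apache2ctl configtest` before reloading; once no `Order`/`Allow`/`Deny` directives remain anywhere, `a2dismod access_compat` removes the mixed old/new access-control model entirely. Note that this vhost sends its access log to `/dev/null`, so a rejected request is visible only as the 403 on the client side, not in any server log.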
Yes, only unfortunately I have no possibility to install it there :(
I will look tomorrow it will need a mod to their templates
If it helps you with that: https://github.com/Froxlor/Froxlor
Thanks I already forked a copy to look through tomorrow
@Tealk please try this.
Back up this config file (wherever Froxlor is installed?); change froxlordir below to the correct folder.
sudo cp froxlordir/lib/Froxlor/Cron/Http/Apache.php froxlordir/lib/Froxlor/Cron/Http/Apache.bak
Then edit the original file
sudo nano froxlordir/lib/Froxlor/Cron/Http/Apache.php
Change lines 653-655
FROM THIS
if (Settings::Get('system.apache24') == '1') {
$webroot_text .= ' Require all granted' . "\n";
$webroot_text .= ' AllowOverride All' . "\n";
TO THIS
if (Settings::Get('system.apache24') == '1') {
$webroot_text .= ' Require all granted' . "\n";
$webroot_text .= ' AllowOverride All' . "\n";
$webroot_text .= ' Include /etc/apache2/custom.d/globalblacklist.conf' . "\n";
Let me know.
NOTE: This is a very temporary hack and should work just fine; when you update Froxlor, however, you will need to redo this step. Unfortunately I don't have time to contribute any proper changes to Froxlor to have it as an option in the admin menu, but it really should not be difficult at all for someone to do.
If this works then you can further edit that block to add your GeoIP block as follows.
if (Settings::Get('system.apache24') == '1') {
$webroot_text .= ' Require all granted' . "\n";
$webroot_text .= ' AllowOverride All' . "\n";
$webroot_text .= ' Include /etc/apache2/custom.d/globalblacklist.conf' . "\n";
$webroot_text .= ' <Location />' . "\n";
$webroot_text .= ' GeoIPEnable On' . "\n";
$webroot_text .= ' SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry' . "\n";
$webroot_text .= ' SetEnvIf GEOIP_COUNTRY_CODE KR DenyCountry' . "\n";
$webroot_text .= ' SetEnvIf GEOIP_COUNTRY_CODE KP DenyCountry' . "\n";
$webroot_text .= ' SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry' . "\n";
$webroot_text .= ' SetEnvIf GEOIP_COUNTRY_CODE RO DenyCountry' . "\n";
$webroot_text .= ' Deny from env=DenyCountry' . "\n";
$webroot_text .= ' </Location>' . "\n";
NOTE: This will apply it to every single Vhost.
NOTE: This will apply it to every single Vhost. Yes, that would be a problem; I would like to use GeoIP only with certain web pages.
I have now entered this at line 681, but I have nothing in the vhost.
Did you re-generate the host file?
Yes, I have rebuilt all configs. The GeoIP I entered in the web interface was taken over:
<Directory "/var/customers/webs/Anzah/anzahcraft.de/">
Require all granted
AllowOverride All
</Directory>
Alias /webalizer "/var/customers/webs/Anzah/webalizer/anzahcraft.de"
LogLevel warn
ErrorLog "/var/customers/logs/Anzah-anzahcraft.de-error.log"
CustomLog "/dev/null" combined
<Location />
GeoIPEnable On
# https://dev.maxmind.com/geoip/legacy/codes/iso3166/
SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE KR DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE KP DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE RO DenyCountry
Deny from env=DenyCountry
</Location>
</VirtualHost>
Try making the very same changes on lines 73-75.
Describe the problem you are experiencing
If I try to load the config I get the following error:
Server (please complete the following information):