[Resolved] Problem with GeoIP & .htaccess

[milliondollar]

I successfully install mod_geoip in my server. I test by using the following code & it show the right country

<?php

    if (getenv(HTTP_X_FORWARDED_FOR)) {
        $pipaddress = getenv(HTTP_X_FORWARDED_FOR);
        $ipaddress = getenv(REMOTE_ADDR);
        echo "Your Proxy IP address is : ".$pipaddress. " (via $ipaddress) " ;
    } else {
        $ipaddress = getenv(REMOTE_ADDR);
        echo "My IP address is : $ipaddress";
    }
    $country = getenv(GEOIP_COUNTRY_NAME);
    echo "<br />My Country : $country";

    $country2 = $_SERVER['GEOIP_COUNTRY_CODE'];
    echo "<br />My Country Code : $country2";
?>

I want to block wp-login.php by using GeoIP. Only to allow for certain country by using .htaccess but seem to be not working. This is my code in .htaccess

<IfModule mod_geoip.c>
<FilesMatch "wp-login.php">

SetEnvIf GEOIP_COUNTRY_CODE CA AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE MX AllowCountry
Deny from all
Allow from env=AllowCountry

</FilesMatch>
</IfModule>

The same code showed in http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Allowing_clients_based_on_country

Any ideas what is wrong?

 

[NiteWave]

I successfully install mod_geoip in my server.

lsws won't load apache's mod_geoip module. instead, need install and enable GEO IP at lsws web admin, please refer the documents:
https://www.litespeedtech.com/docs/webserver/config/general#enableIpGeo
https://www.litespeedtech.com/docs/webserver/config/general#geolocationDB

 

[milliondollar]

Already done that. As I told in my first post, it is already working except it not blocking as specified in .htaccess.

I do more testing, even the redirect using .htaccess is working. I use the code below

<IfModule mod_geoip.c>
<FilesMatch "wp-login.php|xmlrpc.php">
RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^(US|AU)$
RewriteRule ^(.*)$ http://example.com/$1 [L]
</FilesMatch>
</IfModule>

It just the blocking don't work.

By the way I'm using LSWS 4.2.24

 

[NiteWave]

ok, to summary. the issue is:

Deny from all
Allow from env=AllowCountry

not working by your test -- I think our dev will look into it.

since following is working:

<IfModule mod_geoip.c>
<FilesMatch "wp-login.php|xmlrpc.php">
RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^(US|AU)$
RewriteRule ^(.*)$ http://example.com/$1 [L]
</FilesMatch>
</IfModule>

following rule

<IfModule mod_geoip.c>
<FilesMatch "wp-login.php|xmlrpc.php">
RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^(US|AU)$
RewriteRule ^(.*)$ - [F,L]
</FilesMatch>
</IfModule>

should work as well ? it blocks the request by F flag instead of "Deny from ..." directive.

 

[milliondollar]

OK TQ. It works

 

[milliondollar]

Hi,

Now, I'm using Cloudflare CF-IPCOUNTRY to do this. The code below works very well to block access wp-login.php except in my country.

However after I upgrade to the latest version 5.1.2, it cause redirect loop instead of 403 forbidden error. Any idea what is wrong?

<FilesMatch "wp-login.php|xmlrpc.php">
RewriteEngine on
RewriteCond %{HTTP:CF-IPCOUNTRY} !^(AU)$
RewriteRule ^ - [F,L]
</FilesMatch>

 

[NiteWave]

I did similar test, looks it's working with latest 5.1.2 build 5.

#cat /usr/local/lsws/autoupdate/build
5

if above file "build" not exist, or less than 5, please force-reinstall 5.1.2 to latest build, see if the issue gone.

 

[milliondollar]

I upgraded to 5.1.2 build 5 but the problem still there.

 

[NiteWave]

My test didn't include

RewriteCond %{HTTP:CF-IPCOUNTRY} !^(AU)$

can you test if FilesMatch works on your server ? it works on my test server.

suggested steps:
1.add following in .htaccess:

<FilesMatch "abc.php">
RewriteEngine on
RewriteRule ^ - [F,L]
</FilesMatch>

2. access it by

#curl -I your-domain.com/abc.php

expected result:

HTTP/1.1 403 Forbidden
...

 

[milliondollar]

Yes file matching works but the result is the same redirect loop instead of 403 on the specified file. Other files is having a normal access.

 

[milliondollar]

I found out that redirect loop issue start with v5.1 and above.

All version 5.0+ return the correct 403 forbidden error.

 

[NiteWave]

it looks more clear.

it may relate to other rewrite rules ... in my simple unit test, only a few lines of rules, no redirect loop.

 

[milliondollar]

then why v5.0.12 give the correct 403 forbidden error?

 

[NiteWave]

yes, should be an issue with 5.1.2
5.1.3 may be out within next 24 hours. please test if it's gone with the new release.

also you can enable rewrite debug log (
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewritelog
RewriteLog
RewriteLogLevel
)
to know which steps has been wrong. (by comparing 5.0.12 and 5.1.2)

 

[milliondollar]

5.1.3 still give the same redirect loop.

5.0.13 is giving the correct 403 forbidden.

 

[NiteWave]

probably bug in 5.1.x, but to fix it, we need reproduce the issue. can you enabled rewrite debug log, and access the problem URL, send the log here ?

 

[milliondollar]

Yes, I try to get rewrite log but sure what I did correct as I don't see "rewrite.log" file in /usr/local/apache/logs/

<FilesMatch "wp-login.php|xmlrpc.php">
RewriteEngine on
RewriteLog "/usr/local/apache/logs/rewrite.log"
RewriteCond %{HTTP:CF-IPCOUNTRY} !^(AU)$
RewriteRule ^ - [F,L]
</FilesMatch>

 

[NiteWave]

http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewritelog
RewriteLog Directive
Context: server config, virtual host

RewriteLogLevel Directive
Syntax: RewriteLogLevel Level
Default: RewriteLogLevel 0
Context: server config, virtual host

please note above "Context", not include ".htaccess", mean the directive only effective in "server config, virtual host" or httpd.conf
maybe you only need put

RewriteLogLevel 9

in virtual host section of httpd.conf
and can find the log in error.log or error_log

 

[milliondollar]

I send you a private message containing the log file.

 

[mistwang]

Please try the latest build 5.1.3

/usr/local/lsws/admin/misc/lsup.sh -f -v 5.1.3

should be fixed.