
Lighttpd restrict or deny access by IP address

Posted by Vivek Gite [Last updated: December 4, 2007]


So how do you restrict or deny access by IP address using Lighttpd web server?

Lighttpd ships the mod_access module. On its own it denies access to files whose path ends with a given string (url.access-deny). To deny by client address, you combine it with a conditional on the remoteip variable, so that the deny rule only applies inside the conditional block. The syntax is as follows:

$HTTP["remoteip"] == "IP" : match on the remote IP (exact address, or a network in CIDR form)
$HTTP["remoteip"] !~ "IP1|IP2" : do not match on the remote IP (Perl-style regular expression, negated)
$HTTP["remoteip"] =~ "IP1|IP2" : match on the remote IP (Perl-style regular expression)

Task: Match on the remote IP

For example, deny access to the http://theos.in/stats/ URL unless the client IP address is 192.168.1.5 or 192.168.1.10 (that is, restrict access to these two IPs only):

Open the /etc/lighttpd/lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Append the following configuration directive:

# Deny /stats/ to every client whose address does NOT match the allow-list.
# The regex is anchored with ^ and $ and the dots are escaped so that only
# these two exact addresses match (an unanchored "192.168.1.5" would also
# match 192.168.1.50, 192.168.1.51, and so on).
$HTTP["remoteip"] !~ "^(192\.168\.1\.5|192\.168\.1\.10)$" {
    $HTTP["url"] =~ "^/stats/" {
        url.access-deny = ( "" )
    }
}

Save and restart lighttpd:
# /etc/init.d/lighttpd restart

Task: Block single remote IP

Do not allow IP address 202.54.1.1 to access our site:

# Exact-match comparison: only this one address is denied.
$HTTP["remoteip"] == "202.54.1.1" {
    url.access-deny = ( "" )
}

Do not allow IP addresses 202.54.1.1 and 202.54.2.5 to access our site:

# Regex match for several addresses; anchored and dot-escaped so that
# 202.54.1.10 or 202.54.2.50 are not caught by accident.
$HTTP["remoteip"] =~ "^(202\.54\.1\.1|202\.54\.2\.5)$" {
    url.access-deny = ( "" )
}
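Before deploying a remoteip rule it is worth checking which client addresses it actually catches, because the regex operators (=~, !~) treat the pattern as a Perl-style regular expression while the comparison operators (==, !=) compare the address exactly or by CIDR network. The following added Python example (it is not part of the nixCraft article and does not use lighttpd code) models those two behaviours with the re and ipaddress modules, builds an anchored regex from a list of addresses, and classifies a constructed set of sample clients against both the article's deny-list and allow-list rules. The assumption that lighttpd's =~ matches a Perl-compatible regex against the bare address string is labelled in the code.

```python
# Added example, not from the nixCraft article: an offline checker that mimics
# how a $HTTP["remoteip"] condition classifies client addresses.
#
# Assumptions (not verified against lighttpd source here): "=~" / "!~" apply a
# Perl-style regex to the client address string, and "==" / "!=" compare the
# address exactly or, when the right-hand side is in CIDR form, test membership
# in that network. All sample addresses below are constructed for the demo.
import ipaddress
import re


def remoteip_matches(op, pattern, client_ip):
    """Return True if a `$HTTP["remoteip"] <op> "<pattern>"` block would be
    entered for client_ip. op is one of ==, !=, =~, !~."""
    if op in ("=~", "!~"):
        hit = re.search(pattern, client_ip) is not None
        return hit if op == "=~" else not hit
    if op in ("==", "!="):
        if "/" in pattern:
            network = ipaddress.ip_network(pattern, strict=False)
            hit = ipaddress.ip_address(client_ip) in network
        else:
            hit = client_ip == pattern
        return hit if op == "==" else not hit
    raise ValueError(f"unsupported operator {op!r}")


def anchored_ip_regex(ips):
    """Build a regex that matches exactly the listed addresses: escape the
    dots (which otherwise match any character) and anchor both ends."""
    return "^(" + "|".join(re.escape(ip) for ip in ips) + ")$"


def classify(op, pattern, addresses):
    """Map each sample address to 'denied' or 'allowed', assuming the
    conditional block's body is url.access-deny (entered == denied)."""
    return {ip: ("denied" if remoteip_matches(op, pattern, ip) else "allowed")
            for ip in addresses}


# Constructed sample clients, including look-alikes of the two allowed hosts.
SAMPLE_CLIENTS = ["192.168.1.5", "192.168.1.10", "192.168.1.50",
                  "192.168.1.100", "10.20.30.40"]

# Allow-list written naively (unanchored, dots unescaped) versus anchored.
NAIVE_ALLOW = "192.168.1.5|192.168.1.10"
STRICT_ALLOW = anchored_ip_regex(["192.168.1.5", "192.168.1.10"])


if __name__ == "__main__":
    for label, pat in (("naive", NAIVE_ALLOW), ("anchored", STRICT_ALLOW)):
        print(f"{label}: !~ \"{pat}\"")
        for ip, verdict in classify("!~", pat, SAMPLE_CLIENTS).items():
            print(f"  {ip:16} {verdict}")
    # CIDR form with != : everyone outside 10.0.0.0/8 is denied.
    print(classify("!=", "10.0.0.0/8", ["10.1.2.3", "11.1.2.3"]))
```

Running it shows the pitfall directly: with the naive pattern, 192.168.1.50 and 192.168.1.100 slip through the allow-list because the regex matches a prefix of their address, while the anchored pattern admits only the two intended hosts. The same helper shows that a network range belongs in an == or != comparison in CIDR form, not inside a regex.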

See also

=> Lighttpd deny access to certain files


Discussion on This Article:

  1. Bryan Says:

    Great article! I have a question relating to restricting access to a local server.

    I have two applications(Radiant & Mephisto) on the same shared server. I want to be able to restrict access to RSS feeds generated by Mephisto to the other application (Radiant).

    I reasoned that this could be accomplished using either the servers IP address or localhost. When I tried 127.0.0.1, it did not restrict anyone.

    Am I on the right track with my logic for this type of mod_access module? Alternatively, is it possible to restrict by domain?

    Thanks,

    Bryan

  2. nixcraft Says:

    Hello Bryan,

    127.0.0.1 is the local loopback IP address. This IP address is not routable, so you cannot use this IP for restriction, i.e. any traffic that a server program sends on the loopback network is addressed to the same server.

    To solve your problem use IP address. For example

    If the user agent is not foo and it is not our server IP address, do something or deny access:

    $HTTP["useragent"] !~ "foo" {
        $HTTP["remoteip"] != "SERVER-IP" {
            # do-something, e.g. url.access-deny = ( "" )
        }
    }

    You can restrict RSS usage using URL match also.

  3. Bryan Says:

    Hello,

    Thanks for the information. I tried several variations without success.

    I spoke with my hosting provider. He explained that the remote ips will be 127.0.0.1 because of the Apache 2 proxy.

    Is there a way to use the Apache HTTP_X_FORWARDED_FOR in the conditional instead of remoteip?

    The access seems to use that to record ips. This article talks about it a little. http://forum.lighttpd.net/topic/1372#3626

    Thanks again for your help. I know this isn’t a standard question but there are probably a lot people in similiar Apache 2/Lighttpd setups.

    Thanks,

    Bryan

  4. nixcraft Says:

    I don't think you can get HTTP_X_FORWARDED_FOR in conditional tags. However, you can try something as follows:

    $HTTP["url"] =~ "^/path/to/rss/" {
        $HTTP["remoteip"] != "your-shared-server-ip" {
            url.access-deny = ( "" )
        }
    }

    Or just paste your current config (removing your actual domain and IP for security purposes) and the exact requirements (output) you want. Then maybe I can help you out.

    Another possibility: if you just need to give access to the localhost lighttpd from Apache, configure iptables to drop all access.

  5. xmlspy Says:

    How do I block multiple IPs using mod_access in lighttpd?
    e.g.:
    From 202.133.122.0 to 202.133.122.255
    From 202.222.222.0 to 202.222.222.255

  6. nixcraft Says:

    xmlspy,

    Nope, it is not possible to specify a range using -. However, you can specify a network such as the 10.0.0.0/8 network or 70.6.2..5/29. For example:

    $HTTP["remoteip"] != "10.0.0.0/8" {
        url.access-deny = ( "" )
    }

  7. xmlspy Says:

    reply nixcraft

    thanks :)

    follow

    ----------------------
    $HTTP["remoteip"] !~ "222.33.0.0/16|61.236.0.0/16|61.236.32.0/20|61.237.11.0/24|61.232.162.0/24|61.235.240.0/24|221.200.0.0/16|211.98.81.0/24|220.201.62.93" {
        url.access-deny = ( "" )
    }
    ----------------------

    Why can't 222.33.36.58 access the website?

  8. Dude Says:

    When using a regular expression match, I seem to have had success by simply leaving out the octet I wanted to use as a wildcard.

    instead of "/24": $HTTP["remoteip"] =~ "127.0.0.1|10.0.0"
    instead of "/16": $HTTP["remoteip"] =~ "127.0.0.1|10.0"

    It's been more than a year since the last reply, but hey, a search led me here.


Copyright © 2004-2008 nixCraft. All rights reserved - TOS/Disclaimer - Privacy policy - Sitemap - Powered by Open source software.