Bug 65279 - IP blocking rules to access to website are not respected
Summary: IP blocking rules to access to website are not respected
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: All
Version: 2.4.46
Hardware: PC All
Importance: P2 critical
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2021-04-30 06:27 UTC by ncitl
Modified: 2021-05-01 06:07 UTC

Description ncitl 2021-04-30 06:27:54 UTC
Hello, 

I have the following problem.

I have a WordPress website hosted on an Apache server managed with cPanel (the Apache version is v2.4 I think, but I don't know the exact 2.4.x version used by my host).

To allow access to the website from only a single IP address, I have defined the following rule, which I have put in the .htaccess file located in the root folder of the website:
Order Deny,Allow
Deny from All     
Allow from 1.2.3.4

After uploading the .htaccess file to the server, IP addresses other than the authorized one are indeed blocked.
Unfortunately, after visiting the website once from the allowed IP address, the website is now accessible to all IP addresses, even the non-authorized ones. The rule in .htaccess is not respected.
If I do not visit the website from the authorized IP address, the non-authorized IP addresses are blocked and have no access to the website ... until I come back to the website from the allowed IP address.

I have tried a lot of other variants of this code found on forums and help pages, but they do not work.

Would you have a solution to this problem?

Thank you very much
Comment 1 ncitl 2021-04-30 08:21:48 UTC
I got the Apache version used by my host:
2.4.46
Comment 2 ncitl 2021-04-30 08:29:20 UTC
Following the advice of my host, I have:

>>> Disabled the server cache system, but the problem is still the same.

>>> Replaced the code in the .htaccess file with the following, but the problem is still the same.

<RequireAll>
   Require ip 0.0.0.0
</RequireAll>
Comment 3 ncitl 2021-04-30 08:52:42 UTC
I have tried to determine how long the rules used to block non-authorized IP addresses are not applied after the last page refresh from the allowed IP address.

To do this, I refreshed the page every 30 seconds from a non-authorized IP address (of course without refreshing the page from the authorized IP address). The non-authorized IP address was blocked when the stopwatch indicated 2 minutes and 30 seconds.

The time is between 2 minutes and 2 minutes 35 seconds.
Comment 4 ncitl 2021-05-01 06:07:37 UTC
After some more tests, the problem occurs only when you try to display the website home page (maybe other pages) but not when you try to access the WordPress wp-admin.php.
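
The timing test in Comment 3 and the per-path difference in Comment 4 can also be measured from the server's access log rather than with a stopwatch. The following is an added example, not part of the bug report and not Apache code: it assumes the access log uses Apache's common/combined format, the log lines are constructed, and the function names `parse`, `leaks` and `leak_window` are hypothetical.

```python
import re
from datetime import datetime

# Prefix of Apache common/combined log format: client, time, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not from the bug report). 1.2.3.4 is the allowed
# address from the report; 203.0.113.9 is a documentation-range address.
SAMPLE_LOG = """\
203.0.113.9 - - [30/Apr/2021:08:00:00 +0000] "GET / HTTP/1.1" 403 199
1.2.3.4 - - [30/Apr/2021:08:01:00 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [30/Apr/2021:08:01:30 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [30/Apr/2021:08:02:00 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [30/Apr/2021:08:02:30 +0000] "GET /wp-admin.php HTTP/1.1" 403 199
203.0.113.9 - - [30/Apr/2021:08:03:00 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [30/Apr/2021:08:03:30 +0000] "GET / HTTP/1.1" 403 199
""".splitlines()

def parse(line):
    """Return (ip, datetime, path, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def leaks(lines, allowed_ip):
    """List (ip, path, age) for every 2xx response sent to a client other than
    allowed_ip; age = seconds since allowed_ip last got a 2xx for that path."""
    last_allowed = {}  # path -> time of the last 2xx served to allowed_ip
    found = []
    for ip, ts, path, status in filter(None, map(parse, lines)):
        if not 200 <= status < 300:
            continue  # denied or failed requests are not leaks
        if ip == allowed_ip:
            last_allowed[path] = ts
        else:
            prev = last_allowed.get(path)
            age = (ts - prev).total_seconds() if prev else None
            found.append((ip, path, age))
    return found

def leak_window(lines, allowed_ip):
    """Longest observed delay (seconds) between an allowed hit and a leak."""
    ages = [a for _, _, a in leaks(lines, allowed_ip) if a is not None]
    return max(ages, default=None)
```

Running `leaks()` over the real log for the affected virtual host shows, per path, which unauthorized clients received a successful response and how long after the allowed address last fetched that path.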