Score:1

Apache .htaccess require ip not strict enough with IPv6


Let's suppose my IPv6 is 1111:2222:3333:4444:5555:6666:7777:8888

I can write any of these lines in the Apache .htaccess:

Require ip 1111:2222:3333:4444:0000:0000:0000:0000
Require ip 1111:2222:3333:0000::/64
Require ip 1111:2222:0000:0000::/64
Require ip 1111:2222:0000:0000:

I can still access the site. Apache seems to test only the first 2 blocks of the IPv6 address. Did I miss something? How can I really limit access to MY IP?

Score:1

None of your example IPs are in the same /64 subnet; they can't all match your IP. Compare the 3rd and 4th digit groups.

Starting with an IP address, chop off digits at the least-significant end. Use the number of bits remaining in CIDR slash notation. Write out the recommended form with :: compressing as many zeros as possible.

For example, take IP address 2001:db8:1622:c7bb:5919:8f34:f78e:aadd. Cutting it in half leaves 64 significant bits, so:

Require ip 2001:db8:1622:c7bb::/64

This /64 should be yours, familiar as one of your many subnets. An allow list with only one IP address is not making full use of the address space. Rather, put hosts in a /64 consistent with their purpose or security zone.

mod_authz_host is capable of single IP allow lists, of course. If you really wanted one IP address, it can do that.

Daxorp: Hello, thank you. "They can't all match": they should not, but they do! I tried again just now: Require ip 2001:db8:1111:1111::/64 allows me (and this is not 1111:1111!). But if I modify the 2nd block (db8 -> db9) it finally blocks me. I don't understand.
John Mahowald: Read httpd's access logs to get the address actually used. Manually compare them to find all matches on prefixes in any of your "Require ip" statements (grep the exact value). Test with an IP very different from yours, such as a different ISP, or by setting up a ULA network.
Daxorp: There's only one "Require ip" rule. With very different IPs, I can't access, but as long as there's 2001:db8: at the start, I can. Maybe there's a setting from the hosting service causing this, but I doubt it.
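The following is an added example, not part of the question, answer or comments above. It carries out two things mechanically that the thread does by hand: the answer's "chop the address to 64 bits and write the /64 in compressed form" step, and the comment's suggestion to take the client addresses from the access log and check which "Require ip" networks each one actually falls in. It uses Python's standard ipaddress module; the Require ip semantics it models are the documented ones for a bare address (exact host) and a network/CIDR value, and the truncated "a:b:" form from the question is deliberately left out because its behaviour is what the thread disputes. The log lines and addresses are constructed (documentation range 2001:db8::/32), not taken from any real server.

```python
import ipaddress

# Constructed sample access-log lines (Apache "combined" layout: client
# address is the first field). Addresses are from the 2001:db8::/32
# documentation range, not real clients.
SAMPLE_LOG = """\
2001:db8:1622:c7bb:5919:8f34:f78e:aadd - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
2001:db8:1111:1111:abcd::1 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
2001:db9:1622:c7bb::10 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 403 199 "-" "curl/8.0"
"""


def prefix_of(address, bits=64):
    """Chop an address down to its first `bits` bits and return the network in
    compressed form, e.g. 2001:db8:1622:c7bb:5919:8f34:f78e:aadd -> 2001:db8:1622:c7bb::/64.
    strict=False lets the host bits be non-zero, which is what "chopping" means."""
    return ipaddress.ip_network(f"{address}/{bits}", strict=False)


def require_line(address, bits=64):
    """Build the 'Require ip' directive for the /bits subnet containing `address`."""
    return f"Require ip {prefix_of(address, bits)}"


def parse_require_ip(directive):
    """Parse one 'Require ip a b c' line into ipaddress networks.

    A bare address becomes a host network (/128 for IPv6, /32 for IPv4); a
    CIDR value is taken as written. The truncated 'a:b:' IPv6 form from the
    question is not modelled here (it is an assumption of this example that
    only full addresses and CIDR networks are used).
    """
    parts = directive.split()
    if parts[:2] != ["Require", "ip"]:
        raise ValueError(f"not a Require ip directive: {directive!r}")
    return [ipaddress.ip_network(p, strict=False) for p in parts[2:]]


def allowed(address, directives):
    """True if any network named in the directives contains the address,
    i.e. what a correctly parsed 'Require ip' would grant."""
    addr = ipaddress.ip_address(address)
    # `in` on mixed IPv4/IPv6 simply returns False, so both families can coexist.
    return any(addr in n for d in directives for n in parse_require_ip(d))


def client_address(log_line):
    """Return the client address field (first token) of a combined-format log line."""
    return log_line.split(" ", 1)[0]


def matching_clients(log_text, directives):
    """Map every client address in the log to the Require ip networks it falls in.

    An empty list means none of the directives would grant that client access;
    this is the by-hand comparison the comments suggest, done over the whole log.
    """
    nets = [n for d in directives for n in parse_require_ip(d)]
    matches = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = client_address(line)
        addr = ipaddress.ip_address(client)
        matches[client] = [str(n) for n in nets if addr in n]
    return matches


if __name__ == "__main__":
    # The answer's worked example: the /64 that contains the sample address.
    print(require_line("2001:db8:1622:c7bb:5919:8f34:f78e:aadd"))
    # The comments' check: which allow-list network, if any, does each logged client hit?
    rules = ["Require ip 2001:db8:1622:c7bb::/64", "Require ip 2001:db8:1111:1111::/64"]
    for client, nets in matching_clients(SAMPLE_LOG, rules).items():
        print(client, "->", nets or "no match")
```

Running it prints the compressed /64 for the answer's sample address and, for the three constructed log lines, shows that only the client whose 3rd and 4th groups equal those of a listed /64 matches it; the 2001:db9 client matches nothing even though it shares the first group. Run against a real access log, a client that the script reports as "no match" yet was served a 200 is the signal that the rule in effect differs from the one you think you wrote, which is the situation the thread describes.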