  1. #1
    SitePoint Zealot headsnet's Avatar
    Join Date
    Feb 2001
    Location
    London, UK
    Posts
    123

    Facilitating a banned IP list

    I'm going to implement a 'banned IP' list on a system I'm creating. However, I'm undecided as to which of 2 solutions I should take:

    Solution 1) Use PHP to check the IP, and display a 'This site is unavailable' page if the visitor's IP is on the banned list.

    Solution 2) Simply stick all the banned IPs in a .htaccess 'Deny from' statement, and leave the user with an Apache 'Not Authorised' page.

    I know the .htaccess solution is more 'low level', and that it would save bandwidth and server resources etc, but it isn't very user friendly. Also, the admin interface that allows the administrator to set the banned IP list would have to read/write to the .htaccess file, which could be a bit of a security problem.

    Anyone got any other methods of implementing this? No others strike me so far, but maybe I'm missing another more obvious solution.

    Thanks

  2. #2
    SitePoint Enthusiast
    Join Date
    May 2003
    Location
    Bay Area, California
    Posts
    55
    I'd say it depends on the needs of the specific website you're implementing this on. If there isn't much traffic, the amount of resources/etc saved by a .htaccess file would be negligible (in my experience).

    But I don't really see where reading/writing to the .htaccess file is an issue, given correct permissions. What is the security threat? If you code the admin interface to only allow IP numbers to be added/removed, and nothing else, then the worst that could happen if an unwanted user gained access to the admin area would be to change those numbers. Not a huge deal, and no different than what they'd be able to do if the banned IPs were stored elsewhere.

    Personally I'd go with the .htaccess file. As for it not being user friendly -- if you're referring to the end-user, they don't need to be sent to a default Apache page. You could put something like this in the .htaccess file:

    ErrorDocument 403 /sorry.html

    And then make sorry.html display whatever custom access denied message you want, etc.

    Anyway, that's my take on it. If I wasn't clear about anything or I misunderstood you, let me know and I'll try to clarify.

  3. #3
    SitePoint Zealot headsnet's Avatar
    Join Date
    Feb 2001
    Location
    London, UK
    Posts
    123
    Yes, I agree. It's not going to be a high traffic site, but as always, I'm thinking ahead and trying to make the system as efficient and scalable as possible.

    Good point about the error document line in the .htaccess - I'd forgotten about that option. However, if I'm banning a user's IP, I'm not sure they even deserve a nice friendly error page!!

    I'm also tempted to go with the .htaccess option. However, I'm still a little reserved about reading/writing to the .htaccess file itself. If something were to interrupt the write process midway, it could corrupt the .htaccess file and leave the system unsecured. I suppose I could code some routine that would write to a temporary file, and only when the write process returns success, copy the temp file over the top of the .htaccess.

    Normally I wouldn't be so concerned about this, except with this project, there's quite a few things in the htaccess that I don't want messed with - to start with there's an override for the PHP include path, which points it at all my custom libs...

  4. #4
    SitePoint Enthusiast
    Join Date
    May 2003
    Location
    Bay Area, California
    Posts
    55
    Yeah, that's an understandable concern. I like the idea of writing to a temporary file first. Maybe don't even make it temporary, but keep it right where it is so you'll have a backup of the .htaccess file in case something goes wrong while copying...

    I don't know what your directory structure is like and where you need to ban the users from, but would it be possible to use more than one .htaccess file? For example, have the file with the PHP overrides etc, in the root directory and never modify it. Then, have a separate .htaccess file with the banned IPs in the specific directory you want them banned from... but that depends on whether or not there's a specific directory you want them banned from... as far as I know, there's no way to have more than one .htaccess file in a single directory.

  5. #5
    SitePoint Zealot headsnet's Avatar
    Join Date
    Feb 2001
    Location
    London, UK
    Posts
    123
    No, my directory structure won't really permit that. I need to ban users from the whole site, which is from the document root.

    I was hoping the 'Include' statement would work inside an .htaccess file, but it's only valid in the main server config. That way I would have been able to simply include a file containing the banned IPs into the .htaccess file, and never have to modify the .htaccess itself.
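
The approach discussed in replies #2 to #4, as an added example that is not code from any poster in this thread: accept only IP literals, rebuild just a marked block of the .htaccess so the other directives are never rewritten, stage the result in a temporary file, keep a backup, then rename it into place. The marker comments, function names and demo paths are assumptions.

```php
<?php
// Added example: marker text, function names and paths are assumptions.
const BAN_BEGIN = '# BEGIN banned-ips (generated)';
const BAN_END   = '# END banned-ips';

/** Accept only IPv4/IPv6 literals so no other directive can be injected. */
function validate_ips(array $candidates): array {
    $ok = [];
    foreach ($candidates as $raw) {
        $ip = filter_var(trim((string) $raw), FILTER_VALIDATE_IP);
        if ($ip === false) { throw new InvalidArgumentException('Not an IP: ' . json_encode($raw)); }
        $ok[$ip] = true; // de-duplicate
    }
    return array_keys($ok);
}

/** Rebuild only the marked block; all other directives stay untouched. */
function render_htaccess(string $current, array $ips): string {
    $block = BAN_BEGIN . "\n";
    foreach ($ips as $ip) { $block .= "Deny from $ip\n"; }
    $block .= BAN_END . "\n";
    $re = '/^' . preg_quote(BAN_BEGIN, '/') . '\n.*?^' . preg_quote(BAN_END, '/') . '\n?/ms';
    return preg_match($re, $current)
        ? preg_replace_callback($re, fn() => $block, $current, 1)
        : rtrim($current, "\n") . "\n\n" . $block;
}

/** Write a temp file beside the target, back up the old one, then rename(). */
function update_ban_list(string $path, array $candidates): void {
    $ips = validate_ips($candidates); // fail before touching the disk
    $current = is_file($path) ? file_get_contents($path) : '';
    if ($current === false) { throw new RuntimeException("Cannot read $path"); }
    $tmp = tempnam(dirname($path), '.htaccess.tmp'); // same directory as target
    if ($tmp === false || file_put_contents($tmp, render_htaccess($current, $ips)) === false) {
        throw new RuntimeException("Cannot stage new $path");
    }
    chmod($tmp, is_file($path) ? fileperms($path) & 0777 : 0644);
    if (is_file($path)) { copy($path, "$path.bak"); } // last known-good copy
    if (!rename($tmp, $path)) { // atomic when both are on one filesystem
        unlink($tmp);
        throw new RuntimeException("Cannot replace $path");
    }
}

// Constructed demo in a throwaway directory.
$dir = sys_get_temp_dir() . '/htaccess-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/.htaccess", "php_value include_path \"/path/to/libs\"\n");
update_ban_list("$dir/.htaccess", ['203.0.113.7', '2001:db8::1', '203.0.113.7']);
echo file_get_contents("$dir/.htaccess");
```

Because validation runs before any file is opened, a rejected entry leaves the live .htaccess and its backup exactly as they were. `Deny from` is the Apache 2.2 form used in the thread; on Apache 2.4 it is provided by mod_access_compat.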

