05 August 2010

Apache and blocking IP addresses

It's always good, and necessary, to keep a close eye on the logs to see what is going on: who has accessed the website, what they saw, and so on. The metrics we can retrieve from the logs let us measure a lot of things and apply changes where required. They also let us identify IP addresses that are abusing the website.

Using Apache's mod_access (called mod_authz_host in Apache 2.2, where the Order, Allow and Deny directives live) we can block IP addresses from accessing the website.

To block a single IP address we can place this in our virtual host, inside a Directory or Files section, or in a .htaccess file:
deny from 10.10.10.1

To deny access to everyone, you can use
deny from all

To deny access to a range of IP addresses, give the network prefix or a CIDR block. Listing two addresses on one line (deny from 10.10.10.1 10.10.10.255) denies only those two hosts, not everything in between:
deny from 10.10.10.0/24
Remember that every time a user connects to the Internet, their ISP (Internet service provider) gives them an IP address from the range assigned to that ISP, so a blocked address is not permanently tied to one person.
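As an added example (not part of the original post), here is a small Python script that does the log review described above: it parses Apache combined-format access log lines, counts requests and 4xx/5xx responses per client address, and emits a mod_access stanza for the addresses that cross a threshold. The log lines, the thresholds and the Directory path are constructed for the example, not taken from a real server.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.10.10.1 - - [05/Aug/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.10.10.1 - - [05/Aug/2010:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.10.10.1 - - [05/Aug/2010:10:00:02 +0000] "GET /login HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.10.10.1 - - [05/Aug/2010:10:00:03 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.10.10.1 - - [05/Aug/2010:10:00:03 +0000] "GET /.htpasswd HTTP/1.1" 403 214 "-" "Mozilla/5.0"
10.10.10.1 - - [05/Aug/2010:10:00:04 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.10.10.1 - - [05/Aug/2010:10:00:04 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.7 - - [05/Aug/2010:10:01:10 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.7 - - [05/Aug/2010:10:01:11 +0000] "GET /style.css HTTP/1.1" 200 512 "http://example.test/" "Mozilla/5.0"
192.0.2.7 - - [05/Aug/2010:10:01:12 +0000] "GET /missing.png HTTP/1.1" 404 209 "http://example.test/" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""

# Client address, timestamp, request line, status and size; referer/agent are left unanchored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines):
    """Per-IP totals: number of requests and number of 4xx/5xx responses."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparseable lines instead of aborting the run
        entry = stats[rec["ip"]]
        entry["total"] += 1
        if rec["status"] >= 400:
            entry["errors"] += 1
    return dict(stats)


def find_abusers(lines, error_threshold=5, request_threshold=100):
    """Addresses whose error or request count meets a threshold (the thresholds are assumptions)."""
    stats = summarize(lines)
    return sorted(ip for ip, s in stats.items()
                  if s["errors"] >= error_threshold or s["total"] >= request_threshold)


def render_deny(ips, directory="/path/to/DocumentRoot"):
    """mod_access stanza denying the given addresses; the Directory path is a placeholder."""
    if not ips:
        return ""
    denies = "\n".join(f"    Deny from {ip}" for ip in ips)
    return (f'<Directory "{directory}">\n'
            "    Order allow,deny\n"        # Deny wins when both Allow and Deny match
            "    Allow from all\n"
            f"{denies}\n"
            "</Directory>\n")


if __name__ == "__main__":
    print(render_deny(find_abusers(SAMPLE_LOG.splitlines())))
```

With the constructed lines only 10.10.10.1 crosses the error threshold; 192.0.2.7's single 404 for a missing image is normal browsing and stays allowed.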

01 August 2010

Apache and cache improvements

Apache lets us improve the caching of our resources. We need mod_expires and mod_headers; they must be loaded in the main server configuration (httpd.conf).

Example (the AddModule lines are Apache 1.3 syntax and are not used in Apache 2.x):
LoadModule expires_module libexec/mod_expires.so
LoadModule headers_module libexec/mod_headers.so

AddModule mod_expires.c
AddModule mod_headers.c

AddModule mod_gzip.c

Note that mod_gzip must be loaded last.

To turn on mod_expires set:
ExpiresActive On

Then on the document root directory (the path below is a placeholder for your own DocumentRoot):
<Directory "/path/to/DocumentRoot">
    Options FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all

    ExpiresDefault A300
</Directory>

The ExpiresDefault directive above says the resource expires 300 seconds after it was accessed (the A prefix; an M prefix counts from the file's modification time instead). One day would be A86400 and 30 days A2592000.

If we don't want to take advantage of caching we set, using mod_headers:
Header set Cache-Control "max-age=0, no-store"


# Do not rely on file extensions: ExpiresByType matches the MIME type Apache assigns to the response
ExpiresActive On
ExpiresDefault "access plus 300 seconds"

<Directory "/path/to/DocumentRoot">
    Options FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
    ExpiresByType text/html "access plus 1 day"
    ExpiresByType text/css "access plus 1 day"
    ExpiresByType text/javascript "access plus 1 day"
    ExpiresByType image/gif "access plus 1 month"
    # image/jpeg is the type Apache's mime.types assigns to .jpg files; image/jpg would never match
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType application/x-shockwave-flash "access plus 1 day"
</Directory>



# We can shorten the Server response header to product and version only with the line below
# (ServerTokens Prod goes further and sends just "Apache")
ServerTokens Min

Our images are now cacheable for 30 days. However the HTML file does not have a Last-Modified header, because we use conditional server-side includes to merge in different CSS for different browsers and save an HTTP request. We'll address the cacheability of SSI pages in a future tweak.

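Added example, not from the original post: a Python helper that does the arithmetic mod_expires does for the two interval syntaxes used above (the A300/M300 form and the "access plus 1 day" form) and produces the Expires and Cache-Control headers a request would get. Unit sizes follow mod_expires (a month is 30 days, a year 365 days); the ExpiresByType table and the timestamps are constructed, and clamping a negative max-age to 0 is this example's own choice.

```python
import re
from email.utils import formatdate

# Interval units the way mod_expires counts them (a month is 30 days, a year 365 days).
UNIT_SECONDS = {
    "second": 1, "minute": 60, "hour": 3600, "day": 86400,
    "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400,
}
# "now" is a synonym for "access" in the directive syntax.
BASES = {"access": "access", "now": "access", "modification": "modification"}


def interval_seconds(spec):
    """Parse 'A300' / 'M300' or '<base> [plus] <num> <unit> ...' into (base, seconds)."""
    spec = spec.strip().strip('"')
    m = re.fullmatch(r"([AM])(\d+)", spec)
    if m:                                      # numeric form: A = access, M = modification
        return ("access" if m.group(1) == "A" else "modification"), int(m.group(2))
    words = spec.lower().split()
    if not words or words[0] not in BASES:
        raise ValueError(f"unknown base in {spec!r}")
    base = BASES[words[0]]
    rest = words[1:]
    if rest and rest[0] == "plus":             # the word 'plus' is optional
        rest = rest[1:]
    if not rest or len(rest) % 2:
        raise ValueError(f"malformed interval in {spec!r}")
    total = 0
    for num, unit in zip(rest[::2], rest[1::2]):
        unit = unit.rstrip("s")                # accept singular and plural units
        if not num.isdigit() or unit not in UNIT_SECONDS:
            raise ValueError(f"bad term {num!r} {unit!r} in {spec!r}")
        total += int(num) * UNIT_SECONDS[unit]
    return base, total


def expires_headers(spec, now, mtime=None):
    """Expires and Cache-Control headers for a request made at Unix time `now`."""
    base, seconds = interval_seconds(spec)
    if base == "modification":
        if mtime is None:
            raise ValueError("a modification-based interval needs the file mtime")
        expires_at = mtime + seconds
    else:
        expires_at = now + seconds
    # A file older than its M-interval would give a negative age; clamping to 0 is this example's choice.
    max_age = max(0, expires_at - now)
    return {"Expires": formatdate(expires_at, usegmt=True),
            "Cache-Control": f"max-age={max_age}"}


def expires_for(content_type, by_type, default):
    """ExpiresByType takes precedence over ExpiresDefault for a matching MIME type."""
    return by_type.get(content_type, default)


# Constructed policy table mirroring the post (image/jpeg is the type Apache assigns to .jpg).
BY_TYPE = {
    "text/html": "access plus 1 day",
    "text/css": "access plus 1 day",
    "text/javascript": "access plus 1 day",
    "image/gif": "access plus 1 month",
    "image/jpeg": "access plus 1 month",
    "image/png": "access plus 1 month",
}
DEFAULT = "access plus 300 seconds"

if __name__ == "__main__":
    request_time = 1280966400                  # constructed: 05 Aug 2010 00:00:00 UTC
    for ctype in ("image/png", "text/html", "application/pdf"):
        spec = expires_for(ctype, BY_TYPE, DEFAULT)
        print(ctype, spec, expires_headers(spec, request_time))
```

Running it shows why the two syntaxes in the post are interchangeable (A2592000 and "access plus 1 month" both come out as 2592000 seconds) and why a modification-based interval needs the file's mtime to produce a sensible max-age.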

Apache password protection

# Password protecting
# The .htpasswd file has one line per user: username:password
# The password is stored as a hash, not in clear text; to create one use the htpasswd utility that comes
# with Apache (bin directory). Usage (-c creates the file, so omit it when adding users to an existing one):
# htpasswd -c /usr/local/apache/passwd/passwords username
# For this to work from .htaccess, the AllowOverride directive needs AuthConfig (AllowOverride AuthConfig)

# To avoid asking for the password again in different directories, keep the realm the same
AuthName "Section Name - Password dialog box text - and realm"

# Basic is supplied by mod_auth, and the password is sent unencrypted between browser
# and server; AuthType Digest is implemented by mod_auth_digest and is more secure.
# Only the most recent versions of clients are known to support Digest authentication

AuthType Basic

# This file should be placed somewhere not accessible from the web (so it cannot be downloaded)
# If a large number of users exists this can become quite slow; Apache has the ability
# to store user information in fast databases, check mod_auth_dbm
AuthUserFile /full/path/to/.htpasswd

# Require a username if specific, and use groups if required, or Require valid-user
# for multiple users and less specific info

Require valid-user


# Groups: the group file has one line per group
GroupName: username1 username2 username3 etc
# and the virtual host or .htaccess points at that file and requires the group
AuthGroupFile /usr/local/apache/passwd/groups
Require group GroupName



# Authentication notes:
# Username and password must be verified on every request, even when loading
# the same page, and for every image on the page (if they come from a password-protected
# folder). This slows things down, and the slowdown is proportional to the size of the
# password file (open file, read file until this user / password is found). Once there are more than a few
# hundred users another authentication method should be considered (in the manual also)
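Added example, not from the original post: a Python helper for the .htpasswd and group files described above. It writes entries in the {SHA} format that htpasswd -s produces, verifies a username and password against the file with a constant-time comparison, evaluates Require valid-user / user / group the way Apache does, and checks that the AuthUserFile does not sit under DocumentRoot. The user names, passwords, paths and group file are constructed for the example.

```python
import base64
import hashlib
import hmac
import os


def sha_entry(username, password):
    """One .htpasswd line in the {SHA} format that `htpasswd -s` writes: base64 of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def load_htpasswd(text):
    """Map username -> stored hash from the contents of an AuthUserFile."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_password(users, username, password):
    """Verify a Basic-auth credential pair against the parsed file."""
    stored = users.get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False              # unknown user, or a hash scheme this helper does not handle
    candidate = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return hmac.compare_digest(stored[len("{SHA}"):], candidate)   # constant-time compare


def load_groups(text):
    """Map group name -> members from an AuthGroupFile ('groupname: user1 user2 ...')."""
    groups = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups


def authorize(users, groups, username, password, require):
    """Evaluate 'Require valid-user', 'Require user a b' or 'Require group g' after authentication."""
    if not check_password(users, username, password):
        return False
    parts = require.split()
    if parts == ["valid-user"]:
        return True
    if len(parts) > 1 and parts[0] == "user":
        return username in parts[1:]
    if len(parts) > 1 and parts[0] == "group":
        return any(username in groups.get(g, set()) for g in parts[1:])
    return False


def outside_docroot(auth_file, document_root):
    """True when the AuthUserFile is not under DocumentRoot, i.e. the server cannot serve it."""
    auth = os.path.normpath(os.path.abspath(auth_file))
    root = os.path.normpath(os.path.abspath(document_root))
    return os.path.commonpath([auth, root]) != root


# Constructed sample files (usernames and passwords invented for the example).
HTPASSWD = "\n".join([sha_entry("alice", "correct horse"), sha_entry("bob", "s3cret")]) + "\n"
GROUPS = "editors: alice bob\nadmins: alice\n"

if __name__ == "__main__":
    users, groups = load_htpasswd(HTPASSWD), load_groups(GROUPS)
    print(HTPASSWD)
    print("bob in editors:", authorize(users, groups, "bob", "s3cret", "group editors"))
    print("bob in admins: ", authorize(users, groups, "bob", "s3cret", "group admins"))
    print("file outside docroot:", outside_docroot("/usr/local/apache/passwd/passwords", "/var/www/html"))
```

The {SHA} scheme is unsalted, so two users with the same password get the same entry; newer htpasswd releases offer bcrypt with -B, which is the better choice where the server supports it. The outside_docroot check is the automated form of the note above that the file must not be downloadable.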