I want to block a list of IP addresses and bad user agents on my Apache web server.
So I'm adding this to /etc/apache2/conf-available/blocklist.conf:

```apache
BrowserMatchNoCase "ChatGPT" bad_bot
<Directory />
    <RequireAll>
        # Default: don't give access to root directory
        Require all denied
        Require not ip 1.2.3.4
        Require not ip 5.6.7.8
        Require not env bad_bot
    </RequireAll>
</Directory>
```

Each vhost is like this:

```apache
<VirtualHost *:443>
    ServerName example.org
    DocumentRoot /var/www/example.org
    <Directory /var/www/example.org>
        # Allow access to document root only
        Require all granted
    </Directory>
</VirtualHost>
```

Now because of the Require all granted in the vhost, the first blocklist of Require not doesn't apply anymore: the bots are no longer blocked.
So I thought I would use <Location /> instead:

```apache
BrowserMatchNoCase "ChatGPT" bad_bot
<Location />
    <RequireAll>
        # Default: don't give access to root directory
        Require all denied
        Require not ip 1.2.3.4
        Require not ip 5.6.7.8
        Require not env bad_bot
    </RequireAll>
</Location>
```

But now the Location section takes over the vhost config, and no-one can access the vhost.
So: what is the solution to be able to keep my global blocklist BUT still be able to use "Require all granted" for each vhost to restrict access to document roots?
Long story short: I just want to block some stuff, that will stay blocked even if some later rules include "all granted".
Edit: I could do this for each vhost:

```apache
<Directory /var/www/example.org>
    <RequireAll>
        # Allow access to document root only
        Require all granted
        Include /etc/apache2/conf-available/blocklist.conf
    </RequireAll>
</Directory>
```

But then Apache would have to re-parse and re-apply the same thousands of rules for the hundreds of vhosts, so not a good solution.
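
One way to get the behaviour asked for above, as an added example that is not part of the original post: it assumes Apache 2.4 with mod_authz_core, whose `AuthMerging And` directive combines a section's authorization with the result of the sections merged before it instead of replacing it. The global `<Directory />` is reduced here to a plain default deny, and the vhosts stay exactly as posted.

```apache
# /etc/apache2/conf-available/blocklist.conf (global, parsed once)
BrowserMatchNoCase "ChatGPT" bad_bot

# Default deny for the whole filesystem. Each vhost's
# <Directory /var/www/...> with "Require all granted" replaces this
# for its own document root (AuthMerging defaults to Off).
<Directory />
    Require all denied
</Directory>

# <Location> sections are merged after all <Directory> sections.
# Without AuthMerging this section would replace the <Directory>
# result; with "And", a request must pass the <Directory> result
# AND this blocklist.
<Location />
    AuthMerging And
    <RequireAll>
        # A <RequireAll> needs at least one positive Require,
        # otherwise the negated lines alone are a config error.
        Require all granted
        Require not ip 1.2.3.4
        Require not ip 5.6.7.8
        Require not env bad_bot
    </RequireAll>
</Location>
```

After `apachectl configtest` and a reload, a request from a listed address or with a matching user agent should get a 403 on every vhost, while paths outside the document roots stay denied by the `<Directory />` default.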