Forum Topic: regex in .htaccess does not work

Forum: .htaccess Forum : Basics • Posted by Susan Barretta • Updated:

I am at my wit’s end with my .htaccess file. Sometimes the blocks I have in it work, sometimes they don’t. I do not understand the inconsistency.

My site is hosted at a provider which provides Control Panel. Originally, I used CP to put in IP addresses to deny access. CP falsely claims that if you want to ban from 0 to 255 in the last octet, all you had to put in was the first three octets, as follows:

# This does not consistently work.
deny from 173.199.113.

I have looked at regular expressions. I suspect that there are limitations on the length of the line in .htaccess that Apache can read. Because the IP address ranges I generate through Google analytics do not work either:

# block - does not work
SetEnvIf Remote_Addr ^173\.199\.(1(1[3-9]|2[0-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ ban

I have tried breaking these up into small strings like this.

# This does not consistently work
SetEnvIf Remote_Addr ^173\.199\.113\.[0-9][0-9]*$ ban
SetEnvIf Remote_Addr ^173\.199\.114\.[0-9][0-9]*$ ban
SetEnvIf Remote_Addr ^173\.199\.115\.[0-9][0-9]*$ ban

Order Deny,Allow
Deny from env=bad_bot
Deny from env=ban

Can anybody tell me what is the CORE problem here? Is it the way Apache is installed on my host provider? Are there limitations on .htaccess? Is there are a problem with my regular expressions?!? Why the INCONSISTENCY?!? Will I have to enumerate EVERY IP in Russia, the Ukraine, China etc in order to effectively block these places?

1 Reply to “regex in .htaccess does not work”

Posted by Jeff Starr

Yes, it sounds like an issue with the way cPanel and/or the server is set up. I say this because deny from 173.199.113. should work at blocking all IPs that begin with 173.199.113. and end with any number 0-255, as you mention. At least, it works on every server I’ve ever tried it on, except for one shared server, in which cPanel was installed and kept interfering with my .htaccess rules.

Also, how are you testing the blocked IPs? If it’s thru a 3rd-party website, that may be a factor also.