• Resolved jackmclean

    (@jackmclean)


    The plugin is causing IPv6 addresses to be blocked and it is breaking my htaccess. How can I temporarily stop it from blocking those addresses as they currently don’t work in my htaccess.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter jackmclean

    (@jackmclean)

    This is what was coming up and breaking my site:

    SetEnvIF REMOTE_ADDR "^2404:f080:1101:0?322:0?150:0?0?95:0?113:0?209$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^2404:f080:1101:0?322:0?150:0?0?95:0?113:0?209$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^2404:f080:1101:0?322:0?150:0?0?95:0?113:0?209$" DenyAccess

    When something in the .htaccess file breaks your site there is usually an error in the web server error_log. That error should point you in the right direction for solving the issue.

    Is it just a blocked ipv6 address that breaks the site?
    In other words, are there also ipv4 addresses being blocked (likewise in the .htaccess file) that don’t break the site?

    Thread Starter jackmclean

    (@jackmclean)

    It’s just the ip6 where it seems to be storing question marks in the htaccess (see latest update).

    There’s not any ip4 issues, and there are plenty being blocked.

    Ok, so it looks like there is an issue with the ipv6 regex (regular expression) pattern being used.
    I’m pretty sure that if you remove all the question marks (or all the 0? combinations) from the ipv6 regex it will work fine.

    (Edit: this doesn’t mean the ipv6 regex pattern is incorrect, it just means for some reason your Apache web server can’t handle it)

    What Apache web server version is being used?
    And is there any error logged in the Apache error_log?

    To prevent any confusion I’m not iThemes.

    • This reply was modified 5 years, 10 months ago by nlpro.
    Thread Starter jackmclean

    (@jackmclean)

    Got this:

    [Sat Apr 27 05:36:51.760463 2019] [core:alert] [pid 12305] [client 141.101.77.21:14854] /var/www/html/drivebywebsites.co.uk/.htaccess: ip address ‘2604:880:a:2:0:0:0:4009’ appears to be invalid: The specified IP address is invalid.
    [Sat Apr 27 05:36:51.824392 2019] [core:alert] [pid 12317] [client 141.101.105.229:17748] /var/www/html/drivebywebsites.co.uk/.htaccess: ip address ‘2604:880:a:2:0:0:0:4009’ appears to be invalid: The specified IP address is invalid.

    apache24-2.4.39

    Also, this is on a host which is only ipv4

    Ok, I see.

    This seems to be moving towards a server config issue. Not an issue with the iTSEc plugin. Perhaps you should contact your hosting provider.

    Anyway, one way to prevent any ipv6 addresses from being banned by the iTSec plugin is by disabling the Ban Lists option in the Banned Users module. Note this will also disable banning of ipv4 addresses. Unfortunately the iTSec plugin does not provide a setting that allows you to enable/disable banning ipv6 or ipv4 addresses specifically.

    Edit1:
    I tried pinging to both ipv6 addresses but they don’t seem to reply at all … I wonder whether that’s relevant.

    Edit2:
    Make sure the iTSec plugin is configured properly, so that it’s detecting real (client) IP addresses.
    To do this go to the Global Settings module and scroll down to the Proxy Detection setting.
    If your site is not behind a proxy server change the setting (from Automatic) to Disabled. This will ensure the real (client) IP is detected (and not possibly a spoofed IP). Then click on the Save Settings button.

    • This reply was modified 5 years, 10 months ago by nlpro.

    Ignore Edit1 from my previous post.

    Seems the site is using CloudFlare. If so, the site is behind a proxy. In that case make sure the Proxy Detection setting is set to Manual. And then select Cf-Connecting-IP as Proxy Header (if not already).
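
The proxy-header advice in the two replies above, as an added example that is not part of the original thread or the plugin's code: it picks the address a ban should apply to, honouring Cf-Connecting-IP only when the connecting peer is a trusted proxy. The function names are hypothetical, and the two networks are an assumed sample of Cloudflare ranges, not a complete list.

```python
import ipaddress

# Assumption: a sample of Cloudflare edge ranges; load the provider's
# full published list in a real deployment.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("141.101.64.0/18", "2400:cb00::/32")]
PROXY_HEADER = "Cf-Connecting-IP"  # header named in the thread


def parse_ip(text):
    """Return an ip_address object, or None if text is not one valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except (ValueError, AttributeError):
        return None


def is_trusted_proxy(peer):
    """True when the TCP peer falls inside a trusted proxy network."""
    return any(peer.version == net.version and peer in net
               for net in TRUSTED_PROXIES)


def ban_target(remote_addr, headers):
    """Return the normalised address a ban should apply to, or None.

    Direct connection: use REMOTE_ADDR and ignore the proxy header,
    since any client can send it with an address of its choosing.
    Via trusted proxy: use the header value; if it is missing or not a
    valid IP, return None so the proxy edge itself is never banned.
    """
    peer = parse_ip(remote_addr)
    if peer is None:
        raise ValueError("invalid REMOTE_ADDR: %r" % (remote_addr,))
    if not is_trusted_proxy(peer):
        return str(peer)
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = parse_ip(lowered.get(PROXY_HEADER.lower(), ""))
    return str(forwarded) if forwarded is not None else None


if __name__ == "__main__":
    # Constructed requests; 141.101.77.21 is the peer seen in the posted log.
    print(ban_target("141.101.77.21",
                     {"CF-Connecting-IP": "2604:880:a:2:0:0:0:4009"}))
    print(ban_target("203.0.113.7", {"Cf-Connecting-IP": "198.51.100.9"}))
    print(ban_target("141.101.77.21", {"Cf-Connecting-IP": "not-an-ip"}))
```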

    Thread Starter jackmclean

    (@jackmclean)

    Fantastic. Many thanks for your help. I hadn’t considered the Cloudflare connection. I’m sure this will fix it.

  • The topic ‘Stop IPv6 Blocking’ is closed to new replies.