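 /**
  * Build the web-server configuration snippet that blocks the hosts listed in the
  * "Banned Users" settings (`ban-users` / `host_list`).
  *
  * Each list entry is normalised to CIDR notation; entries that cannot be parsed
  * or that are on the whitelist are skipped. For Apache and LiteSpeed the ban is
  * expressed as `SetEnvIF` matches on REMOTE_ADDR and on the X-Forwarded-For /
  * X-Cluster-Client-IP proxy headers plus `Deny from` (and, for Apache with
  * mod_authz_core, `Require not ip`) lines; for nginx as plain `deny` directives.
  *
  * @param string $server_type One of 'apache', 'litespeed' or 'nginx'.
  *
  * @return string The rules block, or '' when the list is empty, no entry could
  *                be converted, or the server type is not supported.
  */
 public static function get_server_config_ban_hosts_rules($server_type)
 {
     $host_list = ITSEC_Modules::get_setting('ban-users', 'host_list', array());
     if (!is_array($host_list) || empty($host_list)) {
         return '';
     }

     // Strict comparison: the server type is a plain string key.
     $is_apache_like = in_array($server_type, array('apache', 'litespeed'), true);
     $is_nginx       = ('nginx' === $server_type);
     if (!$is_apache_like && !$is_nginx) {
         // No rule format exists for other server types; nothing to emit.
         return '';
     }

     if (!class_exists('ITSEC_Lib_IP_Tools')) {
         require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-ip-tools.php';
     }

     $set_env_rules = '';
     $require_rules = '';
     $deny_rules    = '';
     $nginx_rules   = '';

     foreach ($host_list as $raw_host) {
         // The list is user-edited settings data; ignore anything that is not a scalar
         // instead of letting trim() fail on an array or object.
         if (!is_scalar($raw_host)) {
             continue;
         }
         $host = ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr(trim((string) $raw_host));
         if (empty($host)) {
             continue;
         }
         if (ITSEC_Lib::is_ip_whitelisted($host)) {
             /**
              * @todo warn the user the ip to be banned is whitelisted
              */
             continue;
         }

         if ($is_nginx) {
             $nginx_rules .= "\tdeny {$host};\n";
             continue;
         }

         $converted_host = ITSEC_Lib_IP_Tools::ip_cidr_to_ip_regex($host);
         if (empty($converted_host)) {
             continue;
         }
         // All three matches only ever *set* DenyAccess, so a client-supplied proxy
         // header can add a deny but never lift the REMOTE_ADDR one. The pattern is
         // anchored, so a proxy header matches only when it holds exactly this
         // address; a comma-separated multi-hop X-Forwarded-For value will not match.
         $set_env_rules .= "\tSetEnvIF REMOTE_ADDR \"^{$converted_host}\$\" DenyAccess\n";         // direct client
         $set_env_rules .= "\tSetEnvIF X-FORWARDED-FOR \"^{$converted_host}\$\" DenyAccess\n";     // behind a proxy
         $set_env_rules .= "\tSetEnvIF X-CLUSTER-CLIENT-IP \"^{$converted_host}\$\" DenyAccess\n"; // behind a load balancer
         $set_env_rules .= "\n";
         $require_rules .= "\t\t\tRequire not ip {$host}\n";
         $deny_rules    .= "\t\tDeny from {$host}\n";
     }

     // Same header line for every server type; translated once.
     $header = "\n\t# " . __('Ban Hosts - Security > Settings > Banned Users', 'better-wp-security') . "\n";

     if ($is_nginx) {
         return '' === $nginx_rules ? '' : $header . $nginx_rules;
     }

     if ('' === $set_env_rules) {
         return '';
     }

     $rules = $header . $set_env_rules;
     if ('apache' === $server_type) {
         // Apache 2.4 (mod_authz_core) block, then the 2.2-style fallback below.
         $rules .= "\t<IfModule mod_authz_core.c>\n"
             . "\t\t<RequireAll>\n"
             . "\t\t\tRequire all granted\n"
             . "\t\t\tRequire not env DenyAccess\n"
             . $require_rules
             . "\t\t</RequireAll>\n"
             . "\t</IfModule>\n"
             . "\t<IfModule !mod_authz_core.c>\n";
     } else {
         // LiteSpeed only understands the Order/Allow/Deny form.
         $rules .= "\t<IfModule mod_litespeed.c>\n";
     }
     $rules .= "\t\tOrder allow,deny\n"
         . "\t\tAllow from all\n"
         . "\t\tDeny from env=DenyAccess\n"
         . $deny_rules
         . "\t</IfModule>\n";

     return $rules;
 }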