How to Verify Apache Whitelist/Blacklist Rules

Aaron Chamberlain asked:

There are thousands of articles and questions on how to block an IP address in Apache. It’s achieved with something like

Apache 2.4 Syntax:

<Files wp-login.php>
Require all granted
Require not ip 50.62.136.183
</Files>

But once I have that in place, how do I verify that it’s working? Let’s assume it’s some Foreign Actor I’m blocking because it was attempting malicious things in my logs (IP Tables might be better for this).

I attempted to use something like curl --header "X-Forwarded-For: 192.168.0.2" https://example.com/wp-login.php but it seems to return the same result no matter the IP.

curl --header "X-Forwarded-For: 123.456.789.123" https://example.com/wp-login.php output (not in the blacklist, verified to have access to the page in a browser).

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /wp-login.php
on this server.</p>
</body></html>

curl --header "X-Forwarded-For: 50.62.136.183" https://example.com/wp-login.php output:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /wp-login.php
on this server.</p>
</body></html>

So what’s the best way to spoof/temporarily assume that IP address and request a page for testing.

My answer:


Change it to your own IP address.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.