Please can you tell me in Apache2 how I can restrict a url to my IP address when the url is generated as a script. For example:
example.com/?admin
I have tried Location Match but no joy:
<LocationMatch /?admin>
Order Deny,Allow
Allow from [MY IP]
Deny from all
</LocationMatch>
You could use mod_rewrite to match the %{QUERY_STRING} and disallow anything that's not empty, unless it's from your IP. Check the wiki for examples.
Related
I would like to block a path from my site using the .htaccess configuration. The idea is that only a specific set of IPs can access that specific path from the URL.
Note: It's a path, not a page or directory. We are trying to shield off a web service, so there will be only POST calls to the URLs.
I would like the url example.com/rest to be blocked and everything behind that url based on IP. So example.com/rest/test_service and example.com/rest/test_service/read should be blocked.
All other paths from the application should remain functional.
I've tried the following, but it doesn't seem to work. Not a single page is accessible like this.
SetEnvIf Request_URI "/rest$" rest_uri
<RequireAll>
Require env rest_uri
<RequireAny>
Require ip XXX.XXX.XXX.XXX
</RequireAny>
</RequireAll>
I've tried different things but none of them seem to work. Any help is appreciated.
You can use mod_rewrite to allow a specific IP address:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !YourIP$
RewriteRule ^/?rest - [F]
This will return 403 forbidden error for all other ip addresses if /rest or /rest/foobar is accessed.
You can use directives like this to allow an IP range for certain URL:
# set env variable if URL is /rest or /rest/
SetEnvIf Request_URI "/rest(/.*)?$" rest_uri
Order deny,allow
# first deny all
Deny from all
# then allow if env var is not set
Allow from env=!rest_uri
# also allow your IP range
Allow from 10.1.0.0/16
I have made a page that I want to protect with an IP address block.
Everybody that visits example.com should be redirected to example.com/block.php, unless their IP address is known to me. I want to be able to add a lot of IP addresses to a list somewhere. After I have added someone's IP address to the list, when they visit example.com again, they should now be redirected to example.com/index.php.
Is this possible? I have seen a lot of questions that look the same, but nothing that really answers my question.
There are several ways to do this. Since you have the htaccess tag in your question, I assume you're looking for an htaccess file solution.
If you're not using Apache 2.4 (or higher), you can use mod_authz to handle all of the blocking. Something like this:
# this makes it so blocked IPs get shown the block.php page
ErrorDocument 403 /block.php
# Deny is evaluated first, then the Allow lines below override it per IP
Order Deny,Allow
Deny from all
Allow from 1.2.3.4
Allow from 1.2.3.5
Allow from 5.6.7.8
etc...
Here, you block everything and keep a list of "Allow from" lines. You can shorten them if you want to allow an entire subnet, e.g.
Allow from 1.2.3
will allow an IP starting with 1.2.3.
You can also use mod_rewrite for this:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.4$
RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.5$
RewriteCond %{REMOTE_ADDR} !^5\.6\.7\.8$
RewriteRule ^ /block.php [L,F]
Here, you have a bit more flexibility since you can use a regular expression to match the IP. So you can do stuff like:
RewriteCond %{REMOTE_ADDR} !^1\.2\.[3-6]\.
So this allows all IPs starting with: 1.2.3, 1.2.4, 1.2.5, and 1.2.6.
You can also put these directives into the server/vhost config file, it'll work a bit faster there instead of the htaccess file.
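A lint check for the regex approach above, as an added example that is not part of the original answer: it tests a REMOTE_ADDR pattern against sample addresses and reports any it accepts outside the intended range. The two loosened pattern variants and the candidate list are constructed for illustration, and Python's `re.search` stands in for the unanchored regex match that RewriteCond performs.

```python
import ipaddress
import re

def outside(addr, first, last):
    """True if addr is not within the inclusive range first..last."""
    a = ipaddress.ip_address(addr)
    return not (ipaddress.ip_address(first) <= a <= ipaddress.ip_address(last))

def overmatches(pattern, first, last, candidates):
    """Candidates the regex accepts even though they lie outside first..last."""
    rx = re.compile(pattern)
    return [c for c in candidates if rx.search(c) and outside(c, first, last)]

def misses(pattern, first, last, candidates):
    """Candidates inside first..last that the regex fails to accept."""
    rx = re.compile(pattern)
    return [c for c in candidates if not rx.search(c) and not outside(c, first, last)]

# Intended allowlist of the pattern on the page: 1.2.3.0 through 1.2.6.255.
FIRST, LAST = "1.2.3.0", "1.2.6.255"

# Constructed sample addresses: two inside the range, five outside it.
CANDIDATES = ["1.2.3.4", "1.2.6.255", "1.2.30.1", "1.2.45.9",
              "192.3.0.1", "1.2.7.1", "11.2.3.4"]

# The regex is the part of the RewriteCond after the leading "!".
PATTERNS = {
    "page":            r"^1\.2\.[3-6]\.",   # as written in the answer
    "no trailing dot": r"^1\.2\.[3-6]",     # constructed variant
    "unescaped dots":  r"^1.2.[3-6].",      # constructed variant
}

def audit():
    """Map each pattern label to (overmatches, misses) on the sample set."""
    return {label: (overmatches(p, FIRST, LAST, CANDIDATES),
                    misses(p, FIRST, LAST, CANDIDATES))
            for label, p in PATTERNS.items()}

if __name__ == "__main__":
    for label, (extra, missing) in audit().items():
        print(f"{label:16} outside range: {extra or 'none'}; missed: {missing or 'none'}")
```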
How about this?
<?php
$allowed = array(
    '123.45.67.890',
    '456.45.67.890',
    '789.45.67.890',
);
if (!in_array($_SERVER['REMOTE_ADDR'], $allowed)) {
    header("Location: /block.php");
    exit();
}
// continue with code ...
?>
Hope it works!
I was wondering if there is an “easy” way to protect a file from being accessed from all domains…
Let's say that I want only a few domains to use my script, so they put in their HTML
From domain yourdomain.com you write
If your domain is in our “allow” access then you can use it, if not, then show an error or just nothing…
Is that possible with PHP?
Or do I have to use .htaccess ?
Probably the most straightforward way is to use a .htaccess file. These files typically take IP addresses and not domains. The code below would only allow from 1.1.1.1 and 2.2.2.2, and anything else would be denied.
<Limit GET POST>
order deny,allow
deny from all
allow from 1.1.1.1
allow from 2.2.2.2
</Limit>
Here's my .htaccess
<Files *>
Order Deny,Allow
Deny from all
</Files>
<Files index.php>
Order Deny,Allow
Allow from all
</Files>
This is not working, because if I type the hostname in my browser, it serves the index.php, but Apache doesn't seem to apply the Files instructions and instead returns a non-allowed file access page. I need to type the full document name (e.g. 'index.php') to make it work, which is not really convenient...
How should I proceed if I want users to access only the index files of each folder in my website?
All the other files are just script inclusions, so I believe I'm doing right by trying to make them inaccessible from the web (or maybe not, if you have a reason to prove the other case).
Regardless of the question above, is it the right way to do the job? (I think the two directives here are not neat, but it's the only way, well, almost the only way that I know to avoid access to files.)
Not exactly sure why you need to do this, but you can use mod_setenvif (no need to wrap this inside a <Files>)
SetEnvIf Request_URI ^/index\.php$ index
Order Allow,Deny
Allow from env=index
This will cause access to hostname.com/ to 403 but allow hostname.com/index.php. If you want to allow / as well, just add
SetEnvIf Request_URI ^/$ index
to the top. Of course, all this will make it so anything that index.php links to will also return a 403.
<Files *?>
Order deny,allow
Deny from all
</Files>
You just need to add a question mark to match at least one character.
How can I allow access to a file only to users whose IP is within a range of IP addresses?
For example, the file admin.php and the range from 0.0.0.0 to 1.2.3.4.
I need to configure access to only ONE file, not to a directory.
Just add a FilesMatch or Files directive to limit it to a specific script.
The following would block access to all scripts ending in "admin.php":
<FilesMatch "admin\.php$">
Order deny,allow
Deny from all
Allow from 10.0.0.0/24
</FilesMatch>
The following would ONLY block admin.php :
<Files "admin.php">
Order deny,allow
Deny from all
Allow from 10.0.0.0/24
</Files>
For more information refer to the apache docs on Configuration Sections.
check the man page of the Allow Directive
Order Deny,Allow
Deny from all
Allow from 10.1.0.0/255.255.0.0
A partial IP address
Example:
Allow from 10.1
Allow from 10 172.20 192.168.2
The first 1 to 3 bytes of an IP address, for subnet restriction.
A network/netmask pair
Example:
Allow from 10.1.0.0/255.255.0.0
A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.
A network/nnn CIDR specification
Example:
Allow from 10.1.0.0/16
Similar to the previous case, except the netmask consists of nnn high-order 1 bits.
You cannot match an IP range with allow, but you can emulate it with a CIDR notation:
Order allow,deny
# 0.0.0.0 - 0.255.255.255
Allow from 0.0.0.0/8
# 1.0.0.0 - 1.1.255.255
Allow from 1.0.0.0/15
# 1.2.0.0 - 1.2.1.255
Allow from 1.2.0.0/23
# 1.2.2.0 - 1.2.2.255
Allow from 1.2.2.0/24
# 1.2.3.0 - 1.2.3.3
Allow from 1.2.3.0/30
# 1.2.3.4
Allow from 1.2.3.4
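The decomposition above can be computed rather than worked out by hand. This added example (not part of the original answer) splits an arbitrary first-to-last range into CIDR blocks with Python's standard `ipaddress` module, renders them as 2.2-style `Allow from` lines or a 2.4-style `Require ip` line, and cross-checks that a hand-written list covers exactly the range; the function names are chosen here for illustration.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive, nothing more."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError("range must be ordered and of one address family")
    return list(ipaddress.summarize_address_range(lo, hi))

def covers_exactly(cidrs, first, last):
    """True if the blocks are contiguous, start at first and end at last."""
    nets = sorted(ipaddress.ip_network(c) for c in cidrs)
    if nets[0].network_address != ipaddress.ip_address(first):
        return False
    for prev, nxt in zip(nets, nets[1:]):
        # A gap or an overlap between neighbours means the list is wrong.
        if int(prev.broadcast_address) + 1 != int(nxt.network_address):
            return False
    return nets[-1].broadcast_address == ipaddress.ip_address(last)

def apache_rules(cidrs, syntax="2.2"):
    """Render blocks as 2.2 'Allow from' lines or one 2.4 'Require ip' line."""
    specs = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
             for n in cidrs]
    if syntax == "2.4":
        return ["Require ip " + " ".join(specs)]
    return ["Order allow,deny"] + ["Allow from " + s for s in specs]

# The hand-written list from the answer above, used to cross-check it.
PAGE_LIST = ["0.0.0.0/8", "1.0.0.0/15", "1.2.0.0/23",
             "1.2.2.0/24", "1.2.3.0/30", "1.2.3.4"]

if __name__ == "__main__":
    blocks = range_to_cidrs("0.0.0.0", "1.2.3.4")
    print("\n".join(apache_rules(blocks)))
    print("\n".join(apache_rules(blocks, "2.4")))
    print("page list exact:", covers_exactly(PAGE_LIST, "0.0.0.0", "1.2.3.4"))
```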
Just do this for a single IP:
<Limit GET POST>
order deny,allow
deny from all
allow from 1.2.3.4
</Limit>
If you want to do it for a range like 10.x.x.x, then do this:
<Limit GET POST>
# deny first, then let the allow line override it for 10.x.x.x
order deny,allow
deny from all
allow from 10
</Limit>
If you are using WordPress, then the best and simplest method is to install the plugin LionScripts: WordPress IP Blocker from their website http://www.lionscripts.com/ip-address-blocker
Their Professional version has many more features, like country blocking, IP range blocking, bulk CSV uploading, etc.
If you want to provide a wildcard 0.0.255.255:
Order allow,deny
# 1.2.0.0 - 1.2.255.255
Allow from 1.2.0.0/16
This will give a range from 1.2.0.1 - 1.2.255.254
you can also check here
I wanted to redirect all but certain IPs to a maintenance page (our IPs are all on the same network). The following worked, based on shamitomar's answer above:
# TEMP MAINTENANCE PAGE
# MAINTENANCE-PAGE REDIRECT
<IfModule mod_rewrite.c>
RewriteEngine on
# One address that is on a different network
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx
#allow all addresses from our network
RewriteCond %{REMOTE_ADDR} !^xx\.xxx
#Stuff to allow so that we can show our maintenance page while we work
RewriteCond %{REQUEST_FILENAME} !(styles|images).+$
RewriteCond %{REQUEST_URI} !maintenance.html$ [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g?|png|gif|js|css|ttf|woff) [NC]
RewriteRule .* /maintenance.html [R=302,L]
</IfModule>
Order Deny,Allow
Deny from all
Allow from 311.311.311 322.322.322.322
See answer here