logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: how to restrict access via IP Address for specific webpages?
Author
timc



Joined: 08 Apr 2014
Posts: 3

PostPosted: Thu 17 Apr '14 3:34    Post subject: how to restrict access via IP Address for specific webpages? Reply with quote

I'm using Concrete5 CMS to create a website. This CMS creates/manages all its webpages in a mySQL database. Thus, there is no physical folder associated with each webpage, so I can't simply create an .htaccess file and place it in the directory tree in the right sub-folder to restrict access for that sub-folder and all folders it contains.

I have one .htaccess file located at the root level (e.g top-level folder for the website).

QUESTION 1: Can someone help me with the few lines of code I need place in this top-level .htaccess file to (1) restrict access to only two specific IP addresses that I can specify (blocking access to all other IP addresses), and (2) specify the URL addresses that I wish to apply this rule to?

For example, let's say my website is

https://www.mydomain.com

and I want to restrict access to the URL of

www.mydomain.com/abc/123/mywebpage/

and my .htaccess file is located at

/home/myname/public_html/conc/.htaccess

What code can do that?

Method 1 I made a guess as follows, but it's not working:

<Location /home/myname/public_html/abc/123/mywebpage/>
order Deny,Allow
Deny from all
Allow from 123.456.789.012
Allow from 987.654.321.098
</Location>

Method 2 Alternatively, perhaps mod_rewrite can be used?

Method 3 My linux server has apache web server with cpanel and I see that httpd.conf has an include for the following file:

/usr/local/apache/conf/includes/pre_virtualhost_global.conf

which is currently empty. I've been told I can insert the following code to restrict access to files based on IP address:

<Files wplogin.php>
order deny,allow
deny from all
allow from 10.10.4.0/23
allow from 10.20.4.0/22
</Files>

However, I have URL paths, not file paths. Can this be retrofit to account for URLs? (e.g. <Location> instead of <Files>?)

Method 4 Another approach I can think of, which is a total guess, is to create a directory structure simply to place an .htaccess file in it. For example, I could create the directory:

/home/myname/public_html/abc/123/mywebpage

and then place an .htaccess file inside it (containing everything but the <Location> tags above. Would that work? If so, would I also need to create all the various subdirectories inside folder "mywebpage" or is this sufficient?

QUESTION 2: I'm aware that restricting access based on domain name is very easy to forge/spoof. For example, someone might use the following to restrict domain names instead of IP addresses:

SetEnvIf Referer www.mydomain.com internal
<Files *>
order Deny,Allow
Deny from all
Allow from env=internal
</Files>

However, not only do some browsers not provide a referring domain name, but it's easy to fake the name to get around any such restriction.

Does restricting based on IP address suffer the same problem, or is it much more secure? That is, people may be able to hide their IP address, but if I only allow my IP address access to the URL, then even if they are able to sent out a request using my IP address, it won't get returned to them. Seems more secure, but I'm not experienced in this area.

Any help much appreciated.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Sun 20 Apr '14 19:17    Post subject: Reply with quote

You mixed the stuff a bit. The location container can be used. The parameter is the url after the domainname. And to block an ip range just do it like 192.168 to have all 192.168.*.*
Back to top


Reply to topic   Topic: how to restrict access via IP Address for specific webpages? View previous topic :: View next topic
Post new topic   Forum Index -> Apache