RewriteCond for ipv6 subnet under .htaccess - apache

I have a question related to IPv6 addresses that reach a website.
The Apache logs show clients' X-Forwarded-For IPs in both IPv4 and IPv6.
This website is protected in .htaccess via an IPv4 whitelist for each allowed subnet.
Example:
RewriteCond %{HTTP:X-FORWARDED-FOR} !^123\.45\.67
RewriteCond %{HTTP:X-FORWARDED-FOR} !^123\.45\.68
RewriteCond %{HTTP:X-FORWARDED-FOR} !^123\.45\.69
How can I do the same for an IPv6 prefix, since the following does not seem to work?
RewriteCond %{HTTP:X-FORWARDED-FOR} !^\[1234:123:123::/48\]
If I specify the IPv6 client IP in the RewriteCond, it works. But only for a period of time until his IPv6 address gets renewed.

Could you try:
RewriteCond expr "! %{HTTP:X-FORWARDED-FOR} -ipmatch '1234:123:123::/48'"
It implies Apache >= 2.4; a native RewriteCond (meaning one without the use of an expression) does not handle IP range/CIDR notation.

It didn't work.
Couldn't I achieve it by using the following regex, applying the same principle as the IPv4 conditions listed above, where a substring of the value of the X-Forwarded-For header is represented?
RewriteCond %{HTTP:X-FORWARDED-FOR} !^1234:123:123
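
The following added example, which is not code from any of the posts, compares the textual prefix test proposed above with a real CIDR test on the left-most X-Forwarded-For entry. The sample header values and the function names are constructed for illustration, and the check assumes the front proxy sets the header itself.

```python
import ipaddress
import re

# Allowlist built from the subnets shown in the question (IPv4 /24 and IPv6 /48).
ALLOWED = [ipaddress.ip_network(n) for n in ("123.45.67.0/24", "1234:123:123::/48")]
# The substring test proposed in the thread.
PREFIX_RE = re.compile(r"^1234:123:123")


def client_ip(xff):
    """Return the left-most X-Forwarded-For entry as an address object, or None."""
    first = xff.split(",")[0].strip().strip("[]")
    try:
        return ipaddress.ip_address(first)
    except ValueError:
        return None  # empty, "unknown" or otherwise unparsable: treat as not allowed


def allowed_by_cidr(xff):
    """Numeric comparison: is the client address inside any allowed network?"""
    ip = client_ip(xff)
    return ip is not None and any(ip in net for net in ALLOWED)


def allowed_by_prefix(xff):
    """Textual comparison, as a regex-based RewriteCond would do it."""
    return PREFIX_RE.search(xff) is not None


# Constructed header values (not taken from real logs).
SAMPLES = [
    "1234:123:123:9::5",            # inside the /48, compressed form
    "1234:0123:0123:0009::5",       # same network written with leading zeros
    "1234:123:1230::1",             # outside the /48, but shares the text prefix
    "1234:123:123:9::5, 10.0.0.7",  # client first, then a proxy hop
    "unknown",                      # non-address token
]


def compare(samples=SAMPLES):
    """Return (header, prefix_result, cidr_result) for each sample."""
    return [(s, allowed_by_prefix(s), allowed_by_cidr(s)) for s in samples]


if __name__ == "__main__":
    for header, by_prefix, by_cidr in compare():
        print(f"{header!r:34} prefix={by_prefix!s:5} cidr={by_cidr}")
```

The two tests disagree on the second and third samples: the prefix regex rejects a legitimate address written with leading zeros and accepts an address from a different /48 whose text happens to begin the same way.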

Related

RewriteCond doesn't let my IP address through

I want to restrict access to my dev site to just my IP address. (eg 123.123.123.123)
I have the following in my .htaccess file. However I still get redirected to /dev_site_notice.html.
Am I specifying this correctly?
SetEnvIf X-Forwarded-Proto https HTTPS=on
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteCond %{REQUEST_URI} !/dev_site_notice.html$ [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g?|png|gif) [NC]
RewriteRule .* /dev_site_notice.html [R=302,L]
SetEnvIf X-Forwarded-Proto https HTTPS=on
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
If you are checking for the X-Forwarded-Proto header in the SetEnvIf directive then it implies you are behind a proxy server (otherwise this directive should be removed). If this is the case then the REMOTE_ADDR server variable is the IP address of the proxy, not the client IP address.
If (and only if) you are behind a proxy then you should be checking the X-Forwarded-For HTTP request header instead. For example:
RewriteCond %{HTTP:X-Forwarded-For} !^123\.123\.123\.123($|\D)
Note that the X-Forwarded-For header can contain multiple (comma-separated) IP addresses, depending on whether the request has gone through several proxies. The client-IP is usually first (left-most), but you may need to confirm this with the proxy. For this reason, the regex should not end with $ (not that your original regex did anyway), but rather ($|\D) (end-of-string OR not a digit).
The X-Forwarded-For header is the de facto standard, but it can vary from proxy to proxy. It is the proxy server that sets this header when the request passes through.

mod_rewrite apache FQDN to Hostname

I'm trying to find a mod_rewrite code for forcing users that go to FQDN to be re-written to the hostname without the domain and don't want them to be stuck in a loop. I can only find re-write examples for the other way round. Anyone have a suggestion on how I can do this?
So, for example, if I were to go to http://appname.example.com/test.php
The rewritten URL should be http://appname/test.php
Any suggestions would be great.
To "redirect" http://<appname>.example.com/<url-path> to http://<appname>/<url-path> (where <appname> and <url-path> are entirely variable and <appname> is also a resolvable hostname on the local network) then you would do something like the following using mod_rewrite at the top of the root .htaccess file:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(?!www\.)([a-z-]+)\.example\.com [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=302,L]
This excludes the www subdomain using a negative lookahead.
%1 in the substitution string is a backreference to the <appname> as captured from the requested hostname.
%{REQUEST_URI} contains the full root-relative URL-path (starting with a slash).
This also handles FQDN (that end in a dot).

Website not redirecting properly, Google indexed IP address instead of domain, htaccess coding

A few days ago I asked my host to install an SSL certificate, to be able to load my website through the https protocol. The website is now running via https properly, but I noticed that Google started indexing my website by using the IP address instead of the domain name, and this has caused some pages not to be indexed properly.
After the certificate was installed, I created an .htaccess with the following code:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^11\.11\.11\.111$ [NC,OR]
RewriteCond %{HTTP_HOST} ^([a-z.]+)?example\.com$ [NC]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]
</IfModule>
(IP and DOMAIN are masked, if you need actual IP and domain, I can provide them)
I was expecting all requests via IP address and via "www.example.com" to be redirected properly to "https://example.com" with https protocol and without www.
Unfortunately, if I try to type "http://11.11.11.111/" I'm being redirected properly to "https://example.com/" but if I try "https://11.11.11.111/" I am not and I get a warning (of course the certificate is not for IP address, but for domain name).
How can I force redirecting also for https + IP Address by using an htaccess declaration?
Can you please tell me what I'm doing wrong?
Thank you very much in advance for any help.

Generalized IP Canonicalization Solution Within .htaccess

I am looking for a generalized IP canonicalization solution that would not hard code IP address in my htaccess file. I generally run my applications on amazon EC2 instances and IP addresses frequently change. I'd hate to have to manually update htaccess every time it does so. So specifically, I am looking for htaccess rules that would match pages accessed via ip address and perform a 301 redirect to the actual domain.
Had you considered using some variety of Dynamic DNS instead? That would let the IP addresses change frequently while maintaining the same DNS names.
I’m going to assume you don’t have any subdomains. The following should do the trick:
Options +FollowSymLinks
RewriteEngine on
# 1
RewriteCond %{HTTP_HOST} .
# 2
RewriteCond %{HTTP_HOST} !^www\.domain\.com$
# 3
RewriteRule (.*) http://www.domain.com/$1 [R=301,L]
This will redirect requests for anything (1) other than the actual domain (2) for all resources (3).
EDIT: For subdomains, then the following should work:
# If it's one of the domains of the IP address …
RewriteCond %{HTTP_HOST} ^domain\.com [OR]
RewriteCond %{HTTP_HOST} ^111\.222\.222\.111
# … then redirect request for all resources.
RewriteRule (.*) http://www.example.com/$1 [R=301,L]

In .htaccess, how to redirect non-lowercase versions of hostname

In .htaccess on Apache2, how do you redirect all capitalization variations of a hostname to a canonical lowercase version, via 301 redirect, and keeping the rest of the path unharmed. Subdomains (or not) should do the same as well.
Additionally, accessing via an IP should not redirect.
examples:
http://Example.com/foo => http://example.com/foo
http://A.example.com/foo => http://a.example.com/foo
http://A.EXample.com/foo?bar => http://a.example.com/foo?bar
http://208.67.222.222/foo => http://208.67.222.222/foo
# Make sure hostname is lowercase only (or an IP address)
RewriteCond %{HTTP_HOST} !^(.+\.)?example\.com$
RewriteCond %{HTTP_HOST} !^[\d\.]{7,15}$
RewriteRule ^(.*)$ ${lowercase:%{HTTP_HOST}}/$1 [R=301,L]
I've searched and been unable to find a solution online that encompasses any number of domains. The use-case for me is that I work on localhost, and so the first line (with example.com) will not work on both localhost and my domain, and any other name someone uses instead of localhost.
To add to #philfreo's answer, therefore: (copying the lines but modifying only the first one)
# Make sure hostname is lowercase only (or an IP address)
# Matching is case-sensitive, so this is true only when the host contains an uppercase letter
RewriteCond %{HTTP_HOST} [A-Z]
RewriteCond %{HTTP_HOST} !^[\d\.]{7,15}$
RewriteRule ^(.*)$ ${lowercase:%{HTTP_HOST}}/$1 [R=301,L]
Props to philfreo! Much time saved with his response.
Paragon