I need to block access from a certain IP address to one page of a website only, not the entire website.
Here's what I have, but doesn't seem to be working (I switch out offending IP to mine and am still abel to access after refresh/cache dump etc)
<Files specificpage.php>
order deny,allow
deny from XX.XXX.XXX.XX
</Files>
Is there a better way of doing this or does anything jump out here?
thx
You can actually mod_rewrite rules for finer control here. Place this in your root .htaccess:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} =XX.XXX.XXX.XX
RewriteRule ^specificpage\.php$ - [F,NC]
Related
I have a simple PHP website with a login page url like
http://sample.com/login
I need to restrict access to the login page from any IP addresses other than mine. But, I dont want to restrict access to any of the other pages on the site. I added the following code to the top of my .htaccess file, but it doesn't seem to be working correctly. Any help anyone can give me with the correct code to add to my .htaccess to only block access to /login/ from other IP's would be much appreciated!
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^xxx.xxx.xxx.xxx
RewriteRule ^/login/$ http://sample.com/$1 [L,R=301,NC]
You could use <Files ...>, which would block that specific file from access from everywhere but a given IP, using deny and allow. This is a relative path, and this .htaccess should be placed in the same folder as your login-file.
<Files login.php>
Order deny,allow
Deny from all
Allow from xxx.xxx.xxx.xxx
</Files>
Replace xxx.xxx.xxx.xxx with your IP. Remember that if you change IP-address (if its not static for example), this will not be a viable solution.
I am looking to deny access to my /wp-admin/ folder to everyone but specific IP addresses. For everyone else, the page should serve a 404 error. Here's what I'm working with thus far:
# ALLOW USER BY IP
<Limit GET POST>
order deny,allow
deny from all
allow from 168.162.1.3
RedirectMatch 404 ".*"
</Limit>
I believe I'm close, but the problem is that a 404 error is not served, instead it creates a redirect loop. This would obviously be taxing on my server for no reason. So how then, can a simply serve a 404 error to everyone but these specific IP addresses and also deny them access to the repository?
Interesting idea. I'm curious as to why you're so keen on a 404 error as opposed to a 403! I guess you could be trying to mask WordPress but then you'll have to mask all the references to wp-content on the frontend too.
Anyway, let's get on with this. In order to do this, do this:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !=8.8.8.8 [OR]
RewriteCond %{REMOTE_ADDR} !=127.0.0.1
RewriteRule ^wp-admin($|/) - [L,R=404]
Set 8.8.8.8 to your real IP Address. You can add additional OR conditions to whitelist other IPs the same way I did with localhost (127.0.0.1).
You will need to be using Apache 2.1.1 or above because we are using the R=404 flag.
I currently have my local .htaccess on a MAMP server set up to block all incoming traffic from outside my local system;
<FilesMatch ".*">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>
This works fine but I then use API's like PayPal that require access to your site for IPN's. Is it possible to keep the restriction on the rest of the site and allow outside access only to specific urls like https://example.com/paypal_ipn?
I understand I can just switch the restriction off when using IPN's but that's not what I'm looking for. Many thanks.
You can use mod_rewrite based rules instead in your root .htaccess:
RewriteEngine On
RewriteCond %{THE_REQUEST} !/paypal_ipn [NC]
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1
RewriteRule ^ - [F]
This will block all requests that are not:
originating from localhost (127.0.0.1)
for /paypal_ipn
Is it possible to block users from IP adresses with a dynamic file-based blocklist?
So, suppose the .htaccess looks like:
order Deny,Allow
Deny from 123.156.0.1
Deny from 10.0.0.10
Allow from all
Can this list be made dynamic, for example:
order Deny,Allow
[include Deny list here]
Allow from all
Another option would of course be to fix it with PHP, but it is preferable to let Apache handle this.
According to the Apache docs, it doesn't seem to be possible to read values from a text file.
However, you could include a configuration file containing the IP addresses. They would have to be in Apache's conf file format, though.
This should work:
order Deny,Allow
include conf/IPList.conf
Allow from all
It's even possible to include whole directories, even though it's not recommended.
I use the RewriteMap feature from Apache's RewriteModule, as a whitelist like this:
## WHITELIST IPS ##
RewriteMap ipslist txt:/path/to/whitelist.txt
RewriteCond %{REMOTE_ADDR} ^(.*)$
RewriteCond ${ipslist:%1|black} ^black$ [NC]
RewriteRule (.*) - [F]
With some tweaking, you could make this a blacklist.
I am learning htaccess. Is the following possible by using htaccess:
1) Block every visitor/IP to site.
2) Block all the bots except google bot.
RewriteEngine On
order deny,allow
deny from all
RewriteCond %{HTTP_USER_AGENT} (bingbot|Baiduspider) [NC]
RewriteRule .* - [R=403,L]
Is the above htaccess right? Any help would be appreciated.
Is the above htaccess right?
No, of course it isn’t right – because you are blocking all requests with
order deny,allow
deny from all
– so the Google bot won’t get access either.
You can do this by using a combination of SetEnvIf and Allow – see http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow, that has an example for exactly this.
(You’ll need to remove the Directory directive used in there, because that can’t be used in .htaccess files. But only those two lines, what is inside the directive you have to keep of course.)