5

I have an admin directory on my web server (http://test.com/admin) and I don't want unauthorized parties to access this /admin/ directory; instead, I want to return a 404 error code for all unauthorized accesses.

My question is, is there any way to return a 404 error code for all access attempts except those from a few specific IP addresses?

My web server is Apache on Linux (Plesk).

Willy
  • Presumably you're choosing to deliberately hide the resource rather than return a 403? –  May 27 '09 at 15:20

4 Answers

15

You can use mod_rewrite to do that.

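```
RewriteEngine on
# One negated condition per allowed address. Conditions are ANDed by default,
# so the rule applies only when the client matches none of them; an [OR] flag
# here would make the rule match every client once the addresses differ.
RewriteCond %{REMOTE_ADDR} !=10.0.0.1
RewriteCond %{REMOTE_ADDR} !=10.0.0.1
# Answer 404 for /admin and everything below it.
RewriteRule ^admin($|/) - [L,R=404]
```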

Note that the R=404 flag requires at least Apache 2.1.1.

  • This is brilliant for *properly* hiding `.htaccess`, etc., not to mention `WEB-INF` when fronting for a servlet container and keeping everything in the same source directory. Cheers! – T.J. Crowder Oct 13 '09 at 11:27
5

Well, close:

```
<Location /admin>
    Order deny,allow
    Allow from 10.0.0.1
    Allow from 192.168.1.1
    Deny from all
</Location>
```

Though what this actually does is return a 403 Forbidden, not a 404 Not Found, which is, y'know, correct.

If you're putting this in a .htaccess in the admin directory, you don't need the Location container. The example is written for a server or virtual host configuration file.

See also mod_access docs.

For what it's worth, as time has worn on I've increasingly come to find value in putting the site admin on an entirely separate virtual host.

chaos
0

Check the "allow from" attribute in the configuration guide.

0

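Under LiteSpeed the following small variation with mod_rewrite worked for me:

```
RewriteEngine on
# Dots escaped and pattern anchored with $, so only 1.2.3.4 itself is exempt
# (an unanchored ^1.2.3.4 also matches addresses such as 1.2.3.40).
# Conditions are ANDed by default; no [OR] between negated conditions.
RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.4$
RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.4$
RewriteRule (.*) - [R=404,L]
```

Stuart Cardall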
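An allow-list written as negated RewriteCond lines can be checked before it is deployed. The following is an added example, not code from any of the answers: a simplified Python model of how mod_rewrite combines `!`, `=` and regex CondPatterns with the `[OR]` flag, run over constructed client addresses. The function names and the address 203.0.113.9 are assumptions made for the illustration.

```python
import re

def cond_matches(pattern, value):
    """Evaluate one CondPattern: optional '!' negation, '=' exact compare, else regex."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if pattern.startswith("="):
        hit = value == pattern[1:]
    else:
        hit = re.search(pattern, value) is not None  # unanchored unless ^/$ are given
    return hit != negate

def rule_fires(conds, remote_addr):
    """conds: list of (CondPattern, has_OR_flag) tested against REMOTE_ADDR.
    Conditions are ANDed unless [OR] links one to the next."""
    group, open_group = False, False
    for pattern, or_next in conds:
        group = group or cond_matches(pattern, remote_addr)
        open_group = or_next
        if not or_next:          # OR-group closed: it must have matched
            if not group:
                return False
            group = False
    return group if open_group else True

def gets_404(conds, addrs):
    """Addresses for which the RewriteRule (and its R=404) would apply."""
    return [a for a in addrs if rule_fires(conds, a)]

# Constructed sample clients; 10.0.0.1, 192.168.1.1 and 1.2.3.4 are meant to be allowed.
CLIENTS = ["10.0.0.1", "192.168.1.1", "203.0.113.9"]
OR_CHAIN = [("!=10.0.0.1", True), ("!=192.168.1.1", False)]    # [OR] between negations
AND_CHAIN = [("!=10.0.0.1", False), ("!=192.168.1.1", False)]  # default AND

REGEX_CLIENTS = ["1.2.3.4", "1.2.3.40", "192.3.4.7", "203.0.113.9"]
PREFIX_CHAIN = [("!^1.2.3.4", False)]            # unescaped dots, no end anchor
ANCHORED_CHAIN = [(r"!^1\.2\.3\.4$", False)]     # exact address only

if __name__ == "__main__":
    print("OR chain 404s:      ", gets_404(OR_CHAIN, CLIENTS))
    print("AND chain 404s:     ", gets_404(AND_CHAIN, CLIENTS))
    print("prefix regex 404s:  ", gets_404(PREFIX_CHAIN, REGEX_CLIENTS))
    print("anchored regex 404s:", gets_404(ANCHORED_CHAIN, REGEX_CLIENTS))
```

With `[OR]` between two different negated addresses every client receives the 404, including the allowed ones; with the unanchored regex, 1.2.3.40 and 192.3.4.7 are treated as allowed.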