
I'm wondering if anyone knows how to approach this predicament I am facing using .htaccess.

I have a website that is accessible using 2 different domains. For one of the domains, I want the website to be accessible to a subset of IPs only (about 30 of them). The second domain can be open to anyone.

So for example:

restricted.domainexample.com can only be accessible from IPs 1.1.1.1, 2.2.2.2, 3.3.3.3
www.domainexample.com can be accessible from everyone.

I have the following, but not sure if this will work. Is it along the right path?

RewriteEngine on
RewriteCond %{HTTP_HOST} ^restricted\.domainexample\.com$ [NC]
order deny,allow
deny from all
allow from 123.12.12.12
allow from 123.123.43.43
RewriteRule ^(.*)$ - [F]

Of course www.domainexample.com is untouched here, so that should still have full access by all. Any input and help is greatly appreciated.

Jim Smith
  • Why .htaccess and not just a virtualhost? Are you on shared hosting? Because if the answer is no and you are the admin, you are just complicating things. You could just define each virtualhost and specify "Require ip xxx.xxx.xxx.xxx" where necessary. – Daniel Ferradal Mar 25 '23 at 18:05

1 Answer


You can't mix mod_rewrite and mod_access_compat (Order, Deny, Allow on Apache 2.4) like this. But you shouldn't be using mod_access_compat anyway on Apache 2.4 - since these directives have been deprecated (hence why they have been moved to mod_access_compat from mod_authz_host).

You don't need mod_rewrite either. You can instead use an Apache <If> expression (requires Apache 2.4) to check the Host header and mod_authz_core. For example:

<If "%{HTTP_HOST} =~ /(?i)^restricted\.domainexample\.com/">
    Require ip 1.1.1.1
    Require ip 2.2.2.2
    Require ip 3.3.3.3
    # etc.
</If>

The block of Require directives is implicitly included in a <RequireAny> container (the default behaviour).

Alternatively, to do this using mod_rewrite only (Apache 2.2+), you would do it like this instead:

RewriteEngine On

RewriteCond %{HTTP_HOST} ^restricted\.domainexample\.com [NC]
RewriteCond %{REMOTE_ADDR} !=1.1.1.1
RewriteCond %{REMOTE_ADDR} !=2.2.2.2
RewriteCond %{REMOTE_ADDR} !=3.3.3.3
# etc.
RewriteRule ^ - [F]

The logic of the mod_rewrite rule is essentially the opposite of the Require directives in the first example. With the mod_rewrite rule we are blocking access when all the conditions are successful (i.e. when none of the IP addresses match). Whereas in the first example, access is granted when any of the IP addresses match.

MrWhite
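The two rule sets from the answer above, modelled side by side to check that "grant if any address matches" and "block if every condition holds" give the same decision. This is an added example, not code from the answer or from Apache; the function names and the request matrix are constructed, and 200 stands in for "not blocked by this rule".

```python
import ipaddress
import re

# Placeholder values from the page; the pattern has no end anchor, as in the answer.
RESTRICTED_HOST = re.compile(r"^restricted\.domainexample\.com", re.IGNORECASE)
ALLOWED_IPS = ["1.1.1.1", "2.2.2.2", "3.3.3.3"]


def require_any_status(host, remote_addr):
    """Model of the <If> + Require ip block: grant when ANY address matches."""
    if not RESTRICTED_HOST.search(host):
        return 200  # <If> does not apply, so no restriction is added
    client = ipaddress.ip_address(remote_addr)
    granted = any(client == ipaddress.ip_address(ip) for ip in ALLOWED_IPS)
    return 200 if granted else 403


def rewrite_status(host, remote_addr):
    """Model of the RewriteCond chain: [F] only when ALL conditions hold."""
    conditions = [bool(RESTRICTED_HOST.search(host))]
    # Each "!=x" condition is a plain string inequality on REMOTE_ADDR.
    conditions += [remote_addr != ip for ip in ALLOWED_IPS]
    return 403 if all(conditions) else 200


def compare(requests):
    """Return (host, addr, status) rows; raise if the two models disagree."""
    rows = []
    for host, addr in requests:
        a, b = require_any_status(host, addr), rewrite_status(host, addr)
        if a != b:
            raise AssertionError(f"models disagree for {host} {addr}: {a} vs {b}")
        rows.append((host, addr, a))
    return rows


# Constructed request matrix: (Host header, client address).
SAMPLE_REQUESTS = [
    ("restricted.domainexample.com", "2.2.2.2"),      # listed address
    ("restricted.domainexample.com", "9.9.9.9"),      # unlisted address
    ("RESTRICTED.domainexample.com:443", "9.9.9.9"),  # mixed case, port in Host
    ("www.domainexample.com", "9.9.9.9"),             # open domain
]

if __name__ == "__main__":
    for row in compare(SAMPLE_REQUESTS):
        print(*row)
```

The same matrix can be used as the expected results when checking the deployed .htaccess from an allowed and a non-allowed client.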