2

I'm having a bit of a trouble here. I have this several rewrite rules which I think does not work.

My main purpose is to restrict pages and allow only specific IP or network block.

RewriteEngine On
RewriteLog "/data/wre/var/logs/modrewrite.log"
RewriteLogLevel 5

RewriteCond %{REMOTE_ADDR} !^192\.168\.10\..*
RewriteCond %{REMOTE_ADDR} !^72\.139\.201\..*
RewriteCond %{REMOTE_ADDR} !^129\.233\.4\..*
RewriteCond %{REMOTE_ADDR} !^208\.118\.97\32
RewriteRule ^/solutions https://example.com/account/signin?go=outside [R,NE,NC]

I tested this again and it seems not to work? Did I did something wrong?

Prix
  • 4,881
  • 3
  • 24
  • 25
Louie Miranda
  • 121
  • 1
  • 1
  • 4

5 Answers5

4

Try this:

RewriteEngine On
RewriteLog "/data/wre/var/logs/modrewrite.log"
RewriteLogLevel 5

RewriteCond %{REMOTE_ADDR} ^192\.168\.10\..* [OR]
RewriteCond %{REMOTE_ADDR} ^72\.139\.201\..* [OR]
RewriteCond %{REMOTE_ADDR} ^129\.233\.4\..*  [OR]
RewriteCond %{REMOTE_ADDR} ^208\.118\.97\.32
RewriteRule ^/solutions https://example.com/account/signin?go=outside [NE,NC,R=301]

Note, multiple RewriteCond directives are implicitly AND'd, you need to specify if they should be OR'd instead. If you want the browser to remember the redirection, specifying a permanent redirection might save some future processing.

Depending on your config, it might be easier to specify the Known Good ranges and redirect for everyone else. From the rewrite manual on redirecting foreigners: Apache Manual

RewriteEngine on
RewriteCond   %{REMOTE_HOST}  !^.+\.ourdomain\.com$
RewriteRule   ^/solutions      https://example.com/account/signin?go=outside [NE,NC,R=301]
Grizly
  • 2,063
  • 15
  • 21
  • Under, RewriteCond %{REMOTE_ADDR} ^208\.118\.97\.32 Should I add a dollar sign $ on .32? Making it RewriteCond %{REMOTE_ADDR} ^208\.118\.97\.32$? – Louie Miranda Aug 25 '10 at 02:12
  • Well, I thought about that, and it would be an illegal IP to have the last octet of 32[1-9], so I figured it wouldn't make any difference. Up to you. – Grizly Aug 25 '10 at 02:52
  • Ahh, just read your rationale for using "!".. those are the IP's you wish to allow then.. should probably put them back in. – Grizly Aug 25 '10 at 03:01
1

It looks like you are creating a curtain (a sign-in wall, pay-wall, or maintenance-curtain, etc) that all-but a few IP ranges in the internet can get to.

This is what I have done to create such a configuration:

# This implements a maintenance curtain; only these three IPs
# can look behind the curtain. Note its useful to allow the box
# itself too.
#
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !127.0.0.1
RewriteCond %{REMOTE_ADDR} !123.234.45.6
RewriteCond %{REMOTE_ADDR} !123.234.45.78
RewriteCond %{REQUEST_URI} !^/maintenance-curtain/.*
RewriteRule / / [L,R=503]

ErrorDocument 503 /maintenance-curtain/index.html
ProxyPass /maintenance-curtain !
Alias /maintenance-curtain /var/www/maintenance-curtain

And that does look quite similar to yours. I suggest you simplify and test with just one IP first. If the rest if your configuration is fairly complex, it might be getting in the way, so try proving this in a smaller context, or moving it earlier in the configuration. Are virtualhosts getting in the way; do you need to replicate the configuration (use an Include if you need to do that).

I will say though, that I have (I think) known things like REMOTE_ADDR to not be set in the case where some other module is not enabled.... its been a while since I struck that behaviour... is cgi_module enabled?

Cameron Kerr
  • 4,069
  • 19
  • 25
0

Prix, I'm actually following this.

http://www.the-art-of-web.com/system/rewrite/

Conversely, you may want to allow only certain IP addresses to access the site:

RewriteCond %{REMOTE_ADDR} !^12\.34\.56\.78$
RewriteCond %{REMOTE_ADDR} !^87\.65\.43\.21$
RewriteCond %{REQUEST_URI} !^sorry\.html  
RewriteRule .* /sorry.html 
Translation:

IF their IP address is not 12.34.56.78 
AND their IP address is not 87.65.43.21 
AND the request is not for sorry.html 
THEN display the sorry.html page
Louie Miranda
  • 121
  • 1
  • 1
  • 4
  • What i am confused about is, do you want to ALLOW those ips in the question or do you want to block them ? because this answer here does what it is supose to do, it will block those ip. – Prix Aug 25 '10 at 03:04
0

This 2 should be set either in the VirtualHost or Directory to work out:

RewriteLog "/data/wre/var/logs/modrewrite.log"
RewriteLogLevel 5

You could try what you want like this:

RewriteCond %{REMOTE_ADDR} ^192\.168\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^72\.139\.201\. [OR]
RewriteCond %{REMOTE_ADDR} ^129\.233\.4\.  [OR]
RewriteCond %{REMOTE_ADDR} ^208\.118\.97\.32$

which would translate to:

  • if ip starts with 192.168.10.
  • or ip starts with 72.139.201.
  • or ip starts with 129.233.4.
  • or ip is 208.118.97.32
Prix
  • 4,881
  • 3
  • 24
  • 25
0

Maybe I'm misunderstanding what you are wanting to do, but if I do understand what you are trying to do, it looks like you are doing in an incredibly complex way.

If it is for the whole site or an entire directory why not just use the allow directive in a directory of virtualhost stanza, as appropriate?

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow

And set the 403 error page to be sorry.html http://httpd.apache.org/docs/2.2/mod/core.html#errordocument

So something like:

<directory "/path/to/content/" >

Order Allow,Deny
Allow 192.168.0.0/255.255.0.0  # allow everyone from the 192.168.0.0/255.255.0.0 network
# every one else gets denied (default for stuff that has not matched is to the 
# last clause of the Order directive
# the error document for a 403 (forbidden) is the sorry.html page
ErrorDocument 403  /sorry.html

</directory>
Jason Tan
  • 2,752
  • 2
  • 17
  • 24