htaccess: limit to only certain sub-domains

Question

I have a wildcard ssl setup on Apache for a domain so that I can create any type of sub-domain on the fly.

<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName www.domain.com
ServerAlias domain.com *.domain.com
....
</VirtualHost>

This works great as I add sub-domains often and I don't need any other special handling.

Of course the issue is that now anyone can go to a default page with any random sub-domain. i.e. random.domain.com

What are my options here for limiting access to only the sub-domains that are currently setup? Would a rule in htaccess be viable? Something like if it's not one of these current sub-domains:

RewriteCond %{HTTP_HOST} !^sub\.domain\.com [NC]
RewriteCond %{HTTP_HOST} !^sub2\.domain\.com [NC]

I'm curious... How do you setup new subdomains on the fly? Do you add entries in your DNS zone? Do all your subdomains use the same `DocumentRoot`? — Anderson Medeiros Gomes, Feb 24 '16 at 02:32
@AndersonM.Gomes There is just one DNS entry for `*.domain.com` and yes all use the same DocumentRoot. — Tom, Feb 24 '16 at 03:20
@Tom, why do you need a default page and what does it contain? — Diamond, Feb 29 '16 at 14:44

Anderson Medeiros Gomes · Answer 1 · 2016-02-24T02:50:23.500

0

I suggest you to use:

<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName www.domain.com
ServerAlias domain.com
ServerAlias sub.domain.com
ServerAlias sub2.domain.com
....
</VirtualHost>

<VirtualHost *:443>
DocumentRoot "/"
ServerName www.domain.com
ServerAlias *.domain.com
<Directory "/">
    Deny from all
</Directory>
</VirtualHost>

edited Feb 24 '16 at 02:50

answered Feb 24 '16 at 02:34

Anderson Medeiros Gomes

2,477
9
20

That works but that's a solution where you will need to reboot your Apache server each time. I can't do that. – Tom Feb 24 '16 at 03:19
Then, I have no clue. Can't you issue a [graceful restart](http://httpd.apache.org/docs/2.2/en/stopping.html#graceful) neither? If your server is heavily loaded and you have many subdomain names, using of .htaccess files creates a performance problem. In this scenario, each client request will force Apache to search, read an parse .htaccess files along each path component. All the `RewriteCond` directives will be recompiled at each client request, for example. – Anderson Medeiros Gomes Feb 24 '16 at 13:24

score 0 · Accepted Answer · answered Feb 29 '16 at 15:55

Why not use the code you already wrote and then add a line that rewrites all requests for other subdomains to a directory that does not exist (or redirect them to a page that says the website that they tried to go to does not exist)?

RewriteCond %{HTTP_HOST} !^sub\.domain\.com [NC]
RewriteCond %{HTTP_HOST} !^sub2\.domain\.com [NC]
RewriteRule (.*) http://dev.domain.com/$1 [R=301,L]

You could then setup a subdomain dev.domain.com and have it return a page that says the requested subdomain does not exist or it is not available or some other text you want to send back to the requester.

http://coolestguidesontheplanet.com/redirecting-a-web-folder-directory-to-another-in-htaccess/

htaccess: limit to only certain sub-domains

2 Answers2