1

I have a main domain and a website setup on my cPanel hosting as well as an add-on domain with its own separate website: domain.com and addon.com

Due to the way cPanel configures add-on domains, the add-on domain's website can be accessed via the main domain:

  • addon.domain.com/

  • domain.com/addon/

What I'd like to do is block all access to the add-on domain's website from the main domain, including any and all files or folders contained within, so:

  • Accessing addon.com/anyfolder/anyfile.php works, but;
  • Accessing addon.domain.com/anyfolder/anyfile.php or
  • Accessing domain.com/addon/anyfolder/anyfile.php fails with a 404 error.

I have had some success with modifying the add-on domain's htaccess file to achieve this, for example using this in the add-on domain's htaccess:

RewriteEngine on
RedirectMatch 404 ^/addon/(.*)$

Blocks domain.com/addon/anyfolder/anyfile.php perfectly, displaying a 404 error.

However I have tried various methods to do the same for addon.domain.com and although I can usually get it to display a 404 when accessing only the domain, for any folders or files (addon.domain.com/anyfolder/anyfile.php) it will still work with no error and I can't figure out how to go about correcting this with htaccess.

For example:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https?://(www\.)addon\.com
RewriteRule ^(.*)$ - [L,R=404]

This makes addon.domain.com display the desired 404 error, but addon.domain.com/anyfolder/anyfile.php still works without issue.

This is just one example of course, I've actually searched for a while and tried several different rewrite conditions among other things to get the desired result without success. Another example that works only for the domain:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^(www.)?addon.domain.co.uk$ [NC]
RewriteRule ^(.*)$ - [L,R=404]

Once again, this causes addon.domain.com to display the desired 404 error, but addon.domain.com/anyfolder/anyfile.php still works.

The only other thing I can think of doing is editing the main domain's DNS zone and remove (or break somehow) the A record for the subdomain. This would of course result in a "server not found" error which would have the desired affect, but I can't imagine it's an advisable option to take.

danronmoon
  • 3,814
  • 5
  • 34
  • 56
Rentums
  • 11
  • 1

1 Answers1

1

You should do something like the following using mod_rewrite near the top of the .htaccess file in the root of the subdomain.

I'm assuming addon.com and www.addon.com should both be accessible.

For example:

RewriteEngine On

RewriteCond %{HTTP_HOST} !^(www\.)?addon\.com$
RewriteRule ^ - [R=404]

The above will block (serve a 404 Not Found) for any request that is not for addon.com (or www.addon.com). The ! prefix on the CondPattern negates the expression. Any URL-path.

You do not need the L flag when using a return code in the range 4xx.

Alternative Method

An alternative approach that does not use mod_rewrite, so won't necessarily be overridden by .htaccess files in subdirectories:

<If "%{HTTP_HOST} !~ /^(www\.)?addon\.com$/">
    Require all denied
</If>

This uses an Apache Expression with mod_authz_core.

The above will serve a 403 Forbidden for any requests that are not for the addon domain.

A look at your rules...

RewriteEngine on
RedirectMatch 404 ^/addon/(.*)$

RedirectMatch is a mod_alias directive. This is unrelated to the RewriteEngine directive that initialises mod_rewrite.

RewriteCond %{HTTP_REFERER} !^https?://(www\.)addon\.com
RewriteRule ^(.*)$ - [L,R=404]

This makes addon.domain.com display the desired 404 error, but addon.domain.com/anyfolder/anyfile.php still works without issue.

This is checking the Referer header (the site you are coming from), so this will not have the desired result. However, a request for addon.domain.com/anyfolder/anyfile.php should still be blocked by this rule.

Note that the order of directives in the .htaccess file can be important. Any blocking directives should be near the top of the config file.

Another example that works only for the domain:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^(www.)?addon.domain.com$ [NC]
RewriteRule ^(.*)$ - [L,R=404]

Once again, this causes addon.domain.com to display the desired 404 error, but addon.domain.com/anyfolder/anyfile.php still works.

This should block addon.domain.com/anyfolder/anyfile.php (with or without the www subdomain) - unless the rule is put in the wrong place and it is conflicting with other rules, as mentioned above.

Note that you don't necessarily need to have just one rule. Two or more rules can perform the job just as efficiently as one sometimes.

MrWhite
  • 43,179
  • 8
  • 60
  • 84
  • Thanks for the input. Your solution does block the domain (addon.domain.com) but again, if I surf to addon.domain.com/blahblah it loads it. I'm at a loss as to why this is if it is supposed to be doing what I want, currently that website only hosts a phpbb forum so perhaps it has something to do with that? Also the htaccess file doesn't have anything else in it, other than a cpanel generated comment about inheriting the php handler and some custom error pages so I don't think the problem is related to the order of the rules either. – Rentums Apr 13 '22 at 18:44
  • 1
    Ignore my previous comment. It IS the phpbb installation! I just went and created a new folder with an empty index.html file and it throws a 404. I assume phpbb has it's own htaccess file, or something like it. I had no idea. But when you mentioned about conflicts I realised that if an htaccess existed further into the directory structure it'd probably be the conflict. – Rentums Apr 13 '22 at 18:51
  • @Rentums If there are any `.htaccess` files in subdirectories that also use mod_rewrite, then these will (by default) completely override the mod_rewrite directives in the parent config. I've updated my answer with an alternative solution that does not use mod_rewrite. – MrWhite Apr 13 '22 at 23:27