1

For testing on my pre-live site, I'd like to allow only my own IPs and PayPal Sandbox.

For production, I'd like to allow only PayPal to my IPN listener.

I can restrict in .htaccess to my IPs, but including paypal.com causes a 403 in the IPN generator on the Sandbox.

I understand this may be a security issue for PayPal, but I'd like it anyway if possible.

HopelessN00b

2 Answers

1

If you are testing with the PayPal Sandbox, your .htaccess allow should look as follows:

    Allow from .paypal.com

That should allow incoming connections from all machines with *.paypal.com RDNS.

You may be missing the "dot" before paypal.


If using LiteSpeed web server, try the following:

    Allow from 173.0.82.126

That is the IP for ipn.sandbox.paypal.com. Also check your server log and see what IPs are being rejected.

John Siu
  • Thank you for your help. I tried and sandbox IPN still gives 403. Is that in LiteSpeed format? –  Nov 08 '12 at 02:12
  • LiteSpeed doesn't seem to support hostnames in htaccess allow. I updated my answer. – John Siu Nov 08 '12 at 02:32
  • That worked (but Allow should be allow). That address works for sandbox, but it won't work for production because PayPal is using dynamic IPs. If it's truly true that LiteSpeed won't allow domains, that adds to their crappiness. Know anything about this? http://serverfault.com/questions/446152/litespeed-enable-access-control-allow-origin-no-response-header-on-cors-request –  Nov 08 '12 at 02:55
  • PayPal is not using dynamic IPs, but they have multiple servers for the same hostname. You can get the list at https://ppmts.custhelp.com/app/answers/detail/a_id/92 (That link is from https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_api_golivechecklist Section 5) – John Siu Nov 08 '12 at 03:08
  • OK, phew. I must've misread. I thought they were applying it to the IPN deliverer. –  Nov 08 '12 at 03:25
0

A little update for Apache 2.4: the new directive should be:

    Require host .paypal.com

Or, if you need the IP:

    Require ip 173.0.82.126

If you are still using 2.2, IGNORE this and keep using the old syntax, as shown by John Siu's answer.

Erenor Paz
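Both `Allow from .paypal.com` (2.2) and `Require host .paypal.com` (2.4) make Apache do a reverse lookup on the client IP and then a forward lookup on the returned name to confirm it maps back to that IP. A Python model of that check combined with the "own IPs" rule from the question, added here as an illustration and not code from either answer or from Apache; the lookup tables, the `203.0.113.x` and `198.51.100.0/24` addresses and all function names are constructed for the example.

```python
import ipaddress

# Constructed DNS data (assumption) standing in for PTR and A lookups so the
# example runs offline. 173.0.82.126 / ipn.sandbox.paypal.com comes from the
# answer above; the 203.0.113.x entries are made-up documentation addresses.
PTR = {
    "173.0.82.126": "ipn.sandbox.paypal.com",
    "203.0.113.7": "ipn.sandbox.paypal.com",  # PTR claims PayPal, forward DNS disagrees
    "203.0.113.9": "notpaypal.com",           # shares trailing characters, not a label
}
A = {
    "ipn.sandbox.paypal.com": {"173.0.82.126"},
    "notpaypal.com": {"203.0.113.9"},
}


def host_matches(hostname, suffix):
    """Match whole DNS labels only: 'paypal.com' must not match 'notpaypal.com'."""
    host = hostname.rstrip(".").lower()
    suffix = suffix.strip(".").lower()
    return host == suffix or host.endswith("." + suffix)


def allowed_by_host(client_ip, suffix):
    """Forward-confirmed reverse DNS: the PTR name must match the suffix
    AND resolve back to the connecting IP, otherwise the PTR is not trusted."""
    name = PTR.get(client_ip)
    if not name or not host_matches(name, suffix):
        return False
    return client_ip in A.get(name, set())


def allowed(client_ip, own_networks, suffix="paypal.com"):
    """Pre-live policy from the question: own IPs, or a verified *.paypal.com host."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(net) for net in own_networks):
        return True
    return allowed_by_host(client_ip, suffix)


if __name__ == "__main__":
    own = ["198.51.100.0/24"]  # hypothetical admin network
    for ip in ("173.0.82.126", "198.51.100.20", "203.0.113.7", "203.0.113.9"):
        print(ip, "allow" if allowed(ip, own) else "deny (403)")
```

Hostname rules cost two DNS lookups per request and depend on resolver availability, which is one reason to pin the published IP list for production instead.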