15

I am trying to restrict a specific URL to be available outside the network only to specific IP addresses. When a user outside tries to access that URL and not from the list of IPs he should be redirected to the homepage.

This is what I've tried so far without any luck. The last part it redirects everyone to the homepage regardless of IP.

<Location "/secret">
#    <If "%{REMOTE_ADDR} != -ipmatch '123.123.123.123/255.255.255.255'">
#    Redirect 303 "/secret" /
#    </If>

RewriteCond "%{REMOTE_ADDR}" "!123\.123\.123\.123"
RewriteRule .* / [R,L]

LogLevel debug rewrite:trace6
</Location>

PS: the /secret URL is in fact a virtual URL and does not exist physically on the drive.

Denis Rendler
  • 153
  • 1
  • 1
  • 7
  • the If statements are commented out ? Enable rewriting - `RewriteEngine On` ? – user9517 Sep 28 '15 at 08:30
  • The statement is one version that I tried. The RewriteEngine On directive is declared earlier. That's the reason it redirects everyone – Denis Rendler Sep 28 '15 at 08:43
  • 1
    I think you should un-mark the selected answer, because it is not valid for Apache 2.4 as you requested (it gives wrong information to people passing by) – Erenor Paz Nov 10 '16 at 08:35

3 Answers3

26

The Order, Deny, and Allow options have been replaced in Apache 2.4 with

<Directory /var/www/mysite.com/htdocs/public>
    Require all granted
</Directory>

You can explicitly restrict addresses through the use of the following:

<Directory /var/www/mysite.com/htdocs/public>
    Require all granted
    Require not ip 192.168.0.1
</Directory>

The exact opposite is true as well, to restrict all and only allow a sub-set use the following:

<Directory /var/www/mysite.com/htdocs/public>
    Require host example.com
    Require ip 192.168.0.1
</Directory>

More information is available on the Apache 2.4 access control documentation.

In regards to your question (edited my own due to a lack of points to add a comment,) you should be able to simply set an ErrorDocument with the index set as the URL-path:

<Directory /var/www/mysite.com/htdocs/public>
    Require host example.com
    Require ip 192.168.0.1
    ErrorDocument 401 /index.html
</Directory>

Hope this helps!

Linztm
  • 381
  • 2
  • 7
  • Thanks, @Linztm! But this solves only partially my problem. I don't want to only block the user but also redirect him to the homepage. – Denis Rendler Sep 28 '15 at 17:52
  • It seems to be working with the ErrorDocument directive only if I provide the full URL including domain and protocol. I will research further. Thanks. – Denis Rendler Sep 29 '15 at 11:14
  • I found at least one case when you need to use `allow` though deprecated, `Require 127.0.0.1` still allow access by external address from local machine, where as allow syntax allow only from 127 address. – Alexei Martianov Mar 24 '18 at 04:53
5

Use Require [ip|host|env] to specify who has access to your vhost or location.

    <Directory "/docroot">
        Require ip 10.10.11.12
    </Directory>   

When it comes to redirecting, think about a custom error page. This is much more general, because every unauthorized access should provoke a 403 error and thus can be evaluated easily.

I never did this with apache, but use this strategie with nginx. For apache something like this should do:

ErrorDocument 403 http://homepage.example.com

Custom error documents are configured using the ErrorDocument directive, which may be used in global, virtualhost, or directory context. It may be used in .htaccess files if AllowOverride is set to FileInfo. (from the apache docs)

moestly
  • 1,138
  • 8
  • 10
  • 4
    This looks like a set of Apache httpd 2.2 configuration. Will it still work with 2.4 ? – user9517 Sep 28 '15 at 09:25
  • At least the `ErrorDocument` part is from the 2.4 docs. I don't use apache, since nginx is around, but assumed that `Order`,`Deny` and `Allow` are still around in apache 2.4 – moestly Sep 28 '15 at 09:50
  • Thanks, but I doesn't help. I forgot to mention, but I updated the question, the /secret URL is in fact a virtual URL and does not exist physically on the drive. The URL it self is a rewrite from index.php that's why I used the directive. – Denis Rendler Sep 28 '15 at 10:03
  • It seems to be working with the ErrorDocument directive only if I provide the full URL including domain and protocol. I will research further. Thanks. – Denis Rendler Sep 29 '15 at 11:14
  • 6
    This syntax is deprecated in apache 2.4 – Luca Reghellin Jan 10 '17 at 10:38
  • 5
    Why is this the accepted answer? This is for Apache 2.2 not 2.4 as the question implies... This will not work. – Jeremy Oct 29 '18 at 18:31
3

For Apache 2.4, you can use <RequireAny>. You can do it in a vhost or an .htaccess file....

SetEnvIF IP xxx.xxx.xxx.xxx AllowThisIP  # Or X-Real-IP
SetEnvIF IP yyy.yyy.yyy.yyy AllowThisIP
<RequireAny>
  Require env AllowThisIP
  Require host example.com
</RequireAny>

Apache docs https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireany