4

We have https://example1.com/login and example2.com/login being hosted from the same apache server (2.2.22). I want to restrict /login on example1.com.

  • example1.com/login --> 404 (preferably) or 403

  • example2.com/login --> login page

I tried

<Location /login>
Order Deny,Allow
Deny from example1.com
Allow from example2.com
</Location>

It disables /login from both example1.com and example2.com. Can I restrict just example1.com?

MrWhite
  • 11,643
  • 4
  • 25
  • 40
akay
  • 53
  • 1
  • 5

1 Answers1

1

You can do this using mod_rewrite which allows you to check the host through which the site is being accessed. Try the following, in your server config (or <Directory> section or .htaccess file):

RewriteEngine On
RewriteCond %{HTTP_HOST} =example1.com [NC]
RewriteRule ^/?login$ - [R=404,L]

The above serves a 404 Not Found if you request example1.com/login, but will not do anything if you request example2.com/login (the request will simply be allowed through).

The = prefix on the RewriteCond CondPattern makes it an exact lexicographical comparison, not a regex, so no need to escape the dot or use anchors.

In order to serve a 403 Forbidden instead you can change the flags on the RewriteRule, for example:

RewriteRule ^/?login$ - [F]

<Location /login>
Order Deny,Allow
Deny from example1.com
Allow from example2.com
</Location>

It disables /login from both example1.com and example2.com.

I'm rather curious... this would seemingly allow all access, not deny it? The Deny from ... directive denies access to the user from example1.com (via reverse DNS lookup on the remote IP address), not the user who is accessing the example1.com host. Neither the Deny or Allow directives should match so it should default Allow. (?)

...how do i add multiple rewrite conditions for the same RewriteCond?

UPDATE: Note that RewriteCond directives (ie. conditions) apply to the single RewriteRule directive that follows. Continuing the above example, if you wish to block several URLS (eg. /login, /demo and /test) for example1.com only then you can either combine all these in the RewriteRule pattern. For example:

RewriteCond %{HTTP_HOST} =example1.com [NC]
RewriteRule ^/?(login|demo|test)$ - [R=404,L]

This is OK in this instance since the URLs are limited and all very short. Alternatively, you can create a condition for each URL and use the OR flag. For example:

RewriteCond %{HTTP_HOST} =example1.com [NC]
RewriteCond %{REQUEST_URI} ^/login$ [OR]
RewriteCond %{REQUEST_URI} ^/demo$ [OR]
RewriteCond %{REQUEST_URI} ^/test$
RewriteRule ^ - [R=404,L]

This states... for all URLs where the HTTP_HOST is example1.com and the URL is either /login or /demo or /test then serve the 404 error document. However, the first example (using the RewriteRule pattern) would be more efficient, since this is what's processed first.

MrWhite
  • 11,643
  • 4
  • 25
  • 40
  • Thanks.. i'm able to work with the RewriteCond and RewriteRule combination.. one followup question.. how do i add multiple rewrite conditions for the same RewriteCond? RewriteEngine On RewriteCond %{HTTP_HOST} =example1.com [NC] RewriteRule ^/?login$ - [R=404,L] RewriteRule ^/?demo$ - [R=404,L] RewriteRule ^/?test$ - [R=404,L] the second and third RewriteRule is applied for for example2.com too(along with example1). You were right about the 'Deny from example1.com Allow from example2.com ' my configuration ALLOWED from both example1 and example2. – akay Nov 29 '16 at 19:59
  • `RewriteCond` directives only apply to the _single_ `RewriteRule` directive that follows - however, you can still do what you require. I've updated my answer. – MrWhite Nov 29 '16 at 20:37
  • **Perfect** works like a charm. Thanks for your help – akay Nov 30 '16 at 00:42