I am facing a strange situation that I couldn't find a proper answer to.

I am using some kind of an API where I can send responses to certain requests from the same root domain.

My API is in a subdomain (https://api.mysite.com), and there are some client frameworks in PHP, such as

  • mysite.com
  • mobile.mysite.com
  • admin.mysite.com

I only want this API to be accessible from the same root domain. Therefore I added Access-Control-Allow-Origin headers, which are working quite well.

But the problem is, I also want to make sure that nobody can access this API, because CORS is browser-based, and I can easily access this API from other tools such as Postman.

That is why I added some code to my .htaccess so that only the same IP can access my system.

Here is my .htaccess file.

php_flag display_errors on
php_value error_reporting 9999


SetEnvIf Origin "http(s)?://(www\.)?(mysite.com|mobile.mysite.com|admin.mysite.com)$" AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header merge Vary Origin

RewriteEngine On
RewriteBase /

order allow,deny
deny from all
allow from // MY IP HERE

<RequireAny>
Require ip allow from // MY IP HERE
</RequireAny>

RewriteCond     %{SERVER_PORT} ^80$
RewriteRule     ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]


# DirectoryIndex none.none
# Options -Indexes

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-l

RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]

But the problem is the system blocks itself; I mean when I try to access my API with an AJAX request, I get an error like this:

Failed to load resource: the server responded with a status of 403 ()

What am I missing?

Thanks.

PS: The `Require ip allow from // MY IP HERE` flag is not blocking anything at all.

Rüzgar

2 Answers


Try something like this to allow only connections from the local IP (your server's IP):

Require local

And to authorize external IPs:

Require ip your_authorized_ip

These are the new Apache 2.4 notations. See the Apache 2.4 Access Control docs for more detailed info/configuration.

Amaury
  • Have you tried `Require all denied` first and on the next line `Require local`? Are you doing this in your apache.conf file and not in your htaccess file? – Amaury Dec 20 '18 at 21:04
  • Thank you for your answer. I tried it just in case, but the require directive is not blocking requests from other clients. I am trying my AJAX requests in a program called Postman where I can see the response. It is showing the response while it shouldn't. – Rüzgar Dec 20 '18 at 17:39
  • Are you allowing your `.htaccess` files to override your `apache2.conf`? i.e. `AllowOverride All` – Amaury Dec 20 '18 at 17:54
  • Do you mean something like this: `AllowOverride All order allow,deny deny from all allow from IP` in htaccess? – Rüzgar Dec 20 '18 at 18:32
  • Yep, try to delete everything inside `` and replace it with `Require all denied`. You shouldn't be able to access it anymore, and that would prove that something is wrong in your configuration or htaccess file – Amaury Dec 20 '18 at 19:19
  • By using only `Require all denied` I couldn't access anything inside my subdomain. What does this tell you? – Rüzgar Dec 20 '18 at 20:36
  • That's it: if you use `Require all denied`, you can't access anything on that subdomain. So you just have to set `Require local` to authorize only local connections to your API subdomain. Try both versions (in your `apache.conf` file) and tell me what's happening – Amaury Dec 20 '18 at 20:48
  • `Require local` or `Require MyIP` does not block connections from outside. `Require all denied` blocks everything, including local. Using both also blocks everything. My mind's all messed up. Thanks again, by the way. – Rüzgar Dec 20 '18 at 20:55
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/185617/discussion-between-amaury-and-ruzgar). – Amaury Dec 21 '18 at 14:55
  • Yes, I am doing this in the htaccess file. And yes, I tried `Require all denied` first and on the next line `Require local`, and vice versa – Rüzgar Dec 20 '18 at 21:22
  • Ok, maybe I explained it badly; I wanted you to do it in your apache.conf file, but **NOT** in your htaccess file :) – Amaury Dec 20 '18 at 21:23
  • At the moment I do not have enough resources to edit httpd.conf. But I don't think that is the case, because when I add my laptop's IP address to htaccess, it is working well. But I do not want to access the API directly; I just want my client frameworks to access it and get the response. I think I am missing something else here. – Rüzgar Dec 20 '18 at 22:26
  • And if, instead of `Require local`, you do `Require ip your_server_ip`? – Amaury Dec 21 '18 at 14:16
  • :( I've tried every possible combination: with `require`, `order allow deny`, inside ` tags`. Nope. – Rüzgar Dec 21 '18 at 14:46

In case anybody is facing the same issue, thanks to @Panama Jack for the answer on SO, here is how I did it.

# Set a variable when the Referer points at one of our own hosts. The pattern is
# anchored on scheme and host so "example.com" cannot match elsewhere in the URL.
SetEnvIf Referer "^https?://(www\.)?example\.com(/|$)" canpass
SetEnvIf Referer "^https?://mobile\.example\.com(/|$)" canpass2

# Two top-level Require lines are combined as an implicit <RequireAny>
Require env canpass
Require env canpass2

Here is the original answer.

Rüzgar
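As an added illustration (not part of the question, either answer, or Apache itself), the following Python model evaluates the policies discussed on this page the way Apache 2.4's mod_authz_core does: `SetEnvIf` header matching plus `Require all` / `Require local` / `Require ip` / `Require env`, with top-level `Require` lines combined as an implicit `<RequireAny>`. It shows why `Require ip <server IP>` answers the site's own AJAX calls with 403 (the browser connects from the visitor's address, never from the server's) and what a Referer-based `Require env` rule actually tests (a header the client chose to send), including why the pattern should be anchored. Hostnames are the question's; the IP addresses and requests are constructed from the RFC 5737 documentation ranges.

```python
"""Model of how Apache 2.4 mod_authz_core decides the policies discussed above.

Added illustration, not Apache's code and not from the question or the answer.
Hostnames are the question's; IP addresses are constructed from RFC 5737 ranges.
"""
import ipaddress
import re

SERVER_IP = "203.0.113.10"  # constructed address of api.mysite.com

# Constructed sample requests: (client IP, request headers as sent)
REQUESTS = {
    # AJAX from a visitor's browser: the TCP connection comes from the visitor,
    # so the server's own IP never shows up as the client address.
    "browser_ajax": ("198.51.100.7", {"Origin": "https://mobile.mysite.com",
                                      "Referer": "https://mobile.mysite.com/app"}),
    # Referred from an unrelated host whose name merely contains "mysite.com".
    "other_site": ("192.0.2.55", {"Referer": "https://notmysite.com/"}),
    # A client that sends no Referer at all (privacy settings, REST tools, ...).
    "no_referer": ("192.0.2.55", {}),
    # PHP on the API host itself calling the API (server-to-server).
    "server_side": (SERVER_IP, {}),
}

# SetEnvIf rules as (header, pattern, variable): an unanchored substring match
# beside a pattern pinned to scheme and host.
LOOSE_RULES = [("Referer", r"mysite\.com", "canpass")]
ANCHORED_RULES = [("Referer",
                   r"^https?://(www\.|mobile\.|admin\.)?mysite\.com(/|$)", "canpass")]

# Policies, each a list of top-level Require lines.
IP_ONLY = ["Require ip " + SERVER_IP]   # the question's intent
LOCAL_ONLY = ["Require local"]          # the first answer's suggestion
REFERER_ENV = ["Require env canpass"]   # the Referer-based approach


def set_env_if(headers, header, pattern, var, env):
    """SetEnvIf <header> "<pattern>" <var>: set var when the regex matches."""
    if re.search(pattern, headers.get(header, "")):
        env[var] = "1"


def require(line, client_ip, env):
    """Evaluate one Require line; True means this line grants access."""
    words = line.split()
    ip = ipaddress.ip_address(client_ip)
    kind = words[1]
    if kind == "all":
        return words[2] == "granted"
    if kind == "local":   # loopback, or the address the server itself uses
        return ip.is_loopback or client_ip == SERVER_IP
    if kind == "ip":      # any of the listed addresses or CIDR ranges
        return any(ip in ipaddress.ip_network(net, strict=False) for net in words[2:])
    if kind == "env":     # variable set earlier by SetEnvIf
        return words[2] in env
    raise ValueError("unsupported directive: " + line)


def authorize(policy, request, set_env_rules=()):
    """Top-level Require lines behave as an implicit <RequireAny>."""
    client_ip, headers = request
    env = {}
    for header, pattern, var in set_env_rules:
        set_env_if(headers, header, pattern, var, env)
    return any(require(line, client_ip, env) for line in policy)


def evaluate_all():
    """Return {request name: {policy name: granted?}} for every combination."""
    return {
        name: {
            "ip_only": authorize(IP_ONLY, req),
            "local": authorize(LOCAL_ONLY, req),
            "referer_loose": authorize(REFERER_ENV, req, LOOSE_RULES),
            "referer_anchored": authorize(REFERER_ENV, req, ANCHORED_RULES),
        }
        for name, req in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        row = "  ".join(f"{p}={'200' if ok else '403'}" for p, ok in verdicts.items())
        print(f"{name:13}{row}")
```

Reading the rows: `browser_ajax` is denied by `ip_only` and `local` (the 403 from the question) and only admitted by the Referer rules; `server_side` is the reverse; `other_site` passes the loose pattern but not the anchored one; and `no_referer` is denied by every Referer-based policy, which is what a legitimate front end hits as soon as a browser's referrer policy strips the header. None of these rules authenticates the caller: an IP address identifies a network location and a Referer is whatever the client sends, so a service that must only serve its own front ends needs a credential the client presents, not a header match.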