I have this configuration:
<RequireAny>
Require ip 123.123.123.123
Require valid-user
</RequireAny>
What I want is to allow every IP like this: 123.123.123.*
Unfortunately, this doesn't work. (Response code 500)
How can I do that?
Apparently, the answer is to use
123.123.123
as stated in the documentation.
Related
For security reasons I want to restrict in .htaccess all traffic that is not coming via Cloudflare. I have already script that blocks all non Cloudflare IPs but on some hostings it just doesn't work. I want to check if request header contains header CF-RAY, regardless of value, and if not, return 403 error.
Thank you for any suggestions!
Try with:
RewriteCond %{HTTP:CF-RAY} ^$
RewriteRule ^ - [F,L]
If it is for security reasons using a header is dangerous. It is effortless to send you this header from another source.
It is better to restrict by IP to requests from CloudFlare
https://www.cloudflare.com/ips/
If it is Apache you can add something like this in .htaccess
deny from all
allow from ... (one row for every range in above url)
Yeah this is super easy to do by placing this in the top of your .htaccess file
#apache_2.4_cloudflare_bypass_protection_htaccess
#Place in top of .htaccess in document root that needs protected
#
## References
#https://docs.sucuri.net/website-firewall/configuration/prevent-sucuri-firewall-bypass/
#https://docs.sucuri.net/website-firewall/troubleshooting/bypassing-firewall-for-testing/
#https://community.cloudflare.com/t/prevent-users-bypassing-cloudflare-to-access-my-site/4606
#https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/
#https://www.cloudflare.com/ips/
#https://support.cloudflare.com/hc/en-us/articles/204899617
# BEGIN Cloudflare Firewall Bypass Prevention
#Apache 2.4 Server
<FilesMatch ".*">
Require ip 173.245.48.0/20
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 141.101.64.0/18
Require ip 108.162.192.0/18
Require ip 190.93.240.0/20
Require ip 188.114.96.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 162.158.0.0/15
Require ip 104.16.0.0/12
Require ip 172.64.0.0/13
Require ip 131.0.72.0/22
Require ip 2400:cb00::/32
Require ip 2606:4700::/32
Require ip 2803:f800::/32
Require ip 2405:b500::/32
Require ip 2405:8100::/32
Require ip 2a06:98c0::/29
Require ip 2c0f:f248::/32
# Allow from INSERT YOUR IP HERE
</FilesMatch>
# END Cloudflare Firewall Bypass Prevention
Full disclaimer: I have a git repo full of premade ones for Sucuri/Cloudflare for Openlitespeed/Litespeed/Apache.
https://gitlab.com/mikeramsey/apache-htaccess-rules/-/tree/master/
Good morning,
I have configured my .htaccess file as:
Order Allow,Deny
Allow from 65.43.173.125
Do you know if there is any way to allow a single internal IP address of that external IP address?
Something like
Order Allow,Deny
Allow from 65.43.173.125 But Only -> 192.168.0.53
I know both the external IP and internal IP that I want to allow.
Thanks in advance!
[IP address provided in the examples is random]
This should work:
Order Deny,Allow
Deny from all
Allow from 192.168.0.53
This will deny access to everyone from within the IP 65.43.173.125 except for 192.168.0.53
i want an exclusive access in my administration folder and i tried this code (in an .htaccess file inside admin folder):
order allow,deny
allow from m.y.i.p
deny from all
tried also this:
order deny,allow
deny from all
allow from m.y.i.p
and this:
order deny,allow
allow from m.y.i.p
deny from all
but anytime server gives me this response:
403 Forbidden
Forbidden
You don't have permission to access /provo/prova/ on this server.
how can i solve this issue? i have a switch connected to the router/modem and i take my ip address from this site http://whatismyipaddress.com/
thanks.
This worked for me:
Order deny,allow
deny from all
allow from m.y.i.p
However, since you've already tried it, you need to make sure that's the IP the webserver is seeing. Look at the access logs right after you load a page to see what IP got logged.
Other than that, make sure that you've put these in the right place. Either the htaccess file in the directory you want to protect, or in a <Directory> block in your server/vhost config.
Prob not the answer you're looking for but:
If you're using cPanel .. it's really easy to do it from there.
It involves making a passwords file. I never remember the exact way cause I always get cPanel to do it for me.
I would only do it by IP if you have been given a static IP from your ISP... otherwise this could change.
Use .htpasswd. It's a bit more resilient than just using an IP address.
So I want to restrict access to a url. Now if they are coming from a given IP address then they shouldn't be prompted for a password. If they are not coming from a givin IP address then they should be prompted for a password.
so a either or of:
AuthUserFile /some/path/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
and:
order deny,allow
deny from all
allow from x.x.x.x
You can use the Apache "Satisfy" directive.
Here is an example of using it :
AuthType Basic
AuthName "Please Log In"
AuthUserFile /some/path/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1
Satisfy any
Access without password is only allowed from 127.0.0.1.
Hope this helps.
With Apache 2.4 Satisfy is still available, but deprecated
Note
The directives provided by mod_access_compat have been deprecated by mod_authz_host. Mixing old directives like Order, Allow or Deny with new ones like Require is technically possible but discouraged. This module was created to support configurations containing only old directives to facilitate the 2.4 upgrade. Please check the upgrading guide for more information.
In your case Allow from 1.2.3.4 is replaced by Require ip 1.2.3.4
Combining several Requires (like Require valid-user and Require ip) can be done by Authorization Containers. So saying the client must either provide a password or come from a specific IP address, would be done by surrounding the directives with RequireAny, e.g.
<RequireAny>
Require valid-user
Require ip 1.2.3.4
</RequireAny>
Although, this is a special case as described at the end of Require
When multiple Require directives are used in a single configuration section and are not contained in another authorization directive like <RequireAll>, they are implicitly contained within a <RequireAny> directive. Thus the first one to authorize a user authorizes the entire request, and subsequent Require directives are ignored.
In other words, RequireAny is optional here, and you can just list
Require valid-user
Require ip 1.2.3.4
This workes perfect for me:
AuthType Basic
AuthName "myserver publicname"
AuthUserFile "/myserverpath/.htpasswds/public/passwd"
require ip 100.12.255.233
require valid-user
Note:
Just placed 'require ip' with 'my example ip' before 'require valid-user' and it does the trick. I can log in from my ip without password requested, but if I access from other locations or my mobile devices I need the password.
To set 'Satisfy any' was NOT GOOD FOR ME (!), because it disabled other .htaccess settings in lower hierarchy of my app and made my site insecure.
found answer, see end of the post
How do you restrict access to a file by IP, when you are hosted in a cluster/cloud environment (Rackspace Cloud, to be more specific). Yesterday, I asked a similar question here, and received the following answer, which worked great (thank you) in my local test environment.
<Files test.html>
Order allow,deny
Deny from all
Allow from 123.123.123.123
</Files>
However, what I've came to find out w/ Rackspace Cloud is that by the time a visitor hits a page (or as far as .htaccess is concerned w/), the IP would have already changed.
I discovered this as I was testing the .htaccess directive, where my true IP would not give me access, but the site's own hosting IP works.
With some other tests, I also finds out that in their cloud environment, a visitor's IP is reported through "HTTP_X_FORWARDED_FOR" instead of "REMOTE_ADDR."
Does anyone have a good workaround w/ this? Is there a directive in .htaccess that I can change the IP .htaccess looks for?
(yes, I'm going to post this same question to Rackspace.)
answer added
so after few hours of head scratching w/ their online support, the directive to use, at least with Rackspace Cloud is this:
<Files filename.htm>
SetEnvIf X-Cluster-Client-Ip 000.000.000.000 allowclient
SetEnvIf X-FORWARDED-FOR 000.000.000.000 allowclient
order deny,allow
deny from all
allow from env=allowclient
</Files>
depending on if you have are behind a SSL-cluster or not, you'll use either "X-Cluster-Client-Ip"(non-SSL) or "X-FORWARDED-FOR" (SSL) directive to match up your ip.