Allow users to access admin section with htaccess - .htaccess

I can allow users to access the admin section of my site based on IP address, and redirect the others to "Page not Found" page with this code:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/admin(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.45\.67\.890$
RewriteRule (.*) - [R=404,L]
I wonder if it is possible to add a new rule to allow also users trying to access "/admin/index.php?mikey=mouse" no matter which IP address they are coming from, and redirect the others.
I tried this:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/admin/index.php?mikey=mouse$ [OR]
RewriteCond %{REQUEST_URI} ^/admin(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.45\.67\.890$
RewriteRule (.*) - [R=404,L]
It doesn't seem to work. What am I doing wrong?

Related

How can I exclude one URL from redirection in OpenLiteSpeed

My application webroot is like : /home/username/appname/public_html
I have created a subfolder under public_html and installed the wordpress there.
Like: /home/username/appname/public_html/subfolder
we used the below redirection code because we want to access the application like https://example.com/subfolder
RewriteEngine on
RewriteCond %{HTTP_HOST} example\.com [NC]
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ http://example.com/br/$1 [L,R=301,NC]
RewriteRule ^/?(.*)$ http://example.com/br/$1 [L,R=301]
so when user will access main domain example.com so req will be redirected to example.com/subfolder/
but now we want to access example.com/file.txt
but the problem is due to redirection it also redirecting
so how can I exclude this url example.com/file.txt from redirection to example.com/subfolder/file.txt
Please help us.
I tried to add these config but did not work for me
RewriteCond %{REQUEST_URI} !^/file\.txt$
OR
RewriteCond %{REQUEST_URI} !^example\.com\/file\.txt$

Rewrite rule to show maintenance page for IPs not in the list

I need to allow site access to only development team accessing from IPs 111.111.111.111 and 222.222.222.222 and for the rest of the visitors would like to show temporary maintenance page brb.html
I tried this with the following condition and rewrite rule and it got into a redirect loop. Any insights on how to make this work?
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^222\.222\.222\.222
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111
RewriteCond %{SCRIPT_FILENAME} !^brb.html
RewriteRule ^.*$ /brb.html [R=307,L]
Note: IPs used above are not the real ones.
You can use:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^(222\.222\.222\.222|111\.111\.111\.111)
RewriteRule !^brb\.html$ /brb.html [R=307,L]
And test in a new browser.
!^brb\.html$ in rewrite rule pattern will stop looping for you.
SOLUTION:
Because of CloudFlare I had to use RewriteCond %{HTTP:X-FORWARDED-FOR} instead of RewriteCond %{REMOTE_ADDR}

block specific url in .htaccess and allow access by IP

I have a problem, I want to secure the admin panel of my website using .htaccess but its a CGI script.
from WebBrowser it looks like: http://mysite.com/?op=adminpanel
of course its /cgi-bin/index.cgi?op=adminpanel
I've tried with:
<files index.cgi?op=adminpanel>
order deny,allow
deny from all
allow from my.ip.address
</files>
but not working, works when I use <files index.cgi></files> but the whole site got 403 error for everyone except for my ip
now i'm testing with:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !( my.IP)
RewriteCond %{QUERY_STRING} !(?op=adminpanel)
RewriteRule index.cgi - [F]
any help will be greatly appreciated
Per this article you can do it like this:
Let's say you want to block IP address 123.255.123.255 from accessing the page www.mydomain.com/index.php?option=com_my_special_component. Here is how you could write the rule:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^123\.255\.123\.255
RewriteCond %{QUERY_STRING} option=com_my_special_component [NC]
RewriteRule ^(.*)$ index.php [F,L]
The first line just turns on URL rewriting. The second line matches the IP address (use backslashes before each dot), the third line matches the querystring (ie. anything that comes after the ? in the URL) - in this case it would match if option=com_my_special_component comes anywhere in the URL after the ? (eg. index.php?id=1&option=com_my_special_component&action=dostuff would still match with this rule). The [NC] at the end of that line tells it to apply the rule regardless of whether any of the characters in the URL are uppercase or lowercase. The final line redirects the user to index.php with a 'forbidden' header - so they will get an error message in their browser, and tells mod_rewrite to stop interpreting any further rewrite rules.
If you want to ban multiple IP addresses, you can add new lines for them, but you need to add an [OR] flag to the end of each line except the last one - for example:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^123\.255\.123\.255 [OR]
RewriteCond %{REMOTE_ADDR} ^124\.255\.124\.255 [OR]
RewriteCond %{REMOTE_ADDR} ^125\.255\.125\.255
RewriteCond %{QUERY_STRING} option=com_my_special_component [NC]
RewriteRule ^(.*)$ index.php [F,L]
Since you are block access to an admin page, you probably want to only allow your IP. In that case you would just put an exclamation mark in front of the IP address to say if it's any IP other than this one, then rewrite.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^123\.255\.123\.255
RewriteCond %{REMOTE_ADDR} !^124\.255\.124\.255
RewriteCond %{REMOTE_ADDR} !^125\.255\.125\.255
RewriteCond %{QUERY_STRING} option=com_my_special_component [NC]
RewriteRule ^(.*)$ index.php [F,L]
Hope that helps.
Try this in the .htaccess file :
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/admin
RewriteCond %{REMOTE_ADDR} !=10.0.0.1
RewriteCond %{REMOTE_ADDR} !=10.0.0.2
RewriteCond %{REMOTE_ADDR} !=10.0.0.3
RewriteRule ^(.*)$ - [R=403,L]
if the url begins with /admin and the remote address is not one of the three listed, send the browser on its merry way.
reference : https://www.concrete5.org/community/forums/chat/restrict-urls-starting-with-abc-to-specific-ips-.htaccess-guru
you can change this line (RewriteCond %{REQUEST_URI} ^/admin) to this :
RewriteCond %{REQUEST_URI} .*/admin
for very url contain "/admin".

Disable access to addon domain via main domain

I have like 10 addon domains on my main website, and atm you can visit any addon (call it test1.com) website with link as test1.mainwebsite.com or www.mainwebsite.com/test1
How can I block this access to addons?
I have tried this, but this block only www.mainwebsite.com/test1 way.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www.)?mainwebsite.com$ [NC]
RewriteCond %{REQUEST_URI} ^/google.com/(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/something.net/(.*)$
RewriteRule ^(.*)$ - [L,R=404]
Disable access to a subdomain
The following is an example '.htaccess' code which provides a thorough means of making the Addon domain folders, and their contents, invisible through the main domain by forcing a "404 Not Found" error. This will work both for web browsers and search engines:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www.)?domain.com$ [NC]
RewriteCond %{REQUEST_URI} ^/addonfolder/(.*)$
RewriteRule ^(.*)$ - [L,R=404]

Deny referrals from all domains except one

Is it possible to accept traffic from only one domain, ideally using a .htaccess file?
I want my site to only be accessible via a link on another site I have.
I know how to block one referring domain, but not all domains
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} otherdomain\.com [NC]
RewriteRule .* - [F]
this is my full rewrite code:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !domain\.co.uk [NC]
RewriteRule .? - [F]
# The Friendly URLs part
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
I think it is working, but none of the assets are getting loaded and I get a 500 error when I click on another link.
Make that something like:
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !yourdomain\.com [NC]
RewriteCond %{HTTP_REFERER} !alloweddomain\.com [NC]
RewriteRule .? - [F]
The first RewriteCond checks that the referrer is not empty. The second checks that it doesn't contain the string yourdomain.com, and the third that it doesn't contain the string alloweddomain.com. If all of these checks pass, the RewriteRule triggers and denies the request.
(Allowing empty referrers is generally a good idea, since browsers can generate them for various reasons, such as when:
the user has bookmarked the link,
the user entered the link manually into the address bar,
the user reloaded the page,
the browser is configured not to send cross-site referrer infromation, or
a proxy between your site and the browser strips away the referrer information.)

Resources