I have a problem: I want to secure the admin panel of my website using .htaccess, but it's a CGI script.
From a web browser it looks like: http://mysite.com/?op=adminpanel
Of course it's /cgi-bin/index.cgi?op=adminpanel
I've tried with:
<files index.cgi?op=adminpanel>
order deny,allow
deny from all
allow from my.ip.address
</files>
but it's not working. It works when I use <files index.cgi></files>, but then the whole site returns a 403 error for everyone except my IP.
Now I'm testing with:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !( my.IP)
RewriteCond %{QUERY_STRING} !(?op=adminpanel)
RewriteRule index.cgi - [F]
Any help will be greatly appreciated.
Per this article you can do it like this:
Let's say you want to block IP address 123.255.123.255 from accessing the page www.mydomain.com/index.php?option=com_my_special_component. Here is how you could write the rule:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^123\.255\.123\.255
RewriteCond %{QUERY_STRING} option=com_my_special_component [NC]
RewriteRule ^(.*)$ index.php [F,L]
The first line just turns on URL rewriting. The second line matches the IP address (use backslashes before each dot), the third line matches the querystring (i.e. anything that comes after the ? in the URL) - in this case it would match if option=com_my_special_component comes anywhere in the URL after the ? (e.g. index.php?id=1&option=com_my_special_component&action=dostuff would still match with this rule). The [NC] at the end of that line tells it to apply the rule regardless of whether any of the characters in the URL are uppercase or lowercase. The final line redirects the user to index.php with a 'forbidden' header - so they will get an error message in their browser, and tells mod_rewrite to stop interpreting any further rewrite rules.
If you want to ban multiple IP addresses, you can add new lines for them, but you need to add an [OR] flag to the end of each line except the last one - for example:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^123\.255\.123\.255 [OR]
RewriteCond %{REMOTE_ADDR} ^124\.255\.124\.255 [OR]
RewriteCond %{REMOTE_ADDR} ^125\.255\.125\.255
RewriteCond %{QUERY_STRING} option=com_my_special_component [NC]
RewriteRule ^(.*)$ index.php [F,L]
Since you are blocking access to an admin page, you probably want to only allow your IP. In that case you would just put an exclamation mark in front of the IP address to say if it's any IP other than this one, then rewrite.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^123\.255\.123\.255
RewriteCond %{REMOTE_ADDR} !^124\.255\.124\.255
RewriteCond %{REMOTE_ADDR} !^125\.255\.125\.255
RewriteCond %{QUERY_STRING} option=com_my_special_component [NC]
RewriteRule ^(.*)$ index.php [F,L]
Hope that helps.
Try this in the .htaccess file:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/admin
RewriteCond %{REMOTE_ADDR} !=10.0.0.1
RewriteCond %{REMOTE_ADDR} !=10.0.0.2
RewriteCond %{REMOTE_ADDR} !=10.0.0.3
RewriteRule ^(.*)$ - [R=403,L]
If the URL begins with /admin and the remote address is not one of the three listed, send the browser on its merry way.
Reference: https://www.concrete5.org/community/forums/chat/restrict-urls-starting-with-abc-to-specific-ips-.htaccess-guru
You can change this line (RewriteCond %{REQUEST_URI} ^/admin) to this:
RewriteCond %{REQUEST_URI} .*/admin
for every URL containing "/admin".
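Applied to the URL from the original question (index.cgi?op=adminpanel), as an added example that is not part of either answer above: <Files> matches file names only and never sees the query string, so the test has to go through %{QUERY_STRING}. 203.0.113.10 is a placeholder for the allowed address, and the second variant assumes Apache 2.4.

```apache
# Variant 1: mod_rewrite (Apache 2.2 and 2.4).
# Consecutive RewriteCond lines are ANDed: the rule fires only when the client
# is NOT the allowed address AND the request asks for op=adminpanel.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !=203.0.113.10
# (^|&) and (&|$) pin the match to one whole parameter, so "shop=adminpanel"
# or "op=adminpanel2" are not treated as the admin operation.
RewriteCond %{QUERY_STRING} (^|&)op=adminpanel(&|$)
# "^" matches every path this .htaccess governs, so the rule applies whether
# the panel is requested as /?op=adminpanel or as index.cgi?op=adminpanel.
# "-" leaves the URL untouched and [F] answers 403 Forbidden.
RewriteRule ^ - [F]

# Variant 2: Apache 2.4 authorization instead of a rewrite (use one variant).
# <If> is evaluated per request and may test the query string.
<If "%{QUERY_STRING} =~ /(^|&)op=adminpanel(&|$)/">
    Require ip 203.0.113.10
</If>
```

Both variants test the raw query string, before percent-decoding, and do not see parameters sent in a POST body, so keep the script's own login in place and treat the IP rule as an extra layer.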
Related
I can allow users to access the admin section of my site based on IP address, and redirect the others to "Page not Found" page with this code:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/admin(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.45\.67\.890$
RewriteRule (.*) - [R=404,L]
I wonder if it is possible to add a new rule to allow also users trying to access "/admin/index.php?mikey=mouse" no matter which IP address they are coming from, and redirect the others.
I tried this:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/admin/index.php?mikey=mouse$ [OR]
RewriteCond %{REQUEST_URI} ^/admin(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.45\.67\.890$
RewriteRule (.*) - [R=404,L]
It doesn't seem to work. What am I doing wrong?
My main pages are at "main.mysite.com".
Customers access the site via "customer.mysite.com", which contains only a subset of the main pages.
When a customer requests the page "customer.mysite.com/data.php", I want to first check if the file is in the "customer.mysite.com" subdomain; if yes, then serve that page, if not, then serve the page at the "main.mysite.com/data.php" subdomain.
I also want to keep the url at "customer.mysite.com/data.php" for the two cases.
My complete htaccess file is currently:
# This will enable the Rewrite capabilities
RewriteEngine On
RewriteBase /
# This rule will convert request urls like /category/page?id=1 to /?c=category&p=page&id=1
# Redirect to main page, which is Single Page Application and then manage to open the new tab
RewriteRule ^([A-Za-z]*)\/([A-Za-z]*)([?]?[A-Za-z0-9=&]*)$ /?c=$1&p=$2 [NC,R,QSA]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e. http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context
# First, this checks to make sure the connection is not already HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [NC]
# This rule will serve pages from main.mysite.com when browsed with customer.mysite.com
# By removing the [R=301], it makes an internal redirect, keeping the original url in the browser
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ https://main.mysite.com/$1 [L,NC,QSA]
# Disable Directory Listing
Options -Indexes
<Files .htaccess>
order allow,deny
deny from all
</Files>
However, when I browse "customer.mysite.com/page.php", I am redirected to "main.mysite.com/page.php", which is not what I want.
First, to redirect /category/page?id=1 to /?c=category&p=page&id=1:
RewriteCond %{QUERY_STRING} ^id=(.*)$
RewriteRule ^([A-Za-z]+)\/([A-Za-z]+)$ /?c=$1&p=$2 [NC,R=301,QSA]
Change this: RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [NC]
to this: RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R=301]
because %{HTTP_HOST} is the request header that includes your target host.
Moreover:
If you handle the error file like that, looping will happen when there is no file at that target, so it is better to handle it like this:
Replace this:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ https://main.mysite.com/$1 [L,NC,QSA]
with this:
RewriteCond %{HTTP_HOST} !^(www\.)?main\.mysite\.com$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ https://main.mysite.com/$1 [L,NC,QSA]
# then you can handle a file that is not found on main like this
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /path/to/error/page [L]
By adding the proxy flag [P] to the rule, the server makes an internal redirect, keeping the browser URL unchanged. Normally, this would work by not specifying the R=301 flag, but it's not enough when the rule is changing domain/subdomain.
What worked:
RewriteRule ^(.*)$ https://main.mysite.com/$1 [P,L,NC,QSA]
Note that the L flag is not required with P as it is added implicitly, as no other rules can be executed after that.
OK, I have boonex script installed and the original .htaccess is on http://codeshare.io/zSQvq.
I want to redirect everyone to another directory on the server (whilst I build the site).
The only allowed will be my 2 IPs. And for that I added:
RewriteCond %{REMOTE_ADDR} !^(18\.13\.112\.222|18\.4\.144\.106)
RewriteCond %{REQUEST_URI} !^/inamoment/ [NC]
RewriteRule ^(.*)$ http:// mysite .com/inamoment/$1 [R=302,L]
after RewriteEngine on
and when I do that I receive a 500 Internal Server Error.
Is there maybe something contradictory?
Would you mind having a look at http://codeshare.io/zSQvq
Many thanks
(http:// mysite .com/ was separated on purpose)
And everything works with:
RewriteCond %{REMOTE_ADDR} !^(192\.249\.19\.122|81\.13\.18\.56)
RewriteCond %{REQUEST_URI} !^/inamoment/ [NC]
RewriteRule ^(.*)$ http://site(dot)com/inamoment/$1 [R=302,L]
Where the first line says: if the visit is not from any of those IPs;
and the 2nd and 3rd lines say to redirect to site.com/inamoment
All the best
Is it possible to accept traffic from only one domain, ideally using a .htaccess file?
I want my site to only be accessible via a link on another site I have.
I know how to block one referring domain, but not all domains:
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} otherdomain\.com [NC]
RewriteRule .* - [F]
This is my full rewrite code:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !domain\.co.uk [NC]
RewriteRule .? - [F]
# The Friendly URLs part
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
I think it is working, but none of the assets are getting loaded and I get a 500 error when I click on another link.
Make that something like:
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !yourdomain\.com [NC]
RewriteCond %{HTTP_REFERER} !alloweddomain\.com [NC]
RewriteRule .? - [F]
The first RewriteCond checks that the referrer is not empty. The second checks that it doesn't contain the string yourdomain.com, and the third that it doesn't contain the string alloweddomain.com. If all of these checks pass, the RewriteRule triggers and denies the request.
(Allowing empty referrers is generally a good idea, since browsers can generate them for various reasons, such as when:
the user has bookmarked the link,
the user entered the link manually into the address bar,
the user reloaded the page,
the browser is configured not to send cross-site referrer information, or
a proxy between your site and the browser strips away the referrer information.)
At some point through my error my localhost started getting redirected. After reading around I added RewriteCond !localhost [NC] to my .htaccess file and it now appears to work but I've pretty much no idea what I'm doing.
I don't know htaccess rules well, I've read several answers and googled but the scripts I've found seem to take a different approach usually based around...
Require valid-user
Allow from 127.0.0.1
Satisfy Any
...which I have trouble integrating.
Is my amend below OK or a bad idea?
# MAINTENANCE-PAGE REDIRECT
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^00\.00\.000\.000 # my remote IP address
RewriteCond !localhost [NC] # I added this line
RewriteCond %{REQUEST_URI} !/maintenance.html$ [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g?|png|gif|css|zip) [NC]
RewriteRule .* /maintenance.html [R=302,L]
</IfModule>
I would suggest you remove these lines:
RewriteCond %{REMOTE_ADDR} !^00\.00\.000\.000 # my remote IP address
RewriteCond !localhost [NC] # I added this line
and add just this:
RewriteCond %{REMOTE_ADDR} !^(?:(?:00\.00\.000\.000)|(?:127\.0\.0\.1))$
But the
Require valid-user
Allow from 127.0.0.1
Satisfy Any
solution is much better.
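The two approaches from this answer written out in full, as an added example rather than the poster's own file. 203.0.113.10 stands in for the remote address, /path/to/.htpasswd and the AuthName text are placeholders, and the second alternative uses the Apache 2.4 spelling of Require valid-user / Allow from / Satisfy Any.

```apache
# Alternative 1: maintenance redirect with mod_rewrite.
# Apache does not accept a comment after a directive on the same line, so
# every comment here sits on its own line.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Skip the redirect for the allowed remote address and for localhost
    # (IPv4 and IPv6); the trailing $ stops partial matches.
    RewriteCond %{REMOTE_ADDR} !^(203\.0\.113\.10|127\.0\.0\.1|::1)$
    # Never redirect the maintenance page itself, which would loop.
    RewriteCond %{REQUEST_URI} !^/maintenance\.html$ [NC]
    # Let the static assets used by the maintenance page through.
    RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif|css|zip)$ [NC]
    RewriteRule ^ /maintenance.html [R=302,L]
</IfModule>

# Alternative 2 (use instead of 1): local address or password, Apache 2.4.
# <RequireAny> grants access as soon as one line matches, which is what
# "Satisfy Any" did in Apache 2.2.
AuthType Basic
AuthName "Site under construction"
AuthUserFile "/path/to/.htpasswd"
<RequireAny>
    Require ip 127.0.0.1 ::1
    Require ip 203.0.113.10
    Require valid-user
</RequireAny>
```

With alternative 2, visitors from other addresses get a login prompt rather than the maintenance page, so the two alternatives are not meant to be combined in one file.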