0

I want to allow access to /admin and /login only from certain IP addresses (two: 192.168.0.1 and 10.10.10.1). I already learned here that I have to use something like `RewriteCond %{REMOTE_ADDR} !^192\.168\..*$`, but how do I do this more precisely in my example?

I use Symfony2 and have a quite basic htaccess file in my /www folder.

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On

    RewriteCond %{HTTP_HOST} calculator.ipsum.de$
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !index
    RewriteCond %{REQUEST_URI} !\.
    RewriteRule (.*) index.php [L]
</IfModule>
```
lony

2 Answers

1

You can try:

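```apache
# Consecutive RewriteCond lines are ANDed: forbid only when the client is neither address.
# (With [OR] between two negated checks, every client matches at least one and gets the 403.)
RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.1$
RewriteCond %{REMOTE_ADDR} !^10\.10\.10\.1$
RewriteRule (admin|login)/?$ - [F]
```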

This should give a 403 - Forbidden for attempts to access that page from IPs other than the ones in the conditions.

arco444
  • Can I also have a 404 - I want to hide the login? – lony Dec 01 '15 at 12:27
  • Changing the flag from `[F]` to `[R=404,L]` should work – arco444 Dec 01 '15 at 12:31
  • Where in my file do I have to put the snippet? I tried it as the first rule beyond "On" but it seems not to work. Can SSL or virtual hosts be a problem? – lony Dec 01 '15 at 12:45
  • That's where I'd recommend to put it. Are you sure you're coming in on those addresses? Does the rule work on its own without the conditions? – arco444 Dec 01 '15 at 13:20
  • Hm, I think it is not. How can I "test" routing in Apache and debug mod_rewrite? – lony Dec 01 '15 at 17:27
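
An added example, not part of the original answers: a small Python model of how mod_rewrite combines consecutive `RewriteCond` lines (ANDed by default, ORed with the next line when flagged `[OR]`), run against the two allowed addresses from the question and a constructed outside address, 203.0.113.7. The function names are hypothetical, and this is a simplified model of the chaining logic only, not Apache code.

```python
import re

def cond_matches(cond_pattern, value):
    """One RewriteCond CondPattern: a leading '!' negates the regex match."""
    negate = cond_pattern.startswith("!")
    regex = cond_pattern[1:] if negate else cond_pattern
    hit = re.search(regex, value) is not None
    return not hit if negate else hit

def conds_pass(conds, remote_addr):
    """conds is a list of (cond_pattern, or_next) pairs.
    A condition with or_next=True is ORed with the one after it;
    the resulting chains are ANDed together."""
    chain_ok = False
    for i, (pattern, or_next) in enumerate(conds):
        chain_ok = chain_ok or cond_matches(pattern, remote_addr)
        if not or_next or i == len(conds) - 1:  # end of an OR chain
            if not chain_ok:
                return False
            chain_ok = False
    return True

def is_forbidden(conds, path, remote_addr):
    """Models: RewriteRule (admin|login)/?$ - [F] guarded by conds."""
    protected = re.search(r"(admin|login)/?$", path) is not None
    return protected and conds_pass(conds, remote_addr)

# Negated checks joined with [OR]: true for every client address.
WITH_OR = [(r"!^192\.168\.0\.1$", True), (r"!^10\.10\.10\.1$", False)]
# Negated checks ANDed (no flag): true only for addresses off the list.
WITH_AND = [(r"!^192\.168\.0\.1$", False), (r"!^10\.10\.10\.1$", False)]

def compare(path="admin"):
    """Return {address: (forbidden_with_or, forbidden_with_and)}."""
    clients = ["192.168.0.1", "10.10.10.1", "203.0.113.7"]  # last one is constructed
    return {ip: (is_forbidden(WITH_OR, path, ip),
                 is_forbidden(WITH_AND, path, ip)) for ip in clients}

if __name__ == "__main__":
    for ip, (with_or, with_and) in compare().items():
        print(f"{ip:<12} [OR] -> {'403' if with_or else 'ok '}   "
              f"AND -> {'403' if with_and else 'ok'}")
```

The `[OR]` variant returns 403 for the two allowed addresses as well, which is why an allow-list written as negated conditions has to rely on the default AND.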
0

You could use Symfony's access control instead. So in your app/config/security.yml, add:

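```yaml
security:
    access_control:
        - { path: ^/admin, roles: ROLE_USER_IP, ips: [192.168.0.1, 10.10.10.1] }
        - { path: ^/login, roles: ROLE_USER_IP, ips: [192.168.0.1, 10.10.10.1] }
        # An entry with ips only matches those clients; other addresses fall through to
        # the entries below, which require a role no user has (ROLE_NO_ACCESS is a placeholder).
        - { path: ^/admin, roles: ROLE_NO_ACCESS }
        - { path: ^/login, roles: ROLE_NO_ACCESS }
```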

That should allow 192.168.0.1 and 10.10.10.1 access to the pages, while blocking anything else.

Alternatively, if you want to do this on the server instead of in your application, you could use Apache's mod_access module instead of rewriting:

```apache
<Location "/admin">
    Order deny,allow
    Allow from 192.168.0.1 10.10.10.1
    Deny from All
</Location>

<Location "/login">
    Order deny,allow
    Allow from 192.168.0.1 10.10.10.1
    Deny from All
</Location>
```
Oldskool
  • [I tried the Symfony approach, but couldn't get it to work. If I use access control it interferes with my firewall, resulting in a loop!](http://stackoverflow.com/questions/33690284/symfony-2-allow-login-only-from-whitelisted-ips) – lony Dec 01 '15 at 12:18