Apache Web Server Forum

This 35 message thread spans 2 pages.
Allow access to example.com but disallow access via its dedicated IP
Angonasec




msg:4652386
 2:21 am on Mar 9, 2014 (gmt 0)

FreeBSD on Apache 2 Shared hosting:

I recently moved our main site to a new host with a fresh dedicated IP.

I own eight other related (.tld variations) but parked domains, which are now sharing this same IP.

I am developing those for subsequent use, not to redirect to the main site.

How do I safely stop all attempts to access the main domain by numeric IP?

ie. Allow access by www.example.com but disallow by nnn.nn.nn.nn

 

Angonasec




msg:4652387
 2:35 am on Mar 9, 2014 (gmt 0)

I should add that I currently have in place this to redirect all calls to homepage to the root domain name, and also direct to the www canonical version. Which does not prevent access by numerical IPs.

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /homepage\.htm\ HTTP/
RewriteRule ^homepage\.htm$ http://www.example.com/ [R=301,L]
RewriteCond %{HTTP_HOST} ^example\.com
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

phranque




msg:4652418
 6:40 am on Mar 9, 2014 (gmt 0)

change this:
RewriteCond %{HTTP_HOST} ^example\.com


to this:
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]

lucy24




msg:4652422
 7:10 am on Mar 9, 2014 (gmt 0)

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]


And then, if you have multiple domains living on the same server, you add rulesets:

RewriteCond %{HTTP_HOST} fizzgig
RewriteCond %{HTTP_HOST} !^(www\.fizzgig\.com)?$ [NC]
RewriteRule blahblah

RewriteCond %{HTTP_HOST} tweedledee
RewriteCond %{HTTP_HOST} !^(www\.tweedledee\.com)?$ [NC]
RewriteRule blahblah

RewriteCond %{HTTP_HOST} hooptie
RewriteCond %{HTTP_HOST} !^(www\.hooptie\.com)?$ [NC]
RewriteRule blahblah

for each of the non-primary domains. If there's a boss domain, it goes at the end of this list and it only requires one condition: "If, after all this, the request is for anything other than example.com, redirect."

Yes, OK, I could have expressed it as example.org, example.net, example.ca and so on. But let's be reasonable.

g1smd




msg:4652429
 8:47 am on Mar 9, 2014 (gmt 0)

I prefer to omit the [NC] flag from these rules.

lucy24




msg:4652520
 8:07 pm on Mar 9, 2014 (gmt 0)

Follow-up: I realized after posting that I omitted the crucial [NC] tags. In each ruleset, the first condition has to say

RewriteCond %{HTTP_HOST} fuzzball [NC]

It is up to you whether the second condition says
RewriteCond %{HTTP_HOST} !^(www\.fuzzball\.com)?$ [NC]
or
RewriteCond %{HTTP_HOST} !^(www\.fuzzball\.com)?$
(with or without [NC]). But the first [NC] must be present, or else requests for capitalized FUZZBALL.COM will end up at "example.com" (your last, default site).

Samizdata




msg:4652526
 8:43 pm on Mar 9, 2014 (gmt 0)

I prefer to omit the [NC] flag from these rules.

Indeed, my understanding is that on Apache the URL is only case-sensitive after the domain name.

On Windows servers the domain name is case-sensitive though.

...

Angonasec




msg:4652605
 5:37 am on Mar 10, 2014 (gmt 0)

Superb Team :)
Ta!

Angonasec




msg:4652618
 8:22 am on Mar 10, 2014 (gmt 0)

Actually; the domain name is identical, primary and shared, all on the same IP, only the .tld changes, so should this be;

RewriteCond %{HTTP_HOST} example\.ca
RewriteCond %{HTTP_HOST} !^(www\.example\.ca)?$
RewriteRule ^(.*)$ - [F]

RewriteCond %{HTTP_HOST} example\.org
RewriteCond %{HTTP_HOST} !^(www\.example\.org)?$
RewriteRule ^(.*)$ - [F]

RewriteCond %{HTTP_HOST} example\.net
RewriteCond %{HTTP_HOST} !^(www\.example\.net)?$
RewriteRule ^(.*)$ - [F]

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /homepage\.htm\ HTTP/
RewriteRule ^homepage\.htm$ http://www.example.com/ [R=301,L]
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

Angonasec




msg:4652625
 8:55 am on Mar 10, 2014 (gmt 0)

I suspect the parked .tld code above can be condensed, but I've already tried it live. :)

When I try to view the main domain using its dedicated IP in the browser, it promptly redirects to the www.example.com url and shows the correct homepage :)

When I try to view the parked domains by their domain names, I receive my password protected pop-up, which I installed previously.

So, perhaps in my case, the extra parked domain redirect conditions and rules are redundant, and so I have deleted them from the live sites, and it all seems to function as required.

But please speak up if I'm allowing a loop-hole for bots and hackers.

If I may ask a further question about syntax for lines such as these:

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

My real domain is hyphenated, so do the hyphens require escaping thus:

RewriteCond %{HTTP_HOST} !^(www\.example\-example\.com)?$ [NC]
RewriteRule ^(.*)$ [example\-example\com...] [R=301,L]

I suspect they do, but I'm not getting a server error without them.

lucy24




msg:4652647
 10:24 am on Mar 10, 2014 (gmt 0)

Actually; the domain name is identical, primary and shared, all on the same IP, only the .tld changes, so should this be;

RewriteCond %{HTTP_HOST} example\.ca
< et cetera >

Yup. Assuming you really did mean to say [F] there!

My real domain is hyphenated, so do the hyphens require escaping

No. In Regular Expressions, literal hyphens only need to be escaped inside grouping brackets-- and even then, only in certain positions, depending on your RegEx engine. afaik, hyphens never have syntactic meaning in Apache (as blank spaces do, and literal slashes in certain mods but not mod_rewrite).

Things in Regular Expressions only require escaping if the non-escaped form has a special meaning. It's got nothing to do with ASCII or non-alphanumeric or non-web-safe or anything like that.

Angonasec




msg:4652674
 11:57 am on Mar 10, 2014 (gmt 0)

Thank you again Lucy :)

Looking good, thanks to everyone's help.

One final query;

I didn't mention previously, so's not to complicate matters, but my primary (live) site on the dedicated IP has two live sub-domains, which are arranged as two other "hosts" on the same dedicated IP. With their own htaccess files.

Do I need to employ any measures to safe-guard the sub-domains from being accessed by the numeric IP, rather than by their sub-dom url?

I can't think of any way they could be accessed with a browser via the numeric IP, but I'm wondering about bots and hackers accessing them in other ways I need to block?

g1smd




msg:4652740
 2:58 pm on Mar 10, 2014 (gmt 0)

In the rules with [F] flag the ^(.*)$ pattern can be simplified to .? with no anchors or capturing.

Angonasec




msg:4652752
 3:39 pm on Mar 10, 2014 (gmt 0)

Thank you Sir, that will assist people reading this thread in future;

So the final form of generic code would be this:

RewriteCond %{HTTP_HOST} example\.ca
RewriteCond %{HTTP_HOST} !^(www\.example\.ca)?$
RewriteRule .? - [F]

RewriteCond %{HTTP_HOST} example\.org
RewriteCond %{HTTP_HOST} !^(www\.example\.org)?$
RewriteRule .? - [F]

RewriteCond %{HTTP_HOST} example\.net
RewriteCond %{HTTP_HOST} !^(www\.example\.net)?$
RewriteRule .? - [F]

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

A reminder what it does:

The first three rulesets are for parked .tld variants of the live domain, and they forbid (403) access to those parked domains by domain name url, and by numeric IP.

The final ruleset redirects all non-www requests to the www url version, as well as redirecting attempts to access that domain by its numeric IP to the root homepage.

PS. I'm still wondering if you Regex wizos would be able to "compress" those first three rulesets into something more economical and condensed. But I've actually not used them because I have those domain variants htaccess password protected.

lucy24




msg:4652760
 4:23 pm on Mar 10, 2014 (gmt 0)

Add [NC] tags to the first condition of each group. Your choice whether to use it on the second, definitive condition.

A reminder what it does:

... and that's what
# explanatory-comment-here
lines are for.

The three preliminary rules could theoretically be compressed into a single one, but it would become such an ugly and unpalatable rule that why bother? You'd have to capture something in the condition, and this can only be done by putting the first condition last. (You can only capture from the most recently met condition.) Using %{HTTP_HOST} in the target won't work, because the whole point was to get rid of non-standard requests.

It can be done so long as the rule ends in [F], but that's just temporary isn't it?

RewriteCond %{HTTP_HOST} example\.(ca|org|net)
RewriteCond %{HTTP_HOST} !^www\.example\.(ca|org|net)$
RewriteRule .? - [F]

I just realized you don't need the (blahblah)? element, since the whole point is that there is a named host. So no "or exactly nothing" option.

I wondered if the second condition could say
!^www\.example\.%1$
taking advantage of the parentheses in the previous condition, but for some reason this leads to an infinite loop. Can't figure out why; I just tried it on the test site. Actually I expected a 500-class error. Someone else will explain it.

g1smd




msg:4652772
 5:38 pm on Mar 10, 2014 (gmt 0)

In Conditions you cannot have backreferences "on the right".

lucy24




msg:4652811
 8:15 pm on Mar 10, 2014 (gmt 0)

In Conditions you cannot have backreferences "on the right".

That's what I thought, which is why I expected a 500-class error. Did it simply interpret %1 in the condition as a literal "%1"? That would explain the infinite redirect, since the condition would then always succeed.

Angonasec




msg:4652848
 10:19 pm on Mar 10, 2014 (gmt 0)

Thank you Lucy, I appreciate your Regex format/explanation, and experimenting too.

Colleagues here seem to have thought the no-case tags unnecessary in this case.

Yes, "temporary" but a 403 [F] is a good option for now :)

Angonasec




msg:4653565
 7:11 am on Mar 13, 2014 (gmt 0)

Bearing in mind the opinions expressed in this anti-bot thread:
[webmasterworld.com...]

And that the code above redirects visits by the dedicated IP to the primary domain's homepage, (which some experts regard as risky) what would be an alternative mod_rewrite code to block (rather than redirect to the homepage) all visits from bots and humans trying to access the site through its dedicated IP?

By providing both code-sets, future readers of this thread can make their own choice which to use.

lucy24




msg:4653621
 10:47 am on Mar 13, 2014 (gmt 0)

:: thinking ::

RewriteCond %{HTTP_HOST} ^\d+\.\d+\.\d+\.\d+$
RewriteCond %{REMOTE_ADDR} 12\.34\.56\.78
RewriteRule .? - [F]

You can replace the \d etcetera with your site's actual IP, but doing it this way keeps you covered if you change servers. The second condition is because presumably you want to exempt yourself. Replace 12.34 et cetera with your own IP.

This rule goes with your other [F] rules, which puts it long before any domain-name-related redirects you might have.

Apache doesn't recognize \h does it? It would be useful in IPv6 addresses.

:: detour to test site ::

Nope. At least not in 2.2. It reads "\h" as simply h with gratuitous escaping.

Angonasec




msg:4653649
 12:29 pm on Mar 13, 2014 (gmt 0)

That was quick :)

Thank you.

Personally, I'm not looking forward to IPv6 catching on.
It's going to make my already bloated htaccess file truly replete with denied bot verbiage.

Angonasec




msg:4653662
 1:04 pm on Mar 13, 2014 (gmt 0)

I tested it Lucy, but it didn't block the numeric IP:

So I removed the first slash, and it does now work:

# Ban access to site via its dedicated IP
RewriteCond %{HTTP_HOST} ^nn\.nnn\.nn\.nnn$
RewriteRule .? - [F]

g1smd




msg:4653664
 1:14 pm on Mar 13, 2014 (gmt 0)

So I removed the first slash, and it does now work:

What first slash?

Angonasec




msg:4653759
 4:20 pm on Mar 13, 2014 (gmt 0)

The first one here:

RewriteCond %{HTTP_HOST} ^\d+\.\d+\.\d+\.\d+$

Thus becoming...

RewriteCond %{HTTP_HOST} ^nn\.nnn\.nn\.nnn$

Correct?

lucy24




msg:4653822
 9:04 pm on Mar 13, 2014 (gmt 0)

Uhm, if you replaced \d with your actual numeric IP, there is no first slash! \d means [0-9]; afaik all RegEx engines recognize the form. (Also \w which for htaccess purposes means [A-Za-z0-9_].)

\n means newline, but those don't occur in ordinary Apache directives, since a request is by definition a single line.

Angonasec




msg:4653893
 2:33 am on Mar 14, 2014 (gmt 0)

Whoops, apologies, I misunderstood, and took your comment;

"You can replace the \d etcetera with your site's actual IP..."

...To imply the \d etcetera was Lucy-speak instead of RegEx-speak.


However, whilst the site has a fixed dedicated IP will this line, as posted, suffice? It seemed to work ok when tested.

The nn's are replaced with my actual dedicated IP of course.

RewriteCond %{HTTP_HOST} ^nn\.nnn\.nn\.nnn$

lucy24




msg:4653921
 5:35 am on Mar 14, 2014 (gmt 0)

Yes, it's perfectly fine to use your actual numeric IP. The \d\d\d etcetera option is appropriate if you're on one of those shared-hosting setups where they move you to another server every other week* and you don't want to keep updating.


* This is a wild exaggeration. I think I've been moved twice in seven years.

Angonasec




msg:4653931
 7:03 am on Mar 14, 2014 (gmt 0)

Smashing :)

Apologies for the confusion.

So, to clarify for future bods reading this; to implement Regex mod_rewrite code to BLOCK access by a site's dedicated IP of, for example; 22.22.22.22
And to allow the site-owner to access the site by their ISP's numeric IP of, for example; 12.34.56.78

The generic code;

RewriteCond %{HTTP_HOST} ^\d+\.\d+\.\d+\.\d+$
RewriteCond %{REMOTE_ADDR} 12\.34\.56\.78
RewriteRule .? - [F]


Becomes?

lucy24




msg:4653948
 9:05 am on Mar 14, 2014 (gmt 0)

Becomes?

RewriteCond %{HTTP_HOST} ^22\.22\.22\.22$

:: detour to look up ::

Oh. Defense Department. That's why I've never set eyes on them.

At this point, some form of jamais vu is liable to set in, and you need to remind yourself that
HTTP_HOST
is the site, while
REMOTE_ADDR
is the visitor.

g1smd




msg:4653955
 9:22 am on Mar 14, 2014 (gmt 0)

This is a rule to block access.

To allow access by this IP, the pattern for %{REMOTE_ADDR} should be start and end anchored and the whole thing preceded by ! for NOT.
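
The difference between the IP-blocking rule as posted and the anchored, negated form described in the last post can be checked offline. This is an added example, not code from any poster in the thread: Python's `re` stands in for Apache's regex engine, `decide` and `run_samples` are hypothetical names, and 203.0.113.9 is a constructed visitor address.

```python
import re

# mod_rewrite tests RewriteCond patterns as unanchored searches, so re.search
# is used throughout. Addresses below are the thread's placeholders, plus one
# constructed visitor address (203.0.113.9).
HOST_IS_IP = re.compile(r"^\d+\.\d+\.\d+\.\d+$", re.ASCII)
OWNER_AS_POSTED = re.compile(r"12\.34\.56\.78")       # unanchored, no "!"
OWNER_ANCHORED = re.compile(r"^12\.34\.56\.78$")      # used with "!" below
CANONICAL_HOST = re.compile(r"^(www\.example\.com)?$", re.IGNORECASE)


def decide(host, remote_addr, as_posted=False):
    """Return 'F' (403), 'R' (301 to www.example.com) or 'pass'."""
    # Ruleset 1: forbid requests whose Host header is a bare IPv4 address.
    if HOST_IS_IP.search(host):
        if as_posted:
            # RewriteCond %{REMOTE_ADDR} 12\.34\.56\.78
            second = OWNER_AS_POSTED.search(remote_addr) is not None
        else:
            # RewriteCond %{REMOTE_ADDR} !^12\.34\.56\.78$
            second = OWNER_ANCHORED.search(remote_addr) is None
        if second:
            return "F"
    # Ruleset 2: RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]
    if CANONICAL_HOST.search(host) is None:
        return "R"
    return "pass"


def run_samples():
    """Evaluate constructed (Host, REMOTE_ADDR) pairs under both variants."""
    samples = [
        ("22.22.22.22", "203.0.113.9"),      # stranger using the site IP
        ("22.22.22.22", "12.34.56.78"),      # owner using the site IP
        ("www.example.com", "203.0.113.9"),
        ("WWW.EXAMPLE.COM", "203.0.113.9"),  # passes only because of [NC]
        ("example.com", "203.0.113.9"),
        ("", "203.0.113.9"),                 # no Host header: "?" lets it pass
    ]
    return [(h, a, decide(h, a, True), decide(h, a)) for h, a in samples]


if __name__ == "__main__":
    for host, addr, posted, corrected in run_samples():
        print(f"{host!r:20} {addr:14} as posted: {posted:5} corrected: {corrected}")
```

As posted, the rule forbids only the owner and lets every other IP-based request fall through to the redirect; with the negated, anchored condition the owner is exempt from the 403 and is then redirected to the www host by the final ruleset. The anchors matter because the unanchored pattern also matches an address such as 112.34.56.78.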

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved