
Forum Moderators: Ocean10000 & incrediBILL & phranque

Allow access to example.com but disallow access via its dedicated IP

   
2:21 am on Mar 9, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



FreeBSD on Apache 2 Shared hosting:

I recently moved our main site to a new host with a fresh dedicated IP.

I own eight other related (.tld variations) but parked domains, which are now sharing this same IP.

I am developing those for subsequent use, not to redirect to the main site.

How do I safely stop all attempts to access the main domain by numeric IP?

ie. Allow access by www.example.com but disallow by nnn.nn.nn.nn
2:35 am on Mar 9, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I should add that I currently have in place this to redirect all calls to homepage to the root domain name, and also direct to the www canonical version. Which does not prevent access by numerical IPs.

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /homepage\.htm\ HTTP/
RewriteRule ^homepage\.htm$ http://www.example.com/ [R=301,L]
RewriteCond %{HTTP_HOST} ^example\.com
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
6:40 am on Mar 9, 2014 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



change this:
RewriteCond %{HTTP_HOST} ^example\.com


to this:
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]
7:10 am on Mar 9, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]


And then, if you have multiple domains living on the same server, you add rulesets:

RewriteCond %{HTTP_HOST} fizzgig
RewriteCond %{HTTP_HOST} !^(www\.fizzgig\.com)?$ [NC]
RewriteRule blahblah

RewriteCond %{HTTP_HOST} tweedledee
RewriteCond %{HTTP_HOST} !^(www\.tweedledee\.com)?$ [NC]
RewriteRule blahblah

RewriteCond %{HTTP_HOST} hooptie
RewriteCond %{HTTP_HOST} !^(www\.hooptie\.com)?$ [NC]
RewriteRule blahblah

for each of the non-primary domains. If there's a boss domain, it goes at the end of this list and it only requires one condition: "If, after all this, the request is for anything other than example.com, redirect."

Yes, OK, I could have expressed it as example.org, example.net, example.ca and so on. But let's be reasonable.
8:47 am on Mar 9, 2014 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I prefer to omit the [NC] flag from these rules.
8:07 pm on Mar 9, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Follow-up: I realized after posting that I omitted the crucial [NC] tags. In each ruleset, the first condition has to say

RewriteCond %{HTTP_HOST} fuzzball [NC]


It is up to you whether the second condition says
RewriteCond %{HTTP_HOST} !^(www\.fuzzball\.com)?$ [NC]

or
RewriteCond %{HTTP_HOST} !^(www\.fuzzball\.com)?$

(with or without [NC]). But the first [NC] must be present, or else requests for capitalized FUZZBALL.COM will end up at "example.com" (your last, default site).
8:43 pm on Mar 9, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



I prefer to omit the [NC] flag from these rules.

Indeed, my understanding is that on Apache the URL is only case-sensitive after the domain name.

On Windows servers the domain name is case-sensitive though.

...
5:37 am on Mar 10, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Superb Team :)
Ta!
8:22 am on Mar 10, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Actually; the domain name is identical, primary and shared, all on the same IP, only the .tld changes, so should this be;

RewriteCond %{HTTP_HOST} example\.ca
RewriteCond %{HTTP_HOST} !^(www\.example\.ca)?$
RewriteRule ^(.*)$ - [F]

RewriteCond %{HTTP_HOST} example\.org
RewriteCond %{HTTP_HOST} !^(www\.example\.org)?$
RewriteRule ^(.*)$ - [F]

RewriteCond %{HTTP_HOST} example\.net
RewriteCond %{HTTP_HOST} !^(www\.example\.net)?$
RewriteRule ^(.*)$ - [F]

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /homepage\.htm\ HTTP/
RewriteRule ^homepage\.htm$ http://www.example.com/ [R=301,L]
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
8:55 am on Mar 10, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I suspect the parked .tld code above can be condensed, but I've already tried it live. :)

When I try to view the main domain using its dedicated IP in the browser, it promptly redirects to the www.example.com url and shows the correct homepage :)

When I try to view the parked domains by their domain names, I receive my password protected pop-up, which I installed previously.

So, perhaps in my case, the extra parked domain redirect conditions and rules are redundant, and so I have deleted them from the live sites, and it all seems to function as required.

But please speak up if I'm allowing a loop-hole for bots and hackers.

If I may ask a further question about syntax for lines such as these:

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

My real domain is hyphenated, so do the hyphens require escaping thus:

RewriteCond %{HTTP_HOST} !^(www\.example\-example\.com)?$ [NC]
RewriteRule ^(.*)$ [example\-example\com...] [R=301,L]

I suspect they do, but I'm not getting a server error without them.
10:24 am on Mar 10, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Actually; the domain name is identical, primary and shared, all on the same IP, only the .tld changes, so should this be;

RewriteCond %{HTTP_HOST} example\.ca
< et cetera >

Yup. Assuming you really did mean to say [F] there!

My real domain is hyphenated, so do the hyphens require escaping

No. In Regular Expressions, literal hyphens only need to be escaped inside grouping brackets-- and even then, only in certain positions, depending on your RegEx engine. afaik, hyphens never have syntactic meaning in Apache (as blank spaces do, and literal slashes in certain mods but not mod_rewrite).

Things in Regular Expressions only require escaping if the non-escaped form has a special meaning. It's got nothing to do with ASCII or non-alphanumeric or non-web-safe or anything like that.
11:57 am on Mar 10, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thank you again Lucy :)

Looking good, thanks to everyone's help.

One final query;

I didn't mention previously, so's not to complicate matters, but my primary (live) site on the dedicated IP has two live sub-domains, which are arranged as two other "hosts" on the same dedicated IP. With their own htaccess files.

Do I need to employ any measures to safe-guard the sub-domains from being accessed by the numeric IP, rather than by their sub-dom url?

I can't think of any way they could be accessed with a browser via the numeric IP, but I'm wondering about bots and hackers accessing them in other ways I need to block?
2:58 pm on Mar 10, 2014 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



In the rules with [F] flag the ^(.*)$ pattern can be simplified to .? with no anchors or capturing.
3:39 pm on Mar 10, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thank you Sir, that will assist people reading this thread in future;

So the final form of generic code would be this:

RewriteCond %{HTTP_HOST} example\.ca
RewriteCond %{HTTP_HOST} !^(www\.example\.ca)?$
RewriteRule .? - [F]

RewriteCond %{HTTP_HOST} example\.org
RewriteCond %{HTTP_HOST} !^(www\.example\.org)?$
RewriteRule .? - [F]

RewriteCond %{HTTP_HOST} example\.net
RewriteCond %{HTTP_HOST} !^(www\.example\.net)?$
RewriteRule .? - [F]

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

A reminder what it does:

The first three rulesets are for parked .tld variants of the live domain, and they forbid (403) access to those parked domains by domain name url, and by numeric IP.

The final ruleset redirects all non-www requests to the www url version, as well as redirecting attempts to access that domain by its numeric IP to the root homepage.

PS. I'm still wondering if you Regex wizos would be able to "compress" those first three rulesets into something more economical and condensed. But I've actually not used them because I have those domain variants htaccess password protected.
4:23 pm on Mar 10, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Add [NC] tags to the first condition of each group. Your choice whether to use it on the second, definitive condition.

A reminder what it does:

... and that's what
# explanatory-comment-here

lines are for.

The three preliminary rules could theoretically be compressed into a single one, but it would become such an ugly and unpalatable rule that why bother? You'd have to capture something in the condition, and this can only be done by putting the first condition last. (You can only capture from the most recently met condition.) Using %{HTTP_HOST} in the target won't work, because the whole point was to get rid of non-standard requests.

It can be done so long as the rule ends in [F], but that's just temporary isn't it?

RewriteCond %{HTTP_HOST} example\.(ca|org|net)
RewriteCond %{HTTP_HOST} !^www\.example\.(ca|org|net)$
RewriteRule .? - [F]

I just realized you don't need the (blahblah)? element, since the whole point is that there is a named host. So no "or exactly nothing" option.

I wondered if the second condition could say
!^www\.example\.%1$

taking advantage of the parentheses in the previous condition, but for some reason this leads to an infinite loop. Can't figure out why; I just tried it on the test site. Actually I expected a 500-class error. Someone else will explain it.
5:38 pm on Mar 10, 2014 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



In Conditions you cannot have backreferences "on the right".
8:15 pm on Mar 10, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



In Conditions you cannot have backreferences "on the right".

That's what I thought, which is why I expected a 500-class error. Did it simply interpret %1 in the condition as a literal "%1"? That would explain the infinite redirect, since the condition would then always succeed.
10:19 pm on Mar 10, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thank you Lucy, I appreciate your Regex format/explanation, and experimenting too.

Colleagues here seem to have thought the no-case tags unnecessary in this case.

Yes, "temporary" but a 403 [F] is a good option for now :)
7:11 am on Mar 13, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Bearing in mind the opinions expressed in this anti-bot thread:
[webmasterworld.com...]

And that the code above redirects visits by the dedicated IP to the primary domain's homepage, (which some experts regard as risky) what would be an alternative mod_rewrite code to block (rather than redirect to the homepage) all visits from bots and humans trying to access the site through its dedicated IP?

By providing both code-sets, future readers of this thread can make their own choice which to use.
10:47 am on Mar 13, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



:: thinking ::

RewriteCond %{HTTP_HOST} ^\d+\.\d+\.\d+\.\d+$
RewriteCond %{REMOTE_ADDR} 12\.34\.56\.78
RewriteRule .? - [F]

You can replace the \d etcetera with your site's actual IP, but doing it this way keeps you covered if you change servers. The second condition is because presumably you want to exempt yourself. Replace 12.34 et cetera with your own IP.

This rule goes with your other [F] rules, which puts it long before any domain-name-related redirects you might have.

Apache doesn't recognize \h does it? It would be useful in IPv6 addresses.

:: detour to test site ::

Nope. At least not in 2.2. It reads "\h" as simply h with gratuitous escaping.
12:29 pm on Mar 13, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That was quick :)

Thank you.

Personally, I'm not looking forward to IPv6 catching on.
It's going to make my already bloated htaccess file truly replete with denied bot verbiage.
1:04 pm on Mar 13, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I tested it Lucy, but it didn't block the numeric IP:

So I removed the first slash, and it does now work:

# Ban access to site via its dedicated IP
RewriteCond %{HTTP_HOST} ^nn\.nnn\.nn\.nnn$
RewriteRule .? - [F]
1:14 pm on Mar 13, 2014 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



So I removed the first slash, and it does now work:

What first slash?
4:20 pm on Mar 13, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The first one here:

RewriteCond %{HTTP_HOST} ^\d+\.\d+\.\d+\.\d+$

Thus becoming...

RewriteCond %{HTTP_HOST} ^nn\.nnn\.nn\.nnn$

Correct?
9:04 pm on Mar 13, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Uhm, if you replaced \d with your actual numeric IP, there is no first slash! \d means [0-9]; afaik all RegEx engines recognize the form. (Also \w which for htaccess purposes means [A-Za-z0-9_].)

\n means newline, but those don't occur in ordinary Apache directives, since a request is by definition a single line.
2:33 am on Mar 14, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Whoops, apologies, I misunderstood, and took your comment;

"You can replace the \d etcetera with your site's actual IP..."

...To imply the \d etcetera was Lucy-speak instead of RegEx-speak.


However, whilst the site has a fixed dedicated IP will this line, as posted, suffice? It seemed to work ok when tested.

The nn's are replaced with my actual dedicated IP of course.

RewriteCond %{HTTP_HOST} ^nn\.nnn\.nn\.nnn$
5:35 am on Mar 14, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Yes, it's perfectly fine to use your actual numeric IP. The \d\d\d etcetera option is appropriate if you're on one of those shared-hosting setups where they move you to another server every other week* and you don't want to keep updating.


* This is a wild exaggeration. I think I've been moved twice in seven years.
7:03 am on Mar 14, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Smashing :)

Apologies for the confusion.

So, to clarify for future bods reading this; to implement Regex mod_rewrite code to BLOCK access by a site's dedicated IP of, for example; 22.22.22.22
And to allow the site-owner to access the site by their ISP's numeric IP of, for example; 12.34.56.78

The generic code;

RewriteCond %{HTTP_HOST} ^\d+\.\d+\.\d+\.\d+$
RewriteCond %{REMOTE_ADDR} 12\.34\.56\.78
RewriteRule .? - [F]


Becomes?
9:05 am on Mar 14, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Becomes?

RewriteCond %{HTTP_HOST} ^22\.22\.22\.22$

:: detour to look up ::

Oh. Defense Department. That's why I've never set eyes on them.

At this point, some form of jamais vu is liable to set in, and you need to remind yourself that
HTTP_HOST
is the site, while
REMOTE_ADDR
is the visitor.
9:22 am on Mar 14, 2014 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



This is a rule to block access.

To allow access by this IP, the pattern for %{REMOTE_ADDR} should be start and end anchored and the whole thing preceded by ! for NOT.
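
Added example (not from any poster in this thread): a small Python stand-in for mod_rewrite's condition matching, replaying two points made above: the missing [NC] on a ruleset's first condition, and the REMOTE_ADDR condition as posted versus negated and anchored. Python's `re` only approximates Apache's PCRE; the helper names, the "fuzzball rule" label and the sample client addresses are assumptions made for the example.

```python
import re

def cond_met(value, pattern, nocase=False):
    """One RewriteCond: unanchored regex search; leading '!' negates; [NC] ignores case."""
    negate = pattern.startswith("!")
    rx = re.compile(pattern[1:] if negate else pattern, re.I if nocase else 0)
    return (rx.search(value) is not None) != negate

def first_action(rules, request):
    """Action of the first rule whose conditions all hold, else 'serve'."""
    for conds, action in rules:
        if all(cond_met(request[var], pat, nc) for var, pat, nc in conds):
            return action
    return "serve"

def parked_rules(first_nc):
    # One parked-domain ruleset followed by the default-site redirect.
    # "fuzzball rule" stands in for the thread's unspecified "RewriteRule blahblah".
    return [
        ([("HTTP_HOST", r"fuzzball", first_nc),
          ("HTTP_HOST", r"!^(www\.fuzzball\.com)?$", True)], "fuzzball rule"),
        ([("HTTP_HOST", r"!^(www\.example\.com)?$", True)],
         "301 http://www.example.com/"),
    ]

def ip_block_rules(remote_addr_pattern):
    # Forbid requests whose Host header is a bare IPv4 address.
    return [([("HTTP_HOST", r"^\d+\.\d+\.\d+\.\d+$", False),
              ("REMOTE_ADDR", remote_addr_pattern, False)], "403")]

AS_POSTED = ip_block_rules(r"12\.34\.56\.78")      # no '!', no anchors
CORRECTED = ip_block_rules(r"!^12\.34\.56\.78$")   # NOT the owner, anchored

# Constructed sample requests (client addresses are illustrative).
SHOUTY    = {"HTTP_HOST": "FUZZBALL.COM", "REMOTE_ADDR": "203.0.113.9"}
OWNER     = {"HTTP_HOST": "22.22.22.22", "REMOTE_ADDR": "12.34.56.78"}
VISITOR   = {"HTTP_HOST": "22.22.22.22", "REMOTE_ADDR": "203.0.113.9"}
LOOKALIKE = {"HTTP_HOST": "22.22.22.22", "REMOTE_ADDR": "112.34.56.78"}

if __name__ == "__main__":
    print("first cond without [NC]:", first_action(parked_rules(False), SHOUTY))
    print("first cond with [NC]   :", first_action(parked_rules(True), SHOUTY))
    for name, req in (("owner", OWNER), ("visitor", VISITOR), ("lookalike", LOOKALIKE)):
        print(name, "| as posted:", first_action(AS_POSTED, req),
              "| corrected:", first_action(CORRECTED, req))
```

As posted, the rule forbids only the owner (and any address that merely contains the owner's digits); negated and anchored, it forbids everyone except the owner.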
This 35 message thread spans 2 pages: 35
 
