Forum Moderators: phranque

Stop public access to various files

         

jehoshua

5:57 am on Dec 9, 2014 (gmt 0)




There is the following code in .htaccess

RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^my\.ip\.add\.ress$
RewriteRule ^(login|or-here|or-here-either)\.php?$ - [F]


How can I extend this, to also stop any SSL access? There is SSL available, but not for the public.

lucy24

7:10 am on Dec 9, 2014 (gmt 0)




Are you talking about blocking https requests (for some reason, there are at least three different ways to express this in mod_rewrite) from everything except selected IPs?

It's also possible you are going about this backward. If you've got areas of your site that you don't want anyone but yourself and select friends & relatives to visit, why not deny it to everyone and then poke holes for the visitors you do want? Exact mechanism will depend partly on Apache version.

Incidentally, what is \.php?$ intended to mean? What it actually does mean is "requests for these specific named URLs, each one ending optionally in either 'php' or 'ph'" -- but I don't think that's what you intended. If the intent was to say something about the query string, you don't need to mention it; mod_rewrite ignores it by default. A query string isn't considered part of the URL path given in the body of a rule.

jehoshua

10:59 pm on Dec 9, 2014 (gmt 0)




Are you talking about blocking https requests (for some reason, there are at least three different ways to express this in mod_rewrite) from everything except selected IPs?


Yes, that is correct. Only one IP can access https, and that is my IP address.

Incidentally, what is \.php?$ intended to mean?


What the following rule does ..

RewriteRule ^(login|or-here|or-here-either)\.php?$ - [F]


is deny access to the following files ..

login.php
or-here.php
or-here-either.php

and that currently works just fine. All I need to do now, is in addition to denying access to those 3 files, I want to deny https access to everyone, EXCEPT my IP address.

phranque

12:13 am on Dec 10, 2014 (gmt 0)




you could use an additional ruleset:
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{REMOTE_ADDR} !^my\.ip\.add\.ress$
RewriteRule .* - [F]


(assuming your secure server is listening to port 443)

lucy24

12:32 am on Dec 10, 2014 (gmt 0)




Edit: Dang, phranque, are you detecting every open tab I've got? ;)
What the following rule does ..

I was referring specifically to the quoted part, with particular reference to the seemingly gratuitous question mark. If it sneaked in by mistake, just get rid of it and save yourself a byte and save the server some work ("Oh, I see, that 'p' I just met was optional. Well, too late to do anything about it now.")

Since there are several ways to express HTTPS in mod_rewrite, there are several possible rulesets. They all come down to

RewriteCond %{something-defining-https-here} some-value-here
RewriteCond %{REMOTE_ADDR} !^12\.34\.12\.34$
(that is, your own IP)
RewriteRule (^|/|\.html)$ - [F]


For "html" substitute whatever extension your site actually uses. The purpose of this part is to save the server from having to evaluate conditions on every single request; presumably you don't care about requests for images, stylesheets and so on. List the two conditions in order of most-likely-to-fail based on your own knowledge of the site. (This ordering has no effect on rule execution. It's just to let the server get out of there a nanosecond sooner.)

For the defining-https part you can say
%{HTTPS} on

or
%{SERVER_PORT} 443
(or whatever port number your server uses for secure requests)
or
%{SERVER_PROTOCOL} https

or
... I think there are even a couple more that I can't remember at the moment. You probably don't need
%{SSL:variable-name} some-exact-value

if it's a simple "let me in, block everyone else".

But wait! Whom do you expect to see making those https requests? If you're expecting only malign robots, then [F] is the right way to go. But if you think legitimate humans or search engines might make the request, then you should instead capture the requested URL and redirect to the identical URL using http://

jehoshua

4:24 am on Dec 10, 2014 (gmt 0)




you could use an additional ruleset:
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{REMOTE_ADDR} !^my\.ip\.add\.ress$
RewriteRule .* - [F]


Thanks, I will use that condition for the https. I may not have explained it that well ..

1. My IP - okay, can do anything
2. NOT my IP
- try to access 3 files - fail/error
- OR use https - fail/error
- ELSE access the website

Incidentally, what is
\.php?$


I was following this post [webmasterworld.com]. But I can see now the format should be different. Okay thanks for your help. Will this work properly ..

RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^my\.ip\.add\.ress$
RewriteCond %{REQUEST_FILENAME} ^(login|or-here|or-here-either)\.php$ [OR]
RewriteCond %{SERVER_PORT} ^443$
RewriteRule .* - [F]

Kinda messy though. I didn't know how to specify an "OR" condition after one rule. Am reading up on the [S] flag.

lucy24

7:35 am on Dec 10, 2014 (gmt 0)




I didn't know how to specify an "OR" condition after one rule.

An [OR] flag behaves essentially the same as a pipe in a single-line Regular Expression. More than two OR conditions can be chained. So for example

RewriteCond %{SOMETHING} one [OR]
RewriteCond %{OTHERTHING} two [OR]
RewriteCond %{THIRDTHING} three
RewriteCond %{LASTTHING} four
RewriteRule blahblah

Means, structurally,
IF ((one OR two OR three) AND four)
The default, implied connector is AND. It is overridden by explicit OR. Be sure never to append [OR] to the final condition in a ruleset, or your server will explode. When you're using [OR], list the rules in order of most-likely-to-succeed. (The opposite of a default AND.)

OR is inclusive, not exclusive: "At least one item in this set."

Kinda messy though.

Honestly I think it would be simpler to maintain two separate rules. One is the rule you started out with: "block access to these three named files from everyone but me". The other, subsequent rule says: "block access to ALL https/ssl requests from everyone but me".

I was following this post

phranque! Hay-ulp! Can you figure out what went wrong? I get the Report A Problem screen instead (my added line breaks):

http://www.webmasterworld.com/r.cgi?f=92&d=4720632
&url=http://www.webmasterworld.com/postv5.cgi
?action=report&forum=92&discussion=4330904&id=4330939


:: manual copy-and-paste leading to [webmasterworld.com...] ::

Oh, I see. The referenced post (which I didn't immediately realize was also yours) started out saying \.html?$ because it wasn't clear whether the extensions were ".html" or ".htm", so the ell had to be optional. There's nothing optional about ".php".


Edit: Don't bother with the [S] flag unless your name is J.D. Morgan. It's just another thing to keep track of. It may be worth the bother if you have a whole wad of rules to bypass-- but at that point you might as well say at the beginning, before all other rules,

RewriteCond %{REMOTE_ADDR} ^12\.23\.34\.45$
RewriteRule .? - [L]


which basically means "The rules don't apply to me".

Which reminds me... If you have RewriteRules leading to a 403 lockout, and you have a custom 403 page, make sure you have a rule at the very beginning of all your RewriteRules that says simply

RewriteRule ^forbidden\.html - [L]


substituting the actual URL of your 403 page. Otherwise you get an infinite loop.

:: irritably thinking that this post would have required a lot less editing if only the cat could sleep somewhere else ::
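
The two-separate-rules layout recommended in the last post, written out in full as an added example (not code posted by anyone in the thread). The address 203.0.113.10 is a placeholder for the admin IP and forbidden.html is a hypothetical custom 403 page; the file is assumed to be the .htaccess in the site root.

```apache
# Added example for a root-level .htaccess.
# 203.0.113.10 = placeholder admin IP, forbidden.html = hypothetical 403 page.
ErrorDocument 403 /forbidden.html
RewriteEngine on

# 1. Let the custom 403 page through untouched. Without this, a blocked
#    HTTPS visitor is forbidden from fetching the 403 page as well, and
#    the server loops on its own error document.
RewriteRule ^forbidden\.html$ - [L]

# 2. Block the three named scripts for everyone except the admin IP.
#    In .htaccess the pattern is matched against the URL path relative to
#    this directory (no leading slash, no query string). Note "\.php$",
#    not "\.php?$": the trailing "p" is not optional.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^(login|or-here|or-here-either)\.php$ - [F]

# 3. Block every HTTPS request for everyone except the admin IP.
#    Conditions without [OR] are ANDed: HTTPS is on AND the client is
#    not the admin. %{SERVER_PORT} ^443$ works too if TLS is on port 443.
RewriteCond %{HTTPS} on
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^ - [F]
```

Behind a reverse proxy or CDN, %{REMOTE_ADDR} holds the proxy's address rather than the visitor's, so check what the server actually sees before relying on the allow-list. A quick check is to request one of the three scripts and any HTTPS URL from a non-admin address and confirm both return 403 while plain HTTP pages still load.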