Welcome to WebmasterWorld Guest from 54.166.172.33

Forum Moderators: Ocean10000 & incrediBILL & phranque

Stopping all SSL access except 1 IP

     
1:45 am on Apr 6, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 15, 2004
posts: 81
votes: 0


At present this mod rewrite stops all access to certain files, except for my IP address


RewriteEngine on
#
RewriteCond %{REMOTE_ADDR} !^my\.ip\.add\.res$
RewriteRule ^(wp-login|wp-register|upgrade)\.php?$ - [F]


Can this be extended so that it also stops all SSL access except my IP address ?
2:27 am on Apr 6, 2018 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11235
votes: 126


the SSL/TLS access is configured in the virtual host context.

Can this be extended so that it also stops all SSL access except my IP address ?

you could block all other IPs in that VirtualHost container.
3:24 am on Apr 6, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14599
votes: 595


so that it also stops all SSL access
Did you mean
-- all access to selected files, whether http or https
or did you mean
-- everyone except you is redirected to http all the time
?

Is this your own server or is it happening in htaccess? The exact wording of the quoted RewriteRule (without leading / slash) suggests it's either in htaccess or in a <Directory> section
5:47 am on Apr 6, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 15, 2004
posts: 81
votes: 0


the SSL/TLS access is configured in the virtual host context.


It seems I would need access to httpd.conf file, which I don't have access to.

Did you mean
-- all access to selected files, whether http or https
or did you mean
-- everyone except you is redirected to http all the time
?


I wanted to leave the current rules in .htaccess , and then add a rule to disallow everyone HTTPS access, except my IP. Basically ...

My IP - SSL/HTTP/HTTPS plus access to all files - no restrictions
Not my IP - NO access to those 3 files and no HTTPS access at all.

Is this your own server or is it happening in htaccess? The exact wording of the quoted RewriteRule (without leading / slash) suggests it's either in htaccess or in a <Directory> section


It's happening in .htaccess , not my own server
8:35 am on Apr 6, 2018 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11235
votes: 126


It seems I would need access to httpd.conf file, which I don't have access to.

actually you could still do this in the .htaccess file.

create a mod_rewrite ruleset and add it before the typical .htaccess redirects:
- if the request is on the secure port (typically port 443)
- and the requesting IP is not yours
- use the [F] flag to return a 403 Forbidden response.
6:48 pm on Apr 6, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14599
votes: 595


Unusual, certainly. Your server listens on port # 443, and you have a security certificate, but nobody except you is allowed to use it? You could incorporate it into your existing domain-name-canonicalization redirect:
RewriteCond %{REMOTE_ADDR} !your-ip-here
RewriteCond %{HTTPS} on [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.com$
RewriteRule (.+) http://www.example.com/$1 [R=301,L]
(Check before cutting-and-pasting, because that was off the top of my head and phranque will probably spot a typo.) This version generates a redirect from HTTPS to HTTP--the opposite of the usual pattern. If, instead, you wanted to flat-out deny anyone making an HTTPS request (why?!) you'd need two separate rules.

Depending on what else is happening on your site--it won't work in all situations--you could also have a preliminary rule saying
RewriteCond %{REMOTE_ADDR} your-ip-here
RewriteRule . - [L]
and then any & all subsequent rules will apply only to !you visitors. But, again, this isn't a viable approach for all sites.