Stopping all SSL access except 1 IP

Forum Moderators: phranque

Message Too Old, No Replies

Stopping all SSL access except 1 IP

jehoshua

1:45 am on Apr 6, 2018 (gmt 0)

At present this mod rewrite stops all access to certain files, except for my IP address


RewriteEngine on
# 
RewriteCond %{REMOTE_ADDR} !^my\.ip\.add\.res$
RewriteRule ^(wp-login|wp-register|upgrade)\.php?$ - [F]

Can this be extended so that it also stops all SSL access except my IP address ?

phranque

2:27 am on Apr 6, 2018 (gmt 0)

the SSL/TLS access is configured in the virtual host context.

Can this be extended so that it also stops all SSL access except my IP address ?

you could block all other IPs in that VirtualHost container.

lucy24

3:24 am on Apr 6, 2018 (gmt 0)

so that it also stops all SSL access

Did you mean
-- all access to selected files, whether http or https
or did you mean
-- everyone except you is redirected to http all the time
?

Is this your own server or is it happening in htaccess? The exact wording of the quoted RewriteRule (without leading / slash) suggests it's either in htaccess or in a <Directory> section

jehoshua

5:47 am on Apr 6, 2018 (gmt 0)

the SSL/TLS access is configured in the virtual host context.

It seems I would need access to httpd.conf file, which I don't have access to.

Did you mean
-- all access to selected files, whether http or https
or did you mean
-- everyone except you is redirected to http all the time
?

I wanted to leave the current rules in .htaccess , and then add a rule to disallow everyone HTTPS access, except my IP. Basically ...

My IP - SSL/HTTP/HTTPS plus access to all files - no restrictions
Not my IP - NO access to those 3 files and no HTTPS access at all.

Is this your own server or is it happening in htaccess? The exact wording of the quoted RewriteRule (without leading / slash) suggests it's either in htaccess or in a <Directory> section

It's happening in .htaccess , not my own server

phranque

8:35 am on Apr 6, 2018 (gmt 0)

It seems I would need access to httpd.conf file, which I don't have access to.

actually you could still do this in the .htaccess file.

create a mod_rewrite ruleset and add it before the typical .htaccess redirects:
- if the request is on the secure port (typically port 443)
- and the requesting IP is not yours
- use the [F] flag to return a 403 Forbidden response.

lucy24

6:48 pm on Apr 6, 2018 (gmt 0)

Unusual, certainly. Your server listens on port # 443, and you have a security certificate, but nobody except you is allowed to use it? You could incorporate it into your existing domain-name-canonicalization redirect:

RewriteCond %{REMOTE_ADDR} !your-ip-here
RewriteCond %{HTTPS} on [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.com$
RewriteRule (.+) http://www.example.com/$1 [R=301,L]

(Check before cutting-and-pasting, because that was off the top of my head and phranque will probably spot a typo.) This version generates a redirect from HTTPS to HTTP--the opposite of the usual pattern. If, instead, you wanted to flat-out deny anyone making an HTTPS request (why?!) you'd need two separate rules.

Depending on what else is happening on your site--it won't work in all situations--you could also have a preliminary rule saying

RewriteCond %{REMOTE_ADDR} your-ip-here
RewriteRule . - [L]

and then any & all subsequent rules will apply only to !you visitors. But, again, this isn't a viable approach for all sites.