Access restriction to a particular folder by IP

on 06.09.2009 16:54:09 by Markus Wolf

Hello,

I have spent the last few days trying to find a solution for this, but to no avail.

I have directories that contain IP addresses.

/171.35.110.12_some_characters
/172.30.97.4_some_other_random_characters

Now I would like to only allow access to a folder in .htaccess when the referer IP address matches the first part of the directory name.

Basically:


Order Deny,Allow
Deny from All
Allow from 171.35.110.12


I reckon it'd be a bit of an overkill if I created an entry for every possible IP address. ;)

Is it somehow possible to automate this restriction by using some sort of variables?

Something like this, to catch all existing folders:


Order Deny,Allow
Deny from All
Allow from ($REFERER_IP)


If it's possible to do it, what would the exact syntax look like?

Thanks.





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Access restriction to a particular folder by IP

on 07.09.2009 10:11:38 by Krist van Besien

On Sun, Sep 6, 2009 at 4:54 PM, Markus Wolf wrote:
> I have directories that contain IP addresses.
>
> /171.35.110.12_some_characters
> /172.30.97.4_some_other_random_characters
>
> Now I would like to only allow access to a folder in .htaccess when the referer IP address matches the first part of the directory name.

What do you actually mean with the "referer IP address". The referrer
is normally the URL of the page the URL of the current request was
found on. It will normally be hostname based, not IP. Furthermore the
referrer URL is based on a header set by the browser, so it is not a
good idea to base security on it, as it is easily manipulated.

Or maybe you want to restrict access based on client IP? That is
something different, however.



> Basically:
>
>
> Order Deny,Allow
> Deny from All
> Allow from 171.35.110.12
>
> I reckon it'd be a bit of an overkill if I created an entry for every possible IP address. ;)
>
> Is it somehow possible to automate this restriction by using some sort of variables?
>
> Something like this, to catch all existing folders:
>
>
> Order Deny,Allow
> Deny from All
> Allow from ($REFERER_IP)
>
> If it's possible to do it, what would the exact syntax look like?

Well, for starters, there is no "REFERER_IP" environment variable, and
you can't use environment variables in this way anyway.

If you want complex authentication you could do something with
RewriteRules. But could you first be more clear about what it is you
want to achieve?

Krist

--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

Re: Access restriction to a particular folder by IP

on 07.09.2009 13:15:18 by Markus Wolf

--- On Mon, 9/7/09, Krist van Besien wrote:
> What do you actually mean with the "referer IP address".

Sorry, yes, it should have said REMOTE_IP.


> Or maybe you want to restrict access based on client IP?
> That is
> something different, however.

That's what I would like to do.






Re: Access restriction to a particular folder by IP

on 07.09.2009 13:17:26 by Markus Wolf

> > What do you actually mean with the "referer IP address".
>
> Sorry, yes, it should have said REMOTE_IP.

Uhm, REMOTE_ADDR. ;)







Re: Access restriction to a particular folder by IP

on 07.09.2009 13:26:33 by Krist van Besien

On Mon, Sep 7, 2009 at 1:15 PM, Markus Wolf wrote:
>
>
> --- On Mon, 9/7/09, Krist van Besien wrote:
>> What do you actually mean with the "referer IP address".
>
> Sorry, yes, it should have said REMOTE_IP.
>
>
>> Or maybe you want to restrict access based on client IP?
>> That is
>> something different, however.
>
> That's what I would like to do.





--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?


Re: Access restriction to a particular folder by IP

on 07.09.2009 13:37:34 by Krist van Besien

On Mon, Sep 7, 2009 at 1:15 PM, Markus Wolf wrote:
>
>
> --- On Mon, 9/7/09, Krist van Besien wrote:
>> What do you actually mean with the "referer IP address".
>
> Sorry, yes, it should have said REMOTE_IP.

You can do something like that with rewrite rules. However,
RewriteRules operate on URLs, not on file paths.
If the IP addresses are also visible in the requested URL you could do
something like:

# $1 is expanded only in the TestString, so it is appended there and compared via \1
RewriteCond %{REMOTE_ADDR}#$1 !^([^#]+)#\1$
RewriteRule /(\d+\.\d+\.\d+\.\d+)_.* - [F]

Basically this captures the IP address from the URL in $1 using a
regular expression, and then uses it in the RewriteCond (remember that
RewriteRules get evaluated first, and when the URL matches the
RewriteConds get tested). In this case the rule does not do any
rewriting.

Krist

--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
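
Added example, not part of the thread: mod_rewrite expands $1 in a RewriteCond's TestString but not in its CondPattern, so where the captured address is placed decides whether the comparison works at all. This Python model evaluates both placements over constructed requests; the function names, the sample requests and the anchored form of the rule pattern are assumptions made for the illustration.

```python
import re

# Rule pattern from the thread, anchored (assumption) so it also matches in
# per-directory (.htaccess) context, where the leading slash is stripped.
RULE = re.compile(r"^/?(\d+\.\d+\.\d+\.\d+)_")

def forbidden_literal(path, remote_addr):
    # Models: RewriteCond %{REMOTE_ADDR} !$1
    # $1 is not expanded in the CondPattern, so the regex is the literal
    # "$1" (end of string, then "1"), which can never match.
    if not RULE.search(path):
        return False                      # rule does not apply
    return re.search(r"$1", remote_addr) is None   # "!" negates the match

def forbidden_backref(path, remote_addr):
    # Models: RewriteCond %{REMOTE_ADDR}#$1 !^([^#]+)#\1$
    # $1 is expanded in the TestString; \1 then demands exact equality.
    m = RULE.search(path)
    if not m:
        return False
    test_string = f"{remote_addr}#{m.group(1)}"
    return re.fullmatch(r"([^#]+)#\1", test_string) is None

# Constructed sample requests: (URL path, client address)
SAMPLES = [
    ("/171.35.110.12_abc/file.txt", "171.35.110.12"),   # matching client
    ("/171.35.110.12_abc/file.txt", "171.35.110.123"),  # longer address
    ("/171.35.110.12_abc/file.txt", "172.30.97.4"),     # different client
    ("/public/index.html", "172.30.97.4"),              # no IP in path
]

def evaluate(check):
    # True means the request would be answered with 403 Forbidden.
    return [check(path, addr) for path, addr in SAMPLES]

if __name__ == "__main__":
    for name, fn in (("literal $1", forbidden_literal),
                     ("back-reference", forbidden_backref)):
        print(f"{name:15} {evaluate(fn)}")
```

With the literal placement every request to an IP-named folder is refused, including the matching client; REMOTE_ADDR is the address of the connecting peer, so behind a reverse proxy either form compares against the proxy's address.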


Re: Access restriction to a particular folder by IP

on 07.09.2009 14:20:49 by Markus Wolf

--- On Mon, 9/7/09, Krist van Besien wrote:
> RewriteCond %{REMOTE_ADDR} !$1
> RewriteRule /(\d+\.\d+\.\d+\.\d+)_.* - [F]

Thank you very much. That seems to do the trick. I'll give that a go.
