[polska03]

Hello I have a url (https://website.com?q=admin) that I only want to be able to be accessed if the user is from a certain ip address and it would be helpful too if they had to type in a username and password. I am a rookie when it comes to apache, I know I could use a passwd and htaccess file to block a directory or file, but have no idea how to block a specific url. The main idea is I don't want anyone to pass the admin variable ( I have a php script that asks for a password when it is passed) but I also want to add security on the web server layer. Any help would be greatly appreciated.

Cheers

[Atli]

In that situation, you'd probably be best of using mod_rewrite. For example, consider this:

RewriteEngine On
RewriteCond %{QUERY_STRING} q=admin
RewriteCond %{REMOTE_ADDR} !=67.228.133.106
RewriteRule ^(index\.(php|html?))?$ - [F]

This consists of two conditions that if pass trigger a URL rewrite rule that forbids access to the page.

The two conditions are: 1) That the query string includes a "q=admin" part, and 2) that the IP address of the client doesn't match the specified address. - If both conditions are true, then the RewriteRule is triggered, which looks for either an empty path, or an index file. If it finds it it will prevent the page from loading and it will pass a 403 HTTP status code back to the browser.

Essentially, anybody who isn't coming from that IP address and requests http://example.com/?q=admin will just receive a "Forbidden" message from their browser.

[ToshNeox]

Alternatively, if you're making some sort of administration panel, you could just use whatever language to check the user's IP.

I don't know what language you're using, but in PHP you could do:

if($_SERVER['REMOTE_ADDR'] == "123.123.123.123")  // Check their IP
{
    // Allow access
}
else
{
    // Tell them to bog off
}

This post has been edited by ToshNeox: 22 August 2012 - 09:22 AM