We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Restrict Manager by IP Addresses, without breaking CAPTCHA

    • 29635
    • 361 Posts
    The Man Can! Reply #1, 14 years, 9 months ago
    Hi all.
    Figured this might be helpful to others. In attempting to lock down all our systems as much as possible, and in seeing many old exploits being attempted in our log files, I decided to only allow MODx /manager/ access to approved IPs. A simple "deny from all" worked, but it broke CAPTCHA on our eforms, since the veriword.php is in the /manager/includes/ path.

    So... mod rewrite to the rescue. If anybody sees any issues with this code or the approach in general I’d love to know. We plan on extending/reworking this to tie into our system-wide port knocking, but that’ll be down the road.
    # =====================================================
# Allow manager access to specific IPs only
Options +FollowSymlinks
RewriteEngine On

# Deny by IP
RewriteCond %{REMOTE_ADDR} !^(123\.123\.123\.123)$
RewriteCond %{REQUEST_FILENAME} !/includes/veriword\.php$
RewriteRule ^(.*)$ ../index.php?q=$1 [L,QSA]
# =====================================================


    Just replace the RewriteEnging Off line with this bit. It seems to work well in my testing so far, but if I’ve missed anything please let me know.
      Need MODx Ecommerce? Try FoxyCart!
      • 20413
      • 2,877 Posts
      mrhaw Reply #2, 14 years, 9 months ago
      Thank you! cool
        @hawproductions | http://mrhaw.com/

        Infograph: MODX Advanced Install in 7 steps:
        http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

        Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
        http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
      • sottwell Reply #3, 14 years, 9 months ago
        I’ve had servers that returned 500 errors if RewriteEngine On was duplicated in inner .htaccess files; the one in the outermost directory turns it on for all of its descendants.
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
          • 43406
          • 15 Posts
          orionweb Reply #4, 11 years ago
          How do you allow from more than one IP?
            • 43406
            • 15 Posts
            orionweb Reply #5, 11 years ago
            I worked it out. Just repeat the below line as many time as you need one for each different IP address. Make sure to put those line one after another.

            Example:

            # =====================================================
# Allow manager access to specific IPs only
Options +FollowSymlinks
RewriteEngine On
 
# Deny by IP
RewriteCond %{REMOTE_ADDR} !^(123\.123\.123\.123)$
RewriteCond %{REMOTE_ADDR} !^(124\.124\.124\.124)$
RewriteCond %{REMOTE_ADDR} !^(125\.125\.125\.125)$
RewriteCond %{REQUEST_FILENAME} !/includes/veriword\.php$
RewriteRule ^(.*)$ ../index.php?q=$1 [L,QSA]
# =====================================================


            Got the info from http://www.netshinesoftware.com/blog/restricting-access-to-a-url-by-ip-address-using-mod-rewrite/