Restrict Manager by IP Addresses, without breaking CAPTCHA - My Forums

Re: Restrict Manager by IP Addresses, without breaking CAPTCHA

orionweb — Apr 22, 2013, 09:20 AM

I worked it out. Just repeat the below line as many time as you need one for each different IP address. Make sure to put those line one after another.

Example:

# =====================================================
# Allow manager access to specific IPs only
Options +FollowSymlinks
RewriteEngine On
 
# Deny by IP
RewriteCond %{REMOTE_ADDR} !^(123\.123\.123\.123)$
RewriteCond %{REMOTE_ADDR} !^(124\.124\.124\.124)$
RewriteCond %{REMOTE_ADDR} !^(125\.125\.125\.125)$
RewriteCond %{REQUEST_FILENAME} !/includes/veriword\.php$
RewriteRule ^(.*)$ ../index.php?q=$1 [L,QSA]
# =====================================================

Got the info from http://www.netshinesoftware.com/blog/restricting-access-to-a-url-by-ip-address-using-mod-rewrite/

Re: Restrict Manager by IP Addresses, without breaking CAPTCHA

orionweb — Apr 22, 2013, 09:16 AM

How do you allow from more than one IP?

Re: Restrict Manager by IP Addresses, without breaking CAPTCHA

sottwell — Jul 16, 2009, 08:42 PM

I’ve had servers that returned 500 errors if RewriteEngine On was duplicated in inner .htaccess files; the one in the outermost directory turns it on for all of its descendants.

Re: Restrict Manager by IP Addresses, without breaking CAPTCHA

mrhaw — Jul 16, 2009, 05:34 PM

Thank you!

Restrict Manager by IP Addresses, without breaking CAPTCHA

The Man Can! — Jul 16, 2009, 05:24 PM

Hi all.
Figured this might be helpful to others. In attempting to lock down all our systems as much as possible, and in seeing many old exploits being attempted in our log files, I decided to only allow MODx /manager/ access to approved IPs. A simple "deny from all" worked, but it broke CAPTCHA on our eforms, since the veriword.php is in the /manager/includes/ path.

So... mod rewrite to the rescue. If anybody sees any issues with this code or the approach in general I’d love to know. We plan on extending/reworking this to tie into our system-wide port knocking, but that’ll be down the road.

# =====================================================
# Allow manager access to specific IPs only
Options +FollowSymlinks
RewriteEngine On

# Deny by IP
RewriteCond %{REMOTE_ADDR} !^(123\.123\.123\.123)$
RewriteCond %{REQUEST_FILENAME} !/includes/veriword\.php$
RewriteRule ^(.*)$ ../index.php?q=$1 [L,QSA]
# =====================================================

Just replace the RewriteEnging Off line with this bit. It seems to work well in my testing so far, but if I’ve missed anything please let me know.