We have a server with a lot of domains. Each domain will have one or more of the following admin areas that we wish to secure by IP:
- domain.tld/admin (admin area)
- domain.tld/blog/wp-admin (WordPress admin area in blog sub-dir)
- domain.tld/wp-admin (WordPress admin area)
This is a snippet from the Apache config we use to secure all of these on all sites:
```apache
<Directory ~ "^/home/user/apache/[^/]+/public/((blog/)?wp\-)?admin">
    AllowOverride All
    Order Deny,Allow
    Deny from all
    Allow from 123.45.67.89 23.45.67.89 34.56.78.90
</Directory>
```
This restricts any of the above folders to be viewable to those IP addresses only. For most of the sites and blogs this works perfectly. However, on one small site this isn't working.
The difference I think it might be is that the `admin` folder on this site doesn't actually exist, but instead a `RewriteRule` is matched to serve that page from the index page. What's weird though is that it does block `/admin` and gives a `403` error, but it doesn't allow the IPs listed in the `Allow from` rule.
Why does the directory match and deny, but not allow? Is this expected behaviour? How can I fix this?
For locations that aren't directories, use `<Location>` instead of `<Directory>`.
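The answer's suggestion written out as configuration, as an added example that is not part of the original answer. It reuses the question's IP addresses and Apache 2.2 access directives; the URL regex and its `(/|$)` anchoring are assumptions based on the three admin paths listed in the question.

```apache
# Added example (not from the original post).
# <LocationMatch> is evaluated against the request URL path, so it applies
# whether or not a real "admin" directory exists on disk.
# Matches: /admin, /wp-admin, /blog/wp-admin and anything beneath them.
# The trailing (/|$) keeps unrelated paths such as /administrator-guide
# outside the rule.
<LocationMatch "^/((blog/)?wp-)?admin(/|$)">
    # AllowOverride is omitted on purpose: it is only valid inside
    # non-regex <Directory> sections, so it has no place here.
    Order Deny,Allow
    Deny from all
    Allow from 123.45.67.89 23.45.67.89 34.56.78.90
</LocationMatch>

# Apache 2.4 without mod_access_compat: replace the three access lines
# above with the single directive
#     Require ip 123.45.67.89 23.45.67.89 34.56.78.90

# Keep the filesystem-based block for sites where the admin area is a real
# directory. A URL rule alone does not cover every URL (alias, rewrite) that
# can map to the same files, while <Directory> protects the files themselves.
<Directory ~ "^/home/user/apache/[^/]+/public/((blog/)?wp\-)?admin">
    Order Deny,Allow
    Deny from all
    Allow from 123.45.67.89 23.45.67.89 34.56.78.90
</Directory>
```

After reloading Apache, request each admin URL once from a listed address and once from an unlisted one to confirm the expected 200 and 403 responses on both the real-directory sites and the rewritten one.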