HTAccess Privacy for Specific IPs

Running a private site is all about preventing unwanted visitors. Here is a quick and easy way to allow access to multiple IP addresses while redirecting everyone else to a custom message page.

To do this, all you need is an HTAccess file and a list of IPs for which you would like to allow access.

Edit the following code according to the instructions below and place it in the root HTAccess file of your domain:

# ALLOW ONLY MULTIPLE IPs
<Limit GET POST PUT>
 Order Deny,Allow
 Deny from all
 Allow from 123.456.789
 Allow from 456.789.123
 Allow from 789.123.456
</Limit>
ErrorDocument 403 path/custom-message.html
<Files path/custom-message.html>
 Order Allow,Deny
 Allow from all
</Files>

To prepare this code for use on your site, do these three things:

  1. Edit the three IP addresses to suit your needs. Feel free to add more IPs or remove any that aren’t needed.
  2. Edit both instances of “path/custom-message.html” to match the path and file name of the file that will contain your custom message. This may be anything, anywhere, with any functionality you desire.
  3. That’s it. Copy/paste into your site’s root htaccess file, upload, test, and get out!

The Obligatory Break-Down

How does the magic happen? HTAccess is esoteric voodoo for sure, but that’s not going to stop us from understanding how it works. Here is the basic logic behind the operation:

  • First deny access to everyone, then allow access only to the specified addresses.
  • Serve everyone who doesn’t have access a customized 403 (Forbidden) message.
  • Ensure that everyone has access to the customized 403 (Forbidden) message.

And here is a more in-depth, non-technical explanation of the various directives:

<Limit GET POST PUT>
In the first line of our temporary redirect code, we open a <Limit> container targeting all requests to get, post, or put files to and from the server.
Order Deny,Allow
The second line then specifies the order in which the server should evaluate the directives that follow. It basically says, “first obey the deny rule and then obey the allow rule.”
Deny from all
The next line is the deny rule. It simply says, “deny everybody” (I get like this sometimes). At this point in the game, everyone is denied access.
allow from 123.456.789...
The next three lines tell Apache to allow access to the specified addresses. As many or as few of these “allow” directives may be used to achieve your specific goals. Note that the directives used to this point serve as the first step of our logical sequence.
</Limit>
The fifth line simply closes the <Limit> container block.
ErrorDocument 403 path/custom-message.html
In the sixth line, we are specifying our own customized error page. By default, a user that is denied access will see a simple error page that says something to the effect of “403 Forbidden — You do not have authorization to access the requested resource.” Not exactly encouraging. To improve this response, we specify our own customized error page and serve a much friendlier message, perhaps something like, “This is a private site, but you can contact me for more information.” Or something to that effect.
<Files path/custom-message.html>
After all that drama, the next line opens a <Files> container and exclusively targets our custom page. Note that you could omit the file path and just specify the file name, but doing so will apply the subsequent directives to any file named “custom-message.html” that exists within the directory structure. Either way, it is good practice to name your custom page something unique.
Order Allow,Deny
Again, we are specifying the order in which Apache should process the allow/deny directives.
Allow from all
This line then allows everyone access to the previously specified file. You know, the one with the inspiring, user-friendly message.
</Files>
Finally, we conclude our HTAccess redirect by closing the <Files> container. Taken together, the last four lines are basically telling the server to ignore the previous “deny everybody” directive only for the customized error page. All other pages remain strictly off-limits to anyone not on the guest list.
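
Order, Deny and Allow are deprecated as of Apache 2.4 in favor of Require (they remain available only through mod_access_compat), and a rule placed inside <Limit GET POST PUT> does not apply to request methods outside that list. The following added example, which is not code from the original article, expresses the same allow-only-these-IPs policy without <Limit> for both Apache 2.4 and 2.2; the addresses are documentation ranges and the error-page path is a placeholder.

```apache
# Added example, not from the original article.
# Addresses are documentation ranges (RFC 5737 / RFC 3849);
# /path/custom-message.html is a placeholder for your own page.

# A local error document is given as a URL-path starting with "/"
ErrorDocument 403 /path/custom-message.html

# Apache 2.4+: mod_authz_core
<IfModule mod_authz_core.c>
    # Several Require lines at the same level are ORed:
    # a request matching any one of them is granted.
    # No <Limit> wrapper, so the rule covers every request method.
    Require ip 192.0.2.10
    Require ip 198.51.100.0/24
    Require ip 2001:db8::/32

    # Keep the 403 page itself reachable by everyone.
    # <Files> matches on the file name (last path component).
    <Files "custom-message.html">
        Require all granted
    </Files>
</IfModule>

# Apache 2.2: legacy directives, same policy without <Limit>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.10
    Allow from 198.51.100.0/24

    <Files "custom-message.html">
        Order Allow,Deny
        Allow from all
    </Files>
</IfModule>
```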

The Wrap-Up

There you have it. To use this code, prepare your customized 403 document and upload to the desired location on your server. Edit the variables mentioned in the first part of this article, copy and paste to your root htaccess file, and upload to the root directory of your domain. Remember to check that everything has been done properly by using a proxy to test the redirect. Once everything is up and running, your site will be accessible only by select visitors, while everyone else will enjoy whatever custom message you may have prepared for them.