
HTAccess Privacy for Specific IPs

Running a private site is all about preventing unwanted visitors. Here is a quick and easy way to allow access to multiple IP addresses while redirecting everyone else to a custom message page.

To do this, all you need is an HTAccess file and a list of IPs for which you would like to allow access.

Edit the following code according to the instructions below and place it in the root HTAccess file of your domain:

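# ALLOW ONLY MULTIPLE IPs
# Order/Deny/Allow are Apache 2.2-style directives; on Apache 2.4 they require mod_access_compat
<Limit GET POST PUT>
 Order Deny,Allow
 Deny from all
 Allow from 123.456.789
 Allow from 456.789.123
 Allow from 789.123.456
</Limit>
# The leading slash makes this a local URL-path; without it Apache serves the text itself as the error message
ErrorDocument 403 /path/custom-message.html
# <Files> is matched against the file name only, so no directory path is used here
<Files custom-message.html>
 Order Allow,Deny
 Allow from all
</Files>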

To prepare this code for use on your site, do these three things:

  1. Edit the three IP addresses to suit your needs. Feel free to add more IPs or remove any that aren’t needed.
  2. Edit both references to “custom-message.html” to match the path and file name of the file that will contain your custom message. This may be anything, anywhere, with any functionality you desire.
  3. That’s it. Copy/paste into your site’s root htaccess file, upload, test, and get out!

The Obligatory Break-Down

How does the magic happen? HTAccess is esoteric voodoo for sure, but that’s not going to stop us from understanding how it works. Here is the basic logic behind the operation:

  1. Deny access to everyone, then allow access only to specified IPs.
  2. Serve everyone who doesn’t have access a custom 403 message.
  3. Ensure that everyone has access to the custom 403 message.

And here is a more in-depth, non-technical explanation of the various directives:

<Limit GET POST PUT>
In the first line of our temporary redirect code, we open a <Limit> container targeting all requests to get, post, or put files to and from the server.
Order Deny,Allow
The second line then specifies the order in which the server should execute the directives that follow. It basically says, “first obey the deny rule and then obey the allow rule.”
Deny from all
The next line is the deny rule. It simply says, “deny everybody” (I get like this sometimes). At this point in the game, everyone is denied access.
Allow from 123.456.789...
The next three lines tell Apache to allow access to the specified addresses. As many or as few of these “allow” directives may be used to achieve your specific goals. Note that the directives used to this point serve as the first step of our logical sequence.
</Limit>
The fifth line simply closes the <Limit> container block.
ErrorDocument 403 /path/custom-message.html
In the sixth line, we are specifying our own customized error page. By default, a user that is denied access will see a simple error page that says something to the effect of “403 Forbidden — You do not have authorization to access the requested resource.” Not exactly encouraging. To improve this response, we specify our own customized error page and serve a much friendlier message, perhaps something like, “This is a private site, but you can contact me for more information..” Or something to that effect.
<Files path/custom-message.html>
After all that drama, the next line opens a <Files> container and exclusively targets our custom page. Note that you could omit the file path and just specify the file name, but doing so will apply the subsequent directives to any file named “custom-message.html” that exists within the directory structure. Either way, it is good practice to name your custom page something unique.
Order Allow,Deny
Again, we are specifying the order in which Apache should process the allow/deny directives.
Allow from all
This line then allows everyone access to the previously specified file. You know, the one with the inspiring, user-friendly message.
</Files>
Finally, we conclude our HTAccess redirect by closing the <Files> container. Taken together, the last four lines are basically telling the server to ignore the previous “deny everybody” directive only for the customized error page. All other pages remain strictly off-limits to anyone not on the guest list.
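
The evaluation order described in this break-down, written out as a small Python model (an added example, not code from the original article; the function names are hypothetical and the addresses are constructed from documentation ranges). It also shows that a `<Limit GET POST PUT>` block places no restriction on other request methods, which is why the Apache documentation recommends `<LimitExcept>`, or no method wrapper at all, when restricting access.

```python
import ipaddress

def matches(client, specs):
    """True if the client IP matches any spec: 'all', a single address or a CIDR range."""
    ip = ipaddress.ip_address(client)
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False) for s in specs)

def order_decision(order, allow, deny, client):
    """Simplified model of the Order directive: True when access is granted."""
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "Deny,Allow":
        # Deny rules first, then Allow; an Allow match wins, default is allow.
        return allowed or not denied
    if order == "Allow,Deny":
        # Allow rules first, then Deny; a Deny match wins, default is deny.
        return allowed and not denied
    raise ValueError(f"unsupported Order: {order}")

def limit_decision(methods, order, allow, deny, client, method):
    """Apply the rules only to methods named in <Limit>; HEAD is covered by GET."""
    effective = "GET" if method == "HEAD" else method
    if effective not in methods:
        return True  # the block does not apply, so it imposes no restriction
    return order_decision(order, allow, deny, client)

# Constructed rules mirroring the article's <Limit> block (documentation-range addresses).
SITE = dict(methods={"GET", "POST", "PUT"}, order="Deny,Allow",
            allow=["192.0.2.10", "198.51.100.0/24"], deny=["all"])
# The <Files> block that opens the custom 403 page to everyone.
ERROR_PAGE = dict(order="Allow,Deny", allow=["all"], deny=[])

def check(client, method):
    """True when the <Limit> block lets this request through."""
    return limit_decision(client=client, method=method, **SITE)

if __name__ == "__main__":
    for client, method in [("192.0.2.10", "GET"), ("198.51.100.77", "POST"),
                           ("203.0.113.5", "GET"), ("203.0.113.5", "HEAD"),
                           ("203.0.113.5", "DELETE")]:
        verdict = "passes access rules" if check(client, method) else "403"
        print(f"{client:15} {method:6} -> {verdict}")
    print("error page readable by outsider:",
          order_decision(client="203.0.113.5", **ERROR_PAGE))
```
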

The Wrap-Up

There you have it. To use this code, prepare your customized 403 document and upload to the desired location on your server. Edit the variables mentioned in the first part of this article, copy and paste to your root htaccess file, and upload to the root directory of your domain. Remember to check that everything has been done properly by using a proxy to test the redirect.

Once everything is up and running, your site will be accessible only by select visitors, while everyone else will enjoy whatever custom message you may have prepared for them.

About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.

11 responses to “HTAccess Privacy for Specific IPs”

  1. Jeff Starr 2009/10/14 8:28 am

    Interesting, Greg. Do you mean that you use the <LimitExcept> directive instead of the <Files> directive?

  2. I use <LimitExcept> instead of <Limit>, because like this, this is real restriction only to GET, POST and PUT
    So like this <LimitExcept GET POST PUT>

  3. Excellent, thank you! I assume this can be used just for a specific directory rather than a whole site, by placing the .htaccess file in that directory, correct?

  4. @Greg: I think you may want to use <Limit> instead? <LimitExcept GET POST PUT> will restrict all methods except for GET, POST, and PUT (unless I am missing something here).

  5. @lavonne: Absolutely. This technique is very flexible and can be combined with other techniques as well, including htaccess password protection.

  6. Michal Kopanski 2009/12/05 6:48 pm

    I would really like to apply this method, but when I paste the code in, I get a blank page, with whatever I place after the “ErrorDocument 403”. So for example if I left it as is [in the example], the page would be blank except for the words “path/custom-message.html”. Any thoughts on that? Anyone else get the same thing?

    I’d really appreciate some help. Thanks ahead!

  7. Hey Michal, shoot me an email to jeff at this domain with the code you are using and I will take a look..

  8. How do you allow images to be shown when using this method? No images are displayed.

  9. Hey jaffa, adding an “Allow” line for your server’s IP address usually does the trick..

  10. Hi Jeff

    Thanks for the quick reply. I tried that but it didn’t work :s

Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »