How to limit access to website based on specific header?
Solution 1
RewriteEngine on
RewriteCond %{HTTP:X-Developer} ^myname$
RewriteRule .? - [E=headerok]
Order deny,allow
Deny from all
Allow from env=headerok
See the mod_rewrite documentation for information about the %{HTTP} match in RewriteCond, and the E option in RewriteRule.
I assume you know that this is a weak form of security, easily spoofed by anyone who can sniff your network traffic.
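The answer above uses Apache 2.2 access directives. As an added example (not part of the original answer), the same header gate can be written for Apache 2.4 with mod_setenvif and mod_authz_core, with rejected requests logged separately. The directory path, log file names and the `devhdr` format name are assumptions.

```apache
# Added example for Apache 2.4; not from the original answer.
# Assumed names: /var/www/dev, both log file names and "devhdr" are placeholders.

# mod_setenvif: set "headerok" only when X-Developer is exactly "myname".
# Header names match case-insensitively; the value regex is case-sensitive.
SetEnvIf X-Developer "^myname$" headerok

<Directory "/var/www/dev">
    # mod_authz_core: requests without the variable get 403 Forbidden,
    # and the denial is written to the ErrorLog.
    Require env headerok
</Directory>

# Log format that records the X-Developer value the client actually sent.
LogFormat "%h %t \"%r\" %>s \"%{X-Developer}i\"" devhdr

# Keep the working log clean: accepted and rejected requests go to separate files.
CustomLog "logs/dev_access.log" devhdr env=headerok
CustomLog "logs/dev_rejected.log" devhdr env=!headerok

# Apache 2.2 form from the answer, which 2.4 accepts only with mod_access_compat:
#   Order deny,allow
#   Deny from all
#   Allow from env=headerok
```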
Solution 2
Make your Apache listen only on localhost.
Dmitri
Updated on September 18, 2022
Comments
-
Dmitri over 1 year
I am developing on my local PC, but it's set up so that it is listening on an external IP, so anyone can hit my Apache if they know the port number.
I want to implement a quick solution to prevent other developers from accessing my development PC.
This is what I want to do: I want to require that an HTTP request contains a specific custom header, and if it's not present, reject the request and ideally also log this as an error.
For example, I want to require the HTTP header x-developer with a value of 'myname'. If header x-developer is not present or the value is not 'myname', then reject the request. On the front end I will use a Chrome extension that sets custom request headers, called "Extra Headers".
How can I do this in Apache 2?
Are there any extra modules that are required for this?
-
ArgumentBargument about 10 years
Is there a reason you can't set up a firewall rule restricting access to your PC on port 80 to localhost?
-
Dmitri about 10 years
I think a firewall is even more complicated. I want to be able to hit my PC from other IPs inside our network, but requests still must send this extra header. Some requests will be routed by the corporate router to Apache running on my PC.
-
Dmitri about 10 years
To clarify, the Apache on my PC is listening to external IPs only inside our corporate network, not really accessible to the outside world, but our corporate network is huge.
-
Dmitri about 10 years
Are how would others be able to access my server then?
-
Dmitri about 10 years
I know this is not really security, something very simple. I can't password-protect my site because an internal corporate route will route certain requests to my PC.
-
ETL about 10 years
@Dmitri - you stated you did not want others to access it... check your post, you don't define this clearly. You say you don't want the other developers to access it.
-
ETL about 10 years
@Dmitri what Andrew Schulman listed there should work to do it the way you wanted. Not sure how that will allow others but not the developers to access it though... I guess "others" will set the "x-developer" header?
-
Dmitri about 10 years
Your order is wrong, should be deny,allow
-
Dmitri about 10 years
I want to be able to access it myself by from other IPs. Basically this is a measure to reduce the annoyances of having other people hitting my development server and polluting my dev log.