-2

I need to deny access to all users except 127.0.0.1 to one of my PHP files. I've tried using the following snippet in my .htaccess file:

<Files /file.php>
    Order deny,allow
    Allow from 127.0.0.1
    Deny from all
</Files>

…but that isn't working, so I'm looking for a solution without .htaccess. Preferably I want a snippet that I can insert at the top of the page to determine whether the user is localhost or not. If they are not, it will send a 403 error and stop the page from continuing. How could I write such a thing?

icktoofay
user3462992

4 Answers

1

Try this.

Place this on top of the PHP file which you want to protect.

if($_SERVER['REMOTE_ADDR'] !== '127.0.0.1'){
     header('HTTP/1.0 403 Forbidden');
     echo 'You are not authorized to view this page';
     exit();
}

You can also do this by using .htaccess.

<Files "file.php">
    ErrorDocument 403 /html_file_that_displays_403_message.html
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Files>
Jay Bhatt
0

You can use $_SERVER['REMOTE_ADDR'] like this:

<?php
if ($_SERVER['REMOTE_ADDR'] != '127.0.0.1')
{
    http_response_code(403);
    echo 'Access denied';
    exit;
}

According to this answer, it's safe to trust this variable. Some sites suggest also checking HTTP_X_FORWARDED_FOR. This might, however, be uncalled for in your case - this header is used by proxies to determine the original IP and can be easily counterfeited. REMOTE_ADDR is, on the other hand, added by Apache (nginx) and its value holds the exact IP address that the connection was made from.

You should probably rethink your approach. Instead of firewalling access to that file, you might want to add some kind of authorization, using, for example, HTTP Digest. This allows you to limit the access to people rather than hosts.

Community
rr-
0

Try this at the top of your file:

// Compare the two addresses directly; "!$a == $b" negates $a first and never matches.
if ($_SERVER['SERVER_ADDR'] != $_SERVER['REMOTE_ADDR']){
   header('No Remote Access Allowed', true, 400);
   exit;
}
Tanatos
0
<?php
if ($_SERVER['REMOTE_ADDR'] != '127.0.0.1'){
header('HTTP/1.0 403 Forbidden');?>
<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>403 Forbidden</title>
</head>
<body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access this page on this server.</p>
</body>
</html>
<?php
    exit; // stop here so the rest of the protected page is not sent after the 403
}?>
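
The answers above compare REMOTE_ADDR with the single string '127.0.0.1', so a local request that arrives over IPv6 (REMOTE_ADDR of ::1) or as an IPv4-mapped address is rejected. The following is an added example, not code from any of the answers, that accepts every loopback form and still ignores X-Forwarded-For; the function names `is_loopback_address` and `require_loopback` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answers. True only for a loopback peer:
// 127.0.0.0/8, ::1, or IPv4-mapped loopback (::ffff:127.x.x.x).
function is_loopback_address(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;                 // not an IP literal (e.g. a hostname)
    }
    $bin = inet_pton($ip);            // 4 bytes for IPv4, 16 for IPv6
    if ($bin === false) {
        return false;
    }
    if (strlen($bin) === 4) {
        return ord($bin[0]) === 127;  // anywhere in 127.0.0.0/8
    }
    if ($bin === str_repeat("\0", 15) . "\x01") {
        return true;                  // ::1
    }
    // ::ffff:a.b.c.d: judge the embedded IPv4 address
    $mapped = str_repeat("\0", 10) . "\xff\xff";
    return substr($bin, 0, 12) === $mapped && ord($bin[12]) === 127;
}

// Guard for the top of the protected file (function name is hypothetical).
function require_loopback(array $server): void
{
    // Only the TCP peer address is consulted; X-Forwarded-For is ignored
    // because the client controls it.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    if (!is_loopback_address($peer)) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        echo 'Forbidden';
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed sample peers, printed to show the decision for each.
    $samples = ['127.0.0.1', '127.0.0.53', '::1', '::ffff:127.0.0.1',
                '192.0.2.10', '::ffff:192.0.2.10', 'localhost'];
    foreach ($samples as $sample) {
        printf("%-18s %s\n", $sample, is_loopback_address($sample) ? 'allow' : '403');
    }
} else {
    require_loopback($_SERVER);
}
```

If an HTTP reverse proxy on the same host forwards requests to this server, every request arrives with a loopback REMOTE_ADDR and this check lets all of them through; in that setup the restriction has to be enforced at the proxy.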