
I set up my .htaccess file so that only certain IP ranges can access the /admin portion of my site, as asked in this question: Deny access to URI

That works... in testing. When I tried this on my live, HTTPS-enabled site, something strange happened:

When I GET the /admin page, I receive a 403 Forbidden status code but I also get the body as if nothing happened.

How is that possible, and how do I fix it?

Here's the eventual .htaccess:

SetEnvIf Request_URI ^(?!/admin) not_admin_uri

Order deny,allow
Deny from all
Allow from 127.0.0.1
allow from 366.241.93.
allow from env=not_admin_uri

Also: if I remove the last allow rule it actually does block the request (though it then, of course, blocks all requests).

Jelle De Loecker

1 Answer


The document for the 403 status code (which was 403.shtml) did not exist, in which case Apache apparently just executes the request.

Jelle De Loecker
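An added example, not part of the original question or answer: a check for the symptom described above, a 403 status whose body still carries the protected page, so a deny rule is verified on both status and content. The local demo server, the `/admin-fixed` path, and the marker strings are constructed assumptions for illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ADMIN_BODY = b"<html><h1>Admin dashboard</h1><form id='users'></form></html>"  # constructed
ERROR_BODY = b"<html><h1>403 Forbidden</h1></html>"  # constructed

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the site: /admin reproduces the symptom
    (403 status, protected body); any other path returns a plain 403 page."""
    def do_GET(self):
        body = ADMIN_BODY if self.path == "/admin" else ERROR_BODY
        self.send_response(403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def check_denied(url, markers):
    """Return (status, leaked_markers). The deny rule only holds if the status
    is 401/403 AND none of the protected page's markers appear in the body."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(url, timeout=5) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx, but the response body is still readable.
        status, body = err.code, err.read()
    text = body.decode("utf-8", "replace")
    return status, [m for m in markers if m in text]

def run_demo():
    """Start the constructed server on a free loopback port and audit both paths."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    markers = ["Admin dashboard", "id='users'"]
    try:
        return {p: check_denied(base + p, markers) for p in ("/admin", "/admin-fixed")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, (status, leaked) in run_demo().items():
        print(path, status, "LEAK" if leaked else "ok", leaked)
```

Against a real site, call `check_denied` from an address outside the allowed ranges, with markers taken from the actual admin page.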