
I am facing a strange situation that I couldn't find a proper answer to.

I am using some kind of an API where I can send responses to certain requests from the same root domain.

My API is in a subdomain (https://api.mysite.com) and there are some client frameworks in PHP, such as

  • mysite.com
  • mobile.mysite.com
  • admin.mysite.com

I only want this API to be accessible from the same root domain. Therefore I added Access-Control-Allow-Origin headers, which are working quite well.

But the problem is, I also want to make sure that nobody can access this API, because CORS is browser-based, and I can easily access this API from other tools such as Postman.

That is why I added some code to my .htaccess so that only the same IP can access my system.

Here is my .htaccess file.

php_flag display_errors on
php_value error_reporting 9999

SetEnvIf Origin "http(s)?://(www\.)?(mysite.com|mobile.mysite.com|admin.mysite.com)$" AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header merge Vary Origin

RewriteEngine On
RewriteBase /

order allow,deny
deny from all
allow from // MY IP HERE

<RequireAny>
    Require ip allow from // MY IP HERE
</RequireAny>

RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

# DirectoryIndex none.none
# Options -Indexes

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]

But the problem is that the system blocks itself; I mean when I try to access my API with an AJAX request, I get an error like this:

Failed to load resource: the server responded with a status of 403 () 

What am I missing?

Thanks.

PS: The "Require ip allow from // MY IP HERE" line is not blocking anything at all.

2 Answers


Try something like this to allow only connections from local IP (your server's IP):

Require local 

And to authorize external IPs:

Require ip your_authorized_ip 

These are the new Apache 2.4 notations. See the Apache 2.4 Access Control docs for more detailed info/configuration.

  • Thank you for your answer. I tried it just in case, but the Require directive is not blocking requests from other clients. I am trying my AJAX requests in a program called Postman where I can see the response. It is showing the response while it shouldn't. Commented Dec 20, 2018 at 17:39
  • Are you allowing your .htaccess files to override your apache2.conf? i.e.: <Directory /var/www/path/to/api/subdomain>AllowOverride All </Directory> Commented Dec 20, 2018 at 17:54
  • Do you mean something like this: <Directory /home/mysite/api> AllowOverride All </Directory> order allow,deny deny from all allow from IP in htaccess Commented Dec 20, 2018 at 18:32
  • Yep, try to delete all inside <Directory></Directory> and replace with Require all denied. You shouldn't be able to access it anymore, and that would prove that something is wrong in your configuration or htaccess file Commented Dec 20, 2018 at 19:19
  • By using only <Directory>Require all denied</Directory> I couldn't access anything inside my subdomain. What does this tell you? Commented Dec 20, 2018 at 20:36

In case anybody is facing the same issue, thanks to @Panama Jack for the answer on SO, here is how I did it.

SetEnvIf Referer "example\.com" canpass
SetEnvIf Referer "^mobile\.example\.com" canpass2
Require env canpass
Require env canpass2

Here is the original answer.
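As an added example (not the question's or either answer's code), here is the same .htaccess intent written in Apache 2.4-only syntax, so the CORS block and the IP allowlist are no longer mixed with the 2.2-style Order/Allow/Deny directives. Keep in mind what each part can and cannot do: Require ip only describes server-to-server callers with a fixed address, and an Origin or Referer match only restricts which browser pages may call the API, since any non-browser client can send whatever headers it likes and a browser's AJAX request arrives from the end user's IP, not the site's. The hostnames and the 203.0.113.0/24 addresses are placeholders.

```apache
# Added example .htaccess for the api.mysite.com document root (Apache 2.4 only).
# Requires "AllowOverride AuthConfig" (or All) for this directory in the server config,
# otherwise the Require directives below are ignored or produce a 500.

# CORS: reflect the Origin only for the first-party hosts. The ^ anchor and the
# escaped dots mean "https://notmysite.com" or "https://mysite.com.attacker.test"
# will not match. Only https origins are accepted.
SetEnvIf Origin "^https://(www\.|mobile\.|admin\.)?mysite\.com$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin "%{AccessControlAllowOrigin}e" env=AccessControlAllowOrigin
Header merge Vary Origin

# Network allowlist in 2.4 syntax. Do not combine with "Order"/"Allow"/"Deny"
# (mod_access_compat); mixing the two access-control models gives confusing 403s.
# The addresses below are placeholders (RFC 5737 documentation range) standing in
# for the PHP front-end servers that are allowed to call the API.
<RequireAny>
    Require local
    Require ip 203.0.113.10
    Require ip 203.0.113.0/24
</RequireAny>

# Force HTTPS before routing into the front controller.
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Front controller: everything that is not a real file, directory or symlink goes to index.php.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]
```

If the API must also be reachable from end users' browsers, the IP allowlist cannot express that; the request then has to carry a credential (session cookie or token) that index.php validates, with CORS deciding which pages may make the call.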
