
Restricting website access

Industry security standards and audit requirements may call for high-level security tuning of a public Drupal website. There are several ways to do this, including adding a module to your website or configuring IP restrictions in Drupal itself. You may also want to block particular IP addresses because of attacks or other problems.

Alternate use cases

If you don’t need the flexibility that Drupal’s IP restriction offers, there are approaches that require less code and, for a small set of restrictions, may be easier to maintain.

Redirecting users outside an IP address range with .htaccess

In a non-Acquia hosting environment, you can use the %{REMOTE_ADDR} variable in the .htaccess file to redirect users to Google if they’re not in the 123.456.* IP address range. This doesn’t work on Acquia Cloud because of its load balancing structure.

To carry out the redirect on Acquia Cloud, use the %{ENV:AH_Client_IP} variable:

# Clients whose address is outside the 123.456.* range (the page's placeholder range) ...
RewriteCond %{ENV:AH_Client_IP} !^123\.456\..*
# ... are sent to Google with a temporary (307) redirect
RewriteRule .* http://www.google.com/ [R=307,L]

For more information about blocking with .htaccess and rewrites, see Blocking access using rewrites.

Blocking by IP with mod_rewrite

Acquia Cloud uses Varnish® and load balancers, so typical access controls don’t work as expected. This method is like the one detailed in Best practices on setting up an edit domain: it combines an environment variable that’s present on your Acquia Cloud server, AH_Client_IP, with Apache’s mod_setenvif.

Make sure these rules are placed inside the section that checks whether the Apache mod_rewrite module is enabled; if it isn’t, these redirects will fail.

If you want to block a single IP, the following example sets an environment variable on the specific IP address 192.168.15.20, using mod_setenvif:

<IfModule mod_setenvif.c>
# Tag requests from this single address with the DENY variable
SetEnvIf AH_CLIENT_IP ^192\.168\.15\.20$ DENY=1
Order allow,deny
Allow from all
Deny from env=DENY
</IfModule>

If you want to block several IPs, the following example blocks addresses from the group 104.128.*.* and the single IP address 192.168.10.10. It denies access to that range and that address while allowing access to all other IPs:

<IfModule mod_setenvif.c>
# Match all IP addresses beginning with 104.128
SetEnvIf AH_CLIENT_IP ^104\.128\. Deny_Host
# Match a specific IP address
SetEnvIf AH_CLIENT_IP ^192\.168\.10\.10$ Deny_Host
Order allow,deny
Allow from all
Deny from env=Deny_Host
</IfModule>

All addresses in the 104.128 range and the address 192.168.10.10 are tagged with the Deny_Host environment variable. The access rules first allow everyone, then deny any request that carries Deny_Host.

To restrict access and allow only certain IP addresses to reach a website, you can use code like the following:

<IfModule mod_setenvif.c>
# Match all IP addresses beginning with 104.128
SetEnvIf AH_CLIENT_IP ^104\.128\. Allow_Host
# Match a specific IP address
SetEnvIf AH_CLIENT_IP ^192\.168\.10\.10$ Allow_Host
Order deny,allow
Deny from all
Allow from env=Allow_Host
</IfModule>

The preceding block is the inverse of the earlier example: it uses the Allow_Host variable to grant access only to the listed addresses, instead of denying them.

Using XFF headers to block by IP address

If blocking by IP in .htaccess using AH_Client_IP doesn’t work, you can use the X-Forwarded-For header. The following example includes this header in the blocking rules in .htaccess:

Important

Due to easily spoofed headers, this method is much less reliable than the other methods described on this webpage.

<IfModule mod_setenvif.c>
# Anchored match on the balancer-supplied client address
SetEnvIf AH_CLIENT_IP ^123\.234\.123\.234$ DENY=1
# Unanchored match anywhere in the X-Forwarded-For header value
SetEnvIf X-Forwarded-For 123\.234\.123\.234 DENY=1
Order allow,deny
Allow from all
Deny from env=DENY
</IfModule>

The X-Forwarded-For rule uses a pattern without the ^ and $ anchors, so the request is blocked if the address appears anywhere in the header value. With a subnet pattern such as 123.234. this can produce false positives, because that substring can occur inside a different address or in another proxy’s entry in the list.

If everything works as it should (assuming an attacker isn’t spoofing IP addresses), the actual source IP typically appears in the XFF header.
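As an added illustration (this is not part of the Acquia page or its .htaccess), the following Python models how SetEnvIf tags a request and how Order/Allow/Deny turns those tags into an access decision, then runs the page’s own regexes (the single-address block, the allow-list from the earlier section, and the unanchored X-Forwarded-For subnet pattern) over a few constructed requests. The request values, request ids and function names are assumptions made for the example; the patterns are the page’s.

```python
import re

# Constructed sample requests (not real traffic). Each carries the value the
# balancer would expose as AH_Client_IP plus an X-Forwarded-For header; the
# addresses are the page's placeholders plus two documentation ranges.
SAMPLE_REQUESTS = [
    {"id": 1, "AH_Client_IP": "123.234.123.234", "X-Forwarded-For": "123.234.123.234"},
    {"id": 2, "AH_Client_IP": "10.123.234.7", "X-Forwarded-For": "10.123.234.7, 203.0.113.9"},
    {"id": 3, "AH_Client_IP": "104.128.5.6", "X-Forwarded-For": "104.128.5.6"},
    {"id": 4, "AH_Client_IP": "198.51.100.20", "X-Forwarded-For": "198.51.100.20"},
]


def env_flags(request, rules):
    """Model of a list of SetEnvIf lines: (attribute, regex, variable name).

    SetEnvIf matches the regex anywhere in the attribute's value, so a pattern
    is only anchored when it carries ^ and $ itself; re.search reproduces that.
    """
    flags = set()
    for attribute, pattern, variable in rules:
        if re.search(pattern, request.get(attribute, "")):
            flags.add(variable)
    return flags


def access_decision(order, allow_source, deny_source, flags):
    """Model of Order/Allow/Deny with 'from all' (None) or 'from env=NAME' sources.

    Returns True when the request is permitted.
    """
    allow_match = allow_source is None or allow_source in flags
    deny_match = deny_source is None or deny_source in flags
    if order == "allow,deny":
        # An Allow must match first; a matching Deny then rejects; unmatched is denied.
        return allow_match and not deny_match
    if order == "deny,allow":
        # A matching Deny rejects unless an Allow also matches; unmatched is permitted.
        return allow_match or not deny_match
    raise ValueError("unknown Order: %s" % order)


# Rule sets mirroring the page's .htaccess blocks (assumed variable names).
# Single address, anchored on AH_Client_IP.
BLOCK_ONE_IP = [("AH_Client_IP", r"^123\.234\.123\.234$", "DENY")]
# The same block with the page's unanchored X-Forwarded-For line added.
BLOCK_XFF = BLOCK_ONE_IP + [("X-Forwarded-For", r"123\.234\.123\.234", "DENY")]
# A subnet pattern on X-Forwarded-For without anchors: the false-positive case.
BLOCK_XFF_SUBNET = [("X-Forwarded-For", r"123\.234\.", "DENY")]
# The same subnet pattern anchored at the start of AH_Client_IP, for comparison.
BLOCK_AH_SUBNET = [("AH_Client_IP", r"^123\.234\.", "DENY")]
# The page's allow-list block.
ALLOW_LIST = [
    ("AH_Client_IP", r"^104\.128\.", "Allow_Host"),
    ("AH_Client_IP", r"^192\.168\.10\.10$", "Allow_Host"),
]


def denylist_decisions(rules):
    """Order allow,deny / Allow from all / Deny from env=DENY, keyed by request id."""
    return {
        r["id"]: access_decision("allow,deny", None, "DENY", env_flags(r, rules))
        for r in SAMPLE_REQUESTS
    }


def allowlist_decisions(rules=ALLOW_LIST):
    """Order deny,allow / Deny from all / Allow from env=Allow_Host, keyed by request id."""
    return {
        r["id"]: access_decision("deny,allow", "Allow_Host", None, env_flags(r, rules))
        for r in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for name, rules in [
        ("single IP", BLOCK_ONE_IP),
        ("XFF single IP", BLOCK_XFF),
        ("XFF subnet (unanchored)", BLOCK_XFF_SUBNET),
        ("AH_Client_IP subnet (anchored)", BLOCK_AH_SUBNET),
    ]:
        print(name, denylist_decisions(rules))
    print("allow-list", allowlist_decisions())
```

Request 2 is the case the page warns about: its client address 10.123.234.7 is outside 123.234.*, yet the unanchored X-Forwarded-For subnet pattern finds the substring 123.234. inside it and blocks the request, while the anchored AH_Client_IP pattern does not. The allow-list run shows that with Order deny,allow and Deny from all, only request 3 (in the 104.128 range) gets through.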

Note

You can’t be sure of the IP address’s position in the header, because its position varies with the proxies’ or balancers’ configuration.