Acquia recommends that you try the Drupal-based IP restriction method. In addition, you can restrict IP addresses. To obtain a list of Acquia IP addresses, create a Support ticket.
If you do not need the flexibility that the Drupal IP restriction offers, the following methods require less code and, if you have only a small restriction, may be easier to maintain.
In a non-Acquia hosting environment, you can use the %{REMOTE_ADDR} variable in the .htaccess file to redirect users to Google if they’re not in the 123.456.* IP address range. This does not work on Cloud Platform because of its load balancing structure.
To carry out the redirect on Cloud Platform, use the %{ENV:AH_Client_IP} variable:
RewriteCond %{ENV:AH_Client_IP} !^123\.456\..*
RewriteRule ^ http://www.google.com [R=307,L]
For more information about blocking with .htaccess and rewrites, see Blocking access using rewrites.
Cloud Platform uses Varnish® and load balancers, causing typical access controls to not work as expected. This method is like the one detailed in Best practices on setting up an edit domain. You can use a combination of an environment variable that is present on your Cloud Platform infrastructure, AH_Client_IP, and Apache’s mod_setenvif and mod_authz_core.
You must ensure that these rules are in the section of the .htaccess file that checks that the Apache mod_rewrite module is enabled. If these rules are not present, the redirects fail.
To block a single IP, the following example sets an environment variable on the specific IP address 192.168.15.20, using mod_setenvif. You must add the following code to the top of the .htaccess file:
<IfModule mod_setenvif.c>
SetEnvIf AH_CLIENT_IP ^192\.168\.15\.20$ DENY=1
</IfModule>
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env DENY
</RequireAll>
</IfModule>
To block several IPs, the following example blocks addresses from the group 104.128.*.* and the IP address 192.168.10.10. You can specifically deny access to these two subnets and allow access to all other IPs. You must add the following code to the top of the .htaccess file:
<IfModule mod_setenvif.c>
# Match all IP addresses beginning with 104.128
SetEnvIf AH_CLIENT_IP ^104\.128\. DENY
# Match a specific IP address
SetEnvIf AH_CLIENT_IP ^192\.168\.10\.10$ DENY
</IfModule>
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env DENY
</RequireAll>
</IfModule>
All IPs in the 104.128 subnet and the IP address 192.168.10.10 get a DENY environment variable. The rules in the mod_authz_core section grant access to all requests, and then deny every request that has the DENY variable.
To restrict access and allow only certain IP addresses to reach a website, you can add the following code to the top of the .htaccess file:
# Restrict everything, only allow access to the following:
<IfModule mod_setenvif.c>
# Match all IP addresses beginning with 111.222
SetEnvIf AH_Client_Ip ^111\.222\. Allow_Host
# Match a specific IP address
SetEnvIf AH_Client_Ip ^123\.123\.11\.22$ Allow_Host
</IfModule>
<IfModule mod_authz_core.c>
<RequireAll>
Require env Allow_Host
</RequireAll>
</IfModule>
The preceding code is the opposite of the first example: it uses the Allow_Host environment variable to give only certain groups access to the website, instead of denying those groups.
If blocking by IP in .htaccess using AH_Client_IP doesn’t work, you can use the X-Forwarded-For header. The following example includes this header in the blocking rules in .htaccess:
<IfModule mod_setenvif.c>
SetEnvIf AH_CLIENT_IP ^123\.234\.123\.234$ DENY=1
SetEnvIf X-Forwarded-For 123\.234\.123\.234 DENY=1
</IfModule>
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env DENY
</RequireAll>
</IfModule>
The rule based on the X-Forwarded-For (XFF) header does not anchor the pattern at the beginning (^) or end ($). If the target string appears anywhere in the value of the XFF header, the request is blocked. However, when you use this approach, take care that the pattern does not match more broadly than intended. For example, a pattern like 12.23 matches the IP: 22.112.234.55. For optimum results, Acquia recommends that your patterns are as specific as possible.
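The over-matching risk described above can be checked before a rule is deployed. The following is an added example, not Acquia's code: it runs candidate patterns over constructed X-Forwarded-For values and builds a pattern that matches an address only as a whole entry of the header. The address 10.1.2.3, the sample headers and all function names are assumptions, and Python's re module stands in for Apache's regex engine, which behaves the same for patterns this simple.

```python
import re

# Constructed X-Forwarded-For values for illustration (not real traffic).
SAMPLE_XFF = [
    "10.1.2.3",                  # the address we intend to block
    "203.0.113.7, 10.1.2.3",     # same address, listed after another hop
    "110.1.2.30",                # different address containing the same digits
    "210.1.2.3, 198.51.100.4",
    "10.1.2.33",
    "22.112.234.55",             # the page's over-match example for "12.23"
]


def xff_entries(header):
    """Split an X-Forwarded-For value into its individual addresses."""
    return [part.strip() for part in header.split(",") if part.strip()]


def blocked(pattern, headers):
    """Headers an unanchored SetEnvIf-style pattern would match."""
    rx = re.compile(pattern)
    return [h for h in headers if rx.search(h)]


def false_positives(ip, pattern, headers):
    """Matched headers in which `ip` is not actually one of the entries."""
    return [h for h in blocked(pattern, headers) if ip not in xff_entries(h)]


def bounded_pattern(ip):
    """Pattern matching `ip` only as a complete entry: it must be preceded by
    the start of the value, a comma or whitespace, and followed by the end of
    the value, a comma or whitespace. Dots are escaped."""
    return r"(^|[,\s])" + re.escape(ip) + r"($|[,\s])"


def setenvif_line(ip):
    """Render the rule in the form used on this page (hypothetical helper)."""
    return "SetEnvIf X-Forwarded-For " + bounded_pattern(ip) + " DENY=1"


if __name__ == "__main__":
    ip = "10.1.2.3"
    print("escaped, unanchored:", false_positives(ip, r"10\.1\.2\.3", SAMPLE_XFF))
    print("bounded:", false_positives(ip, bounded_pattern(ip), SAMPLE_XFF))
    print("page's '12.23':", blocked("12.23", SAMPLE_XFF))
    print(setenvif_line(ip))
```

The generated pattern contains no literal spaces, so it can be used in a SetEnvIf line without quoting.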