Tyler Muth’s Blog

Technology with a focus on Oracle, Application Express and Linux

mod_rewrite and APEX part 2

Posted by Tyler Muth on August 13, 2008

Here’s another Apache mod_rewrite example that I would love to get some feedback on from the community.

RewriteCond %{REQUEST_URI}%{QUERY_STRING} !/pls/(apex|builder)/f?p=4155:.*
RewriteCond %{REQUEST_URI}%{QUERY_STRING} /pls/(apex|builder)/f?p=(4[0-9]{3}:.*)
RewriteCond %{REMOTE_ADDR}        !^(127\.0\.0\.1|192\.168\.1\.[0-9]{1,3})$
RewriteRule /pls/(apex|builder)/ - [F]

  1. Any request for a 4000 series application (the APEX dev environment), other than application 4155, on either the “apex” or “builder” DAD…
  2. …Not coming from either localhost or a 192.168.1.x address…
  3. Return a 403 “Forbidden” page.

This is a simple way to protect your development environment from people who don’t belong there.  The runtime-only installation option introduced in APEX 3.1 is even more secure, but some users may be on earlier versions or may not want to use the runtime-only option.  Thoughts?
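The rule set above, re-expressed as a small Python check that can be run against sample requests before the directives go live. This is an added example, not code from the original post; it assumes the directives sit in server or virtual-host context and that Python's `re` treats these patterns the same way Apache's regex engine does, and the request values in `SAMPLES` are constructed.

```python
import re

# The directives from the post as (negated, pattern) pairs. mod_rewrite runs
# each RewriteCond as an unanchored regex search, ANDs consecutive conditions,
# and a leading "!" negates the match.
URL_CONDS = [
    (True,  r"/pls/(apex|builder)/f?p=4155:.*"),         # exempt app 4155
    (False, r"/pls/(apex|builder)/f?p=(4[0-9]{3}:.*)"),  # 4000 series apps
]
ADDR_COND = (True, r"^(127\.0\.0\.1|192\.168\.1\.[0-9]{1,3})$")
RULE_PATTERN = r"/pls/(apex|builder)/"


def _cond(negated, pattern, subject):
    """Evaluate one RewriteCond: regex search, inverted when negated."""
    matched = re.search(pattern, subject) is not None
    return matched != negated


def is_forbidden(path, query, remote_addr):
    """Return True when the rule set would answer 403 for this request."""
    if re.search(RULE_PATTERN, path) is None:
        return False  # RewriteRule pattern does not match, conditions never run
    # %{REQUEST_URI}%{QUERY_STRING} is path + query with no "?" in between, so
    # the unescaped "f?" in the patterns means "optional f" and matches "fp=".
    subject = path + query
    return (all(_cond(n, p, subject) for n, p in URL_CONDS)
            and _cond(*ADDR_COND, remote_addr))


# Constructed sample requests: (path, query string, client address).
SAMPLES = [
    ("/pls/apex/f", "p=4000:1", "203.0.113.7"),     # dev environment, outside
    ("/pls/builder/f", "p=4550:1", "203.0.113.7"),  # other DAD, outside
    ("/pls/apex/f", "p=4000:1", "192.168.1.25"),    # dev environment, LAN
    ("/pls/apex/f", "p=4000:1", "127.0.0.1"),       # dev environment, localhost
    ("/pls/apex/f", "p=4155:1", "203.0.113.7"),     # password reset app
    ("/pls/apex/f", "p=100:1", "203.0.113.7"),      # ordinary application
]

if __name__ == "__main__":
    for path, query, addr in SAMPLES:
        verdict = "403" if is_forbidden(path, query, addr) else "pass"
        print(f"{addr:15} {path}?{query:10} -> {verdict}")
```

Only the first two sample requests come back as 403; the LAN, localhost, application 4155 and ordinary-application requests pass through.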

3 Responses to “mod_rewrite and APEX part 2”

  1. Christopher Beck said

    Tyler,

    Think you need to change Line 2 to this:

    RewriteCond %{REMOTE_ADDR} !^(127\.[0]{1,3}\.[0]{1,3}\.[0]{1,2}1|192\.168\.[0]{1,2}1\.[0-9]{1,3})$

    Basically, 192.168.1.1 and 192.168.001.01 are the same thing, so you need to handle the possibility of leading zeros.

    chris.

  2. Tyler Muth said

    Thanks to Joel Kallman for pointing out that Application 4155 is used for end-user password resets and should be exempt from this policy. I added line 1 to account for this.

  3. Tyler,

    This is a fairly secure method and we have used the same rules a few times. In general I have favored using Apache as a reverse proxy for external traffic to deny the traffic I don’t want, but that has challenges of its own. This works well and does not require any additional hardware, network configs or installations. Nice post.

    Anton
