I should start by saying that I am not very experienced with most of this subject matter, as I've learned most of this for my job, so I may be missing something obvious. I have an apache2 (2.4.29) server hosting a concrete5 site, running on a VM with Ubuntu 18.04 LTS. I'm trying to restrict access to the /login URL used for site editing. Below is my .htaccess file, which is in the server's concrete5 root (/var/www/html/concrete5). I can restrict access completely with .htaccess, but I'm having trouble whitelisting IPs properly.
Here is the big problem I've had: In my REQUEST_URI RewriteCond, using "!^" in front of IPs seems to do nothing, and the URL is still blocked, but this is what many other people seem to suggest. Omitting the "!" will unblock the login URL, but it unblocks it for ALL IPs. This is where I've been stuck - the REMOTE_ADDR condition seems to either block the URI for all IPs or allow access for all IPs, and the address itself doesn't seem to change anything.
For now, I've resorted to simply blocking off all access, and if I ever need access, I'd have to go in and remove the directives in the .htaccess to temporarily unblock the URL. Obviously, this is not ideal and I'd like to allow access to IPs within my company's internal network.
<IfModule mod_rewrite.c>
# Removes index.php from URL
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}/index.html !-f
RewriteCond %{REQUEST_FILENAME}/index.php !-f
RewriteRule . index.php
# URL restriction
RewriteCond %{REQUEST_URI} /login(.*)$ [OR]
RewriteCond %{REQUEST_URI} /dashboard(.*)$ [OR]
RewriteCond %{REQUEST_URI} /index\.php/dashboard(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ / [R=403,L]
</IfModule>
/dashboard/system/permissions/blacklist dashboard page you can add *.*.*.* and ::/0 to the blacklisted IPs (which prevent anyone from logging in), and your IP address in the whitelisted IPs. - Michele Locati
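The condition list from the question's "URL restriction" block, modelled in Python as an added example (not part of the original post and not Apache's own code). It is a simplified model of how mod_rewrite chains RewriteCond lines: [OR]-flagged conditions form one group and groups are ANDed, so the list reads as (login OR dashboard OR index.php/dashboard) AND NOT the allowed address. All sample requests and every address other than 123.123.123.123 are constructed.

```python
import re

# (variable, pattern, has [OR] flag), copied from the question's rule block.
CONDS = [
    ("REQUEST_URI", r"/login(.*)$", True),
    ("REQUEST_URI", r"/dashboard(.*)$", True),
    ("REQUEST_URI", r"/index\.php/dashboard(.*)$", False),
    ("REMOTE_ADDR", r"!^123\.123\.123\.123$", False),
]

def cond_matches(pattern, value):
    """A leading '!' negates the regex match, as in RewriteCond."""
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, value) is not None
    return hit != negate

def rule_fires(request, conds=CONDS):
    """True when every condition group passes, i.e. the 403 rule applies."""
    i = 0
    while i < len(conds):
        var, pattern, or_next = conds[i]
        ok = cond_matches(pattern, request[var])
        if or_next:
            if ok:
                # One member matched: skip the rest of this OR group.
                while i < len(conds) and conds[i][2]:
                    i += 1
        elif not ok:
            return False
        i += 1
    return True

# Constructed requests: what matters is the address the server itself sees.
SAMPLES = [
    {"REQUEST_URI": "/login", "REMOTE_ADDR": "123.123.123.123"},  # allowed
    {"REQUEST_URI": "/login", "REMOTE_ADDR": "10.0.2.2"},   # e.g. a NAT gateway
    {"REQUEST_URI": "/login", "REMOTE_ADDR": "::1"},        # IPv6 client
    {"REQUEST_URI": "/index.php/dashboard/system", "REMOTE_ADDR": "198.51.100.7"},
    {"REQUEST_URI": "/blog/login-tips", "REMOTE_ADDR": "198.51.100.7"},  # unanchored hit
    {"REQUEST_URI": "/blog", "REMOTE_ADDR": "198.51.100.7"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        verdict = "403" if rule_fires(req) else "pass"
        print(f'{req["REMOTE_ADDR"]:>16} {req["REQUEST_URI"]:<28} {verdict}')
```

In this model the outcome for a protected URL depends only on the REMOTE_ADDR value, so the address recorded in the server's access log for a test request is the value the pattern has to match. The unanchored `/login(.*)$` pattern also catches unrelated paths that merely contain `/login`.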