Sat, 01/05/2010 - 17:48 — horuskol

First off, restricting access to your entire website is pretty easy.

All you need to do is put the following at the top of the .htaccess file in your website's document root:

Order deny,allow
Deny from all

This will prevent anyone from seeing your website. Admittedly, not terribly useful, but it's a start.

It is important not to have a space in 'deny,allow', as this will cause an Apache server error.

If you are setting up a test website, you will likely want to restrict access to everyone except your own IP address (the computer on which you are testing the site in a browser):

Order deny,allow
Deny from all
Allow from 192.168.1.1

About Order, Deny and Allow

These three directives are all part of mod_access, which is a core module within Apache. Order is used to specify the order in which Deny and Allow directives are processed - we use the order 'deny,allow' to first restrict all access and then allow from a specific IP address.

If we reversed the arguments, then we would always be blocked from the site as the Allow directive is processed first and then the Deny directive (which blocks everyone) would subsequently override it.

Blacklisting

The above configuration is an example of whitelisting. We are restricting access to a limited network.

The opposite to this is, of course, blacklisting. We can allow access to all users, except from a specific IP or network:

Order allow,deny
Allow from all
Deny from 192.168.1.1