howto: Server - deny file access        rev  3 jan 2019

> info | usage | example code

.......................................................
info:

  With apache's .htaccess file, you can tell apache to 
  
    * block access through the web browser to
        specified files or directories.
    
    * allow access to specified ip numbers.

    * Blocked visitors will be shown a '403 Forbidden' error message. 
        - You can customise this error message with the 'Error Documents' Directive.

.......................................................
usage:

    * block access to classicpress/wordpress login.


.......................................................
example code - for pre-apache v.2.4:

# This will allow only the specified ip address to access wp-login.php:
# You can add multiple ip addresses, with multiple lines of "allow from"
# However, in my experience when i get more than 20 or so, it seems
# to stop working, or works only randomly.

# help.dreamhost.com says do this way:
#   https://help.dreamhost.com/hc/en-us/articles/216363167-How-do-I-deny-access-to-my-site-with-an-htaccess-file-#Allowing_access_from_a_specific_IP
# This works for me, as long as there aren't too many 'allow from's 
#   (like more than 20).
<Files "wp-login.php">
  order deny, allow
  deny from all 
  allow from 45.113.64.186
  allow from 162.158.159.98
</Files>


# htaccess-guide says do this way:
#   http://www.htaccess-guide.com/deny-visitors-by-ip-address/
# But this doesn't work for me, i am always denied.
<Files "wp-login.php">
  order allow,deny
  allow from 45.113.64.186
  deny from all 
</Files>

.......................................................
gory details:

  * It doesn't work exactly in order of directives.
  *  Also, it does not stop once it finds a match
       (as we would expect in programming).
       It still continues to evaluate.
       This is why we can say 'deny from all' first, and still
       go on to define ips to allow.

  * According to apache docs:
      - First, all Allow directives are evaluated. 
          At least one must match, or the request is rejected. 
      - Next, all Deny directives are evaluated. 
          If any matches, the request is rejected. 
      - Last, any requests which do not match an Allow or a Deny directive:
          Are denied by default. 

* Now i'm confused again.
    baseline: the first example works for me, 
       as long as there aren't too many 'allow from's. (like more than 20)


.......................................................
example code - apache v.2.4 and above:




_______________________________________________________
begin  3 jan 2019
-- 0 --