How I block people from visiting a website

Inspired by the article Block a Website for Everyone But You over at CSS Tricks, I thought I’d post my way of blocking people from accessing my websites while I work on them.

Chris Coyier over at CSS Tricks uses the following code in his .htaccess file to block visitors.

RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^71\.225\.113\.171
RewriteCond %{REMOTE_HOST} !^71\.185\.239\.212
RewriteCond %{REMOTE_HOST} !^69\.253\.223\.254
RewriteCond %{REQUEST_URI} !/comingsoon\.html$
RewriteRule .* /comingsoon.html [R=302,L]

What he’s doing there is checking for specific IP addresses that are allowed to see the website but everyone else is sent to the “comingsoon.html” webpage. This is great for people who have specific IP addresses but if you’re behind a proxy like I am at work then everyone else with you behind that proxy can still see the site.

I find it much easier to redirect everyone but check for a custom cookie that I can set using the Webdeveloper Firefox extension. That way I can check to make sure that the redirect to the maintenance page is actually working. Here’s the relevant code that I use (taken from a RoR tutorial of old)

RewriteCond %{DOCUMENT_ROOT}/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteCond %{HTTP_COOKIE} !^.*access_cookie=1.*$
RewriteRule ^.*$ /maintenance.html [L]

where the text “access_cookie” (sans quotes) would be whatever cookie name you want to use. I just create a “session cookie” set to a value of “1″ (or whatever you want to make it) and check for it’s existence.

That gets around the problem of DHCP granted or spoofed IP addresses. Sure a cookie is easy to add but if you make the name and/or value sufficiently difficult to guess, no one is getting in.

Now just add your cookie.

Note in the image that I have set it to be a “session cookie”. This helps when you forget to delete the cookie. Just close your tab (FF) or browser (IE), reopen it and the cookie will be gone.

Oh yeah. The other thing that my .htaccess code does is, on the first line, check for the existence of the “maintenance.html” file. I don’t want to have to add and remove this code everytime I want to take the site down. It’s much easier to just have this code permanently in my .htaccess file and then upload the file that people will see when the site is down. I then delete it when the site is ready to be reopened. This is all performed using a custom Capistrano command that I run when I’m ready to deploy a new version.

1 comment

  1. I like it. It’s kind of the reverse approach. Instead of block everyone but me, it’s allow only me.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>