Creating an IP Protected Directory

EPA builds all web content in the Drupal WebCMS as of January 2013. All new microsites and resource directories will be created using Drupal.  There is still content on EPA's legacy servers and this content will be maintained there until it is transformed and moved into the Drupal WebCMS.  The following information should be used only for minor updates/maintenance of existing pages; any significant updates or revisions to existing pages should be done in the context of One EPA Web content transformation into the Drupal WebCMS

If you would like to protect a directory and its contents from the casual browser, you can utilize Apache's .htaccess file to set up IP-based protection. Note: this technique is not recommended to secure sensitive data. This is simply a tool to protect pre-release documents or items of similar security value.

  1. Change to the directory you wish to IP protect. For example:
      cd /public/data/webmast1/web/NewProject
    		
  2. If a .htaccess file does not already exist, you must create one. Using the editor of your choice, open the .htaccess file. Then insert the following code:
    Order deny, allow
    		
      Deny from all
      <Limit GET HEAD POST>
          Allow from ###.###.###.###
          Allow from ###.###
      </Limit>
    The "deny" line automatically denies all access as a default. The "allow" lines then grant access only to those specifed IP's. The ###.###.###.### indicates a specific IP you wish to allow. The ###.### indicates a range of IP's can be allowed. For example, in the following configuration the IP 127.164.132.21 would have access as well as any IP in the 134.67 subnet.
      Order deny,allow
      Deny from all
      <Limit GET HEAD POST>
          Allow from 127.164.132.21
          Allow 134.67
      </Limit>

    Once your .htaccess file is saved, your directory should be protected.

  3. Open the protected directory on your browser.
    In this example: http://www.epa.gov/webmast1/NewProject/. If your IP is included in an "allow" statement, you will have access to the directory and its contents. If your IP is not included, you will receive an "Access Forbidden" response.

    To further protect your directory from the casual user, you can add Password Protection and prohibit the Search Engine from indexing and displaying its files. For more information on this, refer to Creating a Password Protected Directory and Hiding Web Pages from Search Engines.

Top of Page