使用 .htaccess 阻止访问子域以及该子域下的所有文件和文件夹

Question

I have a main domain and a website setup on my cPanel hosting as well as an add-on domain with its own separate website: domain.com and addon.com

Due to the way cPanel configures add-on domains, the add-on domain's website can be accessed via the main domain:

• addon.domain.com/

• domain.com/addon/

What I'd like to do is block all access to the add-on domain's website from the main domain, including any and all files or folders contained within, so:

• Accessing addon.com/anyfolder/anyfile.php works, but;
• Accessing addon.domain.com/anyfolder/anyfile.php or
• Accessing domain.com/addon/anyfolder/anyfile.php fails with a 404 error.

I have had some success with modifying the add-on domain's.htaccess file to achieve this, for example using this in the add-on domain's.htaccess:

RewriteEngine on
RedirectMatch 404 ^/addon/(.*)$

Blocks domain.com/addon/anyfolder/anyfile.php perfectly, displaying a 404 error.

However I have tried various methods to do the same for addon.domain.com and although I can usually get it to display a 404 when accessing only the domain, for any folders or files ( addon.domain.com/anyfolder/anyfile.php ) it will still work with no error and I can't figure out how to go about correcting this with.htaccess.

For example:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https?://(www\.)addon\.com
RewriteRule ^(.*)$ - [L,R=404]

This makes addon.domain.com display the desired 404 error, but addon.domain.com/anyfolder/anyfile.php still works without issue.

This is just one example of course, I've actually searched for a while and tried several different rewrite conditions among other things to get the desired result without success. Another example that works only for the domain:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^(www.)?addon.domain.co.uk$ [NC]
RewriteRule ^(.*)$ - [L,R=404]

Once again, this causes addon.domain.com to display the desired 404 error, but addon.domain.com/anyfolder/anyfile.php still works.

The only other thing I can think of doing is editing the main domain's DNS zone and remove (or break somehow) the A record for the subdomain. This would of course result in a "server not found" error which would have the desired affect, but I can't imagine it's an advisable option to take.

Answer 1

You should do something like the following using mod_rewrite near the top of the .htaccess file in the root of the subdomain.

I'm assuming addon.com and www.addon.com should both be accessible.

For example:

RewriteEngine On

RewriteCond %{HTTP_HOST} !^(www\.)?addon\.com$
RewriteRule ^ - [R=404]

The above will block (serve a 404 Not Found) for any request that is not for addon.com (or www.addon.com ). The ! prefix on the CondPattern negates the expression. Any URL-path.

You do not need the L flag when using a return code in the range 4xx.

---

Alternative Method

An alternative approach that does not use mod_rewrite, so won't necessarily be overridden by .htaccess files in subdirectories:

<If "%{HTTP_HOST} !~ /^(www\.)?addon\.com$/">
    Require all denied
</If>

This uses an Apache Expression with mod_authz_core.

The above will serve a 403 Forbidden for any requests that are not for the addon domain.

---

A look at your rules...

 RewriteEngine on RedirectMatch 404 ^/addon/(.*)$

RedirectMatch is a mod_alias directive. This is unrelated to the RewriteEngine directive that initialises mod_rewrite.

 RewriteCond %{HTTP_REFERER}?^https:.//(www\.)addon\.com RewriteRule ^(,*)$ - [L,R=404]

This makes addon.domain.com display the desired 404 error, but addon.domain.com/anyfolder/anyfile.php still works without issue.

This is checking the Referer header (the site you are coming from ), so this will not have the desired result. However, a request for addon.domain.com/anyfolder/anyfile.php should still be blocked by this rule.

Note that the order of directives in the .htaccess file can be important. Any blocking directives should be near the top of the config file.

Another example that works only for the domain:

 RewriteEngine on RewriteCond %{HTTP_HOST} ^(www.)?addon.domain.com$ [NC] RewriteRule ^(.*)$ - [L,R=404]

Once again, this causes addon.domain.com to display the desired 404 error, but addon.domain.com/anyfolder/anyfile.php still works.

This should block addon.domain.com/anyfolder/anyfile.php (with or without the www subdomain) - unless the rule is put in the wrong place and it is conflicting with other rules, as mentioned above.

Note that you don't necessarily need to have just one rule. Two or more rules can perform the job just as efficiently as one sometimes.