Dynamically Allowing IPs to Bypass Offline Page
One of the problems we have really struggled with at work is allowing only certain people to access our sites during the initial staging process or when they are offline for maintenance. There are many ways of achieving this, each of which comes with its own benefits and downfalls, and some of which are far more suitable for staging than for maintenance phases. It’s worth mentioning that we also work with load balanced servers, which tends to complicate almost any task.
I only recently sat down to try and wrap my head around RewriteMap. It’s something I’ve seen before but always pushed aside as, at a glance, it seems complex and not particularly useful. We’ve often talked about how it would be nice if we could dynamically add in RewriteConds, and it occurred to me that we could potentially achieve the same results using RewriteMap. Here’s what I came up with:
First we need to declare the map. This must be done in the httpd.conf file.

    RewriteMap ips txt:/var/www/vhosts/something/allowed.txt
Next, we need to create the map file itself. We are going to create a whitelist of users based on their IP address.

    ## allowed.txt -- rewriting map
    127.0.0.1 ALLOW
I’ve only included a single entry. Note that the format of each line is the IP address you wish to allow access, followed by a space, then the word ALLOW (this is the value we will be matching against with our RewriteCond).
Now we need to put the magic in place. The remaining code can be placed either in your httpd.conf file or within your .htaccess file, whichever you deem more appropriate.

    RewriteCond ${ips:%{REMOTE_ADDR}|DENY} !=ALLOW
    RewriteCond %{REQUEST_URI} !^/offline\.html
    RewriteRule .* /offline.html
The first RewriteCond is the line that does the magic: it takes the IP address of the incoming request and uses the allowed.txt file as a lookup table, returning the value next to the IP address. If the IP address is not present in the file, it returns the default value specified; I’ve chosen to use DENY as it’s an apt description of the default behaviour. Since we always use the same value in our map file, we know that if the IP address is in the file the map will return ALLOW, so we compare the result to ALLOW, and the condition matches only when the result is something else (!=ALLOW).
The second RewriteCond simply checks that we are not requesting the offline page (thus avoiding an infinite rewrite loop). If both RewriteConds match, the RewriteRule rewrites the request to the offline page. Or, to phrase it in English: if the IP is not allowed and the request is not for the offline page, then rewrite to the offline page.
Now that our IP white-list is stored in a separate file, we can go ahead and write tools that let a user easily gain access to the site. One example would be a simple login page that adds the IP address to the file for anybody who successfully logs in (note that with the above set-up you would also have to exclude the login page from the rewrite by means of an extra RewriteCond).
Cheers.
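
As an added example (not code from the original post), here is one way a login handler could add an address to allowed.txt without letting a malformed value inject extra map lines. The function names are hypothetical, the example is narrowed to IPv4, and it assumes the caller passes the same address Apache sees as %{REMOTE_ADDR}, and only after a successful login.

```python
import ipaddress
import os
import tempfile

HEADER = "## allowed.txt -- rewriting map\n"


def allowed_ips(map_text):
    """Return the set of keys whose value is ALLOW in a txt: RewriteMap."""
    keys = set()
    for line in map_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#") and fields[1] == "ALLOW":
            keys.add(fields[0])
    return keys


def allow_ip(map_path, remote_addr):
    """Add remote_addr to the map. True if added, False if already listed.

    Raises ValueError for anything that is not a plain IPv4 address, so a
    value containing spaces or newlines can never become extra map lines.
    """
    ip = str(ipaddress.IPv4Address(str(remote_addr)))
    try:
        with open(map_path, encoding="ascii") as fh:
            current = fh.read()
    except FileNotFoundError:
        current = HEADER
    if ip in allowed_ips(current):
        return False
    if not current.endswith("\n"):
        current += "\n"
    # Write a complete new file and rename it over the old one, so Apache
    # never reads a half-written map.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(map_path)))
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(current + ip + " ALLOW\n")
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the web server must read it
    os.replace(tmp, map_path)
    return True
```

The read-modify-write is not locked, so two logins at the same instant could lose one entry; serialise calls if that matters. Apache caches txt map lookups until the map file's modification time changes, which the rename takes care of.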