dtateii · August 23, 2016 13:55
diff --git a/.htaccess b/.htaccess
 # BEGIN Access Control
 <IfModule mod_setenvif.c>

  # Check Host, set "edit" domain env
  SetEnvIf Host "edit.domain.com" edit=1 # Prod
  SetEnvIf Host "edit-stg.domain.com" edit=1 # Staging
  SetEnvIf Host "edit.domain.loc|dev" edit=1 # Local Dev

  # Build Edit-domain Whitelist
  SetEnvIf REMOTE_ADDR ^nnn\.nnn\.nnn\.nnn$ whitelist=1 # Client HQ
  SetEnvIf REMOTE_ADDR ^nnn\.nnn\.nnn\.nnn$ whitelist=1 # Vendor HQ
  SetEnvIf REMOTE_ADDR "^192\.168\.33\.1$" whitelist=1 # Local Dev
  SetEnvIf REMOTE_ADDR ^127\.0\.0\.1$ whitelist=1 # Local Dev

  # EDIT DOMAIN Access Control
  # Deny Edit-domain to all, then un-deny Edit-domain to whitelisted (for Apache v2.2-)
  Order deny,allow
  Deny from env=edit
  Allow from env=whitelist
  
  # Apply Edit-domain Access Control (for Apache v2.4+)
  #<RequireAny>
  #  <RequireAll>
  #    # If not Edit-domain, grant all
  #    Require not env edit
  #    Require all granted
  #  </RequireAll>
  #  <RequireAll>
  #    # If Edit-domain, must also be on IP whitelist
  #    Require env edit
  #    Require env whitelist
  #  </RequireAll>
  #</RequireAny>

  # PUBLIC DOMAIN Access Control
  # Deny to all access to sensitive paths on non-edit domains
  RewriteCond %{ENV:edit} !1
  RewriteRule ^(custom-login-path|users|scripts|profile|includes|filter($|/)|user($|/)|admin($|/)|node($|/)) - [F,L]
 </IfModule>

 # Block core Drupal files for everyone
 <IfModule mod_alias.c>
  RewriteRule ^((CHANGELOG|COPYRIGHT|INSTALL(.*)|LICENSE|MAINTAINERS|UPGRADE).txt|README(.*)|cron.php|install.php|update.php|web.config|xmlrpc.php) - [F,L]
 </IfModule>
 # END Access Control
	# BEGIN Access Control
	<IfModule mod_setenvif.c>

	# Check Host, set "edit" domain env
	SetEnvIf Host "edit.domain.com" edit=1 # Prod
	SetEnvIf Host "edit-stg.domain.com" edit=1 # Staging
	SetEnvIf Host "edit.domain.loc\|dev" edit=1 # Local Dev

	# Build Edit-domain Whitelist
	SetEnvIf REMOTE_ADDR ^nnn\.nnn\.nnn\.nnn$ whitelist=1 # Client HQ
	SetEnvIf REMOTE_ADDR ^nnn\.nnn\.nnn\.nnn$ whitelist=1 # Vendor HQ
	SetEnvIf REMOTE_ADDR "^192\.168\.33\.1$" whitelist=1 # Local Dev
	SetEnvIf REMOTE_ADDR ^127\.0\.0\.1$ whitelist=1 # Local Dev

	# EDIT DOMAIN Access Control
	# Deny Edit-domain to all, then un-deny Edit-domain to whitelisted (for Apache v2.2-)
	Order deny,allow
	Deny from env=edit
	Allow from env=whitelist

	# Apply Edit-domain Access Control (for Apache v2.4+)
	#<RequireAny>
	# <RequireAll>
	# # If not Edit-domain, grant all
	# Require not env edit
	# Require all granted
	# </RequireAll>
	# <RequireAll>
	# # If Edit-domain, must also be on IP whitelist
	# Require env edit
	# Require env whitelist
	# </RequireAll>
	#</RequireAny>

	# PUBLIC DOMAIN Access Control
	# Deny to all access to sensitive paths on non-edit domains
	RewriteCond %{ENV:edit} !1
	RewriteRule ^(custom-login-path\|users\|scripts\|profile\|includes\|filter($\|/)\|user($\|/)\|admin($\|/)\|node($\|/)) - [F,L]
	</IfModule>

	# Block core Drupal files for everyone
	<IfModule mod_alias.c>
	RewriteRule ^((CHANGELOG\|COPYRIGHT\|INSTALL(.)\|LICENSE\|MAINTAINERS\|UPGRADE).txt\|README(.)\|cron.php\|install.php\|update.php\|web.config\|xmlrpc.php) - [F,L]
	</IfModule>
	# END Access Control