I set up my .htaccess file so that only certain IP ranges can access the /admin portion of my site, as asked in this question: Deny access to URI
That works... in testing. When I tried this on my live, https enabled, site something strange happened:
When I GET the /admin page, I receive a 403 Forbidden status code but I also get the body as if nothing happened.
How is that possible, and how do I fix it?
Here's the eventual .htaccess:
SetEnvIf Request_URI ^(?!/admin) not_admin_uri
Order deny,allow
Deny from all
Allow from 127.0.0.1
allow from 366.241.93.
allow from env=not_admin_uri
Also: if I remove the last allow rule it actually does block the request (though it then, of course, blocks all requests).
The document for the 403 status code (which was 403.shtml) did not exist, in which case Apache apparently just executes the request.
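An added example, not part of the original post: a small audit that reads Apache configuration text and reports every `ErrorDocument` whose local target file is missing, which is the condition described above. The sample configuration is constructed, and the check assumes URL paths map directly onto the document root (no `Alias` or rewrite rules in between).

```python
import os
import re
import tempfile

# ErrorDocument <code> <document>; the document is a local URL-path when it starts with "/".
ERRDOC = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(.+?)\s*$', re.IGNORECASE)

def missing_error_documents(config_text, docroot):
    """Return [(status, url_path)] for local ErrorDocument targets absent from docroot."""
    missing = []
    for line in config_text.splitlines():
        if line.lstrip().startswith('#'):
            continue  # commented-out directive
        m = ERRDOC.match(line)
        if not m:
            continue
        status, target = int(m.group(1)), m.group(2)
        # Skip inline messages ("..."), the keyword "default", and external URLs.
        if not target.startswith('/'):
            continue
        path = target.split('?', 1)[0].lstrip('/')
        full = os.path.normpath(os.path.join(docroot, path))
        if not os.path.isfile(full):
            missing.append((status, target))
    return missing

# Constructed sample configuration (not the poster's server config).
SAMPLE = '''
# ErrorDocument 500 /old.html
ErrorDocument 403 /403.shtml
ErrorDocument 404 /errors/404.html
ErrorDocument 401 "Authentication required"
ErrorDocument 500 https://status.example.com/500
'''

def demo():
    # Build a throwaway document root that contains only errors/404.html.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'errors'))
        with open(os.path.join(root, 'errors', '404.html'), 'w') as f:
            f.write('not found')
        return missing_error_documents(SAMPLE, root)

if __name__ == '__main__':
    for status, target in demo():
        print(f'ErrorDocument {status} -> {target} is missing')
```

Run against the real configuration and document root, any 403 entry it reports is worth fixing before relying on deny rules for /admin.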