{"id":19664590,"url":"https://github.com/sourcebroker/restrictfe","last_synced_at":"2025-10-26T14:11:39.945Z","repository":{"id":57056086,"uuid":"80206848","full_name":"sourcebroker/restrictfe","owner":"sourcebroker","description":"TYPO3 extension restrictfe.  Blocks access to frontend and allows to show it only to some defined exception's like if the request is from an authorized backend user, has specific IP, header etc.","archived":false,"fork":false,"pushed_at":"2025-04-14T13:28:55.000Z","size":136,"stargazers_count":12,"open_issues_count":0,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-14T13:44:21.513Z","etag":null,"topics":["development","production","staging","typo3","typo3-cms-extension","typo3-extension"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sourcebroker.png","metadata":{"files":{"readme":"README.rst","changelog":"CHANGELOG.rst","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-01-27T12:48:43.000Z","updated_at":"2025-04-14T13:15:59.000Z","dependencies_parsed_at":"2022-08-24T07:21:11.731Z","dependency_job_id":null,"html_url":"https://github.com/sourcebroker/restrictfe","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sourcebroker%2Frestrictfe","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sourcebroker%2Frestrictfe/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sourcebroker%2Frestrictfe/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sourcebroker%2Frestrictfe/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sourcebroker","download_url":"https://codeload.github.com/sourcebroker/restrictfe/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251391390,"owners_count":21582161,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["development","production","staging","typo3","typo3-cms-extension","typo3-extension"],"created_at":"2024-11-11T16:18:17.555Z","updated_at":"2025-10-26T14:11:39.831Z","avatar_url":"https://github.com/sourcebroker.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"TYPO3 Extension ``restrictfe``\n==============================\n\n    .. image:: https://poser.pugx.org/sourcebroker/restrictfe/d/monthly\n        :target: https://packagist.org/packages/sourcebroker/restrictfe\n\n    .. image:: https://poser.pugx.org/sourcebroker/restrictfe/v/stable\n        :target: https://packagist.org/packages/sourcebroker/restrictfe\n\n    .. image:: https://poser.pugx.org/sourcebroker/restrictfe/license\n        :target: https://packagist.org/packages/sourcebroker/restrictfe\n\n\n.. contents:: :local:\n\nWhat does it do?\n----------------\n\nThis extension blocks access to frontend and allows to show it\nonly to some defined exception's like if the request is from\nan authorized backend user, has specific IP, header, domain, language\nor GET/POST vars. Useful to protect your staging and production instances.\n\nHow this can be useful for me?\n------------------------------\n\nIt will be useful whenever you want to protect whole or part of website\nfrom being public. See following examples for staging and production\ninstances.\n\n**For staging instances**\n\nYou will find restrictfe useful if you have staging instances and you want to\nprotect frontend content form public but at the same time:\n\n- allow to show frontend to authorized backend users,\n- allow to show frontend to IP of your VPN,\n- allow to show frontend to your external spiders for crawling,\n- allow some payment systems to send confirm link to your application endpoint,\n- allow Google Page Speed to make tests,\n- etc.\n\n**For production instances**\n\nYou will find restrictfe useful if you have production instance which is\nalready live but access to some part of website must be yet hidden for\nregular frontend users. At the same time is must be accessible in\nfrontend for logged backend users which must be able to edit content on\nthat hidden part.\n\nInstallation\n------------\n\nJust use composer or download by Extension Manager.\n\n::\n\n  composer require sourcebroker/restrictfe\n\nBe aware that after installation restrictfe blocks all traffic to\nfrontend by default. This is by design because if you will add new\nstaging instances they will be blocked by default so there is no risk\nthat you forgot to protect it and someone will see new staging instance\nor google will index it. Of course you must remember to unblock\nproduction instance with simple line:\n\n::\n\n  $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = ['*' =\u003e true];\n\nPut this config in the file that is included only on live instance!\n\n**Notice!**\nrestrictfe protection is not working if $_SERVER['REMOTE_ADDR'] == 127.0.0.1 so if you\nare working on your local instance restrictfe is disabled. If you want to to make testing\nand enable it on your local instance insert following line in typo3conf/AdditionalConfiguration.php\nor in some extension ext_localconf.php:\n``$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions']['ip'] = '__UNSET';``\n\n\nDocumentation\n-------------\n\nExceptions\n~~~~~~~~~~\n\nAs stated earlier restrictfe blocks all traffic to frontend and we must\nset exceptions that will allow to see the frontend. Those exceptions\nconditions are written in\n``$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions']``\narray. By default on first level conditions are joined with logical OR\nbut you can join them with AND if you will make AND array key and\nconditions inside. You can nest OR/AND conditions inside arrays. Values\nof conditions can be string or array. If its array its OR'ed. Some\nconditions can be negated. In such case the conditions inside are\nAND'ed.\n\n**The result of this condition checks is used to decide if frontend\nshould be blocked or not. If its true then frontend is not blocked.**\n\nConditions\n~~~~~~~~~~\n\nbackendUser\n+++++++++++\n\n- | *Argument*\n  | Activate (boolean)\n\n- *Note*\n\n  - If activated then frontend will be visible to authorized backend\n    users. Only single authorization is needed and user can log out\n    because special cookie will allow him to see frontend. That also\n    means that BE user can unlog from backend and still see the\n    frontend - its crucial for good testing of caching bugs.\n\n  - For backend user you can check “Clear BE session after login” in\n    backend user record. This will unlog BE user from backend just\n    after authorization. This is useful if you want to create only\n    kind of \"preview\" BE user. This user does not need to have access\n    to any BE module and do not needs rights to read/write any table.\n\n  - As stated in last points after backend user authorization special\n    cookie is set that allows to access frontend even after backend\n    user will be logged off. You can set each aspect of this cookie by\n    setting ``$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['cookie']``\n    array. For example you can set the cookie for multiple subdomains\n    which means that user needs to authorize only once to have access\n    to all protected subdomains. With htaccess password user would\n    need to authorize to each subdomain independently. Example:\n    ``$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['cookie']['domain'] = '.example.com';``\n\n- *Example*\n\n  ::\n\n   $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n       backendUser' =\u003e true\n   ];\n\ndomain\n++++++\n\n- | *Argument*\n  | Domain name (string)\n\n- | *Note*\n  | You can negate this condition with !domain.\n\n- | *Example*\n  | Allow frontend access to all except traffic to domain sub.example.com\n\n  ::\n\n    $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n       '!domain' =\u003e ['sub.example.com']\n    ];\n\nget\n+++\n\n- | *Argument*\n  | \"getName=getValue\" pairs (string)\n\n- | *Note*\n  | You can negate this condition with !get.\n\n- | *Example*\n  | Allow only request with GET param secret=999 to access frontend.\n\n  ::\n\n   $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n    'get' =\u003e 'secret=999'\n   ];\n\nheader\n++++++\n\n- | *Argument*\n  | \"headerName=headerValue\" pairs (string)\n\n- | *Note*\n  | You can negate this condition with !header.\n\n- | *Example*\n  | Allow only request with HTTP header MYHEADER=99 to access frontend.\n\n  ::\n\n    $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n       'header' =\u003e 'MYHEADER=99'\n    ];\n\nip\n++\n\n- | *Argument*\n  | Single IP with mask (string), comma separated list of IPs with\n    mask(string), array of IPs with mask (array string)\n\n- | *Note*\n  | In the background a ``GeneralUtility::cmpIP()`` is used so you can\n    use \\* and mask for IP like 12.12.45.\\* or 13.55.0.0/16.\n  | You can negate this condition with !ip.\n\n- | *Example*\n  | Allow frontend access only for IP 11.11.11.11 or 22.22.22.22 or 33.33.33.33\n\n  ::\n\n    $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n      'ip' =\u003e [\n             '11.11.11.11',  // ip of developers VPN\n             '22.22.22.22'   // ip of client VPN\n             '33.33.33.33'   // payment system confirm request\n           ]\n      ];\n\n\n  Block frontend access to traffic from IP range 34.34.0.0/16\n\n  ::\n\n       $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n           '!ip' =\u003e [\n               '34.34.0.0/16', // some not trusted network\n           ]\n       ];\n\npost\n++++\n\n-  | *Argument*\n   | \"getName=getValue\" pairs (string)\n\n-  | *Note*\n   | You can negate this condition with !post.\n\n-  | *Example*\n   | Allow only request with POST param secret=999 to access frontend.\n\n   ::\n\n    $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n       'post' =\u003e 'secret=999'\n    ];\n\nrequestUri\n++++++++++\n\n-  | *Argument*\n   |  uri part after domain without leading slash (string)\n\n-  | *Note*\n   | You can negate this condition with !requestUri. The argument is search for only on begining of text.\n\n-  | *Example*\n   | Allow only request starting with api/ to be processed.\n\n   ::\n\n    $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n       'requestUri' =\u003e ['api/', 'api2/']\n    ];\n\n\n\nConfiguration examples\n----------------------\n\nSome most useful real live configuration examples:\n\nProduction instance that must have language /fr/ not available public\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n::\n\n    $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n            '!requestUri' =\u003e 'fr/',\n    ];\n\nProduction instance that must have domain \"sub.example.com\" not avaliable public\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n::\n\n    $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n            '!domain' =\u003e 'sub.example.com',\n    ];\n\nStaging instance that needs to unblock frontend for Google Page Speed Insights\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n::\n\n    $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n           'get' =\u003e 'secret=91009123',\n    ];\n\nThen of course the url you give google for testing is:\nhttps://www.example.com/?secret=91009123\n\nStaging instance that needs to unblock frontend for IP=11.11.11.11\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n::\n\n    $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n          'ip' =\u003e '11.11.11.11',\n    ];\n\nExample how the AND condition looks like\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nip and header are AND'ed. array values inside ip and header are OR'ed.\n\n::\n\n    $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions'] = [\n            'AND' =\u003e [\n                 'ip' =\u003e [\n                    '66.249.64.0/19'\n                    '66.249.44.0/19'\n                    ],\n                 'header' =\u003e [\n                    'HTTP_USER_AGENT=Google Page Speed Insights'\n                    'HTTP_USER_AGENT=Google Page Speed'\n                   ],\n                 ]\n            ]\n    ];\n\n\nDefault Configuration\n~~~~~~~~~~~~~~~~~~~~~\n\nBy default following configuration is applied. You can change every\nelement of this array using ``$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']``\n\n::\n\n  [\n    'templatePath' =\u003e ExtensionManagementUtility::siteRelPath('restrictfe').'Resources/Private/Templates/Restricted.html',\n    'cookie'       =\u003e [\n        'expire'   =\u003e time() + 86400 * 30,\n        'path'     =\u003e '/',\n        'domain'   =\u003e null,\n        'secure' =\u003e ((int)$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure'] === 1 || GeneralUtility::getIndpEnv('TYPO3_SSL')),\n        'httponly' =\u003e $GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieHttpOnly'],\n    ],\n    'exceptions' =\u003e [\n        'backendUser' =\u003e true,\n        'ip'          =\u003e '127.0.0.1',\n    ],\n  ];\n\n\nFAQ\n---\n\n-  **Extension does not work. The frontend is not blocked at all. What is wrong?**\n   Be sure you are logged from BE and the cookie \"restrictfe\" is deleted. Remember also that\n   restrictfe protection is not working if $_SERVER['REMOTE_ADDR'] == 127.0.0.1 so if you\n   are working on your local instance restrictfe is disabled. To enable it on your local instance\n   insert folowing line:\n   ``$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['exceptions']['ip'] = '__UNSET';``\n\n-  **I am logged out from BE but still frontend is not blocked, why?**\n   From 3.0.0. version after first successful login a cookie is set\n   (name tx\\_restrictfe). If that cookie is present then user do not\n   have to authorize again. So delete that cookie and then your frontend\n   should be blocked again.\n\n\nKnown problems\n--------------\n\nNone.\n\nTo-Do list\n----------\n\n1. Add userFunc for conditions\n2. Add pregmatch for all conditions like '~domain'\n3. Add support for detecting browser language to see proper lang on\n   \"you must log to see the website\" warning screen.\n4. Make unit tests for conditions array.\n\n\nChangelog\n---------\n\nSee https://github.com/sourcebroker/restrictfe/blob/master/CHANGELOG.rst\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsourcebroker%2Frestrictfe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsourcebroker%2Frestrictfe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsourcebroker%2Frestrictfe/lists"}