Since x-payments is all about security, why not really lock it down and ONLY permit access from known IP addresses, right? It's built right into the x-pay htaccess:
Code:
# Allow all requests to admin.php and api.php scripts
# If you want restrict access to these scripts by IP-addresses,
# comment this block out and read instructions below
Great. Obvious.
Code:
# Uncomment the lines below to allow access to the admin script
# only from specific IP-addresses
# (replace 192.168.10.32 below to your IP-addresses)
#
<Files ~ "admin.php*">
Order deny,allow
Deny from all
#office
allow from 12.34.56.78
#home
allow from 23.45.67.89
</Files>
Now -- this part broke my connection to xcart:
Code:
# Uncomment the lines below to allow access to the api script
# only from specific IP-addresses
# (replace 192.168.10.32 below to your IP-addresses)
#
<Files ~ "api.php*">
Order deny,allow
Deny from all
Allow from xcart.ip.add.ress
Allow from 12.34.56.78
</Files>
Now that didn't work. DO I need to also allow "localhost" ?
Am I correct in reading this as this constrains the api script to only the ips designated. That's what I want. What did I do wrong?
Who else needs to get to api.php and which IPs should this be set to ?
Thanks.
J