Apache - Require all denied HTTP status code

Question

I am using Apache 2.4 and I am blocking an access to a specific sub-domain for everyone except one IP address.

.htaccess:

Require all denied
Require ip 111.222.333.444

This returns an "403 Forbidden" status code.

How can I make it return "404 Not Found"?

No-one from outside should know about the existence of this sub-domain. So, from external point of view, I would like to make it "invisible". Thus, everyone who goes to that domain, will receive 404 as if it does not exist.

Is it possible?

Answer 1

You can use a RewriteRule:

RewriteCond %{REMOTE_ADDR} !^111.222.333.444$
RewriteRule ^ - [R=404,L]

However, this doesn't really hide the fact a sub-domain exists. It returns a page not found, which is not the same thing. Presumably your subdomain still has a DNS entry, so it can be looked up.

I would also question the need to do this, 403 exists for a reason and I can't see why not to return it. Whether or not you return a 403 or a 404, the site still exists so I don't know what you're trying to achieve. No method would be enough to deter a determined hacker, and it's probably a safer method to deny an ip at server level rather than trying to obfuscate via http redirects.