Last updated on June 12th, 2024 at 05:37 am
Apache is a popular web server that provides many access control features for web administrators. While running a website, you may need to limit access to URLs, files & directories because they contain sensitive information. Apache makes it easy to restrict access using the Deny and Allow server directives. In this article, we will look at how to deny access to a URL, file & directory in Apache web server.
Why Deny Access to URLs & Directory
Almost every website has private URLs, files and directories that contain sensitive information. It is essential to prevent unauthorized access to them to protect your website from being exploited. Sometimes you may need to block access to URLs from specific IPs or IP ranges. On the other hand, sometimes you may want to allow access to URLs from specific IPs or IP ranges. In all these cases, you will need to use access control features provided by Apache server.
Apache Deny Access to URL, Files & Directory
Apache provides the Deny directive to block one or more IP addresses. Similarly, it provides the Allow directive to allow access from one or more IP addresses. Depending on how your website is structured and the kind of access permissions you have, you can add these directives in the Apache main configuration file, virtual host file or .htaccess file. Here are the steps to restrict access to URLs, files & directories in Apache.
1. Open Apache Configuration File
The Apache configuration file is located at one of the following locations, depending on your Linux distribution.
/etc/apache2/httpd.conf
/etc/apache2/apache2.conf
/etc/httpd/httpd.conf
/etc/httpd/conf/httpd.conf
Open a terminal and run the following command to open the Apache configuration file.
$ sudo vi /etc/httpd/conf/httpd.conf
If you make changes in Apache server configuration file, it will be applicable for all websites/domains that you run on your Apache web server.
Apache Restrict Access by IP in Virtual Host
If you are running multiple websites on Apache server using virtual hosts, then open the virtual host configuration file of the website (e.g. www.website.com) for which you want to deny access by IP. Let's say your virtual host configuration file is located at /etc/apache2/sites-enabled/website.conf.
$ sudo vi /etc/apache2/sites-enabled/website.conf
Apache Restrict Access using .htaccess
If you do not have access to Apache’s main configuration file or virtual host file, then you will need to modify the .htaccess file of your website. In this case, it is assumed that mod_rewrite(.htaccess) is already enabled on your website. Open the .htaccess file in text editor.
$ sudo vi /var/www/html/.htaccess
2. Restrict Access by IP
Let us assume you want to limit access to /product.html URL by IP 45.34.21.10. Here is the Deny directive to block access from this IP.
Deny from 45.34.21.10
We will look at several common use cases to apply this directive.
Block Access to URL
Once you have opened the appropriate configuration file, look for <Location> tag for the above URL. Add the following line in it to prevent access from IP 45.34.21.10.
Deny from 45.34.21.10
Your Location tag will look something like the following:
<Location /product.html>
    ...
    Deny from 45.34.21.10
    ...
</Location>
Block Access to Directory
If you want to block an IP from accessing a specific directory such as /admin, then add the above Deny directive to the Location block of the /admin subfolder.
<Location /admin>
    ...
    Deny from 45.34.21.10
    ...
</Location>
Block Access to File
If you want to block an IP from accessing a specific file such as /var/www/html/input.html, then add the above Deny directive in the Directory tag of the input.html file.
<Directory /var/www/html/input.html>
    ...
    Deny from 45.34.21.10
    ...
</Directory>
Please note, use Location block to restrict access to URLs (e.g /index.html, /product ) and directories, and use Directory block to limit access to files (e.g /var/www/html/config.php). These Location and Directory blocks can be placed in Apache server configuration file, or virtual host block. They will not work in .htaccess file. If you are using .htaccess file then you need to simply add the Deny statement directly to .htaccess file and place the .htaccess file in the directory that you want to block.
Restrict Access Using .htaccess
Alternatively, if you are using .htaccess then it is easier to use RedirectMatch directive to block access to URL, Directory and files.
# blocks access to file
RedirectMatch 403 ^/folder/product.html$
# blocks access to only folder
RedirectMatch 403 ^/folder/?$
# blocks access to folder and its contents
RedirectMatch 403 ^/folder/.*$
Apache Limit Access by multiple IPs
If you want to limit access from multiple IPs, add a separate Deny directive for each IP. In the following example, we limit access from IPs 45.34.21.10 and 65.34.23.12.
<Location /product.html>
    ...
    Deny from 45.34.21.10
    Deny from 65.34.23.12
    ...
</Location>
If you want to restrict access by IP range such as 45.54.20.0-45.54.20.255 then you can do it by using CIDR notation of this IP range. Here’s the configuration to restrict access from above IP range.
<Location /product.html>
    ...
    Deny from 45.54.20.0/24
    ...
</Location>
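On Apache 2.4, Deny and Allow are provided by the compatibility module mod_access_compat, and the same restrictions can be written with the Require directive instead. The following is an added example, not part of the original article; it reuses the article's paths and IPs, and the file rule assumes input.html sits directly in /var/www/html.

```apache
# Added example: Apache 2.4 (mod_authz_core / mod_authz_host) equivalents
# of the Deny rules shown in this article. Paths and IPs are the article's.

# Legacy form, for comparison. On Apache 2.4 it is accepted only when
# mod_access_compat is loaded.
#   <Location "/product.html">
#       Deny from 45.34.21.10
#   </Location>

# URL: allow everyone except two single IPs and one /24 range.
<Location "/product.html">
    <RequireAll>
        Require all granted
        Require not ip 45.34.21.10
        Require not ip 65.34.23.12
        Require not ip 45.54.20.0/24
    </RequireAll>
</Location>

# Directory URL: same pattern for /admin.
<Location "/admin">
    <RequireAll>
        Require all granted
        Require not ip 45.34.21.10
    </RequireAll>
</Location>

# File: <Files> inside <Directory> matches the file on disk, so the rule
# applies whichever URL maps to it (assumes input.html is in /var/www/html).
<Directory "/var/www/html">
    <Files "input.html">
        <RequireAll>
            Require all granted
            Require not ip 45.34.21.10
        </RequireAll>
    </Files>
</Directory>

# Check syntax before restarting: apachectl configtest
```

Apache's upgrade documentation discourages mixing the old Order/Allow/Deny directives with Require, so pick one style per configuration.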
3. Restart Apache web server
Restart Apache web server to apply changes.
# service httpd restart
OR
# systemctl restart httpd
OR
# sudo service apache2 restart
Now when a user tries to access your URL, file or directory from a blocked IP address, they will get a “403: Access Forbidden” response.
Conclusion
In this article, we have learnt several simple ways to easily deny access to URL, Directories and Files from one or more IP addresses. The key is to place the Deny directive in the appropriate configuration file. Depending on your requirement, you can place it in Apache’s main configuration file, virtual host file or .htaccess file. If you want to block a URL or directory, you need to place it in Location tag whereas if you want to block a file, then you need to place it in Directory tag. If you want to block access from multiple IP addresses, you can add separate Deny statements, one for each IP address. If you want to restrict access from a range of IP addresses, then it is better to use CIDR notation to cover the IP address range, instead of using individual IP addresses. As you can see, it is quite flexible and versatile.
Sreeram Sreenivasan is the Founder of Ubiq. He has helped many Fortune 500 companies in the areas of BI & software development.