Apache web server is used by millions of websites and blogs, so it is a common target of attacks. System administrators often need to restrict access by IP in Apache, but the sheer number of options available for this purpose can be confusing. In this article, we will learn how to allow or deny requests from one or more IP addresses to an Apache server.
Why Restrict Access By IP
There are several reasons why you may need to restrict access in Apache server:
- Security – These days, many sites and applications fall prey to DDoS (Distributed Denial of Service) and brute-force attacks, which overwhelm the web server and bring down a site. There are also well-known malicious bots that attack vulnerable sites. In such cases, you have to block the IPs that cause these problems.
- Access Control – You may need to restrict your site or its content in certain geographic locations (e.g., countries, states, etc.). You may need to restrict certain sites within an organization, such as a corporate office or a school. You may also need to prevent automated bots from scraping data off your site. In all these cases, you need to restrict access by IP.
- Behavioral Control – Sometimes you may need to ban requests from certain IP addresses, if they violate your site’s terms and conditions. You may also need to block them if they are sending too many requests unnecessarily.
How to Restrict Access by IP in Apache Server
There are mainly two ways to control access in Apache server. Older Apache versions (<2.4) use the Allow statement to allow access from one or more IP addresses, and the Deny statement to deny access from one or more IP addresses. In modern Apache versions (2.4+), the Require and ‘Require not’ statements are preferred over the older Allow and Deny statements respectively.
These statements can be used within Directory, Files or Location blocks in the Apache configuration file, or in an .htaccess file.
Let us look at both the methods to restrict IP access in Apache – via configuration file as well as using .htaccess file.
1. Using Apache Configuration File
Open Apache configuration file in a text editor.
sudo vi /etc/apache2/apache2.conf
OR
sudo vi /etc/httpd/conf/httpd.conf
Add the following statements in Directory, Files or Location blocks to allow/block access, as per your requirement.
Here is an example to allow access from only one IP address to root directory of your site /var/www/html
<Directory "/var/www/html">
Require ip 12.34.56.78
</Directory>
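Here is the equivalent for older Apache versions (<2.4), using the Order, Deny and Allow statements.
<Directory "/var/www/html">
Order deny,allow
Deny from all
Allow from 12.34.56.78
</Directory>
Here is an example that allows only one IP address to access all URLs under /product.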
<Location "/product">
Require ip 12.34.56.78
</Location>
If you need to provide access from multiple IP addresses, mention separate Require statements for each IP address.
<Directory "/var/www/html">
Require ip 12.34.56.78
Require ip 23.34.45.56
</Directory>
If you need to allow access from a group of IP addresses, then you can also use a CIDR subnet mask to specify the range. Here is an example to allow access from 10.0.0.1 to 10.0.255.255.
<Directory "/var/www/html">
Require ip 10.0.0.0/16
</Directory>
Sometimes you may need to allow access from all IPs except one or more IP addresses. In such cases, use a ‘Require all granted’ statement to give access to all, followed by ‘Require not’ statements for the IP addresses you want to block. A negated Require cannot stand on its own at the top level of a block (Apache reports a configuration error), so wrap the statements in a RequireAll block. Here is an example to allow access from all IP addresses but block IPs 12.23.34.45 and 20.0.0.0-20.0.255.255.
<Directory "/var/www/html">
<RequireAll>
Require all granted
Require not ip 12.23.34.45
Require not ip 20.0.0.0/16
</RequireAll>
</Directory>
When you add the above statements to a Directory block, they apply to all subdirectories and files present in it. If you add them to a Files block, they apply only to the named file. If you use them in a Location block, they apply to all URLs served by that block.
2. Using .htaccess file
If you do not have access to Apache configuration file, or do not want to modify it, then you can add the above statements to .htaccess file also.
Here is an example to allow only specific IP address.
Require all denied
Require ip 12.23.34.45
On the other hand, here is an example to block only a specific IP address. The statements go inside a RequireAll block, because a negated Require cannot be used on its own at the top level.
<RequireAll>
Require all granted
Require not ip 12.23.34.45
</RequireAll>
Please note, if you add this code to an .htaccess file, it will be applied to all files and subdirectories in that directory. Since a website may have multiple .htaccess files, you may place these statements in whichever directories need them.
Points to Remember
- Correct IP Address Group – While restricting multiple IP addresses using IP subnets, it is important to ensure that you use the proper subnet mask. Otherwise, it will end up blocking a large number of permitted IP addresses.
- Order of Directives – In older Apache servers (<2.4), the order of directives (Allow, Deny, etc.) matters. Apache will parse these directives sequentially one after the other. If you do not follow the correct order, then IP address blocked by one directive may be unblocked by a subsequent directive, and vice versa.
- Security – It is important to remember that IP address may be spoofed. Also, a single IP address may be used by multiple users. So you need to be very careful when you select IP addresses to be blocked.
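To act on the "Correct IP Address Group" point before a change goes live, the following added example (not part of the original article) lists the real address range behind every Require ip / Require not ip entry and flags masks that deserve a second look. The sample configuration is constructed, and the function name and the /16 review threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample config (not from a real server): one single address,
# one clean /16, one /16 written with host bits set, and one very wide mask.
SAMPLE_CONF = """\
<Directory "/var/www/html">
    Require ip 12.34.56.78
    Require ip 10.0.0.0/16
    Require not ip 20.0.255.255/16
    Require not ip 20.0.0.0/6
</Directory>
"""

REQUIRE_IP = re.compile(r"^\s*Require\s+(not\s+)?ip\s+(.+?)\s*$", re.IGNORECASE)


def audit_require_ip(conf_text, min_prefix=16):
    """List every address/CIDR in 'Require [not] ip' lines with its real range.

    min_prefix is an assumed review threshold for IPv4: anything wider is flagged.
    """
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        match = REQUIRE_IP.match(line)
        if not match:
            continue
        for spec in match.group(2).split():
            entry = {"line": lineno, "negated": bool(match.group(1)), "spec": spec,
                     "first": None, "last": None, "count": None, "warnings": []}
            try:
                net = ipaddress.ip_network(spec, strict=False)
            except ValueError:
                # Partial addresses such as "10.1" are valid for Apache but not parsed here.
                entry["warnings"].append("not a full address or CIDR; check by hand")
            else:
                entry.update(first=str(net[0]), last=str(net[-1]), count=net.num_addresses)
                if ipaddress.ip_address(spec.split("/")[0]) != net.network_address:
                    entry["warnings"].append("host bits set; effective network is %s" % net)
                if net.version == 4 and net.prefixlen < min_prefix:
                    entry["warnings"].append("mask wider than /%d" % min_prefix)
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in audit_require_ip(SAMPLE_CONF):
        action = "block" if f["negated"] else "allow"
        print(f["line"], action, f["spec"], f["first"], f["last"], f["count"], f["warnings"])
```
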
Conclusion
In this article, we have learnt how to restrict access by IP in Apache. We have covered many common use cases to help you understand when to use which solution. If you find that your website is under attack or being overwhelmed by one or more IPs, then restricting access by IP is your first line of defense. Once you have identified and blocked the malicious IPs, then you can work on fortifying your server as well as application. Depending on your requirement, you can use any of the above steps to control access to Apache server.

Sreeram Sreenivasan is the Founder of Ubiq. He has helped many Fortune 500 companies in the areas of BI & software development.