Last updated on June 19th, 2024 at 06:25 am
Often website administrators need to restrict access to URL by IP. This is commonly required if your site is under attack from certain IP addresses or address ranges. You may also need to temporarily block access to your site if you want to do some urgent maintenance or troubleshooting. Apache allows you to limit access to URL by single IP, multiple IP addresses and even IP address ranges. In this article, we will look at how to restrict access to URL by IP. You can use these steps to secure URL in Apache.
Apache Restrict Access to URL by IP
Apache server provides Deny directive to block access and Allow directive to allow access. Depending on your requirement, you can place them in Apache configuration file, virtual host file or .htaccess file. They can be used to block or allow access to entire website, specific directories or URLs. Here are the steps to restrict access to URL by IP.
1. Open Apache Configuration File
Apache configuration file is located at one of the following locations, depending on your Linux distribution.
/etc/apache2/httpd.conf
/etc/apache2/apache2.conf
/etc/httpd/httpd.conf
/etc/httpd/conf/httpd.conf
Open terminal and run the following command to open Apache configuration page.
$ sudo vi /etc/httpd/conf/httpd.conf
If you make changes in Apache server configuration file, it will be applicable for all websites/domains that you run on your Apache web server.
Apache Restrict Access by IP in Virtual Host
If you are running multiple websites on Apache server, using virtual host, then open the virtual host configuration file of the website (e.g www.website.com) for which you want to deny access to IP. Let’s say your virtual host configuration file is located at /etc/apache2/sites-enabled/website.conf
$ sudo vi /etc/apache2/sites-enabled/website.conf
Apache Restrict Access by IP in .htaccess
If you do not have access to Apache main configuration file or virtual host file, then you will need to open .htaccess file. Open terminal and run the following command to open it. Change file path as per your requirement.
$ sudo vi /var/www/html/.htaccess
2. Restrict Access by IP
Apache provides Deny directive to block one or more IP addresses. Let us assume you want to limit access to /product.html URL by IP 45.34.21.10. Once you have opened the appropriate configuration file, look for <Location> tag for the above URL.
Please note, if you are using .htaccess file, you can directly place the following Deny directive in a .htaccess file in the folder. Location blocks do not work in .htaccess file.
Add the following line in Location tag or .htaccess file.
Deny 45.34.21.10
Restrict Access to URL
Look for the location tag pertaining to the specific URL or create a new one and add the Deny directive in it. Your Location tag will look something like the following.
<Location /product.html> ... Deny 45.34.21.10 ... </Location>
Restrict Access to Folder
If you want to block IP from accessing a specific directory such as /admin, then add the above Deny directive in location block of /admin subfolder. This is similar to blocking access to a single URL. In this case, access to all URLs in folder is restricted.
<Location /admin> ... Deny 45.34.21.10 ... </Location>
Apache Limit Access by multiple IP
If you want to limit access to multiple IPs, add separate Deny directives for each IP. In the following example, we limit access to IPs 45.34.21.10 and 65.34.23.12
<Location /product.html > ... Deny 45.34.21.10 Deny 65.34.23.12 ... </Location>
Restrict Access to IP Range
If you want to restrict access by IP range such as 45.54.20.0-45.54.20.255 then you can do it by using CIDR notation of this IP range. Here’s the configuration to restrict access from above IP range.
<Location /product.html > ... Deny 45.54.20.0/24 ... </Location>
Allow Access from Single IP address
On the other hand, sometimes you may want to restrict access from all IP addresses, except one or more trusted ones. This is required if you want to temporarily disable access to your site to fix some issue. In this case, add the following Deny and Allow directives.
<Location /product.html >
...
Deny from all
Allow 45.34.21.10
Allow 65.34.23.12
...
</Location>
3. Restart Apache web server
Restart Apache web server to apply changes.
# service httpd restart OR # systemctl restart httpd OR # sudo service apache2 restart
Now when a user tries to access your URL or directory from blocked IP address, they will get a “403: Access Forbidden” response.
Conclusion
In this article, we have learnt how to restrict access from one or more IP addresses to a single URL as well as folder. It is very useful if your site is being attacked by malicious bots and attackers. It is also required if you want to quickly restrict site access to do some troubleshooting or maintenance. We have numerous use cases, commonly required by system administrators. As you can see, Apache is very flexible and versatile when it comes to access control.
The key is to add Deny directive to Apache config file, or virtual host file or .htaccess file, whichever you can access. It is important to place the right Deny directive in the appropriate Location block. If you place the Deny directive in wrong Location block, then the wrong URLs will be blocked. Also if you do not specify the right IP address or range after Deny directive, then it will restrict access from wrong IPs.
Ubiq makes it easy to visualize data in minutes, and monitor in real-time dashboards. Try it today!
Also read
How to Enable HTTP2 in Apache
How to Enable Apache Server Status Dashboard
How to Disable HTTP Options Methods in Apache
Sreeram Sreenivasan is the Founder of Ubiq. He has helped many Fortune 500 companies in the areas of BI & software development.