12

I have an Apache server that, for the time being, I need to block access to for all but a select group of people. The easiest way to do this, I thought, would be to deny access from all traffic and then allow only the select few IP addresses. From what I have found online, this configuration should do the trick.

This is the entire contents of /etc/apache2/sites-available/000-default.conf:

    <VirtualHost *:80>
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/html

            <Directory /var/www/html>
                    Order allow,deny
                    Deny from all
                    Allow from my.ip.add.res
            </Directory>

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

However, when I test it, I get 403'd from everywhere, including the allowed "my.ip.add.res" IP address.

I've spent quite a lot of time Googling, but from what I can tell, this should work perfectly. Not sure why it isn't. Am I missing something obvious?

BSnapZ
  • 223
  • First of all, are you using Apache 2.4, as indicated in your tag, or are you using Apache 2.2, as indicated by the access control directives in your v-host configuration? – Colt May 12 '16 at 01:20

3 Answers

18

If you are using Apache 2.4, make sure that you LOAD the authz_core module,

DELETE:

    Order allow,deny
    Deny from all
    Allow from my.ip.add.res

and, in place of the deleted directives,

INSERT:

    Require ip xxx.xxx.xxx.xxx

If you are using Apache 2.2, make sure that you LOAD the authz_host module,

DELETE:

    Order allow,deny
    Deny from all
    Allow from my.ip.add.res

and, in place of the deleted directives,

INSERT:

    Order Deny,Allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx

Colt
  • 2,067
  • Ah, that's it. I had no idea that the directives had changed from 2.2 to 2.4 (and I didn't do the initial install of this machine). Thanks heaps! – BSnapZ May 12 '16 at 01:56
  • I have Apache 2.4.7 and I tried using the first way you showed, but I get "You don't have permission to access / on this server." I got my IP address from this website: https://whatismyipaddress.com/ <Directory /var/www/stage/> Require ip 77.138.205.207 </Directory> Why can't I access it? – Offir Oct 18 '18 at 09:26
  • @OffirPe'er you need to ask your own separate question after reading the Help Section on asking questions. You can link to this answer if it helps ask your new question, but you need to (1) have your own question so that the whole community sees and helps with it, and (2) include your own particular details in that question. – Colt Oct 18 '18 at 11:32
  • @Colt Apache 2.4.8 - How to put multiple IPs? Require ip 1.2.3.4 works but Require ip 1.2.3.4 5.6.7.8 errors in apache restart. – Rahatur Oct 14 '20 at 19:47
  • @Rahatur Although the syntax you show is correct per Apache documentation, you can try stacking them up, e.g. Require ip 1.2.3.4 on one line and Require ip 5.6.7.8 on the next line. I have the latter working just fine on a server right now. If neither works, I suspect some other issue and you should ask a new question. – Colt Oct 15 '20 at 10:28
  • @Colt I have tried that but it did not work. Here is the question if you find a solution: https://serverfault.com/questions/1038805/apache-2-4-33-multiple-ip-restriction-throwing-error-but-single-ip-restriction-w – Rahatur Oct 15 '20 at 10:34
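
Why the question's Order allow,deny block returns 403 for every client, while both replacements in the answer above admit the listed address: the following is an added example, not part of the thread, modelling the documented evaluation order in Python. The sample addresses are constructed, and the model assumes each entry is only "all", a full address, or a CIDR range (hostnames and partial addresses are not handled).

```python
import ipaddress

# Constructed sample addresses from documentation ranges (not from the thread).
ADMIN, OUTSIDER = "203.0.113.10", "198.51.100.7"

def _in_ranges(specs, client):
    """True if client falls inside any listed address or CIDR range."""
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(s, strict=False) for s in specs)

def _legacy_match(specs, client):
    """Allow/Deny 'from' matching, simplified to 'all', addresses and CIDR."""
    if any(s.lower() == "all" for s in specs):
        return True
    return _in_ranges(specs, client)

def legacy_access(order, allow, deny, client):
    """Model of the 2.2-style Order/Allow/Deny decision; True means allowed."""
    allowed = _legacy_match(allow, client)
    denied = _legacy_match(deny, client)
    key = order.replace(" ", "").lower()
    if key == "allow,deny":
        # Allow is evaluated first and Deny last: any Deny match rejects the
        # request, and a request matching neither list is denied.
        return allowed and not denied
    if key == "deny,allow":
        # Deny is evaluated first and Allow last: an Allow match overrides a
        # Deny match, and a request matching neither list is allowed.
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order!r}")

def require_ip(specs, client):
    """Model of 2.4 'Require ip a b ...': granted if any entry matches."""
    return _in_ranges(specs, client)

if __name__ == "__main__":
    configs = [
        ("question, Order allow,deny", lambda ip: legacy_access("allow,deny", [ADMIN], ["all"], ip)),
        ("answer,   Order Deny,Allow", lambda ip: legacy_access("Deny,Allow", [ADMIN], ["all"], ip)),
        ("answer,   Require ip", lambda ip: require_ip([ADMIN], ip)),
    ]
    for label, decide in configs:
        for ip in (ADMIN, OUTSIDER):
            print(f"{label:28} {ip:14} {'allowed' if decide(ip) else 'denied (403)'}")
```

With Order allow,deny the trailing "Deny from all" matches every client, so the Allow line can never take effect; that holds wherever the old directives are honoured, independent of the 2.2 to 2.4 change.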
2

Colt's answer is the right one. I thought I'd share a functioning example from Apache 2.4, virtualhost.conf

Here's a directive that blocks access to /admin URL (not directory) to internal IPs on my network only.

    <Location /admin>
        Require ip 192.168.1.0/24
    </Location>

Dr Phil
  • 121
0

I wanted to access PHPMyAdmin with a specific IP address. I tried the below and it didn't work:

    Order Deny,Allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx

I tried the below and it worked for me. First, check that the Apache module mod_access_compat is present, then add the below in the virtual host.

    Alias /phpmyadmin /var/www/phpmyadmin
    <Directory /var/www/phpmyadmin>
     Require ip xx.xxxx.xx.xx xx.xx.xx.xx
    </Directory>