With the Apache HTTP Server 2.4, clients can be blocked based on an IP address, an IP subnet, a domain or a top-level domain.
Even entire country IP blocks can be used by copy-pasting from services such as this.
Here is an example that grants access to all clients except the blacklisted addresses:
    <Directory /var/www/>
        <RequireAll>
            Require all granted
            Require not ip 22.214.171.124
            Require not ip 126.96.36.199/24
            Require not ip 1.2.3
            Require not host gov
            Require not host example.com
        </RequireAll>
    </Directory>
The Directory tag is needed when directories are configured from within the main /etc/apache2/apache2.conf file. If you are using .htaccess files then only the RequireAll tag is needed.
The configuration shown in the previous section only applies to content served by Apache HTTP Server itself.
To block access to servers that are reverse proxied through the Apache HTTP Server, add the RequireAll tag inside a Location definition in the virtual host, typically found under /etc/apache2/sites-available/<sitename>.conf:
    <VirtualHost *:443>
        ServerName example.com
        ProxyRequests Off
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        <Location />
            <RequireAll>
                Require all granted
                Require not ip 188.8.131.52
                Require not ip 184.108.40.206/24
                Require not ip 1.2.3
                Require not host gov
                Require not host example.com
            </RequireAll>
        </Location>
    </VirtualHost>
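When a long address list is pasted from an external service, as with the country blocks mentioned above, it helps to validate it before it reaches the configuration. The following is an added example, not part of the original page: a small Python script that accepts only lines that parse as IP addresses or networks, merges adjacent ranges, and prints a RequireAll block for use inside the Directory or Location shown above. The function names and the sample list are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of a pasted list (documentation address ranges, not real data).
SAMPLE = """\
# pasted block list
192.0.2.0/25
192.0.2.128/25
198.51.100.7
203.0.113.5/24
2001:db8::/32
Service temporarily unavailable
"""

def parse_blocklist(text):
    """Return (networks, rejected) from text with one entry per line."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            # strict=False accepts entries with host bits set, e.g. 203.0.113.5/24
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)  # anything that is not an address is never emitted
    return nets, rejected

def collapse(nets):
    """Merge overlapping and adjacent networks, IPv4 and IPv6 separately."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def render_require_all(nets):
    """Build the RequireAll block with one 'Require not ip' line per network."""
    lines = ["<RequireAll>", "    Require all granted"]
    for n in collapse(nets):
        target = str(n.network_address) if n.num_addresses == 1 else str(n)
        lines.append(f"    Require not ip {target}")
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    networks, skipped = parse_blocklist(SAMPLE)
    print(render_require_all(networks))
    for entry in skipped:
        print(f"# skipped invalid entry: {entry}")
```

The rejected entries are worth reviewing by hand, since a page of pasted text that fails to parse usually means the list was not downloaded correctly.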
Assuming the Apache HTTP Server is running as a systemd service, the configuration can be reloaded without restarting the server like this:
$ systemctl reload apache2