
Block IP addresses on Apache HTTP Server 2.4

With the Apache HTTP Server 2.4, clients can be blocked based on an IP address, an IP subnet, a domain or a top-level domain.

Even entire country IP blocks can be used by copy-pasting from services such as this.

Here is an example that grants access to all clients except the blacklisted addresses:

<Directory /var/www/>
  <RequireAll>
    Require all granted
    Require not ip 1.2.3.4
    Require not ip 1.2.3.0/24
    Require not ip 1.2.3
    Require not host gov
    Require not host example.com
  </RequireAll>
</Directory>

The Directory tag is needed when directories are configured from within the main /etc/apache2/apache2.conf file. If you are using .htaccess files then only the RequireAll tag is needed.
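
Pasted country lists tend to contain overlapping ranges and the occasional malformed line. The following added example (not part of the original article; the function names and the sample list are constructed for illustration) validates such a list and collapses it into the smallest set of Require not ip lines, treating partial addresses such as 1.2.3 the way Apache does.

```python
import ipaddress

# Constructed sample: the article's addresses, documentation ranges, and two bad lines.
SAMPLE = ["1.2.3.4", "1.2.3.0/24", "1.2.3", "198.51.100.0/25", "198.51.100.128/25",
          "203.0.113.7  # single host", "2001:db8::/32", "1.2.3.4/24", "not-an-address"]

def parse_entry(text):
    """Parse a full address, a CIDR block, or a partial IPv4 prefix such as '1.2.3'."""
    parts = text.split(".")
    # Apache reads 1 to 3 leading octets as a subnet: "1.2.3" covers 1.2.3.0/24.
    if 1 <= len(parts) <= 3 and all(p.isdigit() for p in parts):
        text = ".".join(parts + ["0"] * (4 - len(parts))) + "/%d" % (8 * len(parts))
    # strict=True rejects blocks with host bits set (e.g. 1.2.3.4/24), a common paste error.
    return ipaddress.ip_network(text, strict=True)

def build_denylist(lines):
    """Return (directives, rejected) for a pasted list of addresses and CIDR blocks."""
    nets, rejected = {4: [], 6: []}, []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # allow comments and blank lines
        if not entry:
            continue
        try:
            net = parse_entry(entry)
            if net.prefixlen == 0:
                raise ValueError("would match every client")
        except ValueError:
            rejected.append(entry)
            continue
        nets[net.version].append(net)
    directives = []
    for version in (4, 6):
        # collapse_addresses merges duplicate, nested and adjacent networks,
        # but only within one IP version, hence the two separate lists.
        for net in ipaddress.collapse_addresses(nets[version]):
            target = net.network_address if net.num_addresses == 1 else net
            directives.append("Require not ip %s" % target)
    return directives, rejected

if __name__ == "__main__":
    rules, bad = build_denylist(SAMPLE)
    print("\n".join(rules))
    for entry in bad:
        print("# rejected, fix by hand:", entry)
```

For the sample, the three 1.2.3.x rules from the configuration above collapse into a single 1.2.3.0/24 line; the generated lines go inside the RequireAll block after Require all granted.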

Block access to reverse proxy virtual hosts

The configuration shown in the previous section only applies to content served by Apache HTTP Server itself.

To block access to servers that are reverse proxied through the Apache HTTP Server, add the RequireAll tag inside a Location definition in the virtual host, typically found under /etc/apache2/sites-available/<sitename>.conf:

<VirtualHost *:443>
  ServerName example.com
  ProxyRequests Off
  ProxyPass / http://localhost:8080/
  ProxyPassReverse / http://localhost:8080/
  <Location />
    <RequireAll>
      Require all granted
      Require not ip 1.2.3.4
      Require not ip 1.2.3.0/24
      Require not ip 1.2.3
      Require not host gov
      Require not host example.com
    </RequireAll>
  </Location>
</VirtualHost>

Assuming the Apache HTTP Server is running as a systemd service, the configuration can be reloaded without restarting the server like this:

$ systemctl reload apache2
