Only allow ProxyPass for some IP's

Question

With the following snippet, everyone can access both /foo and /bar

ProxyPass /foo http://example.com/foo
ProxyPassReverse /foo http://example.com/foo 
ProxyPass /bar http://example.com/bar
ProxyPassReverse /bar http://example.com/bar

But what if I want /foo to be accessible for everyone, and /bar only for requests coming from a specific IP, is this possible?

Answer 1

The answer should be as follows. I have included an IP and a subnet in one rule, for those who need to allow a whole subnet rather than a set of single IPs.

<Location /foo>
    Deny from all                       // **This rule is the most IMPORTANT**    
    Allow from 192.168.1.2 10.100       // The second value implies 10.100.0.0/16 subnet
    ProxyPass http://example.com/foo
    ProxyPassReverse http://example.com/foo
</Location>

Answer 2

<Location /bar>
    Allow from 1.2.3.4 2.3.4.5 ...
    ProxyPass http://example.com/bar
    ProxyPassReverse http://example.com/bar
</Location>

Note the first argument to ProxyPass and ProxyPassReverse is implied here to be the target of the location block.

Answer 3

I think you can use a SetEnvIf directive checking the Remote Address (Remote_Addr).

With one IP:

SetEnvIf Remote_Addr "123.123.123.123" TRUST=yes

Checking multiple IPs with regular expression

SetEnvIf Remote_Addr "123\.123\.123\.123|134\.134\.(134\.(134|134)|134\.134)" TRUST=yes

I'm not sure you can do directly this:

ProxyPass /foo http://example.com/foo env=TRUST

But probably you can work with Rewrite Rules and obtain the same result...

For example you can rewrite to a particular page all the IP that are not trusted (env=!TRUST)

Hope it helps.