31

My IP changes to a different D class, so I want to set a range:

123.123.123.xxx where the last segment can be 0-255.

Right now, Apache says:

<RequireAny>
   Require ip 127.0.0.1
   Require ip ::1
</RequireAny>
Raptor
user281497

5 Answers

37

Firstly, I'm going to assume you mean Apache 2.4 despite the "apache-2.2" tag since the syntax you've posted is from 2.4.

From the Apache documentation:

ip.address is an IP address, a partial IP address, a network/netmask pair, or a network/nnn CIDR specification.

I assume you mean you wish to allow a /24 since Class D is Multicast addresses, and classful networking died in the 90's. To allow a /24, you can use any of the following:

Require ip 123.123.123
Require ip 123.123.123.0/255.255.255.0
Require ip 123.123.123.0/24

Personally, I find the last to be less ambiguous than the first, and easier to read than the second.

You may find this section of the documentation useful: http://httpd.apache.org/docs/2.4/howto/access.html#host

fukawi2
  • So this won't work on Apache 2.2? phpMyAdmin works on both 2.2 and 2.4 and I just checked to see what this server was running and it's 2.2 – user281497 Apr 14 '15 at 04:29
  • Unless something has been backported to enable it, I've never seen that syntax in 2.2 config files. – fukawi2 Apr 14 '15 at 05:56
  • @fukawi2 - Yes, you are of course correct. For user281497: While `Require` has limited support in Apache 2.2, Apache 2.2 does not support either `Require ip` or `<RequireAny>`. As noted in the [Overview of new features in Apache HTTP Server 2.4](http://httpd.apache.org/docs/2.4/new_features_2_4.html#module), "Advanced authorization logic may now be specified using the `Require` directive and the related container directives, such as `<RequireAll>`." The former are among those improvements added to Apache 2.4. – Colt May 25 '16 at 03:34
18

In Apache 2.2 and below, you could work with:

Order deny,allow
Deny from all
# allow access from home
Allow from 24.18
# allow access from work
Allow from 162.12

in your .htaccess, directly on base level (not within any <directive>).

As of Apache 2.4 and above, here you go:

<RequireAny>
    #IPv4 range at my work
    Require ip 207.100
    #IPv4 range I usually get through my mobile provider
    Require ip 29.11
    #IPv6 from home
    Require ip 2a02:4126:2aa4::/48
</RequireAny>

(all numbers fictional, no worries ;-).

I have been using this for many years now to shield my back end folders against 99% of potential users. (Working very well, unless you are an avid blogger while traveling. If you are a gmail user: “last account activity” Link at the very bottom is a comfy way to figure out your own “IP habits”).

Frank N
  • What's the difference between `Require ip 2a02:4126:2aa4::/48` and `Require ip 2a02:4126:2aa4::`? Both don't produce syntax errors for me, but only the former works. – Geremia Sep 22 '17 at 00:30
  • 4
    Is it because 2a02:4126:2aa4:: = 2a02:4126:2aa4:0000:0000:0000:0000:0000, whereas 2a02:4126:2aa4::/48 matches all addresses that begin with 2a02:4126:2aa4? – Geremia Sep 22 '17 at 02:10
  • I just saw this: Please use Require ip 29.11. (with a trailing dot). Otherwise an address like 29.110.1.1 may gain access as well (the documentation is not clear here). – philipp May 02 '23 at 09:10
2

Apache's Require directive is used during the authorization phase to ensure that a user is allowed or denied access to a resource. mod_authz_host extends the authorization types with ip, host, forward-dns and local. Other authorization types may also be used but may require that additional authorization modules be loaded.

These authorization providers affect which hosts can access an area of the server. Access can be controlled by hostname, IP Address, or IP Address range.

Since v2.4.8, expressions are supported within the host require directives.

Require ip

The ip provider allows access to the server to be controlled based on the IP address of the remote client. When Require ip ip-address is specified, then the request is allowed access if the IP address matches.

A full IP address:

Require ip 10.1.2.3
Require ip 192.168.1.104 192.168.1.205

An IP address of a host allowed access

A partial IP address:

Require ip 10.1
Require ip 10 172.20 192.168.2

The first 1 to 3 bytes of an IP address, for subnet restriction.

A network/netmask pair:

Require ip 10.1.0.0/255.255.0.0

A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.

A network/nnn CIDR specification:

Require ip 10.1.0.0/16

Similar to the previous case, except the netmask consists of nnn high-order 1 bits.

Note that the last three examples above match exactly the same set of hosts.

IPv6 addresses and IPv6 subnets can be specified as shown below:

Require ip 2001:db8::a00:20ff:fea7:ccea
Require ip 2001:db8:1:1::a
Require ip 2001:db8:2:1::/64
Require ip 2001:db8:3::/48

Note: As the IP addresses are parsed on startup, expressions are not evaluated at request time.

Source: https://httpd.apache.org/docs/trunk/mod/mod_authz_host.html

BlueCacti
1

Noting that you have now confirmed using Apache 2.2, Apache 2.2 does not support either Require ip or <RequireAny>. As noted in the Overview of new features in Apache HTTP Server 2.4, "Advanced authorization logic may now be specified using the Require directive and the related container directives, such as <RequireAll>." The former are among those improvements added to Apache 2.4.

To deal with this in Apache 2.2, you will probably need to do something like:

Order allow,deny
Allow from 123.123.123    

which will get the whole range specified.

Colt
1

Note: I am leaving this here as others might benefit from it; it is not a direct answer to the question.

For example:

Require ip 192.168.100.0/22

works, while

Require ip 192.168.100.0/22 #localnetwork

fails!

Restarting httpd outputs:

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

So, it seems that no comments are allowed on that line.

  • 2
    Comments are not allowed anywhere inside a configuration line, see https://httpd.apache.org/docs/2.4/configuring.html : "Lines that begin with the hash character "#" are considered comments, and are ignored. Comments may not be included on the same line as a configuration directive. " – Patrick Mevzek Apr 03 '19 at 19:04
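An offline check for the `Require ip` forms listed in the answers above and for the inline-comment failure in the last answer, added here as an example (it is not code from any poster or from Apache). The names `parse_spec`, `audit`, `allowed` and `SAMPLE` are hypothetical, the config text is constructed from directives quoted on this page, and partial addresses are modelled as whole leading octets, following the documentation's "first 1 to 3 bytes" wording.

```python
import ipaddress

# Constructed sample, assembled from the directives quoted on this page.
SAMPLE = """\
<RequireAny>
    Require ip 127.0.0.1
    Require ip ::1
    Require ip 123.123.123
    Require ip 2a02:4126:2aa4::
    Require ip 192.168.100.0/22 #localnetwork
</RequireAny>
"""

def parse_spec(spec):
    """Map one `Require ip` argument to an ipaddress network (a model, not Apache code)."""
    if ":" in spec or "/" in spec:
        # IPv6, network/netmask or CIDR. A bare IPv6 address becomes a /128.
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"not an IPv4 address or prefix: {spec!r}")
    # Assumption: a partial address covers whole leading octets (1 to 3 bytes).
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def audit(config_text):
    """Return (networks, problems) for every `Require ip` line in config_text."""
    nets, problems = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split()
        if [p.lower() for p in parts[:2]] != ["require", "ip"]:
            continue
        if "#" in raw:
            # Comments may not share a line with a directive.
            problems.append((lineno, "comment on directive line"))
            continue
        for spec in parts[2:]:
            try:
                nets.append(parse_spec(spec))
            except ValueError:
                problems.append((lineno, f"unparseable address {spec!r}"))
    return nets, problems

def allowed(addr, nets):
    """True if addr falls inside any of the parsed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)

if __name__ == "__main__":
    nets, problems = audit(SAMPLE)
    print(nets, problems, allowed("123.123.123.200", nets))
```

In this model the bare `2a02:4126:2aa4::` entry parses as a single /128 host, so other addresses in that /48 are not matched unless the prefix length is written out.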