How to block IP in .htaccess on Apache 2.4

Question

I've upgraded Apache 2.4 and would like to block an Ip this could be done by using the following in the .htaccess on Apache 2.2

Order Deny,Allow
Deny from 50.62.136.183

However how can I achieve the same in the .htaccess on Apache 2.4

Answer 1

This is another acceptable syntax for .htaccess file:

<RequireAll>
Require all granted
Require not ip 50.62.136.183
</RequireAll>

This syntax is recommended for 2.4 because the order-deny syntax will not always work, as can be seen here http://httpd.apache.org/docs/2.4/upgrading.html

Answer 2

Apache 2.4 makes some big changes in the way it authorizing users.

Authorization components in Apache 2.4 can now use the Require syntax that was previously only available for authentication. This change simplifies the way to define authorization order. The rule sets previous to 2.4 rather could geth pretty complex. The rules in 2.4 are a more logical, specifying a default and then exceptions.

You are asking as a default for accepting traffic, but wish to block a specific IP, the rule would look something like this:

Require all granted
Require not ip 50.62.136.183

This rule will set a default policy of accepting all IP's except any request coming from the 111.111.111.111 IP address.

Examples of before and after Apache 2.4

Apache 2.2

<files somefile.php>
  order allow,deny
  deny from 50.62.136.183
</files>

Apache 2.4

<Files somefile.php>
Require all granted
Require not ip 50.62.136.183
</Files>

Don't forget to block access to your .htaccess file or a quick google search my render your site vulnerable. I have included the pre 2.4 and post 2.4 configuration.

Apache 2.2

# Prevent .htaccess files from being spidered or viewed via a web browser.
<FilesMatch "^\.ht">
  Order allow,deny
  Deny from all
  satisfy all
</FilesMatch>

Apache 2.4

# Prevent .htaccess files from being spidered or viewed via a web browser.
<Files ".ht*">
  Require all denied
</Files>

Answer 3

The configuration of access control has changed, as you can read in http://httpd.apache.org/docs/2.4/upgrading.html#access so you should use the Require directive:

Require all granted
Require not ip 50.62.136.183

If you add that to your .htaccess file (or a Directory section) it should work as you asked.

Answer 4

To Deny visitors by IP address you can put below entry in .htaccess

Order Deny,Allow
Deny from 198.51.100.5

To block IP Range Example:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^00\.00\.00\.
RewriteRule ^ - [F]

To Redirect unwanted visitor to another url:

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?169.166.0.5.*$ [NC]
RewriteRule .* 198.51.100.6 [L]

Note: given IP address are Example IPs.

Answer 5

I had error 500 on ionos mutualised servers. The PB came from command order,allow,deny which not work anymore. I change for <RequireAll> Require all granted Require not ip 50.62.136.183 </RequireAll> I tried with my own complet IPV6 and it works ... but I can set just beginnin of IPV4 but not IPV6 !? (maybe, IPV6 doesn't work as IPV4 concerning first number determining a country, so no way to do that ...) So, this works <RequireAll> Require all granted Require not ip 50.62 </RequireAll> But this doesn't work : <RequireAll> Require all granted Require not ip 20a6:5bd2 </RequireAll>