52

I have several named virtual hosts on the same Apache server. For one of the virtual hosts, I need to ensure that only a specific set of IP addresses is allowed access.

Please suggest the best way to do this. I have looked at the mod_authz_host module, but it does not look like I can do it inside a virtual host.

frameworksnow

4 Answers

60

For Apache 2.4, you would use the Require ip directive. So, to only allow machines from the 192.168.0.0/24 network (range 192.168.0.0 - 192.168.0.255):

<VirtualHost *:80>
    <Location />
      Require ip 192.168.0.0/24
    </Location>
    ...
</VirtualHost>

And if you just want the localhost machine to have access, then there's a special Require local directive.

The local provider allows access to the server if any of the following conditions is true:

  • the client address matches 127.0.0.0/8
  • the client address is ::1
  • both the client and the server address of the connection are the same

This allows a convenient way to match connections that originate from the local host:

<VirtualHost *:80>
    <Location />
      Require local
    </Location>
    ...
</VirtualHost>
Community
Jeff Puckett
  • Require local should be the answer, as it enables you to get your machine at all three of the following hosts: `localhost`, `127.0.0.1`, and `ServerAlias` set in your vhost (plus ipv6 if enabled). – halpdoge Dec 20 '18 at 08:45
  • 3
    @pydoge thanks! yeah it is really useful for only **one** specific IP address (localhost), but the OP technically is asking for "a specific *set of IP addresses*". And you're right, a lot of people (myself included), found this page while searching for how to restrict it to just localhost - like you point out – Jeff Puckett Dec 20 '18 at 15:57
  • Doesn't work! Running in a docker container may be the problem. I plan to use a reverse proxy and need to block off direct access, and I just cannot get this to work. – AlastairG Jan 14 '21 at 11:40
  • @JeffPuckett - I want to allow 70 IPs. Is there a way to define all 70+ IPs in the "Require ip" attribute? – Mario R Sep 12 '22 at 14:34
59

The mod_authz_host directives need to be inside a <Location> or <Directory> block but I've used the former within <VirtualHost> like so for Apache 2.2:

<VirtualHost *:8080>
    <Location />
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>

    ...
</VirtualHost>

Reference: https://askubuntu.com/questions/262981/how-to-install-mod-authz-host-in-apache

Neil C. Obremski
9

If you are using Apache 2.2, inside your virtual host you should add the following directives (mod_authz_host):

Order deny,allow
Deny from all
Allow from 10.0.0.1

You can even specify a subnet

Allow from 10.0.0

Apache 2.4 looks a little different in its configuration. It may be better to specify which version of Apache you are using.

giuliox
  • Thank you for the information. I was able to configure this by adding the directives inside location tags within virtual hosts. – frameworksnow Nov 08 '13 at 04:14
  • @frameworksnow well, if my answer is useful and you don't think this is the right answer, at least vote up ;) – giuliox Nov 08 '13 at 16:22
  • I tried but I don't have the privilege to vote it up as per SO. I hope I get more reputation in SO soon and will come back and vote up. Thank you again for providing the input. – frameworksnow Nov 09 '13 at 02:53
  • The subnet can also be specified as `Allow from 192.168.1.0/24`, which is way more idiomatic and flexible, IMO. – MayeulC Sep 17 '17 at 22:57
8

In Apache 2.4, the authorization configuration syntax has changed, and the Order, Deny or Allow directives should no longer be used.

The new way to do this would be:

<VirtualHost *:8080>
    <Location />
        Require ip 192.168.1.0
    </Location>
    ...
</VirtualHost>

Further examples using the new syntax can be found in the Apache documentation: Upgrading to 2.4 from 2.2

vegarasmul
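An added example, not part of any answer above and not the Apache project's own configuration: an Apache 2.4 virtual host that allows a set of addresses, next to a commented-out variant in which a leftover `Require all granted` cancels the restriction. The ServerName, DocumentRoot, the included file path and every address (documentation ranges) are constructed placeholders.

```apache
# Constructed example for Apache 2.4 (mod_authz_core + mod_authz_host).
# ServerName, DocumentRoot and all addresses are placeholders.
<VirtualHost *:80>
    ServerName internal.example.com
    DocumentRoot "/var/www/internal"

    # INEFFECTIVE (kept commented out): several Require lines in one
    # section are combined as an implicit <RequireAny>, so a leftover
    # "Require all granted" admits every client despite the ip line.
    #<Location />
    #    Require all granted
    #    Require ip 192.0.2.0/24
    #</Location>

    # RESTRICTED: only the listed clients are authorized; any other
    # client receives 403 Forbidden.
    <Location />
        # Several addresses or ranges may share one line ...
        Require ip 192.0.2.10 192.0.2.11 198.51.100.0/24
        # ... or be split across lines; each line adds another allowed set.
        Require ip 203.0.113.0/255.255.255.0
        Require ip 2001:db8:1::/48
        # The server itself (127.0.0.0/8, ::1, or same client/server address).
        Require local
        # A long list can live in its own file (hypothetical path) that
        # holds nothing but "Require ip ..." lines.
        #Include conf/allowlist-internal.conf
    </Location>
</VirtualHost>
```

Run `apachectl configtest` before reloading, then request the site from an address outside the list and confirm the 403 response.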