Apache: Restrict access by IP address
Crude way to stop an attack in case of an emergency.
Keep in mind that this is a static configuration, which is not very effective against adversarial attacks when an attacker constantly changes their tactics.
This guide does not cover managing
Locating config files
Before applying the changes we need to find the location of the config files. The location can vary depending on the way Apache was installed. To look for the configuration we can run the following command:
apachectl -S    # or apache2ctl -S
and look for
# apachectl -S
VirtualHost configuration:
ServerRoot: "/usr/local/apache2"
...
Alternatively we can run the following command and look for the location of the
which httpd ; which apache ; which apache2
The usual places where the configuration is stored are:
/etc/apache2/
/etc/httpd/
/etc/httpd/conf
/usr/local/apache2
/opt/apache2                                               # usually if installed from source
C:\Program Files\Apache Software Foundation\Apache2.4\     # Windows
/usr/local/etc/httpd/                                      # Mac OS
The virtual host configuration can be found in the conf folder under
Restricting a single IP
The module that supports the following directives is
These are examples of the configuration at the directory level:
<Directory "/opt/www/dir">
    ...
    <RequireAll>
        Require all granted
        Require not ip 22.214.171.124
    </RequireAll>
</Directory>
On the virtual host level:
<VirtualHost *:80>
    ...
    <Location "/">
        <RequireAll>
            Require all granted
            Require not ip 126.96.36.199
        </RequireAll>
    </Location>
</VirtualHost>
On the endpoint level:
<VirtualHost *:80>
    ...
    <Location "/login">    # notice the endpoint here
        <RequireAll>
            Require all granted
            Require not ip 188.8.131.52
        </RequireAll>
    </Location>
</VirtualHost>
Managing a denylist
To store the denylist in a file we can use
<RequireAll>
    Require all granted
    Include /etc/apache2/denylist.conf
</RequireAll>
denylist.conf contains one directive per line:
# cat denylist.conf
Require not ip 184.108.40.206
Require not ip 220.127.116.11
Restrict multiple IPs
The directive supports providing multiple IPs along with CIDR ranges and partial IPs.
# single IP
Require not ip 18.104.22.168
# multiple IPs
Require not ip 22.214.171.124 126.96.36.199 188.8.131.52
# partial IP
Require not ip 192.168
# CIDR range
Require not ip 184.108.40.206/24
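Since a typo in denylist.conf breaks the whole Include and an over-broad partial address or CIDR can lock out legitimate clients, it helps to check the file before reloading. The following added example (not part of the original article) parses the "Require not ip" forms shown above and in the denylist section, normalises each one to a network exactly as Apache interprets it (a partial address such as 192.168 becomes 192.168.0.0/16), and answers "would this client be denied?" offline; the sample denylist is constructed from the addresses used in the article.

```python
import ipaddress

def parse_rule(rule: str):
    """Turn one 'Require not ip' argument into an ip_network object.
    Accepts a full address, a CIDR or netmask range, or a partial IPv4
    address of 1-3 octets (Apache treats 192.168 as 192.168.0.0/16)."""
    if "/" in rule:                                   # CIDR or netmask form
        return ipaddress.ip_network(rule, strict=False)
    if ":" not in rule and rule.count(".") < 3:       # partial IPv4
        octets = rule.split(".")
        if not all(o.isdigit() and int(o) <= 255 for o in octets):
            raise ValueError(f"bad partial address {rule!r}")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    return ipaddress.ip_network(rule)                 # single host (/32, /128)

def parse_denylist(text: str):
    """Parse denylist.conf into a list of networks. Only 'Require not ip'
    lines and full-line comments are accepted, so a typo is caught early."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[:3] != ["Require", "not", "ip"]:
            raise ValueError(f"line {lineno}: unsupported directive {line!r}")
        for arg in parts[3:]:
            try:
                nets.append(parse_rule(arg))
            except ValueError as exc:
                raise ValueError(f"line {lineno}: {exc}") from None
    return nets

def is_denied(client_ip: str, nets) -> bool:
    """True if the client address falls inside any denied network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)

SAMPLE_DENYLIST = """\
# constructed sample denylist.conf using the article's addresses
Require not ip 18.104.22.168
Require not ip 22.214.171.124 126.96.36.199 188.8.131.52
Require not ip 192.168
Require not ip 184.108.40.206/24
"""

if __name__ == "__main__":
    nets = parse_denylist(SAMPLE_DENYLIST)
    for ip in ("184.108.40.9", "192.168.1.50", "192.16.1.1", "2001:db8::1"):
        print(ip, "denied" if is_denied(ip, nets) else "allowed")
```

Run it against the real file before apachectl configtest to see which client addresses a proposed change would actually block.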
The default error message is a
# curl localhost:8080
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
There are many different ways to apply and reload the configuration depending on the way Apache was installed. First test the configuration:
apachectl configtest    # or httpd -M    # or apache2 -M
then restart the server gracefully:
apachectl -k graceful
# or /etc/init.d/httpd graceful
# or /sbin/service httpd graceful
# or /etc/init.d/apache2 reload
# or sudo service apache2 reload
# or for Windows
httpd.exe -k restart    # or apache.exe -k restart