Apache access control

In this post we will learn about access control by host and IP address in Apache 2.4. Apache 2.4 was released with many new features. While working with Apache 2.4, you will certainly notice the new access control format. The method of using allow,deny (or vice versa) is deprecated; it was the old style used before Apache 2.4.

We expect readers to have some experience with the Apache web server, so we jump directly to ACLs in Apache 2.4. We used all the methods given below inside an Apache virtual host.
Later in this post we are going to use a directive called RequireAll. Here is what the Apache 2.4 documentation says about the RequireAll directive:

[Image: Apache 2.4 RequireAll]

Allow only particular IP Address or Host to access website in Apache 2.4

In this scenario we will allow only particular IP addresses or hosts to access the website. The rest of the world will not be able to access the website hosted on Apache 2.4.

Note: Replace the path in the Directory directive with your server’s web data path.

<Directory "/var/www/html/website">
Options All
AllowOverride All
Require all denied
## "Require ip" is used here for IP Address/CIDR/Network
Require ip 192.168.56.4 10.10.1.1

## "Require host" is used here for hostname/FQDN
Require host www.example.com server01
</Directory>

As per your requirement, you can set the ACL on IP address, on host, or on both.

Alternatively, for this same scenario you can also write the configuration in the format given below. You should notice the written in below given example.

<Directory "/var/www/html/website">
Options All
AllowOverride All

## "Require ip" is used here for IP Address/CIDR/Network
Require ip 192.168.56.4 10.10.1.1

## "Require host" is used here for hostname/FQDN
Require host www.example.com server01
</Directory>

Deny only particular IP Address or Host to access website in Apache 2.4

In this section, we will deny a particular IP address/host access to the website. As in the section above, you can set the ACL on IP address, on host, or on both, according to your requirement. Check the directive section where we have applied the ACL.

Note: Replace the path in the Directory directive with your server’s web data path.

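<Directory "/var/www/html/website">
Options All
AllowOverride All

## Negated "Require not" lines must sit inside <RequireAll>;
## httpd refuses to load them directly under <Directory>.
<RequireAll>
Require all granted
## "Require not ip" is used here for IP Address/CIDR/Network
Require not ip 192.168.56.4 10.10.1.1

## "Require not host" is used here for hostname/FQDN
Require not host www.example.com server01
</RequireAll>
</Directory>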
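
How the allow and deny blocks above are evaluated, as an added example that is not part of the original post or of Apache itself: a simplified Python model of the combining rules documented for Apache 2.4 authorization, covering only `Require ip`, `Require all granted`/`Require all denied`, `Require not` and the RequireAny/RequireAll containers (`Require host` is left out because it needs DNS). It shows that bare Require lines act as an implicit RequireAny, and why the deny block needs both a RequireAll container and `Require all granted`. All function and variable names are made up for the example.

```python
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"
SECTIONS = ("RequireAny", "RequireAll")

def check(node, parent="RequireAny"):
    """Reject what httpd refuses to load: a negated Require under RequireAny,
    or a RequireAll that holds only negated directives."""
    kind, body = node
    if kind in SECTIONS:
        if kind == "RequireAll" and all(k.startswith("not ") for k, _ in body):
            raise ValueError("RequireAll contains only negative directives")
        for child in body:
            check(child, kind)
    elif kind.startswith("not ") and parent == "RequireAny":
        raise ValueError("negative Require has no effect in RequireAny")

def evaluate(node, client_ip):
    kind, body = node
    if kind in SECTIONS:
        results = [evaluate(child, client_ip) for child in body]
        if kind == "RequireAny" and GRANTED in results:
            return GRANTED
        if kind == "RequireAll" and GRANTED in results and DENIED not in results:
            return GRANTED
        return NEUTRAL if set(results) <= {NEUTRAL} else DENIED
    if kind.startswith("not "):
        # A negated match fails; a negated non-match is neutral, never a grant.
        return DENIED if evaluate((kind[4:], body), client_ip) == GRANTED else NEUTRAL
    if kind == "all granted":
        return GRANTED
    if kind == "all denied":
        return DENIED
    addr = ipaddress.ip_address(client_ip)  # kind == "ip": addresses or CIDR blocks
    hit = any(addr in ipaddress.ip_network(n, strict=False) for n in body)
    return GRANTED if hit else DENIED

def allowed(directives, client_ip):
    """Bare Require lines form an implicit RequireAny; a final result that is
    not 'granted' means 403 Forbidden."""
    root = ("RequireAny", directives)
    check(root)
    return evaluate(root, client_ip) == GRANTED

# Constructed models of the blocks on this page (Require host lines left out).
IPS = ["192.168.56.4", "10.10.1.1"]
ALLOW_LIST = [("all denied", None), ("ip", IPS)]
ALLOW_LIST_SHORT = [("ip", IPS)]
DENY_LIST = [("RequireAll", [("all granted", None), ("not ip", IPS)])]
DENY_LIST_BARE = [("all granted", None), ("not ip", IPS)]  # httpd rejects this
```

`ALLOW_LIST` and `ALLOW_LIST_SHORT` give the same answer for every client, and `allowed(DENY_LIST_BARE, ...)` raises `ValueError` in the same situation where httpd reports a configuration error.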

Deny All to access website running on Apache 2.4

In this section, we will define Require all denied directly inside the Directory directive. This configuration denies everyone access to the website.

Note: Replace the path in the Directory directive with your server’s web data path.

<Directory "/var/www/html/website">
Options All
AllowOverride All
## "Require all denied" will deny all to access the website.
Require all denied
</Directory>

Allow All to access website running on Apache 2.4

In this section, we will define Require all granted directly inside the Directory directive. The configuration given below allows everyone to access the website.

Note: Replace the path in the Directory directive with your server’s web data path.

<Directory "/var/www/html/website">
Options All
AllowOverride All
## "Require all granted" will allow all to access the website.
Require all granted
</Directory>

Restart apache service

After making changes to the Apache config file, do not forget to restart the Apache service.

### In Ubuntu/Debian
sudo service apache2 restart

### In CentOS 7/RHEL 7
systemctl restart httpd

### In CentOS/RHEL 5.x, 6.x
service httpd restart

Apache Forbidden Error Message

When an IP address/host is denied in Apache 2.4, the user gets the “Forbidden” message. Given below is the image reference.

[Image: Apache 2.4 Forbidden]

So whenever you deny any IP address/host/all in Apache, end users are expected to see the “Forbidden” page.

One Comment

  1. According to https://httpd.apache.org/docs/2.4/upgrading.html I see they have …
    “In the following example, all hosts in the example.org domain are allowed access; all other hosts are denied access.”
    and it shows just “Require host example.org”

    So I believe it is redundant and unnecessary for you to have “Require all denied” in your example before “Require ip 192.168.56.4 10.10.1.1” (this is under subheading “Allow only particular IP Address or Host to access website in Apache 2.4”).

    But I also have a question. Can you allow only 4 IP addresses access by doing this…?
    Require ip 123.123.123.121
    Require ip 123.123.123.122
    Require ip 123.123.123.123
    Require ip 123.123.123.124
