Block IP addresses in Apache VHost with proxy

apache-2.2 proxy

I have the vhost as follows:

<VirtualHost *:80>
        ServerName somename.com

        <Proxy *>
                order deny,allow
                Deny from 65.74.5.130
                Allow from all
        </Proxy>

        ProxyPreserveHost On
        ProxyPass / http://0.0.0.0:8890/
        ProxyPassReverse / http://0.0.0.0:8082/
</VirtualHost>

The IPs I put in the Proxy section are not being blocked. Am I not understanding the correct deny/allow order? Or is there some other directive I need to be using?

Best Answer

Your order directive is wrong.

Order indicates how Apache evaluates allow and deny directives. In a deny,allow configuration, you first specify your denied origins, and then the exceptions (allowed origins) to the denied list.

As your banned IP matches both directives, you are introducing it as an exception to the deny rule, allowing it to access freely.

Use order allow,deny with the same deny and allow directives you have to restrict its access:

<VirtualHost *:80>
    ServerName somename.com

    <Proxy *>
            order allow,deny
            Deny from 65.74.5.130
            Allow from all
    </Proxy>

    ProxyPreserveHost On
    ProxyPass / http://0.0.0.0:8890/
    ProxyPassReverse / http://0.0.0.0:8082/
</VirtualHost>

Note: the last parameter in order sets the default action if no match for either deny or allow is found, so having a xxxx from all is not necessary, but most people like to set it explicitly.

This is equivalent:

order allow,deny
Deny from 65.74.5.130
Allow from all
  • 65.74.5.130 matches both allow and deny; applying the order (1st allow, last deny), it will deny access.
  • any other IP would match allow, so it will allow access.

to this:

order deny,allow
Deny from 65.74.5.130
  • 65.74.5.130 matches only deny, so it denies access
  • any other IP would not match any allow or deny, so it will take the default action allow, allowing access.
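
The evaluation rules described in the answer, modelled as a small Python function so the three configurations can be compared side by side. This is an added example, not part of the original answer and not Apache's own code; it handles only `all`, single IPs and CIDR blocks, and the client 203.0.113.7 is a constructed sample address.

```python
import ipaddress

def matches(client, specs):
    """True if the client IP falls in any spec ('all', a single IP, or a CIDR block)."""
    ip = ipaddress.ip_address(client)
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False) for s in specs)

def evaluate(order, allow, deny, client):
    """Return True if access is granted under Apache 2.2 Order semantics (simplified model)."""
    a = matches(client, allow)
    d = matches(client, deny)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        # Deny is checked first, Allow last: an Allow match overrides a Deny match.
        # With no match at all, the default is to allow.
        return a or not d
    if order == "allow,deny":
        # Allow is checked first, Deny last: a Deny match overrides an Allow match.
        # With no match at all, the default is to deny.
        return a and not d
    raise ValueError("unsupported Order value: " + order)

# (order, Allow from ..., Deny from ...) for the three configurations on this page
QUESTION   = ("deny,allow", ["all"], ["65.74.5.130"])   # vhost from the question
ANSWER     = ("allow,deny", ["all"], ["65.74.5.130"])   # corrected vhost
EQUIVALENT = ("deny,allow", [],      ["65.74.5.130"])   # shorter equivalent form

if __name__ == "__main__":
    clients = ["65.74.5.130", "203.0.113.7"]  # banned IP and a constructed sample client
    configs = [("question", QUESTION), ("answer", ANSWER), ("equivalent", EQUIVALENT)]
    for name, cfg in configs:
        for client in clients:
            verdict = "allowed" if evaluate(*cfg, client) else "denied"
            print(f"{name:<10} {client:<13} {verdict}")
```

Before relying on a deny list in production, request a proxied URL from a blocked and a non-blocked address and confirm the 403 in the access log.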