IP blocking with .htaccess in Apache 2.4 – Not Working

Tags: .htaccess, apache-2.4, block, configuration

I want to block specific IP addresses but allow all others. I'm still struggling with this.

First I modified the apache2.conf file to look like this:

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

I changed AllowOverride from None to All.

Then I added the following to .htaccess, according to the Apache2 documentation below:

The Allow, Deny, and Order directives, provided by mod_access_compat,
are deprecated and will go away in a future version. You should avoid
using them, and avoid outdated tutorials recommending their use.

So, a more future-proof answer would be:

<RequireAll>
    Require all granted
    Require not ip XXX.XXX.XXX.XXX
</RequireAll>

where XXX.XXX.XXX.XXX is my IP.

In the access.log I see this:

10.10.10.5 (XXX.XXX.XXX.XXX) - - [27/Nov/2018:17:11:46 +0000]

Where 10.10.10.5 is the HA proxy.

It's still not working. Any ideas on what I should do next?

Best Answer

"Where 10.10.10.5 is the HA proxy"

Is your Apache behind a reverse proxy?

Because usually that will result in Apache seeing only the ip-address of the reverse proxy server as the client ip-address (and not the actual ip-address of the client) which makes common ip-address restrictions impossible.

HAProxy can be configured to forward the actual client ip-address (see https://www.haproxy.com/blog/haproxy/proxy-protocol/), and Apache will need to be reconfigured to make use of that client ip-address with https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html. Then you can expect to see client ip-address filtering work as expected in Apache httpd.
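
Added example, not part of the original answer: a server-level Apache configuration sketch for the mod_remoteip setup the answer points to, using the proxy address 10.10.10.5 from the question. The log format nickname, the log file name and the choice between the two HAProxy modes are assumptions about the asker's setup.

```apache
# Goes in apache2.conf or a <VirtualHost>; the RemoteIP* directives are
# not permitted in .htaccess. mod_remoteip must be loaded
# (on Debian/Ubuntu: a2enmod remoteip, then reload Apache).

# Option A: HAProxy in HTTP mode with "option forwardfor" adds an
# X-Forwarded-For header carrying the client address.
RemoteIPHeader X-Forwarded-For
# Accept that header only when the TCP peer is the proxy itself.
# A header arriving from any other peer is ignored, so a client cannot
# dodge the block by sending its own X-Forwarded-For value.
RemoteIPInternalProxy 10.10.10.5

# Option B (use instead of A): the HAProxy "server" line has "send-proxy"
# and speaks the PROXY protocol. Needs Apache 2.4.31 or later. Every
# connection must then start with a PROXY header or it is aborted, so
# only the proxy should be able to reach this port.
# RemoteIPProxyProtocol On

# Log both addresses to confirm the change took effect:
#   %a     client address after mod_remoteip has processed the request
#   %{c}a  address of the TCP peer (the proxy)
# "remoteip_check" and the file name are assumed names for this example.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b" remoteip_check
CustomLog ${APACHE_LOG_DIR}/access_remoteip.log remoteip_check

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

# The .htaccess from the question stays unchanged. Once %a shows the
# real client address, "Require not ip" is evaluated against it:
#
# <RequireAll>
#     Require all granted
#     Require not ip XXX.XXX.XXX.XXX
# </RequireAll>
```

If the first field in the new log still shows 10.10.10.5, the header or PROXY line is not reaching Apache and the HAProxy side needs checking before the .htaccess rule can match.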
