How to Block IP Addresses in .htaccess on Apache 2.4: Updated Syntax Guide



With Apache 2.4's release, the access control syntax underwent significant changes. The old Order Deny,Allow directive from Apache 2.2 is deprecated in favor of the more flexible Require directive syntax. This change reflects Apache's move toward a more modular architecture.

Here's the modern equivalent of the legacy IP blocking method:


<RequireAll>
    Require all granted
    Require not ip 50.62.136.183
</RequireAll>

Apache 2.4 offers more granular control over access:

Blocking Multiple IPs


<RequireAll>
    Require all granted
    Require not ip 50.62.136.183 192.168.1.100 10.0.0.5
</RequireAll>

Blocking IP Ranges


<RequireAll>
    Require all granted
    Require not ip 192.168.1 10.0.0.0/24
</RequireAll>

Conditional Blocking with SetEnvIf


SetEnvIf Remote_Addr "^50\.62\.136\.183$" block_visitor
<RequireAll>
    Require all granted
    Require not env block_visitor
</RequireAll>

Remember that .htaccess files affect the directory where they reside and all subdirectories. For server-wide blocking, consider using the main configuration file instead.

Also note that IP-based blocking should be only one layer of your security strategy, because IP addresses can be spoofed or can change frequently.


With the release of Apache 2.4, significant changes were made to access control configuration. The traditional Order Deny,Allow and Deny from directives were deprecated in favor of a more flexible and powerful Require directive syntax.

Here's the modern equivalent for blocking a single IP address in Apache 2.4's .htaccess:

<RequireAll>
    Require all granted
    Require not ip 50.62.136.183
</RequireAll>

For more complex blocking requirements, consider these examples:

Blocking multiple IP addresses:

<RequireAll>
    Require all granted
    Require not ip 50.62.136.183 192.168.1.100 203.0.113.42
</RequireAll>

Blocking an entire IP range using CIDR notation:

<RequireAll>
    Require all granted
    Require not ip 192.168.1.0/24
</RequireAll>

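If you need to maintain compatibility with both Apache 2.2 and 2.4, you can use this hybrid approach:

# <IfVersion> is provided by mod_version, which must be loaded.
# Apache 2.2: legacy Order/Deny syntax
<IfVersion < 2.4>
    Order Deny,Allow
    Deny from 50.62.136.183
</IfVersion>
# Apache 2.4 and later: Require syntax
<IfVersion >= 2.4>
    <RequireAll>
        Require all granted
        Require not ip 50.62.136.183
    </RequireAll>
</IfVersion>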

For large-scale IP blocking, consider these optimizations:

  • Place frequently blocked IPs at the top of your list
  • Use CIDR ranges instead of individual IPs when possible
  • Consider placing the mod_authz_host rules (Require not ip) in the server configuration instead of .htaccess for better performance
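
The "use CIDR ranges instead of individual IPs" advice can be automated. The following is an added example, not part of the original article: a Python helper that validates a blocklist, merges duplicates and adjacent entries into the fewest CIDR ranges, and renders the <RequireAll> form shown above. The function names, the sample list and the choice to reject ambiguous or catch-all entries are assumptions made for this example.

```python
import ipaddress

# Constructed sample blocklist (documentation ranges plus the page's example IP).
SAMPLE = """\
50.62.136.183
203.0.113.42
203.0.113.42        # duplicate entry
198.51.100.0/25
198.51.100.128/25   # adjacent to the line above
198.51.100.7        # already inside the merged /24
192.0.2.4
192.0.2.5
2001:db8::/32
10.0.0.5/24         # host bits set: ambiguous, rejected
0.0.0.0/0           # would lock out everyone, rejected
not-an-ip
"""

def merge_blocklist(text):
    """Validate entries and merge them into the fewest CIDR ranges."""
    nets, rejected = {4: [], 6: []}, []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry)  # strict: rejects host bits set
        except ValueError:
            rejected.append(entry)
            continue
        if net.prefixlen == 0:                 # refuse a rule matching every client
            rejected.append(entry)
            continue
        nets[net.version].append(net)
    merged = []
    for version in (4, 6):                     # collapse_addresses needs one version
        merged.extend(ipaddress.collapse_addresses(nets[version]))
    return merged, rejected

def render_block(merged, per_line=6):
    """Emit the page's <RequireAll> form, a few ranges per Require line."""
    def fmt(net):  # single hosts are written without a /32 or /128 suffix
        return str(net.network_address) if net.num_addresses == 1 else str(net)
    out = ["<RequireAll>", "    Require all granted"]
    for i in range(0, len(merged), per_line):
        out.append("    Require not ip " + " ".join(map(fmt, merged[i:i + per_line])))
    out.append("</RequireAll>")
    return "\n".join(out)

if __name__ == "__main__":
    merged, rejected = merge_blocklist(SAMPLE)
    print(render_block(merged))
    print("rejected:", rejected)
```

Review the rejected entries by hand rather than guessing what was meant. In .htaccess, the generated block only takes effect where the server configuration permits it with AllowOverride AuthConfig.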