When configuring reverse proxy rules in Apache, we often encounter scenarios where different endpoints require different access restrictions. The standard ProxyPass directive doesn't natively support IP-based access control at the path level, which leads to interesting configuration challenges.
We'll combine Apache's mod_proxy with mod_authz_host to create granular access controls. Here's the implementation strategy:
<Location "/bar">
Require ip 192.168.1.100
Require ip 203.0.113.45
ProxyPass http://example.com/bar
ProxyPassReverse http://example.com/bar
</Location>
<Location "/foo">
ProxyPass http://example.com/foo
ProxyPassReverse http://example.com/foo
</Location>
For more complex scenarios, consider these variations:
# Using CIDR notation for IP ranges
<Location "/admin">
Require ip 192.168.1.0/24
ProxyPass http://example.com/admin
</Location>
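# Combining with other authentication methods
# Bare Require lines in one section are OR'ed (implicit RequireAny), so
# RequireAll is needed to demand both the source network and a valid login.
<Location "/secure">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/.htpasswd
    <RequireAll>
        Require ip 10.0.0.0/8
        Require valid-user
    </RequireAll>
    ProxyPass http://example.com/secure
</Location>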
When implementing IP-based restrictions:
- Place IP checks in the main configuration rather than .htaccess for better performance
- Consider using mod_remoteip when behind load balancers
- For large IP lists, use Require ip with CIDR ranges instead of individual IPs
If your restrictions aren't working:
# Check what IP Apache sees:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Remember that proxy servers or CDNs might alter the visible client IP. In such cases, configure mod_remoteip with trusted proxies.
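The mod_remoteip setup described above, combined with the /bar rule, as an added example that is not from the original page. The load balancer address 10.0.0.5, the X-Forwarded-For header name and the log file name are assumptions.

```apache
# Added example. Assumed values: load balancer at 10.0.0.5, which sets
# X-Forwarded-For; log file name remoteip_check.log.

# Take the client address from the header, but only when the TCP peer
# is a proxy listed below. Always pair RemoteIPHeader with an explicit
# proxy list so the header is not honored from arbitrary peers.
RemoteIPHeader X-Forwarded-For

# RemoteIPInternalProxy also accepts private addresses (such as
# 192.168.1.100) reported in the header. RemoteIPTrustedProxy does not,
# so it suits external proxies such as a CDN.
RemoteIPInternalProxy 10.0.0.5

# %a     = client address after mod_remoteip (what Require ip evaluates)
# %{c}a  = underlying TCP peer (the load balancer)
# Logging both shows whether the rewrite is taking effect.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b" remoteip_check
CustomLog /var/log/apache2/remoteip_check.log remoteip_check

<Location "/bar">
    Require ip 192.168.1.100 203.0.113.45
    ProxyPass http://example.com/bar
    ProxyPassReverse http://example.com/bar
</Location>
```

If both log columns show the load balancer address, the header is missing or the peer is not in the proxy list, and Require ip is matching against the load balancer rather than the client.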
For dynamic IP restrictions, consider integrating with mod_lua or external databases, though this requires more advanced configuration beyond basic IP-based controls.
When configuring reverse proxy in Apache, we often encounter situations where different paths need different access restrictions. The standard ProxyPass configuration allows global access, but many real-world scenarios require granular IP-based control.
Apache's
<Location "/bar">
ProxyPass http://example.com/bar
ProxyPassReverse http://example.com/bar
Require ip 192.168.1.100 203.0.113.45
</Location>
<Location "/foo">
ProxyPass http://example.com/foo
ProxyPassReverse http://example.com/foo
Require all granted
</Location>
For more complex scenarios, consider these approaches:
Using IP Ranges and CIDR Notation
Require ip 192.168.1.0/24 10.0.0.0/8
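Combining with Other Access Controls
# Bare Require lines in one section are OR'ed (implicit RequireAny), so
# RequireAll is needed to demand both a valid login and the listed address.
<Location "/admin">
    ProxyPass http://example.com/admin
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/.htpasswd
    <RequireAll>
        Require valid-user
        Require ip 192.168.1.100
    </RequireAll>
</Location>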
When implementing IP-based restrictions:
- Place more restrictive paths earlier in configuration
- Consider using mod_remoteip when behind load balancers
- For large IP lists, use files with Require file
# Check Apache syntax
apachectl configtest
# Verify IP detection
tail -f /var/log/apache2/access.log
For complex logic, mod_rewrite can be combined with ProxyPass:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^192\.168\.1\.[0-9]+$
RewriteRule ^/bar(.*)$ http://example.com/bar$1 [P]
ProxyPassReverse /bar http://example.com/bar