How to Configure Apache to Allow an IP Range Instead of Single IP Address



Many developers face this common scenario - your public IP address keeps changing within a certain range, but your Apache server only allows specific static IPs. This becomes particularly frustrating when working from different locations or when your ISP rotates your public IP within a subnet.

The standard Apache configuration typically looks like this for localhost access:

<RequireAny>
    Require ip 127.0.0.1
    Require ip ::1
</RequireAny>

To allow an entire range of IP addresses (like 123.123.123.0-255), you have several options:

Option 1: CIDR Notation

The most efficient way is to use CIDR notation to specify the network range:

Require ip 123.123.123.0/24

This allows all IPs from 123.123.123.0 to 123.123.123.255.

Option 2: Multiple Require Statements

For non-contiguous ranges, you can list multiple IPs:

<RequireAny>
    Require ip 123.123.123.100
    Require ip 123.123.123.101
    Require ip 123.123.123.102
</RequireAny>

Here's a complete example for a production environment allowing localhost and a specific IP range:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None

    # No "Require all granted" here: a bare Require next to this block is
    # OR-ed with it and would let every client in
    <RequireAny>
        Require ip 127.0.0.1
        Require ip ::1
        Require ip 192.168.1.0/24
        Require ip 10.0.0.0/8
    </RequireAny>
</Directory>

After making changes to your Apache configuration:

sudo apachectl configtest
sudo systemctl restart apache2

Always verify using a tool like curl from different IP addresses to ensure the restrictions work as intended.

While IP-based restrictions are useful, remember:

  • IP addresses can be spoofed
  • Consider combining with other authentication methods
  • Regularly review your IP ranges to remove unused access

When working with Apache web server configurations, you might encounter situations where you need to allow access from a range of IP addresses rather than just a single IP. This is particularly common when:

  • Your office uses dynamic IP allocation within a subnet
  • You want to whitelist an entire organization's IP range
  • Your own IP address frequently changes within a specific range

The typical Apache configuration for IP restrictions looks like this:


<RequireAny>
    Require ip 127.0.0.1
    Require ip ::1
</RequireAny>

This only allows specific, individual IP addresses. To expand this to a range, we need to modify the syntax.

Apache supports several ways to specify IP ranges:


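# CIDR Notation (most precise)
Require ip 192.168.1.0/24

# Partial address (whole octets; Require ip does not accept a "*" wildcard)
Require ip 192.168.1

# Specific range 192.168.1.100 through 192.168.1.200, written as CIDR blocks
# because Require ip has no start-end syntax
Require ip 192.168.1.100/30 192.168.1.104/29 192.168.1.112/28
Require ip 192.168.1.128/26 192.168.1.192/29 192.168.1.200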

For your specific case where you want to allow all IPs in the 123.123.123.xxx range, you would use:


<RequireAny>
    Require ip 127.0.0.1
    Require ip ::1
    Require ip 123.123.123.0/24
</RequireAny>

The /24 CIDR notation means "allow all IPs where the first 24 bits (3 octets) match exactly."

For more complex scenarios, you might want to combine multiple ranges:


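<RequireAny>
    Require ip 123.123.123.0/24
    Require ip 203.0.113.64/26
    # 198.51.100.100 through 198.51.100.150; Require ip has no start-end
    # syntax, so the range is written as the CIDR blocks that cover it
    Require ip 198.51.100.100/30 198.51.100.104/29 198.51.100.112/28
    Require ip 198.51.100.128/28 198.51.100.144/30 198.51.100.148/31
    Require ip 198.51.100.150
</RequireAny>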
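
Require ip takes full or partial addresses, network/netmask pairs and CIDR blocks, so a start-end range has to be written as the CIDR blocks that cover it. The following added example (not from the original page; the function names are illustrative) uses Python's ipaddress module to produce those lines for the 198.51.100.100 to 198.51.100.150 range used above, checks the boundary addresses against them, and counts how many extra addresses rounding up to a /24 would admit.

```python
# Added example: helper names are illustrative, not part of Apache or this page.
import ipaddress

def range_to_require_lines(first, last):
    """Return 'Require ip' lines whose CIDR blocks cover first..last exactly."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if start.version != end.version:
        raise ValueError("range endpoints must be the same IP version")
    if start > end:
        raise ValueError("range start is above range end")
    return [f"Require ip {net}"
            for net in ipaddress.summarize_address_range(start, end)]

def is_allowed(client, require_lines):
    """Check a client against CIDR-only 'Require ip' lines (any match grants)."""
    addr = ipaddress.ip_address(client)
    for line in require_lines:
        directive, kind, *specs = line.split()
        if (directive, kind) != ("Require", "ip"):
            raise ValueError(f"not a Require ip line: {line!r}")
        for spec in specs:
            # strict=True rejects blocks with host bits set, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(spec, strict=True)
            if addr.version == net.version and addr in net:
                return True
    return False

def overshoot(first, last, widened_cidr):
    """Count addresses a wider block admits beyond the intended range."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    wide = ipaddress.ip_network(widened_cidr)
    if start not in wide or end not in wide:
        raise ValueError("widened block does not contain the range")
    return wide.num_addresses - (int(end) - int(start) + 1)

if __name__ == "__main__":
    lo, hi = "198.51.100.100", "198.51.100.150"  # range taken from the page
    lines = range_to_require_lines(lo, hi)
    print("\n".join(lines))
    # Probe one address either side of each boundary
    for probe in ("198.51.100.99", lo, hi, "198.51.100.151"):
        print(probe, "allowed" if is_allowed(probe, lines) else "denied")
    print("extra addresses if widened to /24:",
          overshoot(lo, hi, "198.51.100.0/24"))
```

The overshoot figure is a quick way to judge whether replacing an exact range with a single rounder block is worth the extra exposure.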

After making changes to your Apache configuration:

  1. Test the configuration syntax: apachectl configtest
  2. Reload Apache: systemctl reload apache2 (or equivalent for your OS)
  3. Verify access from different IPs in your range

When opening up an IP range:

  • Make sure the range is as narrow as possible
  • Consider combining with other authentication methods
  • Regularly review your IP range requirements