How to Restrict Access to Specific URLs by IP in Apache 2.4: A Practical Guide for Developers




When configuring Apache 2.4, I needed to implement IP-based access control for a specific virtual URL (/secret) that doesn't physically exist on the server. The requirement was to:
1. Allow access only from whitelisted IPs
2. Redirect unauthorized users to the homepage
3. Handle virtual URLs properly


Many developers try these approaches that DON'T work well:

    Order allow,deny
    Allow from 123.123.123.123
    Deny from all

This deprecated method doesn't handle virtual URLs properly in modern Apache.

Here's the configuration that finally worked:


    RewriteEngine On
    
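    # Whitelist IP (replace with your actual IP)
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    # Optional: add more IPs as further negated conditions. Conditions are
    # ANDed by default; do not add [OR] here, or the extra IP is not whitelisted.
    RewriteCond %{REMOTE_ADDR} !^124\.124\.124\.124$
    
    # Redirect unauthorized access to /secret only. An unscoped pattern would
    # also match / and loop. The leading slash is absent in .htaccess context.
    RewriteRule ^/?secret(/|$) / [R=302,L]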
    
    # Debugging (remove in production)
    LogLevel alert rewrite:trace3

For network ranges, use mod_authz_core with Require ip:

<Location "/secret">
    <RequireAny>
        Require ip 123.123.123.0/24
        Require ip 2001:db8::/32
    </RequireAny>
    ErrorDocument 403 /homepage.html
</Location>

Since /secret is virtual:
1. Ensure proper RewriteBase is set
2. Verify DocumentRoot permissions
3. Test with different HTTP methods (GET/POST)

Check these when it's not working:


tail -f /var/log/apache2/error.log
apachectl -t -D DUMP_MODULES | grep rewrite
curl -I http://yoursite.com/secret

For high-traffic sites:
1. Use IP hash tables for faster matching
2. Consider CDN-level IP filtering
3. Cache authorized responses


When securing web applications, administrators often need to restrict access to specific URLs based on client IP addresses. In Apache 2.4, this can be achieved through various methods including Location directives and mod_rewrite rules.

The original attempt combines two different methods that conflict with each other. The commented-out If directive shows promise but needs proper syntax, while the active RewriteRules have logical issues in the IP matching pattern.

Here's a corrected version using mod_rewrite that properly handles IP restriction and redirection:



    RewriteEngine On
    # Allow specific IP
    RewriteCond %{REMOTE_ADDR} =123.123.123.123 [OR]
    RewriteCond %{REMOTE_ADDR} =124.124.124.124
    RewriteRule ^ - [L]
    
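    # Redirect all others away from /secret (scoped so that / itself does not loop;
    # the leading slash is absent in .htaccess context)
    RewriteRule ^/?secret(/|$) / [R=303,L]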

For Apache 2.4+, the Require directive provides a cleaner approach:

<Location "/secret">
    <RequireAny>
        Require ip 123.123.123.123
        Require ip 124.124.124.124
    </RequireAny>
    ErrorDocument 403 /index.html
</Location>

For more complex IP restrictions, you can use CIDR notation:

<Location "/secret">
    <RequireAny>
        Require ip 123.123.123.0/24
        Require ip 2001:db8::/32
    </RequireAny>
    ErrorDocument 403 /index.html
</Location>

  • Ensure mod_rewrite is enabled: a2enmod rewrite
  • For the Require method, ensure mod_authz_core is enabled
  • Test with different client IPs to verify behavior
  • Check Apache error logs when debugging

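Here's how this would look in a complete virtual host configuration:

# Listener address *:80 is assumed; match it to your Listen directive
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html
    
    <Location "/secret">
        # IP-based access control
        <RequireAny>
            Require ip 203.0.113.45
            Require ip 198.51.100.0/24
        </RequireAny>
        
        # Custom error document
        ErrorDocument 403 /access-denied.html
    </Location>
</VirtualHost>
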
If the restrictions aren't working as expected:

  1. Verify the client's actual IP address (it might be behind a proxy)
  2. Check for conflicting directives in .htaccess files
  3. Ensure modules are properly loaded
  4. Test with curl -I to see response headers
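
To confirm after the fact that the restriction held, the access log can be audited for requests to /secret that came from outside the allowlist and were still served. The script below is an added example, not part of the original configuration; it assumes the common/combined log format, reuses the allowlist from the virtual host example above, and runs on constructed log lines. The function and variable names are hypothetical.

```python
import ipaddress
import re

# Allowlist copied from the virtual host example; PROTECTED is the page's URL.
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.45/32", "198.51.100.0/24")]
PROTECTED = "/secret"
# Statuses that mean the request was refused: 403 (Require ip) or the
# 302/303 redirects used by the mod_rewrite variants.
REFUSED = {403, 302, 303}

# Leading fields of the common/combined log format (assumed LogFormat).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def is_allowed(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or garbage in the client field: not trusted
    return any(addr in net for net in ALLOWED)

def audit(lines):
    """Return (client, method, target, status) for requests to PROTECTED
    that came from outside the allowlist and were not refused."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if path != PROTECTED and not path.startswith(PROTECTED + "/"):
            continue
        if not is_allowed(client) and int(status) not in REFUSED:
            findings.append((client, method, target, int(status)))
    return findings

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Mar/2025:10:00:01 +0000] "GET /secret HTTP/1.1" 200 512',
    '198.51.100.77 - - [10/Mar/2025:10:00:05 +0000] "POST /secret/report HTTP/1.1" 200 48',
    '192.0.2.10 - - [10/Mar/2025:10:00:09 +0000] "GET /secret HTTP/1.1" 403 199',
    '192.0.2.10 - - [10/Mar/2025:10:00:12 +0000] "GET /secret?x=1 HTTP/1.1" 302 -',
    '192.0.2.99 - - [10/Mar/2025:10:00:20 +0000] "POST /secret HTTP/1.1" 200 512',
    '192.0.2.99 - - [10/Mar/2025:10:00:21 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("unexpected access:", finding)
```

Any finding means a request from a non-allowlisted address reached /secret, for example because a rule covers only some HTTP methods or a conflicting .htaccess directive overrides it.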