How to Implement Multiple IP Whitelisting Using Require Directive in Apache 2.4



The shift from Apache 2.2's Order, Allow, and Deny directives to Apache 2.4's Require syntax represents a more flexible and modular approach to access control. While the old syntax worked well for basic scenarios, the new Require directive integrates better with Apache's authentication framework.

Here's how your current 2.2 configuration translates to 2.4 syntax:

<RequireAny>
    Require ip 2001:1000:2000::1/64
    Require ip 1.2.3.4
    Require ip 1.2.3.10
</RequireAny>

Apache 2.4 introduces three key container directives:

  • <RequireAny> - Grants access if any requirement is met
  • <RequireAll> - Requires all conditions to be true
  • <RequireNone> - Denies access if any condition is met

For more complex scenarios, you can combine multiple requirements:

<RequireAll>
    <RequireAny>
        Require ip 192.168.1.0/24
        Require ip 10.0.0.0/8
    </RequireAny>
    Require not ip 192.168.1.100
</RequireAll>

For managing large IP lists, you can use the Include directive:

Include conf/extra/ip-whitelist.conf

Then in ip-whitelist.conf:

Require ip 2001:1000:2000::1/64
Require ip 1.2.3.4
Require ip 1.2.3.10

When dealing with extensive IP lists:

  • Group contiguous IPs into CIDR ranges
  • Place frequently accessed IPs first
  • Consider using mod_authz_host caching

Always test your configuration with:

apachectl configtest

And monitor access logs to verify the rules are working as expected.
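The container logic described in the answer above, as an added example that is not part of the original answer or of Apache's own code: a small Python model of how mod_authz_core combines Require ip results inside RequireAny, RequireAll and RequireNone. The rule-tree notation (("ip", spec), ("not", spec), ("any" | "all" | "none", [rules]), ("granted",)) is this script's own assumption, and every client address is constructed. It keeps httpd's internal three-valued result (granted, denied, neutral), which is what explains the caveat practitioners most often trip over: a Require not or a RequireNone with nothing else that grants denies everyone.

```python
"""Offline model of how Apache 2.4's mod_authz_core combines Require ip
results inside <RequireAny>, <RequireAll> and <RequireNone>.  Added
example for this page, not httpd's own code: the rule-tree notation is
this script's own assumption, and every client address is constructed.
It reproduces httpd's three-valued result (GRANTED / DENIED / NEUTRAL),
which is what makes 'Require not' on its own deny everyone."""
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


def ip_status(spec, client):
    """'Require ip SPEC': GRANTED if the client is in SPEC, else DENIED.
    SPEC is an address or CIDR; host bits in the prefix are masked
    (strict=False), so 2001:1000:2000::1/64 means 2001:1000:2000::/64.
    An IPv4 client never matches an IPv6 network and vice versa."""
    net = ipaddress.ip_network(spec, strict=False)
    return GRANTED if ipaddress.ip_address(client) in net else DENIED


def negate(result):
    """'Require not' / <RequireNone>: a match turns into DENIED, but a
    non-match becomes NEUTRAL, not GRANTED (not denying is not granting)."""
    if result == GRANTED:
        return DENIED
    if result == DENIED:
        return NEUTRAL
    return result


def status(rule, client, parent=None):
    """Evaluate one rule.  Notation (this script's own assumption):
       ("ip", spec)                     Require ip spec
       ("not", spec)                    Require not ip spec
       ("granted",)                     Require all granted
       ("any"|"all"|"none", [rules])    the three containers"""
    kind = rule[0]
    if kind == "ip":
        return ip_status(rule[1], client)
    if kind == "granted":
        return GRANTED
    if kind == "not":
        if parent == "any":
            # httpd refuses this at config time: a negated Require can never
            # grant, so inside <RequireAny> it could only ever be a no-op.
            raise ValueError("Require not has no effect inside <RequireAny>")
        return negate(ip_status(rule[1], client))
    if kind not in ("any", "all", "none"):
        raise ValueError(f"unknown rule kind {kind!r}")
    op = "all" if kind == "all" else "any"  # RequireNone is a negated RequireAny
    result = NEUTRAL
    for child in rule[1]:
        child_result = status(child, client, parent=kind)
        if child_result == NEUTRAL:
            continue                     # neutral children do not vote
        if op == "all":
            if child_result == DENIED:
                result = DENIED          # one DENIED sinks a RequireAll
                break
            result = GRANTED             # GRANTED; keep checking the rest
        else:
            if child_result == GRANTED:
                result = GRANTED         # one GRANTED satisfies a RequireAny
                break
            result = DENIED
    return negate(result) if kind == "none" else result


def allowed(rule, client):
    """Final answer as the client sees it: httpd sends 403 unless the
    top-level result is exactly GRANTED; NEUTRAL is not good enough."""
    return status(rule, client) == GRANTED


# The two rule trees from the answer above, in this script's notation.
WHITELIST = ("any", [("ip", "2001:1000:2000::1/64"),
                     ("ip", "1.2.3.4"),
                     ("ip", "1.2.3.10")])
COMBINED = ("all", [("any", [("ip", "192.168.1.0/24"),
                             ("ip", "10.0.0.0/8")]),
                    ("not", "192.168.1.100")])
# A common mistake: an exclusion with nothing that grants.
NOT_ONLY = ("all", [("not", "192.168.1.100")])
# RequireNone must likewise be paired with something that grants.
BLOCK_TEN = ("all", [("granted",), ("none", [("ip", "10.0.0.0/8")])])

if __name__ == "__main__":
    for client in ("1.2.3.4", "1.2.3.5", "2001:1000:2000:0:dead:beef::1"):
        print(f"whitelist {client:>30}: {allowed(WHITELIST, client)}")
    for client in ("192.168.1.5", "192.168.1.100", "10.9.8.7", "172.16.0.1"):
        print(f"combined  {client:>30}: {allowed(COMBINED, client)}")
    print("not-only  10.0.0.1:", allowed(NOT_ONLY, "10.0.0.1"))
    print("block-ten 10.0.0.1:", allowed(BLOCK_TEN, "10.0.0.1"),
          " 203.0.113.9:", allowed(BLOCK_TEN, "203.0.113.9"))
```

Run it against a rule tree before committing the equivalent httpd.conf: NOT_ONLY evaluates to neutral for every client, so it would lock everyone out, and the model raises for a Require not placed directly inside RequireAny, which httpd also rejects at startup.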


Apache 2.4 introduced a more flexible and powerful authorization framework, replacing the older Order, Allow, and Deny directives with the Require directive. This change aligns with modern security practices and offers better integration with other authentication modules.

Here's how your Apache 2.2 configuration:

Order deny,allow
Deny from all
Allow from 2001:1000:2000::1/64
Allow from 1.2.3.4
Allow from 1.2.3.10

Translates to Apache 2.4 syntax:

<RequireAny>
    Require ip 2001:1000:2000::1/64
    Require ip 1.2.3.4
    Require ip 1.2.3.10
</RequireAny>

The new syntax offers several improvements:

  • More readable and explicit access control rules
  • Better integration with other authentication methods
  • Support for logical operators (RequireAll, RequireAny, RequireNone)

For more complex scenarios, you can combine multiple requirements:

<RequireAll>
    <RequireAny>
        Require ip 10.0.0.5
        Require ip 172.16.0.0/12
    </RequireAny>
    # Exclude one host inside the allowed range. Require not only works
    # inside RequireAll (or RequireNone); it cannot grant access on its own.
    Require not ip 172.16.0.99
</RequireAll>

When migrating, watch out for:

  • Make sure mod_authz_host is loaded
  • Remember that the new syntax is case-sensitive for IP versions (ip vs IP)
  • Test your configuration thoroughly as the logic flow is different

For configurations with many IP addresses, consider:

<RequireAny>
    Require ip 192.168.1.0/24
    Require ip 10.0.0.0/8
    # Individual IPs for exceptions
    Require ip 203.0.113.42
</RequireAny>

Using CIDR notation reduces the number of directives and improves performance.
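The migration and the CIDR reduction from the answer above, as an added example that is not part of the original answer or of Apache's own code: a Python script that translates the 2.2 block shown (Order deny,allow, Deny from all, Allow from ...) into a 2.4 RequireAny block and collapses contiguous addresses into CIDR ranges on the way. Only that default-deny shape is handled; any other Order or Deny form, and anything that is not a literal address or CIDR (hostnames, 2.2 partial IPs such as 10.1), is refused rather than mistranslated. The function names are this script's own, the sample configuration is the one from the answer, and the extra addresses are constructed.

```python
"""Mechanical translation of the 2.2 'Order deny,allow / Deny from all /
Allow from ...' pattern into a 2.4 <RequireAny> block, collapsing
contiguous addresses into CIDR ranges on the way.  Added example for this
page, not Apache code; the sample configuration below is the answer's own,
the extra addresses are constructed."""
import ipaddress


def parse_allow_block(text):
    """Return the list of 'Allow from' arguments from a 2.2 block.
    Only the default-deny shape (Order deny,allow + Deny from all) is
    accepted; Order allow,deny and partial Deny lists have different
    precedence and are refused rather than silently mistranslated."""
    order, deny_all, allows = None, False, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, _, args = line.partition(" ")
        directive, args = directive.lower(), args.strip()
        if directive == "order":
            order = args.replace(" ", "").lower()
        elif directive == "deny":
            if args.lower() != "from all":
                raise ValueError(f"unsupported Deny clause: {line!r}")
            deny_all = True
        elif directive == "allow":
            if not args.lower().startswith("from "):
                raise ValueError(f"unsupported Allow clause: {line!r}")
            allows.extend(args[5:].split())  # 2.2 allows several per line
        else:
            raise ValueError(f"unexpected directive: {line!r}")
    if order != "deny,allow" or not deny_all:
        raise ValueError("only 'Order deny,allow' with 'Deny from all' is handled")
    return allows


def collapse(specs):
    """Addresses/CIDRs -> minimal sorted list of networks, IPv4 then IPv6.
    Host bits in a prefix (2001:1000:2000::1/64) are masked off, which is
    how httpd reads such a Require ip anyway.  Hostnames and 2.2 partial
    IPs such as '10.1' are refused: a human has to pick the range."""
    nets = []
    for spec in specs:
        try:
            nets.append(ipaddress.ip_network(spec, strict=False))
        except ValueError:
            raise ValueError(f"cannot translate {spec!r} mechanically") from None
    by_version = {4: [], 6: []}
    for net in nets:
        by_version[net.version].append(net)
    return [n for v in (4, 6)
            for n in sorted(ipaddress.collapse_addresses(by_version[v]))]


def require_line(net):
    """Single hosts are written bare, as on the page; ranges keep the prefix."""
    if net.prefixlen == net.max_prefixlen:
        return f"    Require ip {net.network_address}"
    return f"    Require ip {net}"


def translate(text):
    """2.2 block text -> 2.4 <RequireAny> text."""
    body = [require_line(n) for n in collapse(parse_allow_block(text))]
    return "\n".join(["<RequireAny>", *body, "</RequireAny>"])


# The 2.2 configuration from the answer above.
OLD_CONFIG = """\
Order deny,allow
Deny from all
Allow from 2001:1000:2000::1/64
Allow from 1.2.3.4
Allow from 1.2.3.10
"""

if __name__ == "__main__":
    print(translate(OLD_CONFIG))
    # constructed: two /25 halves and a host inside them fold into one /24
    print([str(n) for n in collapse(["192.0.2.0/25", "192.0.2.128/25", "192.0.2.7"])])
```

Collapsing only merges exactly adjacent or nested blocks, so the set of permitted addresses is unchanged; still diff the generated block against the old Allow list and run apachectl configtest before reloading, because the script deliberately refuses anything it cannot translate without judgement.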