How to implement IP whitelist correctly on Apache 2.4?

I've a website (running on CentOS at Google Cloud, Apache 2.4.37), say its name is awesomesite.co.id.

There are certain pages on that website, e.g. awesomesite.co.id/dev123/secret.html, which are not supposed to be accessible from any network, except from whitelisted IPs. So here's what I already did:

  1. Edited /etc/httpd/conf.d/awesome-site.conf. I put 2 whitelisted IPs on it.
    <VirtualHost *:80>
    ServerName awesomesite.co.id
    DocumentRoot /var/www/html/awesome
    ErrorLog /var/log/httpd/awesome-site-error.log
    CustomLog /var/log/httpd/awesome-site-requests.log combined
    #commented for testing PHP proxy, allow both http and https work
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =awesomesite.co.id
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>
    
    <Directory /dev123/*>
            Order deny,allow
            Deny from all
            Allow from 123.123.100.100
            Allow from 200.200.44.59
    </Directory>
  2. Restarted Apache: systemctl restart http.service

I tried to access awesomesite.co.id/dev123/secret.html on a few mobile devices (all different telco providers). The result is that all devices could access that page normally.

So what's the correct way, then?


Solution 1:

The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated as of version 2.4 and will no longer work.

Use Require instead:

    Require ip 123.123.100.100
    Require ip 200.200.44.59

The Require directive is provided by the mod_authz_host module.

More information can be found in the Apache HTTP Server documentation.

Note that a CIDR range such as Require ip 200.200.44.0/24 is possible as well (see here for more examples):

In the second form, ip.address is an IP address, a partial IP address, a network/netmask pair, or a network/nnn CIDR specification. Either IPv4 or IPv6 addresses may be used.
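
Added example (not part of the original answer): the block from the question next to a corrected form that uses the Require directives above. It goes one step beyond the answer by also changing the `<Directory>` path, because `<Directory>` matches filesystem paths rather than URL paths. The path `/var/www/html/awesome/dev123` is an assumption derived from the question's DocumentRoot, and the example assumes Apache sees the client's real address (no proxy or load balancer in front).

```apache
# Before (from the question). <Directory> matches filesystem paths, so
# "/dev123/*" refers to a directory at the filesystem root, not to the URL
# /dev123/ of the site. The Order/Deny/Allow lines are the 2.2-style syntax
# provided by mod_access_compat.
#
# <Directory /dev123/*>
#     Order deny,allow
#     Deny from all
#     Allow from 123.123.100.100
#     Allow from 200.200.44.59
# </Directory>

# After. The path is DocumentRoot + /dev123 (assumed: no Alias or rewrite
# maps the URL /dev123/ somewhere else). Kept at server level, outside any
# <VirtualHost>, as in the question, so it applies to every virtual host
# that serves this directory, including the HTTPS one that the port 80
# virtual host redirects to.
<Directory "/var/www/html/awesome/dev123">
    # Several Require lines with no enclosing container are combined as
    # RequireAny: a client matching either address is admitted, every
    # other client receives 403 Forbidden.
    Require ip 123.123.100.100
    Require ip 200.200.44.59
</Directory>
```

After `apachectl configtest` and a restart, a request for /dev123/secret.html from an address that is not listed should return 403 Forbidden.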