Apache .htaccess require ip not strict enough with IPv6

Let's suppose my IPv6 is 1111:2222:3333:4444:5555:6666:7777:8888

I can write any of these lines in the Apache .htaccess:

Require ip 1111:2222:3333:4444:0000:0000:0000:0000
Require ip 1111:2222:3333:0000::/64
Require ip 1111:2222:0000:0000::/64
Require ip 1111:2222:0000:0000:

I still can access the site. Apache seems to test only the 2 first blocks of IPv6. Did I miss something? How can I really limit to MY IP?

Solution 1:

None of your example IPs are in the same /64 subnet, they can't all match your IP. Compare the 3rd and 4th digit group.

Starting with an IP address, chop off digits at the least-significant end. Use the number of bits remaining in CIDR slash notation. Write out the recommended form with :: compressing as many zeros as possible.

For example, take IP address 2001:db8:1622:c7bb:5919:8f34:f78e:aadd Cutting it half leaves 64 significant bits, so:

Require ip 2001:db8:1622:c7bb::/64

This /64 should be yours, familiar as one of your many subnets. An allow list with only one IP address is not making full use of the address space. Rather, put hosts in a /64 consistent with their purpose or security zone.

mod_authz_host is capable of single IP allow lists, of course. If you really wanted one IP address, it can do that.