How do I require an IP range instead of 1 IP?

My IP changes to a different D class, so I want to set a range:

123.123.123.xxx where the last segment can be 0-255.

Right now, Apache says:

<RequireAny>
   Require ip 127.0.0.1
   Require ip ::1
</RequireAny>

Firstly, I'm going to assume you mean Apache 2.4 despite the "apache-2.2" tag since the syntax you've posted is from 2.4.

From the Apache documentation:

ip.address is an IP address, a partial IP address, a network/netmask pair, or a network/nnn CIDR specification.

I assume you mean you wish to allow a /24 since Class D is Multicast addresses, and classful networking died in the 90's. To allow a /24, you can use any of the following:

Require ip 123.123.123
Require ip 123.123.123.0/255.255.255.0
Require ip 123.123.123.0/24

Personally, I find the last to be less ambiguous than the first, and easier to read than the second.

You may find this section of the documentation useful: http://httpd.apache.org/docs/2.4/howto/access.html#host


In Apache 2.2 and below, you could work with:

Order deny,allow
Deny from all
# allow access from home
Allow from 24.18
# allow access from work
Allow from 162.12

in your .htaccess, directly on base level (not within any <directive>).

As of Apache 2.4 and above, here you go:

<RequireAny>
    #IPv4 range at my work
    Require ip 207.100
    #IPv4 range I usually get through my mobile provider
    Require ip 29.11
    #IPv6 from home
    Require ip 2a02:4126:2aa4::/48  
</RequireAny>

(all numbers fictional, no worries ;-).

I have been using this for many years now to shield my backend folders against 99% of potential users. (Working very well, unless you are an avid blogger while travelling. If you are a Gmail user: the “last account activity” link at the very bottom is a comfy way to figure out your own “IP habits”).


Apache's Require directive is used during the authorization phase to ensure that a user is allowed or denied access to a resource. mod_authz_host extends the authorization types with ip, host, forward-dns and local. Other authorization types may also be used but may require that additional authorization modules be loaded.

These authorization providers affect which hosts can access an area of the server. Access can be controlled by hostname, IP Address, or IP Address range.

Since v2.4.8, expressions are supported within the host require directives.

Require ip

The ip provider allows access to the server to be controlled based on the IP address of the remote client. When Require ip ip-address is specified, then the request is allowed access if the IP address matches.

A full IP address:

Require ip 10.1.2.3
Require ip 192.168.1.104 192.168.1.205

An IP address of a host allowed access

A partial IP address:

Require ip 10.1
Require ip 10 172.20 192.168.2

The first 1 to 3 bytes of an IP address, for subnet restriction.

A network/netmask pair:

Require ip 10.1.0.0/255.255.0.0

A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.

A network/nnn CIDR specification:

Require ip 10.1.0.0/16

Similar to the previous case, except the netmask consists of nnn high-order 1 bits.

Note that the last three examples above match exactly the same set of hosts.

IPv6 addresses and IPv6 subnets can be specified as shown below:

Require ip 2001:db8::a00:20ff:fea7:ccea
Require ip 2001:db8:1:1::a
Require ip 2001:db8:2:1::/64
Require ip 2001:db8:3::/48

Note: As the IP addresses are parsed on startup, expressions are not evaluated at request time.

Source: https://httpd.apache.org/docs/trunk/mod/mod_authz_host.html


Noting that you have now confirmed using Apache 2.2, Apache 2.2 does not support either Require ip or <RequireAny>. As noted in the Overview of new features in Apache HTTP Server 2.4, "Advanced authorization logic may now be specified using the Require directive and the related container directives, such as <RequireAll>." The former are among those improvements added to Apache 2.4.

To deal with this in Apache 2.2, you will probably need to do something like:

Order allow,deny
Allow from 123.123.123    

which will get the whole range specified.


Note: I am leaving this here as others might benefit from it; it is not a direct answer to the question.

For example:

Require ip 192.168.100.0/22

works, while

Require ip 192.168.100.0/22 #localnetwork

fails!

Restarting httpd outputs:

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

So, it seems that no comments are allowed on that line.
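
As an added example (not from any of the answers and not Apache's own code), this Python sketch expands the Require ip forms listed in the documentation excerpt above into networks, so you can see how many addresses each line admits, and flags the trailing-comment line described in the last answer. The function names and the sample configuration are constructed for illustration; it follows the documented forms, not httpd's actual parser.

```python
import ipaddress

# Constructed sample config; the ranges are the ones used on this page.
SAMPLE = """\
<RequireAny>
    Require ip 123.123.123
    Require ip 123.123.123.0/255.255.255.0
    Require ip 123.123.123.0/24
    Require ip 29.11
    Require ip 2001:db8:3::/48
    Require ip 192.168.100.0/22 #localnetwork
</RequireAny>
"""

def parse_require_ip(spec):
    """Expand one 'Require ip' argument into an ipaddress network."""
    if "/" not in spec and ":" not in spec:
        octets = spec.split(".")
        if len(octets) < 4:
            # Partial IPv4 address: each octet given fixes 8 prefix bits.
            spec = "%s/%d" % (".".join(octets + ["0"] * (4 - len(octets))), 8 * len(octets))
    return ipaddress.ip_network(spec, strict=False)  # masks stray host bits

def audit(config_text):
    """Return (networks, problems) for the 'Require ip' lines in config_text."""
    networks, problems = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split()
        if [w.lower() for w in words[:2]] != ["require", "ip"]:
            continue
        if any(w.startswith("#") for w in words[2:]):
            # Directive lines cannot carry a comment; skip the whole line.
            problems.append((lineno, "trailing comment on directive line"))
            continue
        for word in words[2:]:
            try:
                networks.append(parse_require_ip(word))
            except ValueError:
                problems.append((lineno, "not an IP spec: " + word))
    return networks, problems

def is_allowed(client, networks):
    """True if the client address falls inside any of the networks."""
    addr = ipaddress.ip_address(client)
    return any(addr.version == n.version and addr in n for n in networks)

if __name__ == "__main__":
    nets, probs = audit(SAMPLE)
    print([(str(n), n.num_addresses) for n in nets], probs)
```

The two-octet form (29.11) expands to a /16, which admits 65,536 addresses, so it is worth checking how wide each partial address really is before relying on it.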