Allow multiple IPs with the Require directive in Apache 2.4

I am migrating from Apache 2.2 to 2.4, and would like to prefer the use of "Require" than the now discouraged use of Allow, Deny.

My question: How can I allow access from a set of IP addresses or ranges, by having one address/range per line in the configuration file?

With Apache 2.2, I used:

Order deny,allow
Deny from all
Allow from 2001:1000:2000::1/64
Allow from 1.2.3.4
Allow from 1.2.3.10

How would that translate to the new access control syntax?


Solution 1:

The upgrading documentation has clear information on how to do this. It is also something that should be read in case any other configuration changes are required: https://httpd.apache.org/docs/2.4/upgrading.html

Also you do not need to put different IP addresses or networks on separate lines. It is perfectly acceptable to do the following:

# Apache v2.2
Allow from 1.2.3.4 1.2.3.10
# Apache v2.4
Require ip 1.2.3.4 1.2.3.10

Finally, the default is for multiple require directives to be treated as if they are in a <RequireAny> block, so unless you are forming a more complex nested grouping you do not need to add it. Though you may wish to for clarify of course. Reference: https://httpd.apache.org/docs/2.4/howto/auth.html#beyond

Additional Information: One other thought is that when upgrading you should definitely go through all your configuration (including any htaccess files you might have) and convert the older Apache v2.2 directives to the Apache v2.4 ones, and then comment out the loading of the mod_access_compat module. Mixing v2.2 and v.24 directives can cause some very unusual problems that are hard to troubleshoot.

Solution 2:

I know it is an old post but i think that can help with a functional example that i always use!

In apache 2.2 would be like:

    <Location />
       Order deny, allow
       allow from all
    </Location>
    <Location /adm>
        Order deny, allow
        deny from all
        allow from myniceip
    </Location>
    <Location /disabled>
        Order deny, allow
        deny from all
    </Location>

In apache 2.4 would be like:

   <Location />
       require all granted
    </Location>
   #Note that you dont need to use require all denied
   #to require only a group of ips.. 
    <Location /adm>
        require myniceip
    </Location>
    <Location /disabled>
        Require all denied
    </Location>