Apache is one of the most widely used web servers in the world, offering a robust and flexible platform for hosting websites.

When managing a website, you might need to control who can access certain resources or entire websites. For example, you may want to block specific IP addresses or allow access only from certain regions or networks. Apache makes this possible using a feature called Access Control.

In this guide, we’ll walk through the steps to allow or deny access to websites in Apache using a simple, human-readable configuration.

Apache Access Control Basics

Apache uses two main directives for controlling access:

  • Require: This is used to allow access to certain users, IP addresses, or groups.
  • Deny and Allow (deprecated in later versions): Previously used in older versions of Apache but replaced by the Require directive.

In newer versions of Apache (2.4 and later), the Require directive is the primary way to manage access controls.

Step 1: Edit the Apache Configuration File

Apache configuration files can be found in different locations depending on your system.

For example:

  • Ubuntu/Debian: /etc/apache2/apache2.conf or inside the virtual host file (e.g., /etc/apache2/sites-available/your-site.conf).
  • CentOS/RHEL: /etc/httpd/conf/httpd.conf or the virtual host file (e.g., /etc/httpd/conf.d/your-site.conf).

Use a text editor like nano or vi to edit these files.

Step 2: Set Up Access Control Using the Require Directive

The Require directive specifies who is allowed or denied access. Let’s look at examples for both allowing and denying access.

Example 1: Denying Access from Specific IP Addresses

To deny access from specific IP addresses, use the Require not directive.

For example, to block IP 192.168.1.100:

<Directory /var/www/html>
    Require all granted
    Require not ip 192.168.1.100
</Directory>

In this case:

  • Require all granted: Allows access to all IP addresses.
  • Require not ip 192.168.1.100: Denies access to the specified IP address.

Example 2: Allowing Access Only to Specific IP Addresses

If you want to allow access only to a specific IP or range of IPs, use the following:

<Directory /var/www/html>
    Require ip 192.168.1.0/24
</Directory>

Here, Require ip 192.168.1.0/24 allows access only to IPs within the range 192.168.1.0 to 192.168.1.255 (a common local network range).

Example 3: Denying Access to Everyone Except Specific IPs

You may want to deny access to everyone except a certain IP or group of IPs.

<Directory /var/www/html>
    Require all denied
    Require ip 192.168.1.10
</Directory>

In this case:

  • Require all denied: Blocks access to everyone.
  • Require ip 192.168.1.10: Allows access only to the IP address 192.168.1.10.

Example 4: Restrict Access by Hostname

You can also restrict access based on hostnames. For instance, if you want to allow access only to users from a specific domain (like example.com), you can use:

<Directory /var/www/html>
    Require host example.com
</Directory>

This would allow only visitors from example.com to access the website.

Step 3: Blocking Entire Countries in Apache

To block traffic from specific countries, you need to install an additional module called mod_maxminddb, which uses a GeoIP database to determine the country based on the visitor’s IP address.

Install mod_maxminddb in Linux

To use mod_maxminddb module, you need to install and configure it.

On Ubuntu/Debian, run:

sudo apt update
sudo apt install libmaxminddb0 libmaxminddb-dev mmdb-bin apache2-dev
git clone https://github.com/maxmind/mod_maxminddb.git
cd mod_maxminddb
sudo apxs -i -a -c mod_maxminddb.c

On CentOS/RHEL, run:

sudo yum install epel-release
sudo yum install libmaxminddb libmaxminddb-devel mmdb-bin httpd-devel
git clone https://github.com/maxmind/mod_maxminddb.git
cd mod_maxminddb
sudo apxs -i -a -c mod_maxminddb.c

Download the MaxMind GeoIP Database

MaxMind provides a free GeoLite2 database that we can use to determine the country based on IP addresses.

tar -xvzf GeoLite2-Country.tar.gz
sudo mkdir -p /usr/share/GeoIP
sudo mv GeoLite2-Country.mmdb /usr/share/GeoIP/

Configure Apache to Use mod_maxminddb

Now, we need to tell Apache to use the mod_maxminddb module and the GeoIP database.

sudo nano /etc/apache2/apache2.conf   # On Ubuntu/Debian
sudo nano /etc/httpd/conf/httpd.conf  # On CentOS/RHEL

Add the following configuration to enable mod_maxminddb and specify the path to the GeoIP database:

<IfModule mod_maxminddb.c>
    MaxMindDBEnable On
    MaxMindDBFile COUNTRY_DB /usr/share/GeoIP/GeoLite2-Country.mmdb
    MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code
</IfModule>

Add Access Control Based on Country

Now that the module is set up, you can use it to block or allow access based on the visitor’s country. For example, to block access from users in China (CN) and Russia (RU), use this configuration in your Apache virtual host file:

<Directory /var/www/html>
    SetEnvIf MM_COUNTRY_CODE CN BlockCountry
    SetEnvIf MM_COUNTRY_CODE RU BlockCountry
    Require all granted
    Require not env BlockCountry
</Directory>

After adding the new configurations, restart Apache to apply the changes:

sudo systemctl restart apache2  # On Ubuntu/Debian
sudo systemctl restart httpd    # On CentOS/RHEL

To confirm that the module is correctly installed, you can check if mod_maxminddb is loaded in Apache:

apachectl -M | grep maxminddb

If it’s loaded correctly, you should see an output similar to:

maxminddb_module (shared)
Conclusion

Controlling access to your website is an essential aspect of managing your web server’s security and functionality. Apache’s access control features allow you to allow or deny access based on IP addresses, hostnames, or even geographic location.

Whether you are blocking bots, restricting internal resources, or protecting your website from unauthorized users, Apache makes it simple and effective to implement these controls.

Similar Posts