Apache is one of the most widely used web servers in the world, offering a robust and flexible platform for hosting websites.
When managing a website, you might need to control who can access certain resources or entire websites. For example, you may want to block specific IP addresses or allow access only from certain regions or networks. Apache makes this possible using a feature called Access Control.
In this guide, we’ll walk through the steps to allow or deny access to websites in Apache using a simple, human-readable configuration.
Apache Access Control Basics
Apache uses two main directives for controlling access:
Require: This is used to allow access to certain users, IP addresses, or groups.DenyandAllow(deprecated in later versions): Previously used in older versions of Apache but replaced by theRequiredirective.
In newer versions of Apache (2.4 and later), the Require directive is the primary way to manage access controls.
Step 1: Edit the Apache Configuration File
Apache configuration files can be found in different locations depending on your system.
For example:
- Ubuntu/Debian:
/etc/apache2/apache2.confor inside the virtual host file (e.g.,/etc/apache2/sites-available/your-site.conf). - CentOS/RHEL:
/etc/httpd/conf/httpd.confor the virtual host file (e.g.,/etc/httpd/conf.d/your-site.conf).
Use a text editor like nano or vi to edit these files.
Step 2: Set Up Access Control Using the Require Directive
The Require directive specifies who is allowed or denied access. Let’s look at examples for both allowing and denying access.
Example 1: Denying Access from Specific IP Addresses
To deny access from specific IP addresses, use the Require not directive.
For example, to block IP 192.168.1.100:
<Directory /var/www/html>
Require all granted
Require not ip 192.168.1.100
</Directory>
In this case:
Require all granted: Allows access to all IP addresses.Require not ip 192.168.1.100: Denies access to the specified IP address.
Example 2: Allowing Access Only to Specific IP Addresses
If you want to allow access only to a specific IP or range of IPs, use the following:
<Directory /var/www/html>
Require ip 192.168.1.0/24
</Directory>
Here, Require ip 192.168.1.0/24 allows access only to IPs within the range 192.168.1.0 to 192.168.1.255 (a common local network range).
Example 3: Denying Access to Everyone Except Specific IPs
You may want to deny access to everyone except a certain IP or group of IPs.
<Directory /var/www/html>
Require all denied
Require ip 192.168.1.10
</Directory>
In this case:
Require all denied: Blocks access to everyone.Require ip 192.168.1.10: Allows access only to the IP address 192.168.1.10.
Example 4: Restrict Access by Hostname
You can also restrict access based on hostnames. For instance, if you want to allow access only to users from a specific domain (like example.com), you can use:
<Directory /var/www/html>
Require host example.com
</Directory>
This would allow only visitors from example.com to access the website.
Step 3: Blocking Entire Countries in Apache
To block traffic from specific countries, you need to install an additional module called mod_maxminddb, which uses a GeoIP database to determine the country based on the visitor’s IP address.
Install mod_maxminddb in Linux
To use mod_maxminddb module, you need to install and configure it.
On Ubuntu/Debian, run:
sudo apt update sudo apt install libmaxminddb0 libmaxminddb-dev mmdb-bin apache2-dev git clone https://github.com/maxmind/mod_maxminddb.git cd mod_maxminddb sudo apxs -i -a -c mod_maxminddb.c
On CentOS/RHEL, run:
sudo yum install epel-release sudo yum install libmaxminddb libmaxminddb-devel mmdb-bin httpd-devel git clone https://github.com/maxmind/mod_maxminddb.git cd mod_maxminddb sudo apxs -i -a -c mod_maxminddb.c
Download the MaxMind GeoIP Database
MaxMind provides a free GeoLite2 database that we can use to determine the country based on IP addresses.
tar -xvzf GeoLite2-Country.tar.gz sudo mkdir -p /usr/share/GeoIP sudo mv GeoLite2-Country.mmdb /usr/share/GeoIP/
Configure Apache to Use mod_maxminddb
Now, we need to tell Apache to use the mod_maxminddb module and the GeoIP database.
sudo nano /etc/apache2/apache2.conf # On Ubuntu/Debian sudo nano /etc/httpd/conf/httpd.conf # On CentOS/RHEL
Add the following configuration to enable mod_maxminddb and specify the path to the GeoIP database:
<IfModule mod_maxminddb.c>
MaxMindDBEnable On
MaxMindDBFile COUNTRY_DB /usr/share/GeoIP/GeoLite2-Country.mmdb
MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code
</IfModule>
Add Access Control Based on Country
Now that the module is set up, you can use it to block or allow access based on the visitor’s country. For example, to block access from users in China (CN) and Russia (RU), use this configuration in your Apache virtual host file:
<Directory /var/www/html>
SetEnvIf MM_COUNTRY_CODE CN BlockCountry
SetEnvIf MM_COUNTRY_CODE RU BlockCountry
Require all granted
Require not env BlockCountry
</Directory>
After adding the new configurations, restart Apache to apply the changes:
sudo systemctl restart apache2 # On Ubuntu/Debian sudo systemctl restart httpd # On CentOS/RHEL
To confirm that the module is correctly installed, you can check if mod_maxminddb is loaded in Apache:
apachectl -M | grep maxminddb
If it’s loaded correctly, you should see an output similar to:
maxminddb_module (shared)
Conclusion
Controlling access to your website is an essential aspect of managing your web server’s security and functionality. Apache’s access control features allow you to allow or deny access based on IP addresses, hostnames, or even geographic location.
Whether you are blocking bots, restricting internal resources, or protecting your website from unauthorized users, Apache makes it simple and effective to implement these controls.
