Apache deny from CIDR range but allow from IP within that range


Solution 1

The Apache manual section on mod_authz_host is instructive here. The order of your allow and deny statements does not matter. With order allow,deny, you must match at least one allow and no deny directives for your request to be accepted. I think you want order deny,allow.

Solution 2

Apache first processes all Deny and all Allow directives. Then it works its way through them, matching rules based on the Order statement; the last match wins. This means that your deny from 83.140.0.0/16 rule will be matched after your allow from 83.140.19.38 rule and you are denied access. To solve this, change the Order to Order Deny,Allow.
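The following is an added example, not code from the question or from either answer: a small Python model of how mod_authz_host applies the Order directive, run over the questioner's excerpt and over the same rules with Order deny,allow. It serves both Solution 1 and Solution 2. The two configuration strings are reconstructed from the excerpt (the "# ..." stands for the elided blacklist lines, exactly as in the question), the unlisted address 198.51.100.7 is a made-up test value, and the parser understands only Order, Allow from and Deny from with IP, CIDR or "all" arguments.

```python
import ipaddress

# Constructed from the questioner's excerpt; the "# ..." line is kept as-is
# because the rest of the country blacklist is not shown on the page.
ORIGINAL_CONF = """
order allow,deny
deny from 27.116.56.0/22
deny from 58.147.128.0/19
deny from 61.5.192.0/20
deny from 83.140.0.0/16
# ...
allow from 83.140.19.38
"""

# The same rules with the Order both answers recommend.
FIXED_CONF = """
order deny,allow
deny from 27.116.56.0/22
deny from 58.147.128.0/19
deny from 61.5.192.0/20
deny from 83.140.0.0/16
# ...
allow from 83.140.19.38
"""


def parse_access_rules(conf):
    """Return (order, allow_rules, deny_rules) from a fragment of Apache 2.2
    mod_authz_host directives. Only 'Order', 'Allow from' and 'Deny from' are
    understood; hosts may be single IPs, CIDR ranges or the keyword 'all'."""
    order = None
    rules = {"allow": [], "deny": []}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "order":
            order = parts[1].lower()
        elif name in rules and len(parts) >= 3 and parts[1].lower() == "from":
            for host in parts[2:]:
                if host.lower() == "all":
                    rules[name].append("all")
                else:
                    # strict=False tolerates host bits set in a prefix
                    rules[name].append(ipaddress.ip_network(host, strict=False))
    if order not in ("allow,deny", "deny,allow"):
        raise ValueError("unsupported or missing Order directive: %r" % order)
    return order, rules["allow"], rules["deny"]


def _matches(rule_list, ip):
    """True if ip matches any rule in the list ('all' matches everything)."""
    return any(rule == "all" or ip in rule for rule in rule_list)


def is_allowed(conf, client_ip):
    """Decide whether client_ip is admitted under conf, following the
    mod_authz_host rules: the position of Allow and Deny lines in the file
    never matters, only which directive type Order applies last."""
    order, allows, denies = parse_access_rules(conf)
    ip = ipaddress.ip_address(client_ip)
    allowed = _matches(allows, ip)
    denied = _matches(denies, ip)
    if order == "allow,deny":
        # Default state is deny; Deny is applied last, so a Deny match wins
        # over any Allow match. Hosts matching neither list are denied.
        return allowed and not denied
    # "deny,allow": default state is allow; Allow is applied last, so an
    # Allow match overrides any Deny match. Unlisted hosts are allowed.
    return allowed or not denied


if __name__ == "__main__":
    for label, conf in (("allow,deny", ORIGINAL_CONF), ("deny,allow", FIXED_CONF)):
        for ip in ("83.140.19.38", "83.140.1.1", "198.51.100.7"):
            verdict = "allowed" if is_allowed(conf, ip) else "denied"
            print("Order %-10s %-14s -> %s" % (label, ip, verdict))
```

Two things the model makes visible. First, with Order allow,deny the whitelisted 83.140.19.38 is denied no matter where the allow line sits in the file, and with Order deny,allow it is admitted while 83.140.1.1 in the same /16 stays blocked. Second, the excerpt evaluated as written also denies the unlisted 198.51.100.7 under allow,deny, because that Order defaults to deny for hosts matching neither list; if the real file contains no "allow from all" in the elided part, switching to deny,allow is what restores access for everyone outside the blacklist. On Apache 2.4 these directives come from mod_access_compat; the native equivalent is a RequireAny block holding a Require ip for the exception and a RequireAll block with Require all granted and Require not ip for the blocked ranges.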

Author: Chase

Updated on September 18, 2022

Comments

  • Chase (over 1 year ago):

    I am using a long CIDR blacklist to block several countries from a site, but I need to allow specific IP addresses within the blocked CIDR ranges. Here's an excerpt of my conf file (this is the order that I am currently trying, though I have tried moving the "allow" lines above the "deny" lines as well):

    order allow,deny
    deny from 27.116.56.0/22
    deny from 58.147.128.0/19
    deny from 61.5.192.0/20
    deny from 83.140.0.0/16
    # ...
    allow from 83.140.19.38
    

    The blacklist works fine, but the "allow" lines are not honored whether I place them above the "deny" section or below it. Is there any other configuration that I should need to get this to work? Apache documentation led me to believe that "allow" should come after "deny," but it did not seem to answer this question directly either way.