Restrict access to IP address range
Solution 1
The solution was that I accessed the website via localhost/path/to/site rather than 1.2.70.59/path/to/site. Once I changed that, it worked.
Solution 2
First off, are you adding these directives in an .htaccess file or a config file? If the latter, then you need to restart Apache.
Secondly, do you have mod_authz_host enabled? In your httpd.conf, there should be a line like:
LoadModule authz_host_module modules/mod_authz_host.so
Lastly, are you sure it's not working? I.e. are you testing the right path/server? Are you sure a rewrite rule or custom error page isn't making it look like you've gained access to the page even though you're being shown a different page? Also, what's not working? Is it giving access to external IPs or denying access to internal IPs?
Clear your access log (delete the file), restart the server, and test the URL once more; then look at the access log and see what IP address was recorded and what response code was given.
There are other ways of doing it (e.g. via mod_rewrite or SetEnvIf/Allow from env=), but what you're doing should work.
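The subnet check behind the question and Solution 1, as an added example that is not part of the original posts: it models Order deny,allow with Deny from all in Python and tests the three Allow from notations from the question against the address the server sees. It assumes the browser runs on the server itself, so a localhost URL arrives from IPv4 loopback; the function names and the SEEN_CLIENT table are hypothetical.

```python
import ipaddress

def parse_allow_spec(spec):
    """Turn an 'Allow from' address spec into an IPv4 network.

    Handles the three notations tried in the question: network/netmask,
    CIDR, and a partial address such as '1.2' (leading octets only).
    """
    if "/" in spec:
        # ip_network accepts both '1.2.0.0/16' and '1.2.0.0/255.255.0.0'
        return ipaddress.ip_network(spec, strict=True)
    octets = spec.rstrip(".").split(".")
    if len(octets) < 4:
        # Partial address: '1.2' covers every address starting with 1.2.
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")
    return ipaddress.ip_network(spec + "/32")

def hex_netmask_to_prefix(hexmask):
    """Convert an ifconfig-style mask such as '0xffff0000' to a prefix length."""
    mask = ipaddress.ip_address(int(hexmask, 16))
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen

def is_allowed(client_ip, allow_specs):
    """Model 'Order deny,allow' + 'Deny from all': a client passes only if
    some Allow spec matches the address the server sees for the connection."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in parse_allow_spec(s) for s in allow_specs)

# Constructed from the question (assumption: browser and server share a host).
# Key: host part of the URL; value: client address the server then records.
SEEN_CLIENT = {"localhost": "127.0.0.1", "1.2.70.59": "1.2.70.59"}

if __name__ == "__main__":
    print("0xffff0000 is /%d" % hex_netmask_to_prefix("0xffff0000"))
    for spec in ("1.2.0.0/255.255.0.0", "1.2.0.0/16", "1.2"):
        for host, client in SEEN_CLIENT.items():
            verdict = "allowed" if is_allowed(client, [spec]) else "denied"
            print(f"Allow from {spec:<20} via {host:<10} "
                  f"-> client {client:<10} {verdict}")
```

All three notations describe the same /16, so the rule was never the problem: the request has to arrive from an address inside that range.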
Konrad Rudolph
Updated on September 18, 2022
Comments
-
Konrad Rudolph over 1 year
I’m trying to restrict access to a web resource to the intranet of a company via .htaccess. Unfortunately, the approach via Allow from … isn’t working for me and I don’t understand subnets well enough to troubleshoot the issue.
My IP address is (replaced the first two blocks for privacy) 1.2.70.59, the netmask is given by ifconfig as 0xffff0000, i.e. 255.255.0.0. I’ve used an IP address calculator to get the subnet from this.
An answer on Stack Overflow led me to believe that the following should work:
Order deny,allow
Deny from all
Allow from 1.2.0.0/255.255.0.0
Or, using CIDR (only showing the last line):
Allow from 1.2.0.0/16
Neither works. Nor does the following work, as implied by an answer on this very site:
Allow from 1.2
In fact, not even the following works:
Allow from 127.0.0.1
But this does work:
Allow from localhost
Although I thought these two to be equivalent. Clearly, I have a gap in my understanding.
For completeness, this is the output of ifconfig | grep inet[^6]:
inet 127.0.0.1 netmask 0xff000000
inet 1.2.70.59 netmask 0xffff0000 broadcast 1.2.255.255
What am I doing wrong?
-
Konrad Rudolph about 12 years
Actually, I want the opposite – block from everywhere except from a given range. The question is how I specify the range, since my approaches of notating the subnet don’t work.
-
ionFish about 12 years
Then do: order deny,allow and do allow from 127.0.0.1 and such. Just switch the allows and deny's
-
Konrad Rudolph about 12 years
But that’s exactly what I’m already doing, and it’s not working.
-
ionFish about 12 years
In your httpd.conf, is there a line saying allow-override none, specifically near an IP-restricting code like in my post? If so, change to "allow-override all"
-
Konrad Rudolph about 12 years
No. Otherwise, Allow from localhost wouldn’t work either.
-
ionFish about 12 years
I meant, the .htaccess is really just an override from the httpd.conf, if you don't allow any overrides then .htaccess won't work right. I'm sorry I can't be of more help.
-
Konrad Rudolph about 12 years
True but I definitely allow overrides. I actually succeed in overriding access – otherwise I couldn’t deny access (but I can), nor allow access for localhost (but I can). It just doesn’t work for IP addresses.
-
ionFish about 12 years
I've never had that happen before, maybe someone else will post.
-
Konrad Rudolph about 12 years
Actually I’m already using SetEnvIf for a different purpose since I only want to restrict access to a single (non-physical) resource and I don’t have write access to the server’s httpd.conf so I cannot use <Location>. Now, the solution of the puzzle is that I was using the wrong IP address to access the server – via localhost rather than my local network.
-
Lèse majesté about 12 years
@Konrad: Fairly common mistake. That's why it's always worth the effort to check the access logs.
-
Konrad Rudolph about 12 years
I’d love to. Unfortunately I don’t have access to it. :-( The server configuration is irking me more and more … Apache 1, PHP 5.0 (full of bugs) …