Apache provides a simple web application firewall by allowing for a “.htaccess” file with certain rules in it. This is a file you put in your document root; it can restrict or allow access from specific IP addresses. NB: These commands may also be put directly in the virtual host configuration file in “/etc/apache2/sites-available/”.
Use Case #1: Test environment
Sometimes you may want to lock down a site and only grant access from a limited set of IP addresses. The following example (for Apache 2.2) only allows access from the IP address “127.0.0.1” and blocks any other request. With “Order Deny,Allow” the Deny rules are evaluated first and a matching Allow rule overrides them:
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
In Apache 2.4 the syntax has slightly changed:
    Require all denied
    Require ip 127.0.0.1
You can find your IP address on: whatismyipaddress.com
Use Case #2: Application level firewall
If you run a production server and somebody is abusing your system with a lot of requests, you may want to block a specific IP address. The following example (for Apache 2.2) blocks access only from the IP address “172.28.255.2” and allows any other request. With “Order Allow,Deny” the Allow rules are evaluated first and a matching Deny rule overrides them:
    Order Allow,Deny
    Allow from all
    Deny from 172.28.255.2
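In Apache 2.4 the syntax has slightly changed. A negated “Require not” rule cannot grant access on its own, so it has to be combined with “Require all granted” inside a “<RequireAll>” block:
    <RequireAll>
        Require all granted
        Require not ip 172.28.255.2
    </RequireAll>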
If you want to block an entire range you may also specify CIDR notation:
    <RequireAll>
        Require all granted
        Require not ip 10.0.0.0/8
        Require not ip 172.16.0.0/12
        Require not ip 192.168.0.0/16
    </RequireAll>
NB: Not only IPv4, but also IPv6 addresses may be used.
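The Apache 2.2 “Order” keyword decides which of “Allow” and “Deny” has the last word, and swapping it silently inverts a rule set. The following Python sketch is an added example (not part of the original article and not Apache's own code) that models the documented evaluation order for the two use cases above; the function names and the sample client addresses are constructed for illustration, and partial addresses and host names are not modelled.

```python
import ipaddress


def matches(client, specs):
    """True if client falls inside any spec: 'all', one address, or a CIDR range."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        net = ipaddress.ip_network(spec, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def is_allowed(order, allow, deny, client):
    """Simplified model of the documented Apache 2.2 Order/Allow/Deny semantics.

    Assumption: partial addresses ("10.1") and host names are not modelled.
    """
    allowed = matches(client, allow)
    denied = matches(client, deny)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        # Deny is evaluated first, Allow last: Allow overrides, default is allow.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first, Deny last: Deny overrides, default is deny.
        return allowed and not denied
    raise ValueError("unsupported Order value: %r" % order)


def evaluate(order, allow, deny, clients):
    """Map each client address to the access decision for one rule set."""
    return {c: is_allowed(order, allow, deny, c) for c in clients}


# Constructed sample clients (loopback, the blocked address, two outsiders).
CLIENTS = ["127.0.0.1", "172.28.255.2", "203.0.113.7", "2001:db8::1"]

if __name__ == "__main__":
    # Use case #1: only 127.0.0.1 gets in.
    print("allowlist:", evaluate("Deny,Allow", ["127.0.0.1"], ["all"], CLIENTS))
    # Use case #2: everyone except 172.28.255.2 gets in.
    print("blocklist:", evaluate("Allow,Deny", ["all"], ["172.28.255.2"], CLIENTS))
    # Same rules with the Order keyword swapped: nobody / everybody gets in.
    print("swapped 1:", evaluate("Allow,Deny", ["127.0.0.1"], ["all"], CLIENTS))
    print("swapped 2:", evaluate("Deny,Allow", ["all"], ["172.28.255.2"], CLIENTS))
```

Running a rule set through such a model before deploying it is a quick way to check that the allowlist really excludes outsiders and the blocklist really excludes the abusive address.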