I've a website (running on CentOS at Google Cloud, Apache 2.4.37), say it's name is awesomesite.co.id.
There are certain pages on that website, e.g awesomesite.co.id/dev123/secret.html which is not supposed to be accessible from any network, except from whitelisted IPs. So here's what I already did:
- Edited
/etc/httpd/conf.d/awesome-site.conf. I put 2 whitelisted IPs on it.
<VirtualHost *:80>
ServerName awesomesite.co.id
DocumentRoot /var/www/html/awesome
ErrorLog /var/log/httpd/awesome-site-error.log
CustomLog /var/log/httpd/awesome-site-requests.log combined
#commented for testing PHP proxy, allow both http and https work
RewriteEngine on
RewriteCond %{SERVER_NAME} =awesomesite.co.id
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<Directory /dev123/*>
Order deny,allow
Deny from all
Allow from 123.123.100.100
Allow from 200.200.44.59
</Directory>
- Restarted Apache:
systemctl restart http.service
I tried to access awesomesite.co.id/dev123/secret.html on a few mobile devices (all different telco providers). The result is all devices could accessed that page normally.
So what's the correct way, then?
The
Allow,Deny, andOrderdirectives, provided by mod_access_compat, are deprecated as of version 2.4 and will no longer work.Use
Requireinstead:The
Requiredirective is provided by themod_authz_hostmodule.More infirmation can be found in the Apache HTTP Server documentation
Note that a CIDR range such as
Require ip 200.200.44.0/24is possible as well (see here for more examples):