Allowing access to an Apache virtual host from the local network only

People landing on this answer, please note that this is specific to Apache 2.2.

Apache 2.4 has deprecated these directives.

The new way is using the module mod_authz_host and the Require directives.

In Apache 2.4 you should do

<Directory /var/www/ncp-web/>
  Require host localhost
  Require ip 127.0.0.1
  Require ip 192.168
  Require ip 10
</Directory>

and remove all Allow directives.


Easy. Just set something like this within your main configuration or your virtual configuration:

<Directory /var/www/path/to/your/web/documents>

  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1 ::1
  Allow from localhost
  Allow from 192.168
  Allow from 10
  Satisfy Any

</Directory>

The <Directory></Directory> statement basically says, “Use these rules for anything in this directory.” And by “this directory” that refers to the /var/www/path/to/your/web/documents which I have set in this example but should be changed to match your site’s local directory path.

Next within the <Directory></Directory> area you are changing the default Apache behavior, which allows all by default, to Order Deny,Allow. Next, you set Deny from all, which denies access from everyone. Following that are the Allow from statements, which allow access from 127.0.0.1 ::1 (localhost IP address) and localhost (the localhost itself). That’s all the standard stuff, since access from localhost is needed for many internal system processes.

What follows is the stuff that matters to you.

The Allow from for 192.168 as well as 10 will allow access from any/all network addresses within the network range that is prefixed by those numbers.

So by indicating 192.168 that basically means if a user has an address like 192.168.59.27 or 192.168.1.123 they will be able to see the website.

And similarly using the Allow from for the 10 prefix assures that if someone has an IP address of 10.0.1.2 or even 10.90.2.3 they will be able to see the content.

Pretty much all internal networks in the world use either the 192.168 range or something in the 10 range. Nothing external. So using this combo will achieve your goal of blocking access to the outside world but only allowing access from within your local network.
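
As an added illustration of the prefix matching described in the answer above (not part of the original answers), this Python example expands the partial addresses into the networks they cover and checks constructed sample clients against them. The function names and sample addresses are assumptions made for the example; the hostname rule (localhost) is left out because it depends on DNS.

```python
import ipaddress

# Address specs taken from the answers above (Allow from / Require ip).
PAGE_SPECS = ["127.0.0.1", "::1", "192.168", "10"]


def spec_to_network(spec):
    """Turn an Apache address spec into an ipaddress network.

    A partial IPv4 address (1 to 3 octets) matches on whole-octet
    boundaries, so "10" means 10.0.0.0/8, not "starts with the text 10".
    """
    if ":" in spec or "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address or prefix: {spec!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")


def is_allowed(client, specs=PAGE_SPECS):
    """True if the client address falls inside any listed spec."""
    addr = ipaddress.ip_address(client)
    return any(
        addr.version == net.version and addr in net
        for net in map(spec_to_network, specs)
    )


# Constructed sample clients, chosen to show the edge cases.
SAMPLES = [
    "192.168.59.27",  # inside 192.168.0.0/16
    "10.90.2.3",      # inside 10.0.0.0/8
    "100.64.0.1",     # text starts with "10" but first octet is 100
    "192.16.8.1",     # not 192.168.x.x
    "172.16.5.4",     # private (RFC 1918) but not in the listed specs
    "::1",            # IPv6 loopback
    "203.0.113.7",    # documentation range, stands in for an outside client
]

if __name__ == "__main__":
    for client in SAMPLES:
        verdict = "allow" if is_allowed(client) else "deny"
        print(f"{client:15} {verdict}")
```
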


Add this section inside your virtual host directive:

<Location /mypathurl>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.10
</Location>

Replace your IP above. This should not be used for financial level security, FYI.