Apache: deny from a list of IPs in an external file

Look at the Apache Include directive:

http://httpd.apache.org/docs/2.2/mod/core.html#include

You can create a separate configuration file containing your denied list and include it in any other configuration file, e.g. a site in sites-available. Example usage below:

In /etc/apache2/sites-enabled/yoursite.conf

<VirtualHost *:80>
...

Include /etc/apache2/sites-access/yoursite.conf

...
</VirtualHost>

In /etc/apache2/sites-access/yoursite.conf

# Order allow,deny: Allow lines are evaluated first, then Deny lines, and the
# last match wins, so 10.0.0.1 is refused and every other client is let in.
Order allow,deny
Deny from 10.0.0.1
Allow from all
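The directives above are the Apache 2.2 access-control syntax (the linked documentation is the 2.2 manual). On Apache 2.4 they are only provided by mod_access_compat and should not be mixed with `Require` in the same scope, so the same split-out deny list is better expressed with mod_authz_core. The following is an added example, not part of the answer above; the `yoursite-deny.conf` filename and the `<Location "/">` scope are assumptions:

```apache
# /etc/apache2/sites-enabled/yoursite.conf  (Apache 2.4 syntax, added example)
<VirtualHost *:80>
    ServerName yoursite.example
    DocumentRoot /var/www/yoursite

    <Location "/">
        <RequireAll>
            Require all granted
            # the denied list lives in its own file, which can carry different
            # ownership and permissions from the rest of the Apache config
            Include /etc/apache2/sites-access/yoursite-deny.conf
        </RequireAll>
    </Location>
</VirtualHost>

# /etc/apache2/sites-access/yoursite-deny.conf  (assumed filename)
# One "Require not ip" per entry; single addresses and CIDR ranges both work.
# Inside <RequireAll>, any "Require not" that matches fails the whole block,
# so a listed client is refused while everyone else passes "Require all granted".
Require not ip 10.0.0.1
Require not ip 203.0.113.0/24
```

An empty deny file is harmless (the block then contains only `Require all granted`). Because `Include` is read when the configuration is loaded, edits to the deny file only take effect after `apachectl -t` followed by `apachectl graceful`.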

Using a RewriteMap map as the external IP address file works for a list of individual IP addresses:

RewriteEngine on
RewriteMap allowed "txt:${site_dir}/etc/allowed_ip_addresses"

UnsetEnv ALLOWED

RewriteCond ${allowed:%{REMOTE_ADDR}} 1
RewriteRule ^ - [E=ALLOWED]

<Location />
  Deny  from all
  Allow from env=ALLOWED
</Location>

Then allowed_ip_addresses contains lines like:

10.42.1.123      1
192.168.100.45   1

That maps allowed IP addresses to the value 1, and all other IP addresses to the empty string.

The RewriteCond looks up REMOTE_ADDR in the map, and if it's 1 then it sets an environment variable. UnsetEnv ensures that the variable is definitely unset otherwise.

Then Allow from only permits access when that environment variable has been set.

The external map file can have different filesystem permissions from your Apache config, and changes to it take effect immediately, without requiring restarting Apache.
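Because a txt RewriteMap is consulted on every request and never complains about its contents, a malformed entry (a bad octet, a CIDR range, a key that does not match `REMOTE_ADDR` byte-for-byte) simply never matches. The following is an added example, not code from the answer above: a small linter that parses the map the way mod_rewrite's txt format is documented (key, whitespace, value; `#` comments; blank lines ignored) and emulates the `${allowed:%{REMOTE_ADDR}}` lookup plus the `RewriteCond ... 1` match. The sample map is constructed for the example and deliberately contains two broken lines; the `main` entry point and its command-line handling are assumptions.

```python
"""Lint an Apache mod_rewrite txt allowlist and emulate the lookup.

Added example, not code from the answer above. It assumes the map file
follows the documented txt RewriteMap format (key, whitespace, value;
'#' starts a comment; blank lines ignored) and mirrors

    RewriteCond ${allowed:%{REMOTE_ADDR}} 1
    RewriteRule ^ - [E=ALLOWED]

where a missing key yields the empty string and the pattern "1" is an
unanchored regex.
"""
import ipaddress
import re
import sys

# Constructed sample map. Two of the lines are the kind of mistake that
# never errors in Apache but silently never matches a real REMOTE_ADDR.
SAMPLE_MAP = """\
# allowed_ip_addresses
10.42.1.123      1
192.168.100.456  1
10.0.0.0/8       1
2001:db8::10     1
"""

# Same regex as the RewriteCond above. It is unanchored, so a value such as
# "10" also passes; write ^1$ in the RewriteCond if you want an exact match.
COND_PATTERN = re.compile("1")


def parse_rewrite_map(text):
    """Return (mapping, problems).

    mapping is key -> value exactly as mod_rewrite would store it (a bogus
    key is stored too; it just never equals any REMOTE_ADDR). problems is a
    list of (line number, message) that a deploy step should refuse on.
    """
    mapping, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            problems.append((lineno, "no value column"))
            continue
        key, value = parts[0], parts[1].strip()
        try:
            ipaddress.ip_address(key)   # rejects bad octets, CIDR ranges, hostnames
        except ValueError:
            problems.append((lineno, f"{key!r} is not a single IP address"))
        if not COND_PATTERN.search(value):
            problems.append((lineno, f"value {value!r} will not satisfy the RewriteCond"))
        if key in mapping:
            problems.append((lineno, f"duplicate key {key!r}"))
        mapping[key] = value
    return mapping, problems


def is_allowed(mapping, remote_addr):
    """Emulate ${allowed:REMOTE_ADDR} followed by the RewriteCond match.

    The key is compared byte-for-byte with REMOTE_ADDR, so an IPv6 client
    must appear in the file exactly as Apache renders its address.
    """
    value = mapping.get(remote_addr, "")        # unknown key -> empty string
    return COND_PATTERN.search(value) is not None


def main(argv):
    # usage: lint_map.py [map_file] [remote_addr ...]   (assumed interface)
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_MAP
    mapping, problems = parse_rewrite_map(text)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}", file=sys.stderr)
    for addr in argv[2:]:
        print(addr, "allowed" if is_allowed(mapping, addr) else "denied")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real map in the cron job or deploy step that publishes the file and refuse to copy it into place when the exit status is non-zero; that catches the silent misses before a legitimate client is locked out.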


This is not a real security method, but you can put this txt file in a shared directory and update the Apache config with a cron job...

Another method is with .htaccess:

# in .htaccess (the directory needs AllowOverride Limit for these to be honoured)
Order allow,deny
Deny from 10.0.0.1
Allow from all
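The cron-job idea above needs a few safeguards that a plain copy does not give you: a malformed line must abort rather than silently drop a ban, the generated file must be replaced atomically so Apache never reads a half-written Include, and the configuration must pass a syntax check before a reload. The following is an added example, not the answer's own script. It generates the `Order`/`Deny`/`Allow` block from the first answer out of a plain list; the list path `/var/shared/denied_ips.txt`, the cron entry in the docstring and the sample list are assumptions constructed for the example.

```python
"""Regenerate the Include'd deny file from a shared plain-text list, then
config-test and reload Apache.

Added example, not the answer's own script. Assumed: a hypothetical list
file /var/shared/denied_ips.txt (one IP or CIDR per line, '#' comments),
the Include path from the first answer, and a root cron entry such as
    */5 * * * * /usr/local/sbin/update_deny.py
that runs it. The generated block uses the Apache 2.2 Order/Deny/Allow
syntax shown on this page.
"""
import ipaddress
import os
import shutil
import subprocess
import sys
import tempfile

LIST_FILE = "/var/shared/denied_ips.txt"                 # assumed path
DENY_FILE = "/etc/apache2/sites-access/yoursite.conf"    # path from the first answer

# Constructed sample of the shared list, used by the tests below.
SAMPLE_LIST = """\
10.0.0.1
203.0.113.0/24   # a whole range; Deny from accepts CIDR notation
# 198.51.100.7   (commented out, so not denied)
"""


def read_deny_list(text):
    """Parse the list into ip_network objects.

    A malformed line aborts the run instead of being dropped, so a typo in
    the shared file cannot quietly un-ban a host.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an IP or CIDR") from exc
    return nets


def render_deny_conf(nets):
    """Emit the Order/Deny/Allow block (Apache 2.2 syntax) for the networks."""
    lines = ["# generated from the shared deny list; do not edit by hand",
             "Order allow,deny"]
    for net in nets:
        is_host = net.prefixlen == net.max_prefixlen       # single address?
        lines.append(f"Deny from {net.network_address if is_host else net.with_prefixlen}")
    lines.append("Allow from all")
    return "\n".join(lines) + "\n"


def deploy(list_path=LIST_FILE, deny_path=DENY_FILE):
    """Atomically replace the deny file, then config-test before reloading.

    If the new configuration fails `apachectl -t` the previous file is put
    back, so a bad list never leaves Apache unable to (re)start.
    """
    with open(list_path) as f:
        conf = render_deny_conf(read_deny_list(f.read()))
    backup = deny_path + ".bak"
    if os.path.exists(deny_path):
        shutil.copy2(deny_path, backup)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(deny_path), prefix=".deny.")
    with os.fdopen(fd, "w") as f:
        f.write(conf)
    os.chmod(tmp, 0o644)
    os.replace(tmp, deny_path)      # rename is atomic; Apache never sees a partial file
    if subprocess.run(["apachectl", "-t"]).returncode != 0:
        if os.path.exists(backup):
            os.replace(backup, deny_path)
        raise SystemExit("configtest failed; previous deny file restored, not reloaded")
    # Include is read at startup, so a reload is required for the change to apply
    subprocess.run(["apachectl", "graceful"], check=True)


if __name__ == "__main__":
    deploy(*sys.argv[1:3])
```

The same generator can target the Apache 2.4 `Require not ip` form by changing only `render_deny_conf`; the atomic write and configtest-before-reload steps stay as they are.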

Tags:

Apache