IP blocking with .htaccess in Apache 2.4 - Not Working

Question

I want to block specific IP addresses but allow all others. I'm still struggling with this.

First I modified the apache2.conf file to look like this:

<Directory /var/www/> Options Indexes FollowSymLinks AllowOverride All Require all granted </Directory> 

AllowOverride from None to All

Then added to .htaccess accordingly to the Apache2 documentation below:

The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.

So, a more future-proof answer would be:

<RequireAll> Require all granted Require not ip XXX.XXX.XXX.XXX </RequireAll> 

where XXX.XXX.XXX.XXX is my IP

In the access.log I see this:

10.10.10.5 (XXX.XXX.XXX.XXX) - - [27/Nov/2018:17:11:46 +0000]

Where 10.10.10.5 is the HA proxy.

It's still not working. Any ideas on what should I do next?

Answer 1

”Where 10.10.10.5 is the HA proxy”

Is your Apache behind a reverse proxy?

Because usually that will result in Apache seeing only the ip-address of the reverse proxy server as the client ip-address (and not the actual ip-address of the client) which makes common ip-address restrictions impossible.

HAProxy can be configured to forward the actual client ip-address (see https://www.haproxy.com/blog/haproxy/proxy-protocol/) and Apache will need to be reconfigured to make use of that client ip address with https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html and then you can expect to see client ip-address filtering work as expected in Apache httpd