Allowing access to an Apache virtual host from the local network only
People landing in this answer, please note that this is specific for Apache 2.2.
Apache 2.4 has deprecated these directives.
The new way is using the module mod_authz_host and the Require directives. (link)
In Apache 2.4 you should do

    <Directory /var/www/ncp-web/>
        Require host localhost
        Require ip 127.0.0.1
        Require ip 192.168
        Require ip 10
    </Directory>

and remove all Allow directives.
Easy. Just set something like this within your main configuration or your virtual configuration:

    <Directory /var/www/path/to/your/web/documents>
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1 ::1
        Allow from localhost
        Allow from 192.168
        Allow from 10
        Satisfy Any
    </Directory>

The <Directory></Directory> statement basically says, “Use these rules for anything in this directory.” And by “this directory” that refers to the /var/www/path/to/your/web/documents which I have set in this example but should be changed to match your site’s local directory path.

Next, within the <Directory></Directory> area you are changing the default Apache behavior, which allows all by default, to Order Deny,Allow. Next, you set Deny from all, which denies access from everyone. Following that are the Allow from statements which allow access from 127.0.0.1 ::1 (localhost IP address) and localhost (the localhost itself). That’s all the standard stuff, since access from localhost is needed for many internal system processes.

What follows is the stuff that matters to you.

Allow from for 192.168 as well as 10 will allow access from any/all network addresses within the network range that is prefixed by those numbers.

So by indicating 192.168 that basically means if a user has an address like 192.168.1.123 they will be able to see the website.

And similarly using the Allow from for the 10 prefix assures that if someone has an IP address of 10.0.1.2 or even 10.90.2.3 they will be able to see the content.

Pretty much all internal networks in the world use either the 192.168 range or something in the 10 range. Nothing external. So using this combo will achieve your goal of blocking access to the outside world but only allow access from within your local network.

Add this section inside your virtual host directive:

    <Location /mypathurl>
        Order deny,allow
        Deny from all
        Allow from 192.168.1.10
    </Location>

Replace your IP above. This should not be used for financial level security, FYI.
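
Added example, not part of either answer on this page: a Python script that rewrites a 2.2-style deny-all-then-allow block, such as the <Directory> and <Location> blocks above, into Apache 2.4 Require lines with explicit CIDR prefixes, and refuses any block it cannot translate without guessing. The names migrate and require_for and the sample text are constructed for this illustration.

```python
import ipaddress
import re

# Constructed sample: the Apache 2.2 block from the first answer above.
SAMPLE_22 = """<Directory /var/www/path/to/your/web/documents>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 ::1
    Allow from localhost
    Allow from 192.168
    Allow from 10
    Satisfy Any
</Directory>"""

def require_for(token):
    """Map one 'Allow from' argument to an Apache 2.4 Require line."""
    if token.lower() == "all" or "=" in token:
        raise ValueError(f"cannot translate 'Allow from {token}' safely")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}\.?", token):  # partial prefix: 10, 192.168
        octets = token.rstrip(".").split(".")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        net = ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
        return f"Require ip {net}"
    try:
        ipaddress.ip_network(token, strict=False)  # full address or CIDR
        return f"Require ip {token}"
    except ValueError:
        return f"Require host {token}"  # anything else is a host name

def migrate(block):
    """Rewrite a deny-all-then-allow block for 2.4; refuse anything else."""
    out, seen = [], set()
    for line in block.splitlines():
        words = line.lower().split()
        indent = line[: len(line) - len(line.lstrip())]
        if not words or words[0][0] in "<#":
            out.append(line)  # container tags, comments and blanks pass through
        elif words[0] == "order" and "".join(words[1:]) == "deny,allow":
            seen.add("order")
        elif words == ["deny", "from", "all"]:
            seen.add("deny")
        elif words[:2] == ["allow", "from"] and len(words) > 2:
            out += [indent + require_for(t) for t in line.split()[2:]]
        elif words[0] != "satisfy":  # Satisfy is dropped along with Order/Deny
            raise ValueError(f"not a plain allowlist, review by hand: {line.strip()}")
    if seen != {"order", "deny"}:
        raise ValueError("block is not 'Order Deny,Allow' plus 'Deny from all'")
    return "\n".join(out)
```

Require lines that are not enclosed in a container are combined as RequireAny in 2.4, so the rewritten block keeps the allowlist behaviour of the original.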