Apache httpd: How can I Deny from all, Allow from subnet, but Deny from IP within that subnet?
I haven't tested, but I think you are almost there.
<Location /server-status>
SetHandler server-status
Order Allow,Deny
Deny from 192.168.16.100
Allow from 192.168.16.0/24
</Location>
Deny from all is not needed. In fact it will screw up because everything will match all, and thus denied (and I think Apache is trying to be smart and do something stupid). I have always found Apache's Order, Allow and Deny directives confusing, so always visualize things in a table (taken from the docs):
Match | Allow,Deny result | Deny,Allow result ------------------------------------------------------- Allow only | Allowed | Allowed Deny only | Denied | Denied No match | Default: Denied | Default: Allowed Match both | Final match: Denied | Final match: Allowed
With the above settings:
- Requests from 192.168.16.100 get "Match both" and thus denied.
- Requests from 192.168.16.12 get "Allow only" and thus allowed.
- Requests from 123.123.123.123 get "No match" and thus denied.