Block access to all vhosts / shared vhosts command

nservices

Verified User
Joined
Dec 11, 2008
Messages
301
Hi,
I want to deny IP access to IPs in Apache level, for all vhosts
I try to add
Order Deny,Allow
Allow from all
Deny from 1.1.1.1
in httpd-includes.conf file
but this not working, any suggestion?

Regards,
 
Which Apache version while ip order deny allow is old, so better not for version 2.4.x

Tryouts in htaccess first then read the Apache DOCS/WIKI
 
"Order Deny,Allow" is wrong for your case with the included clauses. With Deny,Allow you first specify the denied origins (the deny clause) and then the exceptions from that rule (the allowed clause). The IP address which you wish to block matches both clauses. So you first deny the IP and then allow it back.

You must do it the opposite way - Order Allow,Deny, so you define firstly what is allowed (allow from all - everything is allowed) and then add a deny clause which is the exception from that rule (you block the specific IP).

Briefly - your rule must be:

Code:
Order Allow,Deny
Deny from 1.1.1.1
Allow from all

Another option is to use Order Deny,Allow, but skip the allowed part, eg:

Code:
Order Deny,Allow
Deny from 1.1.1.1

That way you specify the denied list with the IP first and then, since there is no allowed clause, there is no exception to that rule so it will work :) That will not block other IPs because they won't match in the deny clause.

Most people prefer the first variant - I guess they feel safer when they see "allow from all" explicitly.
 
Last edited:
Back
Top