Apache: How to Block Requests by IP/Country

Last updated: January 20, 2024

Introduction

Securing a web server involves various tactics, and one common approach is to control access based on the requestor’s IP address or country. In the Apache web server, this can be achieved using different modules and configurations. In this tutorial, we’ll explore how to block requests by IP or country in an Apache server environment.

Prerequisites

  • Access to Apache web server
  • Basic knowledge of Apache configuration files
  • Command line access with appropriate permissions

Blocking by IP

Firstly, let’s learn how to restrict access by IP address.

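Using the Require Directive

In Apache 2.4 and later, you can use the Require directive. Open the Apache configuration file and add the following. (In a site’s .htaccess file, use only the lines inside the <Directory> block, because <Directory> sections are not allowed in .htaccess.) The negated rule has to sit inside a <RequireAll> block: Require directives listed without a container are combined as <RequireAny>, and Apache rejects a Require not there as a configuration error.

<Directory "/var/www/html">
  <RequireAll>
    Require all granted
    Require not ip 192.168.1.1
  </RequireAll>
</Directory>

This blocks requests from the IP address 192.168.1.1.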

Blocking Multiple IPs

To block multiple specific IP addresses, write:

<Directory "/var/www/html">
  # Negated rules only take effect inside <RequireAll>
  <RequireAll>
    Require all granted
    Require not ip 192.168.1.1 192.168.1.2 192.168.1.3
  </RequireAll>
</Directory>

If you want to block an entire subnet, you can do so like this:

<Directory "/var/www/html">
  # Negated rules only take effect inside <RequireAll>
  <RequireAll>
    Require all granted
    Require not ip 192.168.1.0/24
  </RequireAll>
</Directory>
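Before deploying a blocklist, it helps to check which addresses it would actually deny, for example your own admin or monitoring hosts. The following is an added example, not part of the original tutorial: it reads the `Require not ip` lines from a constructed config snippet and reports which entry, if any, matches each test address. It goes slightly beyond the forms shown above by also handling the partial-address (`10.20`) and address/netmask forms that `Require ip` accepts; the function names and sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample config: single addresses, a CIDR subnet, a partial address.
SAMPLE_CONF = """
<Directory "/var/www/html">
  <RequireAll>
    Require all granted
    Require not ip 192.168.1.1 192.168.1.2
    Require not ip 192.168.2.0/24
    Require not ip 10.20
  </RequireAll>
</Directory>
"""

def parse_spec(spec):
    """Turn one 'Require ip' argument into an ip_network."""
    # Partial IPv4 address (first 1-3 octets), e.g. "10.20" means 10.20.0.0/16.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}\.?", spec):
        octets = spec.rstrip(".").split(".")
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")
    # Full address, CIDR or address/netmask; strict=False tolerates host bits.
    return ipaddress.ip_network(spec, strict=False)

def blocked_networks(conf_text):
    """Collect every network named on a 'Require not ip' line."""
    nets = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*Require\s+not\s+ip\s+(.+)", line, re.IGNORECASE)
        if m:
            nets.extend(parse_spec(s) for s in m.group(1).split())
    return nets

def check(addresses, conf_text=SAMPLE_CONF):
    """Map each address to the blocklist entry that would deny it, or None."""
    nets = blocked_networks(conf_text)
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        hit = next((n for n in nets if ip.version == n.version and ip in n), None)
        result[addr] = str(hit) if hit else None
    return result

if __name__ == "__main__":
    # Constructed test addresses, e.g. an admin workstation and a monitoring probe.
    for addr, hit in check(["192.168.1.2", "192.168.2.77", "10.20.5.9", "10.21.0.1"]).items():
        print(f"{addr:15} {'DENIED by ' + hit if hit else 'allowed'}")
```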

Blocking by Country

Blocking users by country is more complex than blocking individual IP addresses because you need to access an external database that maps IPs to countries.

Using mod_geoip2 or mod_maxminddb Modules

Apache’s mod_geoip2 module (or the newer mod_maxminddb) allows you to block access by country. First, install the module.

Installation on Ubuntu/Debian:

sudo apt-get update
sudo apt-get install libapache2-mod-geoip

Installation on CentOS/RedHat:

sudo yum install mod_geoip

Next, download the GeoIP database and configure Apache to use it.

Configuring mod_geoip

Add the following to httpd.conf or your site’s .conf file:

GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat

To block or allow specific countries, use:

<Directory "/var/www/html">
  # Apache 2.2-style access control; on Apache 2.4 this needs mod_access_compat
  SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
  SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
  Order allow,deny
  Allow from all
  Deny from env=BlockCountry
</Directory>

In the above code, replace ‘CN’ and ‘RU’ with the ISO country codes for the countries you want to block.

With newer Apache versions and mod_maxminddb, the configuration looks like this. As with IP rules, the negated Require must be placed inside a <RequireAll> block:

MaxMindDBEnable On
MaxMindDBFile DB /path/to/GeoLite2-Country.mmdb
MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code
SetEnvIf MM_COUNTRY_CODE ^(RU|CN)$ BlockCountry
<Directory "/var/www/html">
  <RequireAll>
    Require all granted
    Require not env BlockCountry
  </RequireAll>
</Directory>

Testing Your Configuration

Once you’ve applied your changes, you’ll need to test your server configuration.

sudo apachectl configtest

If the output indicates ‘Syntax OK’, go ahead and restart Apache:

sudo systemctl restart apache2
# Or on CentOS/RedHat
sudo service httpd restart

To verify that the blocking works, you can use a VPN or proxy service that changes your IP address to one in a blocked country or IP range and check whether access is restricted.
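The access log gives a second check that needs no VPN: every request from a blocked address should have been answered with 403. The following is an added example, not part of the original tutorial. It scans constructed log lines in Apache's common log format and lists requests from the blocked subnet that got any other status, which typically means the path is served from a location the `<Directory>` rule does not cover. The function name and log lines are assumptions, and it covers IP-based rules only.

```python
import ipaddress
import re

# Networks the configuration is meant to deny (the tutorial's example subnet).
BLOCKED = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines in common log format.
SAMPLE_LOG = [
    '192.168.1.1 - - [20/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 403 199',
    '192.168.1.77 - - [20/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Jan/2024:10:00:09 +0000] "GET / HTTP/1.1" 200 5120',
    '192.168.1.77 - - [20/Jan/2024:10:00:12 +0000] "GET /admin/ HTTP/1.1" 403 199',
]

# client, ident, user, [time], "method path protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def leaks(lines, blocked=BLOCKED):
    """Return (client, path, status) for blocked clients that were not refused."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        client, _method, path, status = m.groups()
        try:
            ip = ipaddress.ip_address(client)
        except ValueError:
            continue  # a hostname was logged instead of an address
        is_blocked = any(ip.version == n.version and ip in n for n in blocked)
        if is_blocked and status != "403":
            found.append((client, path, int(status)))
    return found

if __name__ == "__main__":
    for client, path, status in leaks(SAMPLE_LOG):
        print(f"blocked client {client} received {status} for {path}")
```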

Conclusion

Implementing geographic blocking in Apache can be a powerful way to secure your server from unwanted traffic, though it should be part of a broader security strategy. Remember that IP-based blocks can sometimes inadvertently block legitimate users, particularly in cases where IP ranges change or users travel. Therefore, keep your GeoIP database up-to-date and review your access control policies regularly.
