Apache: How to Block Requests by IP/Country

Updated: January 20, 2024 By: Guest Contributor

Introduction

Securing a web server involves various tactics, and one common approach is to control access based on the requestor’s IP address or country. In the Apache web server, this can be achieved using different modules and configurations. In this tutorial, we’ll explore how to block requests by IP or country in an Apache server environment.

Prerequisites

  • Access to Apache web server
  • Basic knowledge of Apache configuration files
  • Command line access with appropriate permissions

Blocking by IP

Firstly, let’s learn how to restrict access by IP address.

Using the Require Directive

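In Apache 2.4 and later, you can use the Require directive. A negated rule (Require not) has to sit inside a <RequireAll> block: a negated directive cannot grant access on its own, and Apache rejects the configuration if it is placed directly beside Require all granted. Open the Apache configuration file and add the following (in a site's .htaccess file, leave out the <Directory> wrapper, which is not allowed there):

<Directory "/var/www/html">
  # Negated Require rules are only valid inside <RequireAll>
  <RequireAll>
    Require all granted
    Require not ip 192.168.1.1
  </RequireAll>
</Directory>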

This blocks access to users from the IP 192.168.1.1.

Blocking Multiple IPs

To block multiple specific IP addresses, write:

<Directory "/var/www/html">
  <RequireAll>
    Require all granted
    Require not ip 192.168.1.1 192.168.1.2 192.168.1.3
  </RequireAll>
</Directory>

If you want to block an entire subnet, you can do so like this:

<Directory "/var/www/html">
  <RequireAll>
    Require all granted
    Require not ip 192.168.1.0/24
  </RequireAll>
</Directory>

Blocking by Country

Blocking users by country is more complex than blocking individual IP addresses because you need to access an external database that maps IPs to countries.

Using mod_geoip2 or mod_maxminddb Modules

Apache’s mod_geoip2 module (or the newer mod_maxminddb) allows you to block access by country. First, install the module.

Installation on Ubuntu/Debian:

sudo apt-get update
sudo apt-get install libapache2-mod-geoip

Installation on CentOS/RedHat:

sudo yum install mod_geoip

Next, download the GeoIP database and configure Apache to use it.

Configuring mod_geoip

Add the following to httpd.conf or your site’s .conf file:

GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat

To block or allow specific countries, use:

<Directory "/var/www/html">
  SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
  SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
  Order allow,deny
  Allow from all
  Deny from env=BlockCountry
</Directory>

In the above code, replace ‘CN’ and ‘RU’ with the ISO country codes for the countries you want to block.

In the case of newer Apache versions and mod_maxminddb, the configuration would look like:

MaxMindDBEnable On
MaxMindDBFile DB /path/to/GeoLite2-Country.mmdb
MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code
SetEnvIf MM_COUNTRY_CODE ^(RU|CN)$ BlockCountry
<Directory "/var/www/html">
  # Negated Require rules are only valid inside <RequireAll>
  <RequireAll>
    Require all granted
    Require not env BlockCountry
  </RequireAll>
</Directory>

Testing Your Configuration

Once you’ve applied your changes, you’ll need to test your server configuration.

sudo apachectl configtest

If the output indicates ‘Syntax OK’, go ahead and restart Apache:

sudo systemctl restart apache2
# Or on CentOS/RedHat
sudo service httpd restart

To verify if the blocking is working, you can use VPNs or proxy services that change your IP address to one of the blocked countries or IPs and check whether access is restricted.
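Another way to check the rules, shown here as an added example that is not part of the original tutorial: audit the access log and confirm that every request from a blocked range was answered with 403. It assumes the default common/combined log format with the real client address in the first field (not a proxy's); the blocklist and log lines are constructed sample values.

```python
import ipaddress
import re

# Blocklist: the subnet from the tutorial's example plus one constructed host.
BLOCKED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.7/32")]

# Common/combined log format: client ident user [time] "request" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.168.1.1 - - [20/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 403 199 "-" "curl/8.0"',
    '192.168.1.77 - - [20/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.20 - - [20/Jan/2024:10:00:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.2.1 - - [20/Jan/2024:10:00:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'malformed line',
]

def is_blocked(addr, networks):
    """True if addr parses as an IP address and falls inside a blocked network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostname or garbage in the client field
    return any(ip.version == net.version and ip in net for net in networks)

def audit(lines, networks):
    """Split requests from blocked sources into (enforced, leaked).

    enforced: answered with 403. leaked: any other status, which means some
    vhost, directory or rule did not apply the block and needs review.
    """
    enforced, leaked = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, request, status = m.group(1), m.group(2), int(m.group(3))
        if is_blocked(client, networks):
            (enforced if status == 403 else leaked).append((client, request, status))
    return enforced, leaked

if __name__ == "__main__":
    enforced, leaked = audit(SAMPLE_LOG, BLOCKED)
    print(f"{len(enforced)} request(s) from blocked sources denied with 403")
    for client, request, status in leaked:
        print(f"NOT BLOCKED: {client} {request!r} -> {status}")
```

To audit a live server, pass the lines of your own access log to audit() in place of SAMPLE_LOG.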

Conclusion

Implementing geographic blocking in Apache can be a powerful way to secure your server from unwanted traffic, though it should be part of a broader security strategy. Remember that IP-based blocks can sometimes inadvertently block legitimate users, particularly in cases where IP ranges change or users travel. Therefore, keep your GeoIP database up-to-date and review your access control policies regularly.