
Quick tip: How to limit access to a web directory by IP address

Ryan Boudreaux explains how to set up an .htaccess file that will limit access to your web directory based on IP address. He also explains the pros and cons of using this method.

There are several methods for protecting web directories in an Apache web server, and in this post, I will review a quick tip for protecting a directory by IP address. This method has its advantages and limitations, which I will review at the end. This tip falls under the general guidelines for authentication, authorization, and access control on an Apache web server.

IP protected web directory

If you would like to protect a web directory and its contents from the casual browser or hacker, you can add an .htaccess file that sets up IP-address-based protection, allowing access only from a defined set of addresses. The .htaccess file used in the demonstration is a per-directory web server configuration file that allows decentralized management. A caveat about this technique: it is not a substitute for authentication and is not recommended for securing sensitive data, because an IP address identifies a network location rather than a person, and anyone on an allowed network (or able to route traffic through it) gets in. It is simply a tool to protect pre-release documents or items of similar security value.

Steps to protect a directory by IP address

Let's say you want to protect the following directory /intranet/data/web/hr/personnel.

Step #1

In the "personnel" directory that you wish to protect, create a new file named .htaccess (the dot is part of the file name, and many file browsers hide such files by default). Typically you can do this in your text editor; another option is to create a new text file in your file system directory and rename it to .htaccess.

Step #2

With the .htaccess file open in your text editor, add an Order deny,allow rule set following this code example:

  Order deny,allow
  Deny from all
  <Limit GET HEAD POST>
      Allow from ###.###.###.###
      Allow from ###.###
  </Limit>
The "Order deny,allow" line (written with no space after the comma; Apache rejects "deny, allow" as a syntax error, and a syntax error in an .htaccess file makes the whole directory return a 500 Internal Server Error) tells Apache to evaluate the Deny directives first and the Allow directives second, so an Allow overrides a Deny for the same client. "Deny from all" denies every address by default, and each "Allow from" line then re-admits one address or range. ###.###.###.### is a single IPv4 address. ###.### is a partial address: Apache matches the first one to three octets on octet boundaries, so "15.192" means 15.192.0.0/16 (15.192.0.0 through 15.192.255.255), not every address whose text happens to begin with "15.192". A CIDR range such as 15.192.0.0/16 is also accepted. Keep "Deny from all" outside the <Limit> block: as written, methods other than GET, HEAD and POST are denied for everyone, whereas a Deny placed inside the <Limit> would leave those other methods unrestricted. The <Limit> is optional here; without it the allow list applies to every request method. Note that Apache 2.4 replaced Order, Allow and Deny with Require (mod_authz_host): there the equivalent is the single line "Require ip 74.125.228.98 15.192", and the older syntax only works if mod_access_compat is loaded. For example, with the following configuration the specific IP 74.125.228.98 has access, as does any IP in 15.192.0.0/16.
  Order deny,allow
  Deny from all
  <Limit GET HEAD POST>
      Allow from 74.125.228.98
      Allow from 15.192
  </Limit>
Step #3

Save the edited .htaccess file into the directory you wish to protect, in this example the "personnel" directory. The server must be configured to honor it: the directory needs AllowOverride Limit (or All) in the main configuration, otherwise Apache ignores the file entirely. From then on, only the clients whose addresses are listed in the file can reach /intranet/data/web/hr/personnel; everyone else receives a 403 Forbidden. Bear in mind that the check is made against the source address the server sees, so clients behind the same NAT gateway or proxy share one address, and if the server sits behind a reverse proxy or CDN it will see the proxy's address rather than the client's.
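To see what these rules actually admit before putting them on a server, here is a small Python checker, an added example for this article rather than code from the original post or from Apache itself. It parses the .htaccess text above (constructed inline as a sample) and applies the Order/Deny/Allow semantics of Apache 2.2's mod_authz_host (mod_access_compat on 2.4): partial addresses match on octet boundaries, "all" matches everything, and a space after the comma in Order is treated as the configuration error Apache reports. It assumes the request method is one covered by the <Limit> block (GET, HEAD or POST) and does not resolve hostnames.

```python
"""Offline checker for Apache 2.2-style Order/Deny/Allow access rules.

Added example, not part of the original article or of Apache: it mimics
the mod_authz_host (2.2) / mod_access_compat (2.4) evaluation order so you
can test which client addresses an .htaccess allow list admits.
"""
import ipaddress

# Constructed sample: the article's .htaccess, with the correct
# "Order deny,allow" (no space after the comma).
HTACCESS = """
Order deny,allow
Deny from all
<Limit GET HEAD POST>
    Allow from 74.125.228.98
    Allow from 15.192
</Limit>
"""

VALID_ORDERS = ("deny,allow", "allow,deny", "mutual-failure")


def parse_htaccess(text):
    """Return (order, deny_hosts, allow_hosts).

    <Limit>/</Limit> lines are skipped: this checker assumes the request
    method is one the Limit block covers (GET, HEAD or POST)."""
    order = "deny,allow"           # Apache's default when Order is absent
    deny, allow = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        directive, _, rest = line.partition(" ")
        d = directive.lower()
        if d == "order":
            order = rest.strip().lower()
            if order not in VALID_ORDERS:
                # Apache refuses "deny, allow" (with a space); in an
                # .htaccess file that surfaces as a 500 for the directory.
                raise ValueError(f"invalid Order argument: {rest!r}")
        elif d in ("deny", "allow"):
            hosts = rest.split()      # "from a b c" -> ["a", "b", "c"]
            if hosts and hosts[0].lower() == "from":
                hosts = hosts[1:]
            (deny if d == "deny" else allow).extend(hosts)
    return order, deny, allow


def host_matches(pattern, client):
    """True if IPv4 string `client` matches one Allow/Deny host spec.

    Supports 'all', full addresses, CIDR networks and Apache's partial
    dotted prefixes (1-3 leading octets), which match on octet boundaries:
    "15.192" is 15.192.0.0/16, never a textual prefix."""
    addr = ipaddress.ip_address(client)
    p = pattern.lower()
    if p == "all":
        return True
    if "/" in p:
        return addr in ipaddress.ip_network(p, strict=False)
    octets = p.split(".")
    if len(octets) == 4:
        return addr == ipaddress.ip_address(p)
    if 1 <= len(octets) <= 3 and all(o.isdigit() for o in octets):
        net = ".".join(octets + ["0"] * (4 - len(octets)))
        return addr in ipaddress.ip_network(f"{net}/{8 * len(octets)}")
    return False                  # hostnames/domains are not resolved here


def is_allowed(order, deny, allow, client):
    """Apply mod_authz_host semantics.

    deny,allow: default allow; Deny first, then Allow overrides it.
    allow,deny / mutual-failure: default deny; an Allow must match and
    no Deny may match, so 'Deny from all' here locks everyone out."""
    denied = any(host_matches(h, client) for h in deny)
    allowed = any(host_matches(h, client) for h in allow)
    if order == "deny,allow":
        return allowed or not denied
    return allowed and not denied


def check(text, client):
    """Parse then evaluate: True means 200, False means 403."""
    order, deny, allow = parse_htaccess(text)
    return is_allowed(order, deny, allow, client)


if __name__ == "__main__":
    for ip in ("74.125.228.98", "15.192.33.7", "15.19.33.7", "8.8.8.8"):
        print(ip, "allowed" if check(HTACCESS, ip) else "403")
```

The reversed form "Order allow,deny" is the classic lockout mistake: with the same Deny from all line, the Deny is evaluated last and wins, so even the listed addresses get a 403. The checker also rejects "15.19" as a match for 15.192.x.x, which is what Apache does and what a naive string-prefix mental model gets wrong.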

Pros and cons of .htaccess

The advantages of the .htaccess file are that the modifications take effect immediately and for every individual request, and do not require the web server to be restarted, bounced, or rebooted. It also allows non-privileged individual users the ability to alter their specific site configurations.

The disadvantages of .htaccess configuration files are a possible performance loss, because Apache must look for and parse an .htaccess file in every directory along the path to the requested file on every request, and the security risk of letting individual users modify server configuration without proper monitoring or setup. A more secure method is to put the same directives in a <Directory> block in httpd.conf, the main Apache configuration file; however, typically only one or a few privileged individuals are allowed to modify that file.

In the next quick tip, I will review protecting a web directory with passwords.

About

Ryan has performed in a broad range of technology support roles for electric-generation utilities, including nuclear power plants, and for the telecommunications industry. He has worked in web development for the restaurant industry and the Federal g...

6 comments
markov

[quote]Order deny, allow[/quote] must be written without a space; the right way is: [b]Order deny,allow[/b]

Kieron Seymour-Howell

I have found that software like 'DNS Kong' or 'PeerBlocker' are extremely simple to manage and they will effectively isolate the entire system from unwanted IP ranges. This type of software (there are others available for all common operating systems in use) is faster and easier to manage than fiddling about with localized text files. For the most security though, take the time to effectively program your hardware switch and set up the ranges there where the chance of hacking is far less likely.

benb

Ryan, in your next article it would be really useful if, in addition to basic passwords, you could outline how to authenticate a website's password-protected login hosted on a remote Linux server against a local network Windows Active Directory domain. This would enable "single sign-on" for various systems that currently require other logins.

TobiF

For this tip to work, the .htaccess option needs to be enabled in the Apache configuration! Most commercial web hotels have this option activated, but if you've disabled this option on your own server, then, obviously, the server won't even check whether any .htaccess file is present. Oh, by the way, I've been using this additional layer of security in several cases. It works, even when my IP address changes and when I travel the world: I need to use my VPN account in order to reach the login page. Otherwise, I'll just get error 403. In other words, for an attacker to even reach the login page, they first need to use the same VPN service I'm using. :)

TobiF

There are two main carrier protocols on the internet: TCP and UDP. On UDP, you can relatively simply show a different IP address in the "sender" field. In that case, any reply won't reach you, but rather be sent to the address you indicated. In the case of TCP (which is always used for web browsing), IP address spoofing would simply mean that you can't finish the three-way handshake to even start communicating with the server.