How to block all but LAN traffic on Apache

If you need to limit traffic to Apache, Jack Wallen shows you how to use the Require directive to manage who can see your site.

Have you ever set up a website available only to your Local Area Network (LAN)? If so, did you jump over numerous hurdles to make it happen? What you must do for this to work depends upon the web server you use. If you happen to employ the Apache web server, limiting traffic to LAN-only is actually quite simple.

I'm going to show you how easy it is to lock down an Apache server to only be accessible to your LAN addresses. I will demonstrate on Ubuntu Server 18.04, but the process is similar, regardless of the platform.

How Require is used

In previous incarnations of Apache, it was possible to use the Allow, Deny, and Order directives (provided by mod_access_compat) to make this happen. However, those have been deprecated. Instead, you must use the Require directive.

Require is a bit more straightforward than Allow, Deny, and Order. With Require, it is possible to allow or block access by name, address, and domain.

The directive is used like so:

Require host ADDRESS
Require ip IP

Where ADDRESS is a host or domain name (such as localhost), and IP is an IP address or, as in the examples below, the leading part of one.

These directives will be placed in your /etc/apache2/sites-available/ configuration files. Out of the box, you should see one file, named 000-default.conf.

You may have already created your own configuration for your local-only website, but for demonstration purposes, we'll work with 000-default.conf. Just remember, 000-default.conf affects every site coming in on port 80, so if you have a specific virtual host, you'll want to work with that configuration file.

How to configure

Let's say our network address scheme is 192.168.1.x, and we want to lock down Apache to only that address scheme. Issue the command:

sudo nano /etc/apache2/sites-available/000-default.conf

In that default file, you won't see a <Directory> section, so we'll add it. I'm going to assume your Apache document root is /var/www/html. To this new section we'll include the Require directive such that it will allow localhost, 127.0.0.1 (loopback), and our LAN addresses. So our new section will look like:

<Directory /var/www/html/>
     Require host localhost
     Require ip 127.0.0.1
     # Partial address: matches every host in 192.168.1.x
     Require ip 192.168.1
</Directory>

Save and then close that file.

In order for the changes to take effect, restart Apache with the command:

sudo systemctl restart apache2

Now you should only be able to reach the site from machines on your network (as well as the hosting machine).

If you happen to have multiple IP address schemes on your network that need to reach the site, you can add them to the <Directory> section like so:

<Directory /var/www/html/>
     Require host localhost
     Require ip 127.0.0.1
     # Partial addresses: match every host in 192.168.1.x and 10.0.1.x
     Require ip 192.168.1
     Require ip 10.0.1
</Directory>

With the above configuration, IPs from both 192.168.1.x and 10.0.1.x will reach the site (so long as they both have a route to the server). All other addresses will not have access.

How to block addresses

The Require directive also allows you to block addresses. Say you have a specific address on your LAN (we'll say 192.168.1.101) that you don't want to be allowed to reach the server. For that, the directive would be:

Require not ip 192.168.1.101

You can also block domains like so:

Require not host baddomain.com

Where baddomain.com is the domain you want to block.
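
An added example, not part of the original article: a negated Require cannot simply be appended to the allow rules shown earlier, because bare Require lines are combined as an implicit <RequireAny> and Apache refuses a "Require not" in that context; the allow rules and the blocks have to be nested inside <RequireAll>. All addresses and the domain are the article's own sample values.

```apache
# Rejected at startup: bare Require lines form an implicit <RequireAny>,
# and a negated Require is not allowed there.
#
# <Directory /var/www/html/>
#     Require ip 192.168.1
#     Require not ip 192.168.1.101
# </Directory>

# Accepted: every condition inside <RequireAll> must hold, so a request has to
# match one of the allowed sources AND avoid every blocked one.
<Directory /var/www/html/>
    <RequireAll>
        <RequireAny>
            Require host localhost
            Require ip 127.0.0.1
            Require ip 192.168.1
            Require ip 10.0.1
        </RequireAny>
        # Single LAN machine that must not reach the site
        Require not ip 192.168.1.101
        # Host-based rules make Apache do a reverse and forward DNS lookup
        # on the client address for each request they are evaluated against
        Require not host baddomain.com
    </RequireAll>
</Directory>
```

Running sudo apachectl configtest before the restart reports the rejected form as a syntax error while the running server keeps serving the old configuration.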

Easy allowing and blocking

With the new Require directive, allowing and blocking addresses/domains is made significantly easier than before. So if you need to prevent everyone but your LAN from gaining access to a specific website on your server, you now have the ability to do so easily.
