Quick tip: How to limit access to a web directory by IP address

Ryan Boudreaux explains how to set up an .htaccess file that will limit access to your web directory based on IP address. He also explains the pros and cons of using this method.

There are several methods for protecting web directories in an Apache web server, and in this post, I will review a quick tip for protecting a directory by IP address. This method has its advantages and limitations, which I will review at the end. This tip falls under the general guidelines for authentication, authorization, and access control on an Apache web server.

IP protected web directory

If you would like to protect a web directory and any of the contents it contains from the casual browser or hacker, you can add in an .htaccess file to set up an IP-address-based protection that allows access to a set of defined IP addresses. The .htaccess file used in the demonstration is a directory level web server configuration file that allows decentralized management. A caveat about this technique is that it is not recommended to secure sensitive data. This is simply a tool to protect pre-release documents or items of similar security value.

Steps to protect a directory by IP address

Let's say you want to protect the following directory /intranet/data/web/hr/personnel.

Step #1

In the "personnel" directory that you wish to protect, you will want to create a new .htaccess file. Typically, you can do this in your text editor; another option would be to create a new text file in your file system directory and name it with the extension .htaccess.

Step #2

With the .htaccess file open in your text editor, you will create an order deny, allow access with the following code example:

  Order deny, allow

  Deny from all


      Allow from ###.###.###.###

      Allow from ###.###

The "order" sets the hierarchy and sees that the Apache web server will apply the access settings defined within the file. The "deny" line automatically denies all access as a default. The "allow" line then grants access only to those specified IP addresses. The ###.###.###.### indicates a specific IP you wish to allow. The ###.### indicates a range of IP's that can be allowed. For example, in the following configuration, the specific IP would have access as well as any IP in the 15.192 subnet.
Order deny, allow

  Deny from all


      Allow from

      Allow from 15.192

Step #3

Save the edited .htaccess file and place it into the directory you wish to protect. In this example, the "personnel" directory. The only devices allowed access to the /intranet/data/web/hr/personnel are now defined in the file by IP address.

Pros and cons of .htaccess

The advantages of the .htaccess file are that the modifications take effect immediately and for every individual request, and do not require the web server to be restarted, bounced, or rebooted. It also allows non-privileged individual users the ability to alter their specific site configurations.

The disadvantages of using .htaccess configuration files are the possible performance loss if several of them are used in subsequent directories or sub-directories, and allowing individual users to modify the server configuration can cause security issues, if not monitored or set up properly. A more secure method would be to utilize the httpd.conf file which is the main Apache web server configuration file, however, typically only one or a few privileged individuals are allowed to modify this configuration file.

In the next quick tip, I will review protecting a web directory with passwords.

By Ryan Boudreaux

Ryan has performed in a broad range of technology support roles for electric-generation utilities, including nuclear power plants, and for the telecommunications industry. He has worked in web development for the restaurant industry and the Federal g...