How to block IP addresses at the Apache HTTP Server level?

Learn how to block IP addresses at the Apache HTTP Server level. Create a .conf file with the IPs to be blocked in the /etc/conf.d folder of the Apache Web server.

Description

Environment

Adobe Experience Manager

Issues/Symptoms

Our site is experiencing a denial of service attack, spam, or is getting hacked. How do we block IP addresses at the Apache HTTP Server (AEM Dispatcher) level?

Resolution

Most Web Application Firewalls (WAF), such as ModSecurity, can block lists of IP addresses. However, if you are running Apache HTTP Server and would like to block IPs immediately, follow these steps (not applicable on AEM as a Cloud Service):

  1. Create a file named block-offending-ips.conf on your server

  2. Open the file in an editor and add a Location directive that blocks all offending IPs from accessing whatever URLs you want to block. There are two options for the contents of the file, shown below:
    A. If the request is proxied (via a CDN, load balancer, etc.) and the remote user’s IP is only present in a header such as X-Forwarded-For, then this configuration can be used. Note that this configuration doesn’t apply if the remoteip_module is configured.

    ```apache
    <LocationMatch "/.*">
        Order Allow,Deny
        Allow from all
        SetEnvIf X-Forwarded-For "10\.42\.137\.123" DenyAccess
        SetEnvIf X-Forwarded-For "122\.6\.218\.101" DenyAccess
        # Repeat the "SetEnvIf X-Forwarded-For ..." line for each IP you want to block
        Deny from env=DenyAccess
    </LocationMatch>
    ```

    B. Alternatively, if the remote user is directly accessing Apache, or you are using remoteip_module (see [1] below) to extract the client IP from the header and set it within Apache, then you can use mod_authz_core’s Require feature directly (Apache 2.4).

    ```apache
    <LocationMatch "/.*">
        <RequireAll>
            Require all granted
            Require not ip 10.42.137.123
            Require not ip 122.6.218.101
            # Repeat the "Require not ip ..." line for each IP you want to block
        </RequireAll>
    </LocationMatch>
    ```

    [1] remoteip_module

    ```apache
    # Extract the true client IP from the header added by the load balancer/CDN
    <IfModule remoteip_module>
        # Valid for ELB or ELB+CloudFront
        RemoteIPHeader X-Forwarded-For
    </IfModule>
    ```
  3. Drop the file block-offending-ips.conf into the /etc/conf.d folder of the Apache Web server.

  4. Restart the Apache HTTP Server.
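The steps above are easy to get subtly wrong by hand: an unescaped dot in a SetEnvIf pattern becomes a wildcard, and an unanchored pattern such as `10\.42\.137\.123` also matches the unrelated address `10.42.137.1234` anywhere in the header. The script below is an added example, not part of Adobe's documentation or of AEM; it generates block-offending-ips.conf in either of the two layouts shown above from a validated list of addresses, anchors each X-Forwarded-For pattern to a whole entry of the comma-separated header, and includes a small checker that evaluates sample header values against the variant A rules. The function names, the `OFFENDING_IPS` list and the sample header values are constructed for this example.

```python
"""Generate Apache's block-offending-ips.conf from a list of offending IPs.

Added example (not Adobe's or AEM's own code). Assumes Apache 2.4 and the two
file layouts from the article: variant A (SetEnvIf on X-Forwarded-For) and
variant B (Require not ip). All addresses below are constructed samples.
"""
import ipaddress
import re

# Constructed sample list; the same two addresses the article uses.
OFFENDING_IPS = ["10.42.137.123", "122.6.218.101"]


def xff_pattern(ip):
    """Regex for SetEnvIf that matches `ip` only as a whole entry of the
    comma-separated X-Forwarded-For list ("client, proxy1, proxy2").
    re.escape turns '.' into '\\.', so the dot cannot act as a wildcard, and the
    anchors stop 10.42.137.12 from matching 10.42.137.123."""
    return r"(^|,\s*)" + re.escape(ip) + r"(\s*,|$)"


def render_xff_conf(ips):
    """Variant A: deny by the client IP carried in X-Forwarded-For.
    Each entry must be a single address; ValueError is raised on a typo so a
    bad line never silently becomes a no-op."""
    lines = ['<LocationMatch "/.*">', "    Order Allow,Deny", "    Allow from all"]
    for ip in ips:
        ipaddress.ip_address(ip.strip())
        lines.append(f'    SetEnvIf X-Forwarded-For "{xff_pattern(ip.strip())}" DenyAccess')
    lines += ["    Deny from env=DenyAccess", "</LocationMatch>"]
    return "\n".join(lines) + "\n"


def render_require_conf(ips):
    """Variant B: deny by the connection address (or the address restored by
    remoteip_module). `Require not ip` also accepts CIDR ranges, so entries
    may be hosts or networks; hosts are emitted without a /32 suffix."""
    lines = ['<LocationMatch "/.*">', "    <RequireAll>", "        Require all granted"]
    for ip in ips:
        net = ipaddress.ip_network(ip.strip(), strict=False)
        entry = str(net.network_address) if net.num_addresses == 1 else str(net)
        lines.append(f"        Require not ip {entry}")
    lines += ["    </RequireAll>", "</LocationMatch>"]
    return "\n".join(lines) + "\n"


def xff_header_is_blocked(header_value, ips):
    """Evaluate the variant A rules against one X-Forwarded-For value the way
    SetEnvIf would: any pattern matching the header sets DenyAccess."""
    return any(re.search(xff_pattern(ip), header_value) for ip in ips)


if __name__ == "__main__":
    # Print both variants; redirect the one you need into
    # block-offending-ips.conf, then validate it before restarting Apache.
    print("# Variant A (proxied requests, IP in X-Forwarded-For)")
    print(render_xff_conf(OFFENDING_IPS))
    print("# Variant B (direct access or remoteip_module)")
    print(render_require_conf(OFFENDING_IPS))
    # Constructed header values, as a CDN would forward them.
    for hdr in ["10.42.137.123, 203.0.113.7", "10.42.137.1234", "203.0.113.7"]:
        print(f"{hdr!r:35} blocked={xff_header_is_blocked(hdr, OFFENDING_IPS)}")
```

Run `apachectl configtest` on the generated file before the restart in step 4 so a syntax error cannot take the server down. Variant A is only as trustworthy as the X-Forwarded-For header itself: a client can send that header too, so it should only be relied on when the proxy in front of Apache overwrites or appends to it, which is also why the article points to remoteip_module (with its RemoteIPTrustedProxy directive) for the variant B setup.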
