How to block IP addresses at the Apache HTTP Server level

Create a file named block-offending-ips.conf on your server.

Open the file in an editor and add a Location directive that blocks all offending IPs from accessing whatever URLs you want to block.  There are two options for the contents of the file below:

1. If the request is proxied (via CDN, Load Balancer, etc.) and the remote user’s IP is only in a Header such as X-Forwarded-For then this configuration can be used.  Note that this configuration doesn’t apply if the remoteip_module is configured.

   code language-none
   <LocationMatch "/.*"> Order Allow,Deny Allow from all SetEnvif X-Forwarded-For "123\.123\.123\.123" DenyAccess #Repeat the "SetEnvlf X-Forwarded-For ..." for each IP you want to block Deny from env=DenyAccess </LocationMatch>

2. Alternatively, if the remote user is directly accessing Apache or you are using remoteip_module (see [ 1] ) to extract and set it within Apache then you can use mod_authz_core’s Require feature directly (Apache 2.4):

   code language-none
   <LocationMatch "/.*"> <RequireAll> Require all granted Require not ip 123.123.123.123 #Repeat the "Require not ip ..." for each IP you want to block </RequireAll> ></LocationMatch><

   [ 1]

   code language-none
   # Extract true client IP from header added by load balancer/CDN <IfModule remoteip_module>     # valid for ELB or ELB+CloudFront     RemoteIPHeader X-Forwarded-For </IfModule>

Drop the file block-offending-ips.conf in /etc/conf.d folder of the Apache Web server.

Restart the Apache HTTP Server.