How to block IP addresses at the Apache HTTP Server level
Most Web Application Firewalls (WAF) can block lists of IP addresses. However, if you are running Apache HTTP Server and would like to block IPs immediately, follow the steps in this article to create an access list or use Apache's Require feature.
Description
Environment
Adobe Experience Manager (AEM)
Issue
When your site is experiencing a denial of service (DoS) attack, spam, or getting hacked, how do you block IP addresses at the Apache HTTP Server (AEM Dispatcher) level?
Resolution
Most Web Application Firewalls (WAF), such as ModSecurity, can block lists of IP addresses.
However, if you are running Apache HTTP Server and would like to block IPs immediately, follow these steps:
1. Create a file named block-offending-ips.conf on your server.

2. Open the file in an editor and add a Location directive that blocks all offending IPs from accessing whatever URLs you want to block. There are two options for the contents of the file:

   Option A: If the request is proxied (via CDN, load balancer, etc.) and the remote user's IP is only present in a header such as X-Forwarded-For, use this configuration. Note that it does not apply if remoteip_module is configured (see [1]).

       <LocationMatch "/.*">
           Order Allow,Deny
           Allow from all
           # Dots are escaped so the pattern matches the literal address 123.123.123.123
           SetEnvIf X-Forwarded-For "123\.123\.123\.123" DenyAccess
           # Repeat the "SetEnvIf X-Forwarded-For ..." line for each IP you want to block
           Deny from env=DenyAccess
       </LocationMatch>

   Option B: Alternatively, if the remote user accesses Apache directly, or you use remoteip_module (see [1]) to extract the client IP and set it within Apache, you can use mod_authz_core's Require feature directly (Apache 2.4):

       <LocationMatch "/.*">
           <RequireAll>
               Require all granted
               Require not ip 123.123.123.123
               # Repeat the "Require not ip ..." line for each IP you want to block
           </RequireAll>
       </LocationMatch>

   [1] Extracting the true client IP from the header added by the load balancer/CDN:

       # Extract true client IP from header added by load balancer/CDN
       <IfModule remoteip_module>
           # valid for ELB or ELB+CloudFront
           RemoteIPHeader X-Forwarded-For
       </IfModule>

3. Drop the file block-offending-ips.conf in the /etc/conf.d folder of the Apache web server.

4. Restart the Apache HTTP Server.
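The following added example (not part of the original article, and not Adobe's or the Apache project's code) generates block-offending-ips.conf for either option from a list of IPv4 addresses. It goes slightly beyond the article in two ways: it validates each address, so a typo never produces a rule that blocks nothing, and for Option A it anchors the SetEnvIf pattern to a whole element of the comma-separated X-Forwarded-For list, so that blocking 203.0.113.7 cannot also match a longer address such as 203.0.113.71. The function names and the documentation-range sample addresses are constructed for this illustration.

```shell
#!/usr/bin/env bash
# Added example: emit a block-offending-ips.conf for Apache 2.4 from a list of IPv4 addresses.
# Function names and the sample address list are constructed for this illustration.

# Validate a dotted-quad IPv4 address (each octet 0-255). Returns non-zero on bad input.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Turn 203.0.113.7 into a regex that matches it as a whole element of the
# X-Forwarded-For list ("client, proxy1, proxy2"), with the dots escaped.
xff_pattern() {
  escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
  printf '(^|,\\s*)%s(\\s*,|$)' "$escaped"
}

# Option A (proxied requests, remoteip_module NOT configured): SetEnvIf on X-Forwarded-For.
gen_xff_conf() {
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  done
  echo '<LocationMatch "/.*">'
  echo '    Order Allow,Deny'
  echo '    Allow from all'
  for ip in "$@"; do
    printf '    SetEnvIf X-Forwarded-For "%s" DenyAccess\n' "$(xff_pattern "$ip")"
  done
  echo '    Deny from env=DenyAccess'
  echo '</LocationMatch>'
}

# Option B (direct access, or remoteip_module restores the client IP): Require not ip.
gen_require_conf() {
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  done
  echo '<LocationMatch "/.*">'
  echo '    <RequireAll>'
  echo '        Require all granted'
  for ip in "$@"; do
    echo "        Require not ip $ip"
  done
  echo '    </RequireAll>'
  echo '</LocationMatch>'
}

# Sample usage with constructed documentation-range addresses; redirect to
# block-offending-ips.conf to produce the file described in step 1.
gen_require_conf 203.0.113.7 198.51.100.42
```

Option A relies on Order/Allow/Deny, which on Apache 2.4 is provided by mod_access_compat; Option B uses only mod_authz_core. Whichever option you generate, run `apachectl configtest` before restarting so a malformed line cannot take the server down.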