How to block IP addresses at the Apache HTTP Server level?
Learn how to block IP addresses at the Apache HTTP Server level. Create a .conf file with the IPs to be blocked in the /etc/conf.d folder of the Apache Web server.
Description description
Environment
Adobe Experience Manager
Issues/Symptoms
Our site is experiencing a denial of service attack, spam, or getting hacked. How to block IP addresses at the Apache HTTP Server (AEM Dispatcher) level?
Resolution resolution
Most Web Application Firewalls (WAF), such as mod security, can block lists of IP addresses. However, if you are running Apache HTTP Server and would like to block IP’s immediately follow these steps (not applicable on AEM as a Cloud Service):
-
Create a file named
block-offending-ips.conf
on your server -
Open the file in an editor and add a Location directive that blocks all offending IP’s from accessing whatever URLs you want to block. There are two options for the contents of the file below:
A. If the request is proxied (via CDN, Load Balancer, etc) and the remote user’s IP is only in a Header such as X-Forwarded-For then this configuration can be used. Note that this configuration doesn’t apply if the remoteip_module is configured.code language-none LocationMatch "/.*" Order Allow,Deny Allow from all SetEnvif X-Forwarded-For "10\.42\.137\.123" DenyAccess SetEnvif X-Forwarded-For "122\.6\.218\.101" DenyAccess #Repeat the "SetEnvlf X-Forwarded-For ..." for each IP you want to block Deny from env=DenyAccess /LocationMatch
B. Alternatively, if the remote user is directly accessing Apache or you are using remoteip_module (see
[
1]
below) to extract and set it within Apache, then you can use mod_authz_core’s Require feature directly (Apache 2.4).code language-none LocationMatch "/.*" RequireAll Require all granted Require not ip 10.42.137.123 Require not ip 122.6.218.101 #Repeat the "Require not ip ..." for each IP you want to block /RequireAll /LocationMatch
[
1]
remoteip_modulecode language-none # Extract true client IP from header added by load balancer/CDN IfModule remotetip module # valid for ELB or ELB+CloudFront RemoteIPHeader X-Forwarded-For IfModule
-
Drop the file block-offending-ips.conf in /etc/conf.d folder of the Apache Web server.
-
Restart the Apache HTTP Server.