How to Limit Access to URL in Apache



When you run a website, you might want to block access to specific URLs that contain sensitive or confidential information, and allow access to only certain IPs. Apache allows you to do that with the help of the mod_auth_basic module. Let us take a look at how to limit access to a URL in Apache.

 

How to Limit Access to URL in Apache

Here are the steps to limit access to a URL in Apache. In our example, we will limit access to the /admin/ directory to authorized users and IPs.

 

1. Open Virtual Host File

Before you proceed, please ensure you have set up a Virtual Host for your website. Here are the steps to do it. Otherwise, you can also open the default virtual host file provided by Apache.


$ sudo vim /etc/apache2/sites-available/000-default.conf

 

2. Configure IP based restriction

Let’s say you want to allow only 2 IPs (192.168.11.11 and 123.45.61.89) to access the /admin/ folder. Add the following block of code to your virtual host file.


<Location /admin>
 Order deny,allow
 Deny from all
 Allow from 192.168.11.11
 Allow from 123.45.61.89
</Location>

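The first line names the location to which the rules apply. The Order deny,allow line sets the evaluation order: Deny directives are evaluated first and Allow directives second, so a matching Allow overrides the Deny. The remaining lines deny all connections and then allow the 2 IPs mentioned above.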

 

3. Restart Apache Web Server

Restart the Apache web server to apply the changes.


# service httpd restart # For RHEL based systems
$ sudo service apache2 restart # For Debian based systems

 

Open a web browser, and try accessing the /admin/ folder on your website from some other IP. You’ll get a “403: Access forbidden” message.

 

You can also limit access to a specific URL based on username and password.

1. Configure Virtual Host file

Open the virtual host file as mentioned above, and add the following block of code:


<Location /admin>
 AuthUserFile /var/www/htpasswd/.htpasswd
 AuthName "Password Protected Area"
 AuthType Basic
 Require valid-user
</Location>

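In the above code, AuthUserFile specifies the location of the authentication file, which contains the list of authorized usernames and passwords.

Require specifies which users are allowed access. With valid-user, any user listed in the authentication file is allowed once they supply the correct password.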

 

2. Create Password File

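Create a password file at the location mentioned above (/var/www/htpasswd) using the htpasswd command. The -c option creates the file, overwriting it if it already exists, and -m stores the password as an MD5-based hash.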


# htpasswd -cm /var/www/htpasswd/.htpasswd myuser

You will be asked to enter the password twice.


New password:
Re-type new password:
Adding password for user myuser

 

3. Restart Apache Web Server

Restart the Apache web server to apply the changes.


# service httpd restart # For RHEL based systems
$ sudo service apache2 restart # For Debian based systems

 

Open a web browser, and try accessing the /admin/ folder on your website from some other IP. You’ll get a “403: Access forbidden” message.

 

Instead of using the virtual host file, you can also add the <Location> block to the Apache config file at any of the following locations, depending on your Linux distribution:

  • /etc/apache2/httpd.conf
  • /etc/apache2/apache2.conf
  • /etc/httpd/httpd.conf
  • /etc/httpd/conf/httpd.conf
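
The two restrictions above combined in Apache 2.4 syntax, as an added example that is not part of the original article: in 2.4 the Order/Deny/Allow directives are deprecated and only available through mod_access_compat, and Require replaces them. It reuses the article's path, IPs and password file, and assumes mod_authz_core, mod_authz_host, mod_auth_basic and mod_authn_file are loaded.

```apache
# Added example, not from the original article. Apache 2.4 syntax.
# Assumes mod_authz_core, mod_authz_host, mod_auth_basic and mod_authn_file
# are loaded. Path, IPs and password file are the ones used in the article.

<Location /admin>
    # Basic authentication against the htpasswd file created earlier.
    # Basic auth sends the password base64-encoded, not encrypted, so
    # serve this location over HTTPS.
    AuthType Basic
    AuthName "Password Protected Area"
    AuthBasicProvider file
    AuthUserFile /var/www/htpasswd/.htpasswd

    # RequireAll: every enclosed Require must succeed, so a request needs
    # an allowed source IP AND a valid username/password.
    <RequireAll>
        Require ip 192.168.11.11 123.45.61.89
        Require valid-user
    </RequireAll>

    # IP-only rule (equivalent of the Order/Deny/Allow block): drop the
    # Auth* lines and the <RequireAll> wrapper, keep only "Require ip".
    # "Allowed IP OR valid login": use <RequireAny> instead of <RequireAll>.
</Location>
```

Check the syntax with apachectl configtest (apache2ctl on Debian based systems) before restarting Apache.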

 

 

 

 

 

About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses.