2

I have a very simple .htaccess file:

<RequireAll>
    Require all granted

    # require localhost
    Require ip 127.0.0.1
</RequireAll>

and it works... sometimes!

Sometimes, it will throw me a 403, and the error.log explains:

[client ::1:65443] AH01630: client denied by server configuration

Why won't it match that local client to the Require ip 127.0.0.1 rule?

Domi

4 Answers

9

As it turns out, Apache 2.4's Require matches the IP exactly. If you have multiple IP addresses aliasing localhost, you need to list all of them (or use a special alias, if one exists, as explained below).

In this particular case, the error.log entry reveals it all: The client connected through the IPv6 interface (ip == ::1). That needs to be white-listed as well:

<RequireAll>
    Require all granted

    # require localhost
    <RequireAny>
        Require ip 127.0.0.1
        Require ip ::1
    </RequireAny>
</RequireAll>

Any suggestions as to whether there is a simpler/safer method to get this done are very welcome!

Update

As Helge Klein suggests, Require local is a more concise alternative:

<RequireAll>
    Require all granted

    # require localhost
    Require local
</RequireAll>
Domi
  • 1
    Use "Require local" instead of listing IP addresses. See http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html for details. – Helge Klein Nov 05 '16 at 22:42
  • Why do you need `Require all granted`? If you want to restrict to local, simply `Require local` would be sufficient, no? – Alexander Nov 05 '17 at 22:50
  • I'm not sure what is the difference as my local config does not have the and instead just puts everything into the and just having Require local in there seems to be denying access for all the machines that are not local host. There is a catch however as Require local will not only allow access from localhost/127.0.0.1, but also the current IP of your computer in the network. This seems to be the main difference with just allowing the 127.0.0.1. Maybe this comment will save someone time on debugging. – Pjotr Sep 14 '21 at 10:29
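
Added example (not part of the original answer or its comments): a small Python model of the matching discussed above. It pulls the client address out of AH01630 lines and checks it against `Require ip 127.0.0.1`, the two-address list, and `Require local` as the mod_authz_host documentation linked above describes it (127.0.0.0/8, `::1`, or client address equal to the server address). The log lines after the first and the server address 192.168.1.20 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample; the first line mirrors the entry quoted in the question.
SAMPLE_LOG = """\
[client ::1:65443] AH01630: client denied by server configuration
[client 192.168.1.20:40112] AH01630: client denied by server configuration
[client 10.0.0.5:51022] AH01630: client denied by server configuration
"""

CLIENT_RE = re.compile(r"\[client (\S+)\] AH01630")

def client_ip(line):
    """Return the client address from an AH01630 line, or None if absent."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    # The port follows the LAST colon, so "::1:65443" is host "::1", port 65443.
    host, _, _port = m.group(1).rpartition(":")
    return ipaddress.ip_address(host)

def require_ip(client, specs):
    """Model 'Require ip': the client must fall inside a listed address/network."""
    nets = [ipaddress.ip_network(s, strict=False) for s in specs]
    # An IPv6 client never matches an IPv4 rule, which is the 403 in the question.
    return any(client.version == n.version and client in n for n in nets)

def require_local(client, server):
    """Model 'Require local': loopback, or client address == server address."""
    if client.version == 4:
        loopback = client in ipaddress.ip_network("127.0.0.0/8")
    else:
        loopback = client == ipaddress.ip_address("::1")
    return loopback or client == server

def report(log, server_ip):
    """Rows of (client, v4-only rule, v4+v6 rules, Require local) per log line."""
    server = ipaddress.ip_address(server_ip)
    rows = []
    for line in log.splitlines():
        ip = client_ip(line)
        if ip is not None:
            rows.append((str(ip),
                         require_ip(ip, ["127.0.0.1"]),
                         require_ip(ip, ["127.0.0.1", "::1"]),
                         require_local(ip, server)))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG, "192.168.1.20"):  # server address is assumed
        print("%-14s ip-v4-only=%-5s ip-v4+v6=%-5s local=%s" % row)
```

The middle row is the case from the last comment: a request the machine makes to its own LAN address passes `Require local` but not the explicit loopback list, so the two configurations are not equivalent.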
1
Require ip 127.0.0.1
Require ip ::1
  • 2
    This seems like a legitimate answer, but please add an *explanation* why it works, so we can all learn! Thanks. :) – Selfish Nov 15 '15 at 16:24
0

The Require all granted is the equivalent to:

Order allow,deny
Allow from all

from earlier Apache versions, which open the site to everyone. If your intention is to block the site to everyone, except certain IPs, you should start with a:

Require all denied

You can find more info here: Upgrading to 2.4 from 2.2

0

I don't use .htaccess since I have Apache installed on my workstation, and have full access to the http.conf file. But for a site like phpmyadmin where I want to limit where people log from, I have this:

Require all denied
Require ip 127.0.0.1

First line denies access to everyone, including my own workstation. Second line adds my workstation localhost ip to the list of only allowed connections.

No RequireAll or RequireAny tags. Again in .htaccess those tags may be needed.

  • Hi and welcome to StackOverflow! Please note that 1) You are suggesting exactly what I have already tried and 2) You can just edit your other answer, you do not have to post more than one answer and 3) Please see [my answer](http://stackoverflow.com/a/26699007/2228771) which already solved this particular problem. – Domi Jul 27 '15 at 08:32