Require ip 127.0.0.1 works sometimes and sometimes it won't


I have a very simple .htaccess file:

<RequireAll>
    Require all granted

    # require localhost
    Require ip 127.0.0.1
</RequireAll>

and it works... sometimes!

Sometimes, it will throw me a 403, and the error.log explains:

[client ::1:65443] AH01630: client denied by server configuration

Why won't it match that local client to the Require ip 127.0.0.1 rule?

4

There are 4 answers

3
Domi On BEST ANSWER

As it turns out, Apache 2.4's Require matches the IP exactly. If you have multiple IP addresses aliasing localhost, you need to list all of them (or use a special alias, if one exists, as explained below).

In this particular case, the error.log entry reveals it all: The client connected through the IPv6 interface (ip == ::1). That needs to be white-listed as well:

<RequireAll>
    Require all granted

    # require localhost
    <RequireAny>
        Require ip 127.0.0.1
        Require ip ::1
    </RequireAny>
</RequireAll>

Any suggestions as to whether there is a simpler/safer method to get this done are very welcome!

Update

As Helge Klein suggests, Require local is a more concise alternative:

<RequireAll>
    Require all granted

    # require localhost
    Require local
</RequireAll>

0
user3430227 On

The Require all granted is equivalent to:

Order allow,deny
Allow from all

from earlier Apache versions, which open the site to everyone. If your intention is to block the site to everyone, except certain IPs, you should start with a:

Require all denied

You can find more info here: Upgrading to 2.4 from 2.2

1
user3430227 On

I don't use .htaccess since I have Apache installed on my workstation, and have full access to the httpd.conf file. But for a site like phpmyadmin where I want to limit where people log in from, I have this:

Require all denied
Require ip 127.0.0.1

First line denies access to everyone, including my own workstation. Second line adds my workstation localhost ip to the list of only allowed connections.

No RequireAll or RequireAny tags. Again in .htaccess those tags may be needed.

1
Владимир Горьков On

Require ip 127.0.0.1
Require ip ::1
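
The configurations from the question and the answers above, replayed against both loopback addresses, as an added example (not code from any poster or from Apache). It is a simplified Python model of the Require containers; the helper names `allowed` and `admitted`, the config labels and the client addresses are constructed here.

```python
import ipaddress

# Simplified model of Apache 2.4 authorization containers: every rule is
# either satisfied or not (no "neutral" results, no "Require not").
def allowed(rule, client):
    kind, arg = rule
    addr = ipaddress.ip_address(client)
    if kind == "all":                       # Require all granted|denied
        return arg == "granted"
    if kind == "ip":                        # Require ip <address or CIDR>
        return addr in ipaddress.ip_network(arg)  # always False across v4/v6
    if kind == "local":                     # Require local: 127.0.0.0/8 or ::1
        # (the documented "client address equals server address" case is not modelled)
        return any(addr in ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1"))
    if kind == "RequireAll":
        return all(allowed(r, client) for r in arg)
    if kind == "RequireAny":
        return any(allowed(r, client) for r in arg)
    raise ValueError(f"unknown rule {kind!r}")

# Configurations from this page, transcribed by hand.
CONFIGS = {
    "question": ("RequireAll", [("all", "granted"), ("ip", "127.0.0.1")]),
    "ip v4 + v6": ("RequireAll", [("all", "granted"),
                   ("RequireAny", [("ip", "127.0.0.1"), ("ip", "::1")])]),
    "Require local": ("RequireAll", [("all", "granted"), ("local", None)]),
    # Bare Require lines outside a container are an implicit RequireAny.
    "denied + ip": ("RequireAny", [("all", "denied"), ("ip", "127.0.0.1")]),
}

# Constructed client addresses: both loopback forms, a second IPv4 loopback
# address, and a remote host from the 192.0.2.0/24 documentation range.
CLIENTS = ["127.0.0.1", "::1", "127.0.0.2", "192.0.2.10"]

def admitted(name):
    """Return the constructed clients that the named configuration lets in."""
    return [c for c in CLIENTS if allowed(CONFIGS[name], c)]

if __name__ == "__main__":
    for name in CONFIGS:
        print(f"{name:14} -> {admitted(name)}")
```

Only a client that arrives as 127.0.0.1 passes the question's rule, so the same machine gets a 403 whenever its connection reaches the server over ::1.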