6.1.5 Blocking access to files or from IP via .htaccess
The .htaccess file is an Apache web server configuration file that lets you manage access to the files and folders of your site. Apache reads and applies it on every request for a resource in the directory it covers, which makes it a powerful tool for managing security and access.
Prerequisites
.htaccess works on a per-directory basis: the rules in this file apply to all files and subdirectories of the directory it is in. If a subdirectory has its own .htaccess, its settings override those inherited from the parent directory above it in the tree, and so on down the tree. This tree-based approach is quite flexible, but it requires careful attention to the directory structure.
Additionally, in practice this means that if .htaccess is present only in the root directory of a site (e.g. www/mysite.com/), its rules apply to all files on the site (unless individual directories are located somewhere outside the root directory). If we add another .htaccess to the www/mysite.com/admin directory, the rules of the new .htaccess override those of the parent .htaccess in the root directory for the /admin directory and its subdirectories.
Important: for .htaccess to work, the AllowOverride directive must be enabled in the Apache configuration; it controls which types of rules an .htaccess file may use. On our hosting services this directive is enabled by default.
Blocking access to files
Warning: if two web servers are installed on the server and work in tandem, the .htaccess rules will only apply to file types processed by Apache2. If certain rules do not work on your hosting, we recommend that you clarify this point with your hosting support.
Sometimes it is important to restrict access to certain types of files to protect confidential data, system logs or scripts from unauthorized access. Let's look at what .htaccess can do in this regard.
Blocking files with specific extensions
To deny access to files with extensions such as .ini, .log and .sh, add the following code to your .htaccess file:
<FilesMatch "\.(ini|log|sh)$">
Require all denied
</FilesMatch>
Explanation of the directives:
- <FilesMatch>. Specifies which files the rules apply to. The regular expression in quotes defines the target file extensions.
- Require all denied. Denies access to the matched files for all users. When attempting to open such a file in a browser, the user receives a 403 Forbidden error.
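The following added Python check (written for this page, not part of the original or of Apache) emulates how the <FilesMatch> pattern above is tested against a filename, so you can see which names it does and does not cover before deploying it. The hardened pattern and the sample filenames are assumptions of this example.

```python
import re

# The pattern exactly as written in the <FilesMatch> block above.
PAGE_PATTERN = r"\.(ini|log|sh)$"

# Hardened variant (an assumption of this example, not from the page): case-insensitive,
# and it also matches rotated or backed-up copies such as error.log.1 or deploy.sh.bak.
HARDENED_PATTERN = r"(?i)\.(ini|log|sh)(\.[^/]+)*$"


def is_blocked(filename, pattern=PAGE_PATTERN):
    """Return True if FilesMatch would apply the rule to this filename.

    Apache tests the regular expression against the base name of the requested file,
    unanchored unless the pattern itself contains anchors, which is what re.search does.
    """
    return re.search(pattern, filename) is not None


def exposed_files(filenames, pattern=PAGE_PATTERN):
    """Return the names from the list that the pattern would still leave reachable."""
    return [name for name in filenames if not is_blocked(name, pattern)]


# Constructed sample of sensitive names a site might contain (not from the page).
SAMPLE = ["config.ini", "error.log", "error.log.1", "deploy.sh", "deploy.sh.bak",
          "README.LOG", "style.css"]

if __name__ == "__main__":
    print("left exposed by the page pattern:", exposed_files(SAMPLE))
    print("left exposed by the hardened pattern:", exposed_files(SAMPLE, HARDENED_PATTERN))
```

The page pattern is case-sensitive and anchored at the end of the name, so rotated logs and backup copies stay reachable; the hardened variant closes both gaps while still leaving ordinary assets such as .css files alone.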
Adding a custom error message instead of the default
To make the error message more informative, you can define your own text for the 403 error. To do this, add the line:
ErrorDocument 403 "Access to this file is denied."
Now, when trying to access a protected file, the user will see a clear message instead of the default error.
Tips:
- Make sure that your .htaccess rules do not block access to files the site needs in order to work (for example .css, .js or images).
- Test your changes to avoid unintentional blocking. Use browser tools or the curl command to test.
Blocking access by IP address
If you want to restrict access to a site or its individual parts for certain users based on their IP addresses, you can also use .htaccess for this.
IP address access restriction: allow all, deny listed
To deny access from specific IP addresses or ranges, use the following configuration in .htaccess:
Order Allow,Deny
Allow from all
Deny from 192.168.1.1
Deny from 203.0.113.0/24
Explanation of directives:
- Order Allow,Deny. Determines the order in which the rules are evaluated: first the Allow rules, then the Deny rules. In .htaccess this works on a different principle from traditional firewalls: with Order Allow,Deny, Deny from 192.168.1.1 takes effect despite Allow from all, because the Deny rules are evaluated after the Allow rules.
- Allow from all. Allows access to all users by default.
- Deny from. Blocks access from the specified IP addresses or ranges.
IP address access restriction: deny all, allow listed
If you want to deny everyone first and then allow only specific IP addresses or subnets, the .htaccess directives would look like this:
Order Deny,Allow
Deny from all
Allow from 192.168.1.1
Allow from 203.0.113.0/24
Explanation:
- Order Deny,Allow. Specifies the order in which the rules are evaluated: first the Deny rules, then the Allow rules. In .htaccess this works on a different principle from traditional firewalls: with Order Deny,Allow, Allow from 192.168.1.1 takes effect despite Deny from all, because the Allow rules are evaluated after the Deny rules.
- Deny from all. Denies access to all users by default.
- Allow from. Allows access for the specified IP addresses or ranges.
Practical tips:
- Check IP addresses before adding: Use services like our IP checker to make sure you are blocking the right addresses.
- Avoid blocking your IPs: Be careful not to accidentally block yourself, especially if you are using dynamic IPs.
Blocking access by country
To restrict access based on geolocation, you need to use a database of IP addresses corresponding to certain countries. Such lists can be obtained from services such as IP2Location or MaxMind.
After downloading the list of IP addresses, create directives in .htaccess to block the ranges belonging to unwanted countries. Apache does not accept comments at the end of a directive line, so keep them on their own lines:
Order Allow,Deny
Allow from all
# Example IP range for country A
Deny from 5.6.7.0/24
# Example IP range for country B
Deny from 8.9.10.0/24
Be warned that in practice such lists can be very long.
Practical tips:
- IP addresses of countries may change. Update the database regularly by downloading fresh lists.
- If there are many ranges to block, .htaccess rules may slow down the loading of the site. In this case, consider using the mod_geoip module (more on this below).
- Check the functionality of the settings using VPN or proxy servers to emulate access from prohibited countries.
Automating blocking by country
To automatically block access from certain countries, it is recommended to use the mod_geoip module, which allows Apache to determine the user’s location based on the IP address and apply the appropriate rules.
Attention: mod_geoip is not installed by default on our shared hosting servers, and it cannot be installed on request. You can, however, install it on your virtual or dedicated server. With root access, you can check whether it is present on your server as follows:
apachectl -M | grep geoip
1. If the module is missing, install it through your OS package manager. For example, for Ubuntu you can use the following command:
apt-get install libapache2-mod-geoip
Note: the mod_geoip module is supported in Apache 2.2 and 2.4. Make sure your server is running a compatible version (usually checked with apache2 -v).
2. Download a GeoIP database (for example, the free version GeoLite2 from MaxMind).
3. Specify the path to the database in the Apache configuration (usually in httpd.conf or apache2.conf):
GeoIPDBFile /path/to/GeoLite2-Country.mmdb
4. After completing the preliminary steps, add the following rules to .htaccess for automatic blocking:
GeoIPEnable On
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
Order Allow,Deny
Allow from all
Deny from env=BlockCountry
Explanation of directives:
- GeoIPEnable On. Enables the mod_geoip module.
- SetEnvIf GEOIP_COUNTRY_CODE. Sets the BlockCountry environment variable for users from the specified countries (in the example, Russia and China).
- Order Allow,Deny and Deny from env=BlockCountry. Allows access to everyone except clients for which the BlockCountry environment variable is set.
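To make the evaluation order concrete, here is an added Python model (written for this page, not code from the page or from Apache) of how mod_access (Apache 2.2, and mod_access_compat in 2.4) decides a request under Order Allow,Deny and Order Deny,Allow. It covers both IP-based rule sets from the "Blocking access by IP address" section as well as the Deny from env=BlockCountry form used with mod_geoip above; the client addresses and the BlockCountry variable are constructed sample input.

```python
import ipaddress


def _matches(spec, client_ip, env):
    """True if one 'from' argument (all, an IP, a CIDR range or env=NAME) matches the client."""
    if spec == "all":
        return True
    if spec.startswith("env="):
        return spec[4:] in env          # variable set earlier, e.g. by SetEnvIf
    # Hostnames and partial addresses such as "10.1" are not handled by this example.
    return client_ip in ipaddress.ip_network(spec, strict=False)


def parse_rules(text):
    """Collect the Order, Allow from and Deny from directives from an .htaccess fragment."""
    order, allows, denies = None, [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key in ("allow", "deny") and parts[1].lower() == "from":
            (allows if key == "allow" else denies).extend(parts[2:])
    if order not in ("allow,deny", "deny,allow"):
        raise ValueError("Order Allow,Deny or Order Deny,Allow is required")
    return order, allows, denies


def is_allowed(rules_text, client_ip, env=()):
    """Decide access the way mod_access does: Allow and Deny lists, then the Order rule."""
    order, allows, denies = parse_rules(rules_text)
    ip = ipaddress.ip_address(client_ip)
    env = set(env)
    allowed = any(_matches(s, ip, env) for s in allows)
    denied = any(_matches(s, ip, env) for s in denies)
    if order == "allow,deny":
        # Default is deny: the client must match an Allow and must not match any Deny.
        return allowed and not denied
    # Order Deny,Allow: default is allow; refused only if it matches a Deny and no Allow.
    return allowed or not denied


# The three rule sets from this page, used as constructed sample input.
BLOCK_LISTED = "Order Allow,Deny\nAllow from all\nDeny from 192.168.1.1\nDeny from 203.0.113.0/24\n"
ALLOW_LISTED = "Order Deny,Allow\nDeny from all\nAllow from 192.168.1.1\nAllow from 203.0.113.0/24\n"
GEOIP = "Order Allow,Deny\nAllow from all\nDeny from env=BlockCountry\n"

if __name__ == "__main__":
    print(is_allowed(BLOCK_LISTED, "203.0.113.77"))                 # False
    print(is_allowed(ALLOW_LISTED, "203.0.113.77"))                 # True
    print(is_allowed(GEOIP, "198.51.100.9", env={"BlockCountry"}))  # False
```

One pitfall the model makes visible: under Order Allow,Deny with no Allow line at all, every client is refused, which is why the page's examples always pair it with Allow from all.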
Practical tips:
- Use a command to check the integrity of the Apache configuration, for example:
apachectl configtest
- Before making changes to .htaccess, create a backup copy of the file.
- Test the blocking via VPN or proxy servers to ensure that users from prohibited countries are really blocked.
- A large number of .htaccess rules can reduce performance. If this is a problem, move the rules to the main Apache configuration for the WWW domain in question.
- Update the GeoIP database regularly to keep your blocking up to date.