6.1.5 Blocking access to files or from IP via .htaccess

The .htaccess file is an Apache web server configuration file that allows you to manage access to files and folders on your site. It is processed by the server first when a resource is requested, making it a powerful tool for managing security and access.

Prerequisites

.htaccess works on a per-folder basis: rules in this file apply to all files and subfolders in the current directory. If a subfolder has its own .htaccess, its settings override those of the parent for that subfolder and for everything below it, and so on down the tree. This tree-based approach is quite flexible, but it requires careful consideration of the file structure.

Additionally: in practice, this means that if .htaccess is present only in the root directory of a site (e.g. www/mysite.com/), its rules apply to all files on the site (unless some directories are located outside the root directory). If we add another .htaccess to the www/mysite.com/admin directory, the rules of the new .htaccess override those of the parent .htaccess in the root directory for the /admin directory and its subdirectories.

Important: for .htaccess to work, the AllowOverride directive in the Apache configuration must permit the types of rules you intend to use. On our hosting services this directive is enabled by default.

Blocking access to files

Warning: if two web servers are installed on the server and work in tandem, the .htaccess rules apply only to the file types that are processed by Apache2. If certain rules do not work on your hosting, we recommend clarifying this point with your hosting support.

Sometimes it is important to restrict access to certain types of files to protect confidential data, system logs, or scripts from unauthorized access. Let’s look at the capabilities of .htaccess in this regard.

Blocking files with specific extensions

To deny access to files with extensions such as .ini, .log, and .sh, add the following code to your .htaccess file:

<FilesMatch "\.(ini|log|sh)$">
Require all denied
</FilesMatch>

Explanation of the directives:

  • <FilesMatch>. Specifies which files the rules will apply to. The regular expression in quotes defines the target file extensions.
  • Require all denied. Completely denies access to the specified files for all users. When attempting to open such a file in a browser, the user will receive a 403 Forbidden error.

Adding a custom error message instead of the default

To make the error message more informative, you can define your own text for the 403 error. To do this, add the line:

ErrorDocument 403 "Access to this file is denied."

Now, when trying to access a protected file, the user will see a clear message instead of the default error.

Tips:

  • Make sure that your .htaccess rules do not block access to files necessary for the site to work (for example, .css, .js or images).
  • Test your changes to avoid unintentional blocking. Use browser tools or the curl command to test.
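The tip about testing is worth taking literally, because a FilesMatch pattern protects exactly what its regular expression matches and nothing else. The following Python script is an added illustration (it is not part of this page's configuration and not Apache code) that applies the page's pattern the way Apache does, against the last path component only, to a set of constructed sample filenames. It also checks a case-insensitive variant with the PCRE (?i) flag, which is an assumed hardening, not something the page prescribes.

```python
import os
import re

# The pattern from the .htaccess block on this page, and a case-insensitive
# variant (an assumed hardening for this illustration; Apache's PCRE accepts (?i)).
PAGE_PATTERN = r"\.(ini|log|sh)$"
CASE_INSENSITIVE_PATTERN = r"(?i)\.(ini|log|sh)$"

# Constructed sample request paths; they are not taken from any real site.
SAMPLE_PATHS = [
    "config.ini",
    "logs/error.log",
    "bin/deploy.sh",
    "style.css",
    "config.ini.bak",   # backup copy: the extension is now .bak, so it is not matched
    "settings.INI",     # upper-case extension: matched only with the (?i) variant
    "shell.php",        # ends in 'sh' without a preceding dot, so it is not matched
]


def matches_filesmatch(path, pattern=PAGE_PATTERN):
    """True if a <FilesMatch pattern> section would apply to this request path.
    Apache evaluates <FilesMatch> against the file name only (the last path
    component), so the directory part is stripped before matching."""
    return re.search(pattern, os.path.basename(path)) is not None


def classify(paths, pattern=PAGE_PATTERN):
    """Map each path to 'blocked' (the section applies, so 'Require all denied'
    fires) or 'served' (the section does not apply)."""
    return {p: ("blocked" if matches_filesmatch(p, pattern) else "served") for p in paths}


def uncovered(paths, pattern=PAGE_PATTERN):
    """Return the paths that look like one of the sensitive file types (by name,
    in any case, possibly with a further suffix) but escape the given pattern."""
    suspicious = re.compile(r"(?i)\.(ini|log|sh)(\.|$)")
    return [p for p in paths
            if suspicious.search(os.path.basename(p)) and not matches_filesmatch(p, pattern)]


if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_PATHS).items():
        print(f"{path:20} {verdict}")
    print("escape the page's pattern:  ", uncovered(SAMPLE_PATHS))
    print("still escape with (?i) added:", uncovered(SAMPLE_PATHS, CASE_INSENSITIVE_PATTERN))
```

The two files that escape the page's pattern are the ones to think about: an editor's backup copy such as config.ini.bak is served as an ordinary file, and on a case-sensitive file system settings.INI is not covered without the (?i) flag. Whatever pattern you settle on, confirm it with curl against the live site as the tip above recommends.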

Blocking access by IP address

If you want to restrict access to a site or its individual parts for certain users based on their IP addresses, you can also use .htaccess for this.

IP address access restriction: allow all, deny listed

To deny access from specific IP addresses or ranges, use the following configuration in .htaccess:

Order Allow,Deny
Allow from all
Deny from 192.168.1.1
Deny from 203.0.113.0/24

Explanation of directives:

  • Order Allow,Deny. Determines the order in which the Allow and Deny directives are evaluated: all Allow directives first, then all Deny directives, and a matching Deny takes precedence over a matching Allow. In .htaccess this works on a different principle from the first-match rule list of a traditional firewall, which is why Deny from 192.168.1.1 takes effect despite Allow from all when the order is Allow and then Deny.
  • Allow from all. Allows access to all users by default.
  • Deny from. Blocks access from specified IP addresses or ranges.

IP address access restriction: deny all, allow listed

If you want to deny everyone first, and then allow only specific IP addresses or subnets, the .htaccess directive would look like this:

Order Deny,Allow
Deny from all
Allow from 192.168.1.1
Allow from 203.0.113.0/24

Explanation:

  • Order Deny,Allow. Specifies the order in which the Deny and Allow directives are evaluated: all Deny directives first, then all Allow directives, and a matching Allow takes precedence over a matching Deny. In .htaccess this works on a different principle from the first-match rule list of a traditional firewall, which is why Allow from 192.168.1.1 takes effect despite Deny from all when the order is Deny and then Allow.
  • Deny from all. Denies access to all users by default.
  • Allow from. Allows access for the specified IP addresses or ranges.

Practical tips:

  • Check IP addresses before adding: Use services like our IP checker to make sure you are blocking the right addresses.
  • Avoid blocking your IPs: Be careful not to accidentally block yourself, especially if you are using dynamic IPs.

Blocking access by country

To restrict access based on geolocation, you need to use a database of IP addresses corresponding to certain countries. Such lists can be obtained from services such as IP2Location or MaxMind.

After downloading the list of IP addresses, create directives in .htaccess to block ranges related to unwanted countries:

Order Allow,Deny
Allow from all
# Example IP range for country A
Deny from 5.6.7.0/24
# Example IP range for country B
Deny from 8.9.10.0/24

Note that Apache treats a line as a comment only when it begins with #; a # at the end of a directive line is not a comment and is passed to the directive as extra arguments, so comments must sit on lines of their own.

In practice, such lists can be very long; be aware of this before choosing this approach.

Practical tips:

  • IP addresses of countries may change. Update the database regularly by downloading fresh lists.

  • If there are many ranges to block, .htaccess rules may slow down the loading of the site. In this case, consider using the mod_geoip module (more on this below).

  • Check the functionality of the settings using VPN or proxy servers to emulate access from prohibited countries.

Automating blocking by country

To automatically block access from certain countries, it is recommended to use the mod_geoip module, which allows Apache to determine the user’s location based on the IP address and apply the appropriate rules.

Attention: mod_geoip is not installed by default on our shared hosting servers and it is not possible to install it on request. But you can install it on your virtual or dedicated server. You can check its presence on your server with root access as follows:

apachectl -M | grep geoip

1. If the module is missing, install it through your OS package manager. For example, for Ubuntu you can use the following command:

apt-get install libapache2-mod-geoip

Note: the mod_geoip module is supported in Apache 2.2 and 2.4. Make sure your server is running a compatible version (check with apache2 -v).

2. Download a GeoIP database (for example, the free version GeoLite2 from MaxMind).

3. Specify the path to the database in the Apache configuration (usually in httpd.conf or apache2.conf):

GeoIPDBFile /path/to/GeoLite2-Country.mmdb

4. After completing the preliminary steps, add the following rules to .htaccess for automatic blocking:

GeoIPEnable On
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry

Order Allow,Deny
Allow from all
Deny from env=BlockCountry

Explanation of directives:

  • GeoIPEnable On. Enables the use of the mod_geoip module.

  • SetEnvIf GEOIP_COUNTRY_CODE. Sets the BlockCountry environment variable for users from specified countries (e.g. Russia and China).

  • Order Allow,Deny and Deny from env=BlockCountry. Allows access to everyone except those matching the BlockCountry environment variable.
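The Order directive explained above (for both Allow,Deny and Deny,Allow) and the Deny from env=BlockCountry rule in this section all rest on the same evaluation model, which is the part people most often get wrong. The Python script below is an added illustration, not Apache's own code and not configuration from this page: it parses the three .htaccess fragments shown in this article (reproduced inline as constructed samples) and evaluates them for a few constructed client addresses using the semantics documented for mod_access_compat. The env dictionary passed to it stands in for the variables that mod_geoip and SetEnvIf would have set on a real request.

```python
"""Simulate how Apache's mod_access_compat evaluates Order / Allow from / Deny from.

Added illustration, not Apache's own code.  Modelled semantics (as documented for
mod_access_compat): with "Order Allow,Deny" every Allow is evaluated, then every
Deny, a matching Deny wins over a matching Allow, and a client matched by neither
is refused; with "Order Deny,Allow" the Denies are evaluated first, a matching
Allow wins, and a client matched by neither is admitted.  Nothing is evaluated
top to bottom the way a firewall rule list is.
"""
import ipaddress
import re


def _spec_matches(spec, client_ip, env):
    """One 'from' argument: all, an IP address, a CIDR network, or env=NAME / env=!NAME."""
    if spec.lower() == "all":
        return True
    if spec.startswith("env="):
        name = spec[4:]
        return (name[1:] not in env) if name.startswith("!") else (name in env)
    try:  # full address or CIDR; Apache's partial-address form (e.g. 10.1) is not modelled
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False


def parse_htaccess(text):
    """Collect the Order / Allow from / Deny from lines of a fragment.  Lines that
    start with '#' and unrelated directives are ignored.  Apache accepts comments
    only on lines of their own, so none are expected after a directive."""
    policy = {"order": "Deny,Allow", "allow": [], "deny": []}  # Deny,Allow is Apache's default
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)^Order\s+(Allow,Deny|Deny,Allow)$", line)
        if m:
            policy["order"] = m.group(1).title()
            continue
        m = re.match(r"(?i)^(Allow|Deny)\s+from\s+(.+)$", line)
        if m:
            policy[m.group(1).lower()].extend(m.group(2).split())
    return policy


def is_allowed(policy, client_ip, env=None):
    """Decide access for one client; env holds the variables SetEnvIf would have set."""
    env = env or {}
    allowed = any(_spec_matches(s, client_ip, env) for s in policy["allow"])
    denied = any(_spec_matches(s, client_ip, env) for s in policy["deny"])
    if policy["order"] == "Allow,Deny":
        return allowed and not denied   # Deny wins on conflict; unmatched clients are refused
    return allowed or not denied        # Allow wins on conflict; unmatched clients are admitted


def evaluate(htaccess_text, client_ip, env=None):
    return is_allowed(parse_htaccess(htaccess_text), client_ip, env)


# Constructed .htaccess fragments mirroring the configurations shown in this article.
BLOCKLIST = """\
Order Allow,Deny
Allow from all
Deny from 192.168.1.1
Deny from 203.0.113.0/24
"""
ALLOWLIST = """\
Order Deny,Allow
Deny from all
Allow from 192.168.1.1
Allow from 203.0.113.0/24
"""
GEOBLOCK = """\
# mod_geoip plus SetEnvIf would set BlockCountry; here the env dict plays that role
Order Allow,Deny
Allow from all
Deny from env=BlockCountry
"""

if __name__ == "__main__":
    for ip in ("10.0.0.5", "192.168.1.1", "203.0.113.77"):
        block = "allowed" if evaluate(BLOCKLIST, ip) else "denied"
        allow = "allowed" if evaluate(ALLOWLIST, ip) else "denied"
        print(f"{ip:14} blocklist: {block:8} allowlist: {allow}")
    print("geoblock, BlockCountry set:  ", evaluate(GEOBLOCK, "10.0.0.5", {"BlockCountry": "1"}))
    print("geoblock, BlockCountry unset:", evaluate(GEOBLOCK, "10.0.0.5"))
```

Two caveats worth keeping in mind when moving from the simulation to a real server. First, the legacy mod_geoip module (the libapache2-mod-geoip package named above) reads MaxMind's legacy .dat database format; the GeoLite2 .mmdb format is read by the separate mod_maxminddb module, so check which module and database format your installation actually pairs before pointing GeoIPDBFile at a file. Second, apachectl configtest validates only the main configuration: a mistake inside an .htaccess file shows up as a 500 error on the first request to that directory, so test each change with curl from both an address that should pass and one that should be refused.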

Practical tips:

  • Check the integrity of the Apache configuration with the following command:

apachectl configtest

  • Before making changes to .htaccess, create a backup copy of the file.

  • Test the correct blocking via VPN or proxy servers to ensure that users from prohibited countries are really blocked.

  • A large number of .htaccess rules can reduce performance. If this becomes a problem, move the rules into the main Apache configuration for the virtual host of the WWW domain in question.

  • Update the GeoIP database regularly to keep your blocking up to date.