How to limit website access to a number of IP addresses
If you want to limit access to your website instance to a small number of IP
addresses, for example before the official launch, you’d usually use the
following lines in your .htaccess
file (with Apache 2.2):
Order allow,deny
Deny from All
Allow from 1.2.3.4
Allow from 2.3.4.5
Here’s the equivalent configuration for Apache 2.4:
<RequireAny>
Require ip 1.2.3.4 2.3.4.5
</RequireAny>
But because your application boxes don’t get their requests directly from your visitors but via our Edge Routers and the Content Cache/Load Balancer, this will not work. The sender will always appear to be one of the Load Balancer nodes.
You can get the actual visitor IP address from the HTTP header X-Forwarded-For
which is set by our Edge Routers. By evaluating this header, Apache can take
this information into account. Here’s a complete configuration snippet that
works with both Apache 2.4 and Apache 2.2:
SetEnvIf X-Forwarded-For "1.2.3.4" AllowIP
SetEnvIf X-Forwarded-For "2.3.4.5" AllowIP
<IfModule mod_authz_core.c>
<RequireAny>
Require env AllowIP
Require ip 1.2.3.4 2.3.4.5
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from All
Allow from env=AllowIP
Allow from 1.2.3.4
Allow from 2.3.4.5
</IfModule>