Limit The .htaccess file might contain allow, deny, and
order directives.File System Authentication and Access
Control
You’re likely to include material on your website that isn’t supposed to be
available to the public. You must be able to lock out this material from public
access and provide designated users with the means to unlock the material.
Apache provides two methods for accomplishing this type of access:
authentication and authorization. You can use different criteria to control
access to sections of your website, including checking the client’s IP address
or hostname or requiring a username and password. This section briefly
covers some of these methods.
CAUTION
Allowing individual users to put web content on your server poses several
important security risks. If you’re operating a web server on the Internet
rather than on a private network, check out https://www.w3.org/Security/.Restricting Access with Require
One of the simplest ways to limit access to website material is to restrict
access to a specific group of users, based on IP addresses or hostnames.
Apache uses the Require directive to accomplish this. Here are some
examples with comments, that could be placed within the apache2.conf
file:
Click here to view code image
Require all granted #permit all to access
Require not ip 10.252.46.163 #except from this ip address
Require not host horriblepeople.com #and also not from this domain
Require not host gov #and finally, not from any .gov
There are many options beyond RequireAll, including RequireAny and
RequireNone, along with a detailed set of options for each. For more, see
https://httpd.apache.org/docs/2.4/howto/access.html.