Question

I would like to restrict access to a folder according to some IPs.

I already know how to do that by

<Directory "/path/to/my/directory/">
    Order Deny,Allow
    Deny from all
    Allow from 123.123.123.1 # IP 1
    Allow from 123.123.123.2 # IP 2
    Allow from 127
</Directory>

As I would like to manage the list of allowed IPs differently, I would prefer to allow them from a text file where the IPs could be noted like this:

123.123.123.1
123.123.123.2

Does anybody know how to do that? If that's not possible, is there another way to do such a thing?

P.S.: To make everything clear, my final purpose is to grab IPs connected to a local VPN (OpenVPN), complete a file with the IP if not already included and restart apache2 so that it can take account of them. It's a little bit strange but on the same server I have html contents that I wanna be accessed only by vpn users. But even if I pass through the vpn, apache2 sees the remote IP address not the endpoint one...

Solution

You can't include extra files in the apache config like what you want to do, but you could use mod_rewrite's RewriteMap directive to use a mapping file, or run a script.

For example, you can create the map:

RewriteMap allow_ips txt:/path/to/ipfile.txt

And in the /path/to/ipfile.txt you'd have

123.123.123.1  1
123.123.123.2  1
123.123.123.4  1
123.123.123.10  1

Then in your directory container:

RewriteEngine On
RewriteCond ${allow_ips:%{REMOTE_ADDR}|0} 0
RewriteRule ^ - [L,F]

The mapping is being used in the condition: ${allow_ips:%{REMOTE_ADDR}|0}. If the remote address is in the /path/to/ipfile.txt, then the mapping will return "1", otherwise it returns "0" which would satisfy the condition and the rule will deny access.

Problem with this kind of mapping is that you need to have something other than a "0" at the end of each IP (in order to form a map).

The other option is to write a script and use the prg map type. The script would look up the IP in a different file and return the appropriate "1" or "0". This is a little less lightweight since the script would be run each time as opposed to a cached map file.
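
A sketch of the prg map script described above, as an added example that is not part of the original answer: it reads a plain one-IP-per-line file (no trailing "1" needed) and answers "1" or "0" for each key httpd sends. The file path and function names are assumptions, and it goes slightly beyond the answer by also accepting CIDR ranges and `#` comments and by denying on any malformed input.

```python
#!/usr/bin/env python3
"""prg: RewriteMap helper: prints "1" if the key is an allowed IP, else "0"."""
import ipaddress
import os
import sys

IP_FILE = "/path/to/allowed_ips.txt"  # assumed path: one IP or CIDR per line


def parse_allowlist(lines):
    """Return networks from lines; blanks, '#' comments and bad entries are skipped."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # ignore malformed entries rather than widening access
    return nets


def lookup(key, nets):
    """Map one key sent by httpd to "1" (allowed) or "0" (denied); fail closed."""
    try:
        addr = ipaddress.ip_address(key.strip())
    except ValueError:
        return "0"
    return "1" if any(addr in net for net in nets) else "0"


def serve(path=IP_FILE, stdin=sys.stdin, stdout=sys.stdout):
    """Answer one line per request, reloading the file when its mtime changes."""
    nets, seen = [], None
    for key in stdin:
        try:
            mtime = os.stat(path).st_mtime
            if mtime != seen:
                with open(path) as fh:
                    nets, seen = parse_allowlist(fh), mtime
        except OSError:
            nets, seen = [], None  # unreadable file: deny everything
        stdout.write(lookup(key, nets) + "\n")
        stdout.flush()  # httpd waits for the reply, so never buffer it


if __name__ == "__main__":
    serve()
```

It would be wired in with `RewriteMap allow_ips prg:/path/to/allow_ips.py` (script name hypothetical), keeping the RewriteCond and RewriteRule from the answer unchanged. RewriteMap itself is only valid in server config or virtual host context, so only the condition and rule go inside the directory container.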

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow