Configure Apache with Load-balancer / Proxy

If your Apache website sits behind a load-balancer or proxy, some features might not work very well. The proxy, for example, might “hide” the true client IP: the address your application sees in the REMOTE_ADDR attribute (in PHP, for example) will be the IP of the proxy, which renders an IP ban in .htaccess useless.

If that happens, it is time to do some configuration. First, you need to enable the mod_remoteip module to handle requests that arrive through a proxy. It allows you to “rewrite” some headers in the request so that your web application knows the true client IP.

Open your httpd.conf in a text editor and uncomment this line:

#LoadModule remoteip_module modules/

by removing the # character at the beginning of the line.

Now you need to configure the remote IP address. Depending on what you have, add a line to httpd.conf

for a load-balancer:

for a proxy:

This tells Apache how to get the true client IP to put into REMOTE_ADDR.

Now you can configure the “proxy” or load-balancer you trust:

What does /24 in the IP mean in this case? /24 means that this allows a range of IPs that match in the first 24 bits.

As we all know, an IPv4 address is a 32-bit value, aka 4 bytes. So the first 3 bytes, 10.0.2, must match, and the last byte can be anything from 0 to 255. So will accept to This is usually the range of your “internal network”.

/24 is not the only option, you can have /8 (only matches the first byte, so will match, and /16 ( to, or /32 (only exact IP address is accepted, so is same as only)

It’s important to note that you can have multiple RemoteIPInternalProxy lines. For example, your site can be behind a public proxy (CloudFlare, for example) and a private proxy. Just add both of those IPs, each on its own RemoteIPInternalProxy line, and you’re good to go.
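The trust decision described above, as an added Python example (not from the original post and not Apache's own code): a simplified model of how a server walks a comma-separated forwarding header from right to left and believes only the entries added by proxies inside the trusted ranges. The X-Forwarded-For-style header value, the 192.0.2.10 proxy and every sample address are constructed assumptions.

```python
import ipaddress

# Constructed trust list: the page's 10.0.2.x internal range written as a /24,
# plus one exact host written as a /32 (hypothetical second proxy).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.2.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted(addr, networks=TRUSTED_PROXIES):
    """True if addr falls inside any trusted proxy network (CIDR match)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def resolve_client_ip(peer_addr, forwarded_for, networks=TRUSTED_PROXIES):
    """Return the address that should be treated as the client.

    peer_addr:     IP of the TCP connection as the web server sees it.
    forwarded_for: comma-separated forwarding header value, or None.
    """
    client = peer_addr
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    # The rightmost entry was appended by the nearest proxy, so walk leftwards
    # and only keep going while the current address is itself a trusted proxy.
    while hops and is_trusted(client, networks):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: keep the last address that validated
        client = candidate
    return client


if __name__ == "__main__":
    # Request relayed by the internal load-balancer: header is believed.
    print(resolve_client_ip("10.0.2.15", "203.0.113.7"))
    # Direct connection from an untrusted host sending its own header: ignored.
    print(resolve_client_ip("198.51.100.9", "10.0.2.1"))
    # Client-supplied leftmost entry is never reached once an untrusted hop appears.
    print(resolve_client_ip("10.0.2.15", "10.0.2.1, 203.0.113.7"))
```

A range that is wider than the proxies you actually run lets any host in that range choose the client IP your application sees, so keep each entry as narrow as the deployment allows.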

Now, just restart your Apache service and it should work. Try adding your own IP to the deny list in .htaccess to see if you get yourself banned 😉
