Apache HTTP Server Blocklist Tutorial

Block VPN, proxy and Tor traffic in Apache using mod_authz_host and mod_access_compat with IP lists loaded from CSV or TXT blocklist files.

Supported formats: TXT (one IP per line), CSV (ip,type columns)

Steps

  1. Download the blocklist

     Fetch the IP blocklist TXT file from your AntiProxies dashboard. This file contains one IP address or CIDR range per line.

  2. Parse the file to Apache directives

     Use a small shell script to convert the raw IP list into Apache Require not ip directives and write them to an include file.

  3. Include the blocklist in your VirtualHost

     Use the Include or IncludeOptional directive inside your VirtualHost block to load the generated deny rules.

  4. Test and reload Apache

     Run apachectl configtest to validate the configuration, then apachectl graceful to apply changes without dropping connections.


VirtualHost – include blocklist

Load the generated IP blocklist include file inside your VirtualHost.

/etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html

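    <Directory /var/www/html>
        AllowOverride None

        # Include AntiProxies IP blocklist. The include file carries its own
        # "Require all granted" inside <RequireAll>. Do not add another
        # Require directive next to it: sibling Require directives are
        # combined as RequireAny, which would let blocked addresses through.
        IncludeOptional /etc/apache2/blocklists/antiproxies.conf
    </Directory>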

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Generated blocklist include

Each blocked IP becomes a "Require not ip" line. Build this file from the downloaded TXT blocklist.

/etc/apache2/blocklists/antiproxies.conf
<RequireAll>
    Require all granted
    Require not ip 1.2.3.4
    Require not ip 5.6.7.0/24
    Require not ip 10.0.0.1
    Require not ip 192.168.100.0/22
</RequireAll>
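
One way to do the conversion from step 2 and build the include file shown above, as an added example rather than AntiProxies' own script. The function names and the input file name are assumptions, "#" comment lines in the TXT file are assumed, and only IPv4 addresses and IPv4 CIDR ranges are accepted:

```bash
#!/usr/bin/env bash
# Added example (not vendor code): TXT blocklist -> Apache 2.4 include file.

# emit_rules FILE: print one "Require not ip" line per valid, unique entry.
# Only strict IPv4 addresses and IPv4 CIDR ranges pass; everything else is
# skipped, so stray text in the download can never become an Apache directive.
emit_rules() {
    awk '
    function v4(a,    n, o, i) {
        n = split(a, o, /\./)
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^(0|[1-9][0-9]*)$/ || length(o[i]) > 3 || o[i] + 0 > 255)
                return 0
        return 1
    }
    {
        sub(/\r$/, "")                  # tolerate CRLF line endings
        sub(/[ \t]*#.*$/, "")           # drop comments (assumed "#" syntax)
        gsub(/^[ \t]+|[ \t]+$/, "")     # trim whitespace
        if ($0 == "") next
        n = split($0, p, "/")
        ok = v4(p[1]) && (n == 1 || (n == 2 && p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32))
        if (!ok) { print "skipped invalid line " NR | "cat 1>&2"; next }
        if (!seen[$0]++) print "    Require not ip " $0
    }' "$1"
}

# build_blocklist SRC DST: write the include next to DST, then rename into place.
build_blocklist() {
    src=$1; dst=$2
    tmp=$(mktemp "$dst.XXXXXX") || return 1
    {
        echo "<RequireAll>"
        echo "    Require all granted"
        emit_rules "$src"
        echo "</RequireAll>"
    } > "$tmp"
    # An empty or garbled download must not replace a working list with nothing.
    if ! grep -q '^    Require not ip ' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$dst"   # same directory, so the swap is atomic
}

# Usage (paths from the page; the input file name is a placeholder):
#   build_blocklist blocklist.txt /etc/apache2/blocklists/antiproxies.conf \
#     && apachectl configtest && apachectl graceful
```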

Frequently asked questions

Which Apache module handles IP blocking?
mod_authz_host (Apache 2.4+) provides the Require not ip directive. On older 2.2 servers use mod_access_compat with Deny from.

Will a large blocklist slow down Apache?
Apache evaluates Require not ip rules linearly. For lists > 50,000 entries consider moving the check to mod_rewrite with a RewriteMap hash or to a WAF layer (e.g. ModSecurity).

Can I use this in .htaccess?
Yes – paste the RequireAll block directly into your .htaccess. Note that AllowOverride AuthConfig (or All) must be set in the server config for .htaccess to work.

How do I get the real IP behind a reverse proxy?
Enable mod_remoteip and configure RemoteIPHeader X-Forwarded-For and RemoteIPTrustedProxy with your proxy's IP so Apache sees the real client address.
