I had a case where Apache did not respect the directives in .htaccess with ‘require ip‘ and I couldn’t limit the website to certain addresses. The problem is that when Apache is behind a proxy ( HAProxy in this case ), the ‘require ip‘ will not pass the correct IP address. The correct IP address of the visitor is located in the ‘X-Forwarded-For’ variable. Therefore, .htaccess needs to be modified so that instead of ‘require ip’, it will respect another variable into which we will pass the values of ‘X-Forwarded-For’.
Below is an example of how it was solved in a case where it was necessary to request a password only if the website visitor did not come from a specific IP address which is added to the exceptions.”
Example:
<If "%{HTTP_HOST} == 'this.isnowworking.com'">
SetEnv IF_MATCHES_HOST true
AuthUserFile /etc/httpd/.htpasswd
AuthType Basic
AuthName "Restricted access"
SetEnvIF X-Forwarded-For "1.1.1.1" AllowIP
SetEnvIF X-Forwarded-For "2.2.2.2" AllowIP
SetEnvIF X-Forwarded-For "3.3.3.3" AllowIP
<RequireAny>
Require valid-user
Require env AllowIP
</RequireAny>
</If>