deny and allow ip access .htaccess - apache

Seen lots of info regarding this but can't figure out this scenario. I want to deny all UK IPs but allow my own UK IP.
I have a big list of deny IP addresses which work fine and deny access, but I want to be able to access the site for obvious reasons!
Basically I'm creating a site for an Irish consumer base and the owner wants to exclude the UK from accessing the site. But I need to access it still.

In your .htaccess file, put this rule in the same manner and write your whitelisted IPs in the allow from lines.
<Directory "/">
order deny,allow
deny from all
allow from 127.0.0.1
allow from 127.0.0.2
</Directory>
Using Require
<RequireAll>
Require all granted
Require not ip 10.252.46.165
</RequireAll>
https://httpd.apache.org/docs/2.4/howto/access.html
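An added example, not part of the answers above: a small Python model of how the documented Order / Allow / Deny evaluation combines the rules, applied to the question's case of a blocklist with one exempt address inside it. The addresses are constructed documentation ranges, the function names are hypothetical, and the model handles only full IPs, CIDR ranges and "all".

```python
import ipaddress


def _matches(rules, client):
    """True if the client address falls inside any rule ('all', IP or CIDR)."""
    addr = ipaddress.ip_address(client)
    for rule in rules:
        if rule == "all" or addr in ipaddress.ip_network(rule, strict=False):
            return True
    return False


def access_allowed(order, allow, deny, client):
    """Model of the documented Order/Allow/Deny outcome for one client."""
    allowed = _matches(allow, client)
    denied = _matches(deny, client)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        # Deny is checked first, a matching Allow overrides it;
        # a client matching nothing is allowed by default.
        return allowed or not denied
    if order == "allow,deny":
        # An Allow must match and no Deny may match;
        # a client matching nothing is denied by default.
        return allowed and not denied
    raise ValueError("unknown Order: " + order)


# Constructed sample data (documentation ranges, not real UK allocations).
BLOCKED = ["203.0.113.0/24", "198.51.100.0/24"]
MY_IP = "203.0.113.45"         # own address, inside a blocked range
OTHER_BLOCKED = "203.0.113.9"  # another client in the same blocked range
VISITOR = "192.0.2.10"         # matches no rule at all


def demo():
    """Return the decision for each sample client under both Order values."""
    results = {}
    for order in ("deny,allow", "allow,deny"):
        # Blocklist plus a single Allow line for MY_IP.
        results[order] = [access_allowed(order, [MY_IP], BLOCKED, ip)
                          for ip in (MY_IP, OTHER_BLOCKED, VISITOR)]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```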

Related

/etc/httpd/conf/httpd.conf versus /etc/httpd/conf.d/owncloud.http /Directory directives

Below is a segment from the owncloud.conf file in /etc/httpd/conf.d. It is the intent to lock out all access except the 10.0 intranet and a limited set of external IP addresses xx.yy.0.0. However, the configuration is not locking out other access. All external addresses are being allowed. Is there something obvious with this configuration?
<Directory /var/www/http/owncloud/>
Options Indexes FollowSymLinks MultiViews
AllowOverride none
Require all denied
Order Deny,Allow
Deny from all
Allow from 10.0.0.0/16
Allow from xx.yy.0.0/16
</Directory>
It's either being overridden in a different configuration section (like Location or LocationMatch) or your clients are coming through proxies that make them appear to match your rules.
Try this
Deny from none
However, swap around your IP config and change it to deny
Allow from 10.0.0.0/16
Allow from xx.yy.0.0/16

Require ip 127.0.0.1 works sometimes and sometimes it won't

I have a very simple .htaccess file:
<RequireAll>
Require all granted
# require localhost
Require ip 127.0.0.1
</RequireAll>
and it works... sometimes!
Sometimes, it will throw me a 403, and the error.log explains:
[client ::1:65443] AH01630: client denied by server configuration
Why won't it match that local client to the Require ip 127.0.0.1 rule?
As it turns out, Apache 2.4's Require matches the IP exactly. If you have multiple IP addresses aliasing localhost, you need to list all of them (or use a special alias, if one exists, as explained below).
In this particular case, the error.log entry reveals it all: The client connected through the IPv6 interface (ip == ::1). That needs to be white-listed as well:
<RequireAll>
Require all granted
# require localhost
<RequireAny>
Require ip 127.0.0.1
Require ip ::1
</RequireAny>
</RequireAll>
Any suggestions as to whether there is a simpler/safer method to get this done, are very welcome!
Update
As Helge Klein suggests, Require local is a more concise alternative:
<RequireAll>
Require all granted
# require localhost
Require local
</RequireAll>
Require ip 127.0.0.1
Require ip ::1
The Require all granted is the equivalent to:
Order allow,deny
Allow from all
from earlier Apache versions, which open the site to everyone. If your intention is to block the site to everyone, except certain IPs, you should start with a:
Require all denied
You can find more info here: Upgrading to 2.4 from 2.2
I don't use .htaccess since I have Apache installed on my workstation, and have full access to the http.conf file. But for a site like phpmyadmin where I want to limit where people log from, I have this:
Require all denied
Require ip 127.0.0.1
First line denies access to everyone, including my own workstation.
Second line adds my workstation localhost ip to the list of only allowed connections.
No RequireAll or RequireAny tags. Again in .htaccess those tags may be needed.

Denying Access to Particular IPs on Apache

One of my websites is being continuously attacked by spammers originating from a certain set of countries.
There are four culprit IPs that are proving to be a nuisance.
I have tried using the mod_access utility of Apache and have the following lines added to my .htaccess
<Limit GET POST>
order allow,deny
Allow from all
deny from 201.xx.xx.xx
deny from 202.xx.xx.x
deny from 201.xx.xx.xx
deny from 201.xx.xxx.xx
</Limit>
However, for some reason, the spammers are still able to access my site and the spam continues from the said IPs.
Can anyone tell me as to where exactly it is that I am going wrong?
Just remove the limit
order allow,deny
deny from 201.xx.xx.xx
deny from 202.xx.xx.x
deny from 201.xx.xx.xx
deny from 201.xx.xxx.xx
allow from all

.htaccess whitelist IP except 1 file

I have an internal website which has a .htaccess login except for the office IP. Which IP is white listed. Now I need a cronjob to get a file but I don't want normal users to access that file directly. An overview:
- public_html/
- index.php
- files.php
- all_folders/
- cronjob_only/dump.sql
So all users can access all, except cronjob_only/dump.sql. If they are inside the office they don't require a login. Outside they need to login.
The cronjob_only/dump.sql always requires a login and the valid user cron_user
I did get it working without the ip whitelisting. My .htaccess file:
Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /home/admin/domains/website.com/.htpasswd-file
AuthName "U shall not pass"
Allow from 94.215.167.79 #office IP
require valid-user
Satisfy Any
<FilesMatch "dump.sql">
Require user cron_user
</FilesMatch>
The above allows people inside the ip to access the dump.sql
If I turn off the Allow from.. the login split works.
What am I missing? I tried a lot. Most of it found here on stackoverflow.
Can anybody help?
Try this:
<FilesMatch "dump.sql">
Order allow,deny
Require user cron_user
Satisfy Any
</FilesMatch>
Please note that I'm not sure of this answer.

Need to deny all IPs except mine from accessing site and display friendly error

I need to deny all IPs except mine.
I got my outward facing IP from whatismyip.com. Let's assume it is 200.200.200.200
Here is the beginning of my .htaccess
ErrorDocument 403 /down.html
<Limit GET POST>
order deny,allow
deny from all
allow from 200.200.200.200
</Limit>
This works with the denying part - it shows my down.html page. However it denies me even when I place my correct IP in the .htaccess. Am I doing something wrong?
Also the down.html page contains an image - but seeing as all requests are being denied, I had to host it on a different domain to get it to display. My .htaccess skills are a little rusty, but how would I go about allowing that one image request through using .htaccess on this domain?
<Limit GET POST>
order allow,deny
allow from 200.200.200.200
deny from all
</Limit>