How to correctly configure `.htaccess` for LiteSpeed Web Server (v6.3.4) to allow by range/ip

#1
Hello everyone,

I’m currently hosting a website on LiteSpeed Web Server Enterprise v6.3.4, and I want to properly configure my .htaccess file for better security.

My goal is to block all direct IP access and allow traffic only from:

- Cloudflare IP ranges (since my site is behind Cloudflare)
- Google bots (for indexing)
- cron-job.org (for scheduled tasks)

I tried a few rules:

Code:
```
Deny from all

# Allow specific IPv4 addresses
Allow from 116.203.134.67
Allow from 116.203.129.16
....
```

```
ErrorDocument 403 "Not Allowed"
Deny from all

### Cloudflare IPs ###

Allow from 103.21.244.0/22
Allow from 103.22.200.0/22
Allow from 103.31.4.0/22
....
```

```
# Allow Cloudflare IPv4 ranges
Require ip 173.245.48.0/20
Require ip 103.21.244.0/22
....
```

```
Require all denied

# Allow specific IPv4 addresses
Require ip 116.203.134.67
Require ip 116.203.129.16
Require ip 23.88.105.37
....
```

```
Order Deny,Allow
Deny from all

# Allow specific IPv4 addresses
Allow from 116.203.134.67
Allow from 116.203.129.16
Allow from 23.88.105.37
...
```

```
<FilesMatch ".*">
    # Allow specific IPv4 addresses
    Require ip 116.203.134.67
    Require ip 116.203.129.16
    Require ip 23.88.105.37
.....
```

```
<RequireAny>
    # Allow specific IPv4 addresses
    Require ip 116.203.134.67
    Require ip 116.203.129.16
    Require ip 23.88.105.37
....
```
But it seems LiteSpeed behaves slightly differently from Apache (all of these either aren't applied or block everything), and I’m not sure what the correct syntax or best practice is here.

Can anyone share a working example or guide me on how to correctly set up the .htaccess file for this scenario?

I’d like to make sure legitimate requests from Cloudflare and Googlebot aren’t blocked, while all other direct IP access is denied.

Thanks in advance for your help!
 

serpent_driver

Well-Known Member
#2
@LSWSEv634Noob

  • You should not "abuse" the .htaccess if you want to block a huge list of IPs. Blocking by htaccess is not free and costs load. Better use WAF/Proxy or CDN.
  • Blocking IPs by ranges (173.245.48.0/20) doesn't work in .htaccess, neither in LiteSpeed nor in Apache.
  • Define a simple rewriteRule with allowed IPs as condition and every IP that is not defined, is automatically blocked.
 
#5
Code:
```
<IfModule mod_rewrite.c>
RewriteEngine On

# --- Cloudflare IP Ranges ---
RewriteCond %{REMOTE_ADDR} ^173\.245\. [OR]
RewriteCond %{REMOTE_ADDR} ^103\.21\. [OR]
RewriteCond %{REMOTE_ADDR} ^103\.22\. [OR]
RewriteCond %{REMOTE_ADDR} ^103\.31\. [OR]
RewriteCond %{REMOTE_ADDR} ^141\.101\. [OR]
RewriteCond %{REMOTE_ADDR} ^108\.162\. [OR]
RewriteCond %{REMOTE_ADDR} ^190\.93\. [OR]
RewriteCond %{REMOTE_ADDR} ^188\.114\. [OR]
RewriteCond %{REMOTE_ADDR} ^197\.234\. [OR]
RewriteCond %{REMOTE_ADDR} ^198\.41\. [OR]
RewriteCond %{REMOTE_ADDR} ^162\.15[8-9]\. [OR]
RewriteCond %{REMOTE_ADDR} ^104\.1[6-9]\. [OR]
RewriteCond %{REMOTE_ADDR} ^104\.2[0-3]\. [OR]
RewriteCond %{REMOTE_ADDR} ^104\.24\. [OR]
RewriteCond %{REMOTE_ADDR} ^172\.6[4-9]\. [OR]
RewriteCond %{REMOTE_ADDR} ^172\.7[0-6]\. [OR]
RewriteCond %{REMOTE_ADDR} ^131\.0\.7[2-3]\. [OR]

# --- Your Own IPs ---
RewriteCond %{REMOTE_ADDR} ^116\.203\.134\.67$ [OR]
RewriteCond %{REMOTE_ADDR} ^116\.203\.129\.16$ [OR]
RewriteCond %{REMOTE_ADDR} ^23\.88\.105\.37$ [OR]
RewriteCond %{REMOTE_ADDR} ^128\.140\.8\.200$ [OR]
RewriteCond %{REMOTE_ADDR} ^91\.99\.23\.109$ [OR]

# --- Googlebot IPv4 Ranges (simplified regex prefixes) ---
RewriteCond %{REMOTE_ADDR} ^192\.178\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.100\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.101\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.118\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.126\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.146\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.147\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.151\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.152\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.154\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.155\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.165\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.175\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.176\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.22\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.64\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.65\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.80\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.88\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.89\. [OR]
RewriteCond %{REMOTE_ADDR} ^34\.96\. [OR]
RewriteCond %{REMOTE_ADDR} ^35\.247\. [OR]
RewriteCond %{REMOTE_ADDR} ^66\.249\.6[4-9]\. [OR]
RewriteCond %{REMOTE_ADDR} ^66\.249\.7[0-9]\.

# --- If IP matched any condition above: Allow ---
RewriteRule ^ - [L]

# --- Default Deny (403 Forbidden for all others) ---
RewriteRule ^ - [F]

</IfModule>
```
This is the code I used, thank you @serpent_driver
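
Added example (not part of any post in this thread): post #5 stands in two-octet regex prefixes for the Cloudflare CIDR ranges listed in post #1, and this Python sketch counts how many addresses each prefix admits outside its range, then builds a `RewriteCond` regex that matches the range exactly. The function names and the /16 to /24 restriction are assumptions of the example.

```python
import ipaddress
import re

# Cloudflare CIDR ranges quoted in post #1, paired with the prefix regex
# that post #5 uses in their place.
PAIRS = [
    ("173.245.48.0/20", r"^173\.245\."),
    ("103.21.244.0/22", r"^103\.21\."),
    ("103.22.200.0/22", r"^103\.22\."),
    ("103.31.4.0/22", r"^103\.31\."),
]

def audit(cidr, pattern):
    """Return (extra, missed): addresses the regex admits outside the CIDR,
    and CIDR addresses the regex fails to match."""
    net = ipaddress.ip_network(cidr)
    rx = re.compile(pattern)
    extra = missed = 0
    # Assumption: the regex pins the first two octets, so the enclosing /16
    # contains every address it can match.
    for addr in net.supernet(new_prefix=16):
        hit = rx.match(str(addr)) is not None
        if hit and addr not in net:
            extra += 1
        elif not hit and addr in net:
            missed += 1
    return extra, missed

def exact_condition(cidr):
    """Build a regex that matches exactly one CIDR (prefix /16 to /24 only)."""
    net = ipaddress.ip_network(cidr)
    if not 16 <= net.prefixlen <= 24:
        raise ValueError("only /16 to /24 handled in this example")
    a, b = str(net.network_address).split(".")[:2]
    # One alternative per /24 inside the range, keyed on the third octet.
    thirds = [str(s.network_address).split(".")[2]
              for s in net.subnets(new_prefix=24)]
    return rf"^{a}\.{b}\.({'|'.join(thirds)})\."

if __name__ == "__main__":
    for cidr, pattern in PAIRS:
        extra, missed = audit(cidr, pattern)
        tight = exact_condition(cidr)
        print(f"{cidr}: {pattern} admits {extra} extra, misses {missed}")
        print(f"  RewriteCond %{{REMOTE_ADDR}} {tight} [OR]")
```
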
 
#6
Your code has serious errors....

Code:
```
RewriteCond %{REMOTE_ADDR} !^173\.245\.
RewriteCond %{REMOTE_ADDR} !^103\.21\.
RewriteCond %{REMOTE_ADDR} !^103\.22\.
# Add more IPs
RewriteRule .* - [F,L]
```
Such IPs are not Google bot, but Google Cloud related, mostly bad bots

Code:
```
RewriteCond %{REMOTE_ADDR} ^34\.
```
 
#7
The issue is that I get 403 either way, and that's the main issue.
For the Google IPs, I got the list from here: "https://developers.google.com/search/apis/ipranges/googlebot.json"
According to the Google docs, it's the list of IPs for crawlers, indexers
 