Lighttpd restrict or deny access by IP address

So how do you restrict or deny access by IP address using the Lighttpd web server?

Lighttpd has the mod_access module. The access module is used to deny access to files with given trailing path names. You need to combine this with the remoteip conditional configuration. The syntax is as follows:

$HTTP["remoteip"] == "IP" : Match on the remote IP
$HTTP["remoteip"] !~ "IP1|IP2" : Do not match on the remote IP (perl style regular expression not match)
$HTTP["remoteip"] =~ "IP1|IP2" : Match on the remote IP (perl style regular expression match)

Task: Match on the remote IP

For example block access to url if IP address is NOT and (restrict access to these 2 IPs only):

Open the /etc/lighttpd/lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Append the following configuration directive:

$HTTP["remoteip"] !~ "|" {
    $HTTP["url"] =~ "^/stats/" {
      url.access-deny = ( "" )
    }
}

Save and restart lighttpd:
# /etc/init.d/lighttpd restart

Task: Block single remote IP

Do not allow IP address to access our site:

$HTTP["remoteip"] == "" {
       url.access-deny = ( "" )
}

Do not allow IP address to access our site:

$HTTP["remoteip"] =~ "|" {
       url.access-deny = ( "" )
}
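
Added example (not part of the original article): =~ and !~ are regular-expression searches, so a pattern written as IP1|IP2 also matches any address that merely contains one of the listed addresses. The Python sketch below models the !~ guard with re.search, lists which constructed sample clients slip past an unanchored allowlist, and renders the anchored form; the addresses and function names are assumptions made for the illustration.

```python
import re

# Constructed sample data (not from the article): an allowlist of two addresses.
ALLOWED = ["192.0.2.10", "10.0.0.5"]
# Constructed clients: the two allowed hosts, four look-alikes, one unrelated.
CLIENTS = ["192.0.2.10", "10.0.0.5", "192.0.2.100", "192.0.2.105",
           "110.0.0.5", "210.0.0.51", "203.0.113.9"]


def loose_pattern(ips):
    """The article's 'IP1|IP2' style: unanchored, dots unescaped."""
    return "|".join(ips)


def strict_pattern(ips):
    """'^(IP1|IP2)$' with every dot escaped so it matches a literal dot only."""
    return "^(" + "|".join(re.escape(ip) for ip in ips) + ")$"


def is_denied(pattern, remote_ip):
    """Model of: $HTTP["remoteip"] !~ pattern { url.access-deny = ( "" ) }
    The block applies (request denied) when the regex search finds no match."""
    return re.search(pattern, remote_ip) is None


def wrongly_allowed(pattern, allowed, clients):
    """Clients that escape the deny block although they are not allowlisted."""
    return [ip for ip in clients
            if ip not in allowed and not is_denied(pattern, ip)]


def lighttpd_block(ips, url_regex="^/stats/"):
    """Render the article's /stats/ allowlist block with the anchored pattern."""
    return ('$HTTP["remoteip"] !~ "%s" {\n'
            '    $HTTP["url"] =~ "%s" {\n'
            '        url.access-deny = ( "" )\n'
            '    }\n'
            '}\n' % (strict_pattern(ips), url_regex))


if __name__ == "__main__":
    print("loose :", wrongly_allowed(loose_pattern(ALLOWED), ALLOWED, CLIENTS))
    print("strict:", wrongly_allowed(strict_pattern(ALLOWED), ALLOWED, CLIENTS))
    print(lighttpd_block(ALLOWED))
```

With the unanchored pattern the four look-alike addresses are served; with the anchored pattern only the two listed hosts pass.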

See also

=> Lighttpd deny access to certain files

16 comments
  • Bryan Dec 15, 2006 @ 19:04

    Great article! I have a question relating to restricting access to a local server.

    I have two applications(Radiant & Mephisto) on the same shared server. I want to be able to restrict access to RSS feeds generated by Mephisto to the other application (Radiant).

    I reasoned that this could be accomplished using either the servers IP address or localhost. When I tried, it did not restrict anyone.

    Am I on the right track with my logic for this type of mod_access module? Alternatively, is it possible to restrict by domain?



  • 🐧 nixCraft Dec 15, 2006 @ 19:21

    Hello Bryan, is local loopback IP address. This ip address is not routable so you cannot use this IP for restriction i.e. any traffic that a server program sends on the loopback network is addressed to the same server.

    To solve your problem use IP address. For example

    IF user agent is not foo and if it is not our server IP address do something or
    deny access

    $HTTP["useragent"] !~ "foo" {
    $HTTP["remoteip"] != "SERVER-IP" {
    }
    }

    You can restrict RSS usage using URL match also.

  • Bryan Dec 15, 2006 @ 23:48


    Thanks for the information. I tried several variations without success.

    I spoke with my hosting provider. He explained that the remote ips will be because of the Apache 2 proxy.

    Is there a way to use the Apache HTTP_X_FORWARDED_FOR in the conditional instead of remoteip?

    The access seems to use that to record ips. This article talks about it a little.

    Thanks again for your help. I know this isn’t a standard question but there are probably a lot of people in similar Apache 2/Lighttpd setups.



  • 🐧 nixCraft Dec 16, 2006 @ 0:09

    I don’t think you can get HTTP_X_FORWARDED_FOR in conditional tags. However, you can try something as follows:

    $HTTP["url"] =~ "^/path/to/rss/" {
    $HTTP["remoteip"] != "your-shared-server-ip" {
    url.access-deny = ( "" )
    }
    }

    Or just paste your current config (removing your actual domain and IP for security purposes) and the exact requirements (output) you want. Then maybe I can help you out.

    Another possibility is – If you just need to give access to localhost lighttpd from Apache, configure iptables to drop all access.

  • xmlspy Feb 13, 2007 @ 8:03

    how to block multi IPs use mod_access in lighttpd?
    From To

  • 🐧 nixCraft Feb 15, 2007 @ 4:57


    Noop, it is not possible to specify range using –. However, you can specify network such as network or 70.6.2..5/29. For example:

      $HTTP["remoteip"] != "" {
       url.access-deny = ( "" )
      }
  • xmlspy Feb 26, 2007 @ 2:25

    reply nixcraft

    thanks 🙂


    $HTTP["remoteip"] !~ "||||||||" {
    url.access-deny = ("")
    }

    why can’t access website ?

  • Dude May 2, 2008 @ 10:08

    When using a regular expression match, I seem to have had success by simply leaving out the octet I wanted to use as a wild card.

    instead of “/24”: $HTTP["remoteip"] =~ "|10.0.0"
    instead of “/16”: $HTTP["remoteip"] =~ "|10.0"

    It’s been more than a year since the last reply, but hey, a search led me here.

  • Shougun Sep 30, 2008 @ 10:01

    How would you allow on one IP address to view the site, but deny the rest?

  • André Jan 19, 2009 @ 8:21

    Did you even look at the first example?

  • Dan Aug 30, 2009 @ 13:50

    What about denying access to subdomains? How is this done as what I have tried doesn’t work. If I have and I only wish IP 12.345.678.23 to access it how would this be done. The following doesn’t work:

    $HTTP["remoteip"] != "" { #example ip
    $HTTP["url"] =~ "^" {
    url.access-deny = ( "" )

  • dr_agon Feb 16, 2011 @ 2:57

    Nice info, thanks.

    Note, that you must be careful with comparison operators.
    If you want to deny access from everywhere except given IPs like in the example:

    $HTTP["remoteip"] !~ "|" {

    the IPs like (i.e., .52. and so on) FAILS the condition and are allowed access.
    !~ and =~ are substring operators. You must either use them with ^ and $, or just use != and ==.

    $HTTP["remoteip"] != "|" {
    will do exact IP matching.

  • dr_agon Feb 23, 2011 @ 19:59

    correction to my previous post:

    $HTTP["remoteip"] != "|" {
    is incorrect, of course.
    You can match only one IP using == or != operator, like this:
    $HTTP["remoteip"] != "" {

  • chebe Apr 12, 2013 @ 6:35

    How would you deny access from all but from a /64 (IPv6) ?
    thanks for your help

  • someone Feb 6, 2017 @ 9:25

    This however lets you block ‘^/some/’ but anyone can access the same folder directory by playing with the CASES like although it does block “some” directory but i can access the same directory by requesting “Some” , “sOme” , “SoMe” and any similar combination.
    Webserver serves the directory without considering case-sensitivity while it blocks the request based on case-sensitive syntax provided in the conf.
    Is there a work around for this?

    • someone Feb 6, 2017 @ 9:32

      This also sends 404 as the http response code,
      while I want to return 403 as the http response code and redirect the user to a custom error page.
      How can I do that?
