How to restrict access to specific directories in Apache

Restricting access to sensitive directories in Apache prevents accidental exposure of backups, private uploads, administrative tools, and application internals. A single reachable folder under the web root can leak configuration, source code, or data that enables further compromise. Tight directory rules also reduce unwanted indexing and automated scraping of non-public assets.

Access decisions in Apache are made after a request is mapped to a filesystem path and configuration contexts are evaluated. The Directory context applies to filesystem locations (not URL paths), and on Apache 2.4 authorization is defined using Require rules such as Require all denied or Require ip. More specific Directory matches typically take precedence for a given path.

Validation with apache2ctl configtest prevents lockouts caused by typos that stop Apache from reloading cleanly. Commands assume the Ubuntu/Debian layout (/etc/apache2/ and the apache2 systemd unit); RHEL/CentOS commonly uses /etc/httpd/ and the httpd unit. IP allowlists depend on the remote address reported to Apache, which may require proxy-aware configuration when traffic arrives through a load balancer.

Steps to restrict access to specific directories in Apache:

List active virtual hosts to locate the site configuration file.

$ sudo apache2ctl -S
VirtualHost configuration:
*:80                   host.example.net (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
##### snipped #####

Confirm the site DocumentRoot so the restriction targets a real filesystem path.

$ sudo grep -RIn "DocumentRoot" /etc/apache2/sites-enabled/000-default.conf
12:	DocumentRoot /var/www/html

Locate existing Directory sections to choose a consistent place for new rules.

$ sudo grep -RIn "<Directory" /etc/apache2/
/etc/apache2/sites-available/default-ssl.conf:98:	<Directory /usr/lib/cgi-bin>
/etc/apache2/mods-available/userdir.conf:4:<Directory /home/*/public_html>
/etc/apache2/mods-available/alias.conf:15:<Directory "/usr/share/apache2/icons">
/etc/apache2/conf-available/localized-error-pages.conf:50:#			<Directory "/usr/share/apache2/error">
/etc/apache2/conf-available/serve-cgi-bin.conf:12:		<Directory "/usr/lib/cgi-bin">
/etc/apache2/conf-enabled/localized-error-pages.conf:50:#			<Directory "/usr/share/apache2/error">
/etc/apache2/conf-enabled/serve-cgi-bin.conf:12:		<Directory "/usr/lib/cgi-bin">
/etc/apache2/apache2.conf:159:<Directory />
/etc/apache2/apache2.conf:165:<Directory /usr/share>
/etc/apache2/apache2.conf:170:<Directory /var/www/>
/etc/apache2/apache2.conf:176:#<Directory /srv/>
/etc/apache2/mods-enabled/alias.conf:15:<Directory "/usr/share/apache2/icons">

Open the virtual host configuration file for editing.
```
$ sudo vi /etc/apache2/sites-available/000-default.conf
```
Related: Location for Apache configuration file
Add a Directory block that denies access to the sensitive folder.
```
<Directory "/var/www/html/forbid">
    Require all denied
</Directory>
```
Placing Require all denied on a parent path like /var/www/html blocks the entire site.

Directory applies to filesystem paths; URL-only restrictions belong in Location or LocationMatch. Legacy Order/Deny/Allow rules require mod_access_compat on Apache 2.4.
Use a Require ip allowlist to permit only trusted addresses.
```
<Directory "/var/www/html/forbid">
    Require ip 192.168.1.100 192.168.1.0/24
</Directory>
```
CIDR ranges (for example 192.168.1.0/24) keep allowlists readable.
Save the configuration file.
Create the target directory if it does not already exist.
```
$ sudo mkdir -p /var/www/html/forbid
```
Test the Apache configuration for syntax errors.
```
$ sudo apache2ctl configtest
Syntax OK
```
Related: How to test your Apache configuration
Reload the apache2 service to apply the change.
```
$ sudo systemctl reload apache2
```
Related: How to manage the Apache web server service

Request the restricted URL to confirm a 403 Forbidden response.

$ curl -i -H 'Host: host.example.net' http://127.0.0.1/forbid/
HTTP/1.1 403 Forbidden
Date: Sat, 10 Jan 2026 05:43:59 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 281
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.58 (Ubuntu) Server at host.example.net Port 80</address>
</body></html>

A 404 response usually indicates the URL does not map to the intended filesystem directory.

Check the Apache error log for an authorization denial entry.

$ sudo tail -n 10 /var/log/apache2/error.log
##### snipped #####
[Sat Jan 10 13:43:59.564867 2026] [authz_core:error] [pid 8367:tid 253133136851232] [client 127.0.0.1:44368] AH01630: client denied by server configuration: /var/www/html/forbid/

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.