Binding Apache to a specific IP address prevents accidental exposure on the wrong network interface, such as a public NIC, VPN tunnel, or test network. This is useful for internal-only apps, staging environments, and localhost backends that sit behind a reverse proxy.

In Apache HTTP Server, the Listen directive defines which address and port the server binds to for inbound connections. A bare Listen 80 binds on all available addresses, while Listen 192.0.2.40:80 binds only to that single IPv4 address; IPv6 listeners use bracket notation like Listen [2001:db8::10]:80.

The listener address must exist on the host when the service starts, and Apache cannot bind to interface names like eth0—only IP addresses. Listener changes can make a site unreachable until reverted, so keep console or out-of-band access and update every active listener (for example, 80 and 443) including any separate IPv6 Listen lines.

Related: How to modify the listen port for Apache
Related: How to test your Apache configuration
Related: How to manage the Apache web server service

Steps to make Apache listen on a specific IP address:

  1. Identify the IP address on the interface that should accept connections. 
    $ ip -br address
lo               UNKNOWN        127.0.0.1/8 ::1/128
##### snipped #####
eth0             UP             192.0.2.40/24
  2. Find the configuration file that defines the Listen directives. 
    $ sudo grep -R --line-number --extended-regexp '^[[:space:]]*Listen' /etc/apache2
/etc/apache2/ports.conf:5:Listen 80
/etc/apache2/ports.conf:8:	Listen 443
/etc/apache2/ports.conf:12:	Listen 443

    On CentOS and RHEL, Listen is commonly set in /etc/httpd/conf/httpd.conf (or an included file under /etc/httpd/conf.d/).

  3. Open /etc/apache2/ports.conf for editing. 
    $ sudoedit /etc/apache2/ports.conf

    Any editor works; sudoedit keeps the editor running as the unprivileged user while writing the file as root.

  4. Replace the wildcard Listen line with an IP-bound listener. 
    Listen 192.0.2.40:80

    Binding to an unreachable IP can make the site inaccessible over the network until the listener is corrected and the service is restarted.

    Local-only bind uses Listen 127.0.0.1:80, multiple addresses use multiple Listen lines, and IPv6 uses brackets like Listen [2001:db8::10]:80.

  5. Ensure each <VirtualHost> matches a configured listener. 
    <VirtualHost 192.0.2.40:80>
    ##### snipped #####
</VirtualHost>

    <VirtualHost *:80> remains valid when the only listener on port 80 is the intended IP-bound Listen.

  6. Validate the Apache configuration syntax. 
    $ sudo apachectl configtest
Syntax OK

    Some systems use apache2ctl or httpd -t instead of apachectl.

    Related: How to test your Apache configuration

  7. Restart the apache2 service to apply the updated listener. 
    $ sudo systemctl restart apache2

    On CentOS and RHEL, the service name is typically httpd (sudo systemctl restart httpd).

    Related: How to manage the Apache web server service

  8. Confirm Apache is listening on the expected address and port. 
    $ sudo ss -lntp | grep -E '192\.0\.2\.40:80\b'
LISTEN 0      511       192.0.2.40:80        0.0.0.0:*    users:(("apache2",pid=9033,fd=3),("apache2",pid=9032,fd=3),("apache2",pid=9029,fd=3))
  9. Verify the site responds on the bound address. 
    $ curl -sI http://192.0.2.40/
HTTP/1.1 200 OK
Date: Sat, 10 Jan 2026 04:16:16 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Sat, 10 Jan 2026 04:10:01 GMT
ETag: "29af-64800d0d6e15b"
Accept-Ranges: bytes
Content-Length: 10671
Vary: Accept-Encoding
Content-Type: text/html

##### snipped #####

    When binding away from loopback, a local request to http://127.0.0.1/ should fail with connection refused unless a separate Listen 127.0.0.1:80 exists.