Restricting AM REST Administration to Certain IP Addresses Using Apache mod_rewrite Module


There are numerous ways to restrict and protect REST calls by implementing the correct logic in the proxy layer. ForgeRock® Identity Gateway (IG) or an API Gateway can be used to accomplish this type of use case. The approach I will be discussing uses basic Apache mod_rewrite rules to allow ForgeRock® Access Management (AM) REST administration only from a specific set of IP addresses.


Enable the module

For reference, my lab environment is running the following:

  • Two load-balanced (mod_proxy) AM servers (6.5.x)
  • Apache 2.4.6/CentOS 7

To enable mod_rewrite, navigate to the base configuration file and uncomment the mod_rewrite line if needed.

vi /etc/httpd/conf.modules.d/00-base.conf
LoadModule rewrite_module modules/ 

Configure rewrite rules

A .htaccess file can be created to modify rewrite rules without using the httpd configuration file. Make sure Apache allows the use of this file:

<Directory "/var/www">
 # Let .htaccess files in this tree override the directives set here
 AllowOverride All
 # Allow open access:
 Require all granted
</Directory>

The rewrite rules for this exercise are defined as:

<Location /openam652/>
RewriteEngine On
# Condition 1: the request carries an X-OpenAM-Username header containing "amadmin" (case-insensitive)
RewriteCond %{HTTP:X-OpenAM-Username} amadmin [NC]
# Condition 2: the client address is NOT the admin host; the trailing $ anchors the match
# so that addresses such as 192.168.1.70 are not accepted as a prefix match
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.7$
# Both conditions true: answer 403 and stop processing further rules
RewriteRule . - [R=403,L]
</Location>

As part of the above rule/condition, I have included the X-OpenAM-Username header so that any request containing 'amadmin' is blocked with a 403, except from IP

Note: You can use the LocationMatch directive for regex matching and enable case-insensitive mode with (?i).
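To check the decision logic of the two RewriteCond lines before touching a live Apache, here is an added Python model (not part of the original post and not Apache code) that evaluates them the way mod_rewrite does: an unanchored, case-insensitive substring match on the header, and a negated regex on REMOTE_ADDR. It also shows the difference a trailing $ anchor makes on the address pattern, which is why the addresses and header names below are constructed sample values.

```python
import re

# Constructed value: the single admin host allowed to send amadmin requests.
ALLOWED_ADMIN_IP = "192.168.1.7"


def get_header(headers: dict, name: str) -> str:
    """HTTP header names are case-insensitive, as they are in %{HTTP:...}."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def should_block(headers: dict, remote_addr: str, anchored: bool = True) -> bool:
    """Return True when the request would receive the 403 from the rule.

    Models:
      RewriteCond %{HTTP:X-OpenAM-Username} amadmin [NC]
      RewriteCond %{REMOTE_ADDR} !^192\\.168\\.1\\.7   (plus '$' when anchored)
    Both conditions must hold for the RewriteRule to fire.
    """
    username = get_header(headers, "X-OpenAM-Username")
    # [NC]: case-insensitive; no anchors, so this is a substring match.
    cond_admin_header = re.search(r"amadmin", username, re.IGNORECASE) is not None

    ip_pattern = r"^" + re.escape(ALLOWED_ADMIN_IP) + (r"$" if anchored else "")
    # Leading '!' negates the condition: true when the address does NOT match.
    cond_not_admin_ip = re.search(ip_pattern, remote_addr) is None

    return cond_admin_header and cond_not_admin_ip


if __name__ == "__main__":
    # Constructed sample requests, as a defender would replay them in a test.
    admin = {"X-OpenAM-Username": "amadmin"}
    print(should_block(admin, "192.168.1.7"))                  # False: allowed host
    print(should_block(admin, "10.0.0.5"))                     # True: blocked
    print(should_block({"x-openam-username": "AMADMIN"}, "10.0.0.5"))  # True: [NC]
    print(should_block({"X-OpenAM-Username": "tuser1"}, "10.0.0.5"))   # False
    # Without the '$' anchor, 192.168.1.70 slips through as a prefix match.
    print(should_block(admin, "192.168.1.70", anchored=False))  # False
    print(should_block(admin, "192.168.1.70", anchored=True))   # True
```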


From IP

curl -X POST -H "X-OpenAM-Username: tuser1" -H "X-OpenAM-Password: Password1" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" -k
curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" -k
<title>403 Forbidden</title>
<p>You don't have permission to access /openam652/json/realms/root/authenticate
on this server.</p>

From IP

curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" -k


The Apache mod_rewrite module is a powerful tool. This example can be used as a stepping stone to develop more advanced, specific rules depending on your requirement or use case. The key here is to allowlist and denylist appropriately.

For more information on how to control access using this module, visit
