Blocking IP Addresses using .htaccess IF behind Varnish
If your server is behind Varnish, you may know that Varnish does not pass a user's IP address in the standard fashion. Because of this, blocking IP addresses using your .htaccess file using normal means does not work.
Blocking with .htaccess
If you're using Varnish, you can use the following snippet of code in your .htaccess file to block IP addresses:
order allow,deny SetEnvIF X-Forwarded-For "126.96.36.199" DenyIP Deny from env=DenyIP allow from all
Blocking with APF
Even though this blocks the IP address and returns a 403 forbidden error, apache will still log the user's request. If your server is under a ddos attack, you can block the user's IP address but your apache log file will still be written to. This constant writing to the log file can raise your server load average and affect your server's stability. If you block the IP address with APF using the following command, the request will not hit apache and you can prevent your apache log files from being filled with 403 errors:
apf -d 188.8.131.52