I wanted to have a site only available within my LAN.
The configuration should be as simple as this:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 ::1
Allow from localhost
Allow from 192.168.178
Thanks to monit I found that from time to time (about once a month) my site was accessed from an external IP address.
I checked my configuration over and over again, but did not see anything wrong. Still, I had these occasional external requests coming through.
In the end, I decided to use the authz_host_module with the following configuration:
Require local
Require ip 192.168.178
Require host localhost
Since then, there have been no more reports of external IPs accessing my site.
I still do not quite understand why the original approach failed intermittently, but hey, it is secured now.
Update 2021-12-15
After a while the external IPs appeared again in my log. It seems the above was an "accidental solution", because it required me to restart the Apache web server.
I added a cron job to restart Apache every 24 hrs, hoping that this will "fix" the issue for good. If not, I will post an update.
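A log check for the symptom described above, as an added example that is not part of the original post: it scans access-log lines for clients outside loopback and 192.168.178.0/24 and separates requests that were refused (403) from those that were served. It assumes Apache's default common/combined log format with the client address as the first field; the function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Ranges the configuration above is meant to admit: loopback plus the 192.168.178 LAN.
ALLOWED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "192.168.178.0/24")]

# Assumption: common/combined log format, i.e. client, ident, user, [time], "request", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')

# Constructed sample lines (documentation address ranges), not taken from a real log.
SAMPLE_LOG = """\
192.168.178.20 - - [15/Dec/2021:10:00:01 +0100] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [15/Dec/2021:10:02:13 +0100] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [15/Dec/2021:10:03:40 +0100] "GET /admin HTTP/1.1" 403 199
::ffff:192.168.178.21 - - [15/Dec/2021:10:04:02 +0100] "GET / HTTP/1.1" 200 512
::1 - - [15/Dec/2021:10:05:00 +0100] "GET /server-status HTTP/1.1" 200 900
""".splitlines()

def is_allowed(client):
    """True if client is in an allowed range; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(client)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in ALLOWED)

def find_external(lines):
    """Return (client, time, request, status, served) for every non-LAN client."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, when, request, status = m.groups()
        try:
            if is_allowed(client):
                continue
        except ValueError:
            pass  # a hostname instead of an IP: keep it in the report for manual review
        # 403 means the access rule held; any other status means the request got through.
        findings.append((client, when, request, int(status), status != "403"))
    return findings

if __name__ == "__main__":
    for client, when, request, status, served in find_external(SAMPLE_LOG):
        print("SERVED " if served else "refused", client, when, status, request)
```

Only the "SERVED" rows indicate that the access rule did not apply; refused external requests are expected in the log of any reachable server.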