diff --git a/templates/vhost.conf b/templates/vhost.conf
index d3f21a569adfe85ec978a07b7e3c7a57471fb7bd..9dc30624f531709d7bd25abc6d1a379973ecee4e 100644
--- a/templates/vhost.conf
+++ b/templates/vhost.conf
@@ -90,18 +90,33 @@
     AuthType {{ drupal_domain.apache_auth.type }}
     AuthName "{{ drupal_domain.apache_auth.name }}"
     AuthUserFile {{ webRoot }}/passwords/{{ drupal_domain.apache_auth.user }}
-{% if drupal_domain.apache_auth.extra_users is defined %}
+{% if drupal_domain.apache_auth.ips is defined %}
+{% for ip in drupal_domain.apache_auth.ips %}
+    SetEnvIF X-Forwarded-For ^{{ ip|regex_escape() }}$ AllowIP
+{% endfor %}
+{% endif %}
+{% if drupal_domain.apache_auth.extra_users is defined or drupal_domain.apache_auth.ips is defined %}
     <RequireAny>
+{% if drupal_domain.apache_auth.extra_users is defined %}
 {% for user in drupal_domain.apache_auth.extra_users %}
+{% if user.expression is defined %}
       <RequireAll>
         Require expr "{{ user.expression }}"
         Require user {{ user.user }}
       </RequireAll>
+{% else %}
+      Require user {{ user.user }}
+{% endif %}
 {% endfor %}
-      <RequireAll>
-        Require {% if drupal_domain.apache_auth.password is defined %}user {{ drupal_domain.apache_auth.user }}{% else %}all granted{% endif %}
+{% endif %}
+{% if drupal_domain.apache_auth.ips is defined %}
+      Require env AllowIP
+{% for ip in drupal_domain.apache_auth.ips %}
+      Require ip {{ ip }}
+{% endfor %}
+{% endif %}
+      Require {% if drupal_domain.apache_auth.password is defined %}user {{ drupal_domain.apache_auth.user }}{% else %}all granted{% endif %}
 
-      </RequireAll>
     </RequireAny>
 {% else %}
     Require user {{ drupal_domain.apache_auth.user }}