You are running an Apache server. You need to restrict access to certain folders by IP addresses.
Solution to 1st problem:
Use .htacess to deny all access to that folder, then allow certain hosts/IP addresses.
AuthName "simoncpu's dark secret"
<Limit GET POST>
deny from all
allow from 10.0.0.
allow from .example.org
allow from this.is.an.example.invalid
Your Apache is behind a proxy such as nginx. All requests to your Apache server appear to originate from your proxy.
Solution to 2nd problem:
Install mod_rpaf and restart your web server. .htaccess will now correctly restrict access to your folders. Refer to its web page for installation instructions.