1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
|
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<!-- $LastChangedRevision: 675570 $ -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<manualpage metafile="access.xml.meta">
<parentdocument href="./">How-To / Tutorials</parentdocument>
<title>Access Control</title>
<summary>
<p>Access control refers to any means of controlling access to any
resource. This is separate from <a
href="auth.html">authentication and authorization</a>.</p>
</summary>
<section id="related"><title>Related Modules and Directives</title>
<p>Access control can be done by several different modules. The most
important of these are <module>mod_authz_core</module> and
<module>mod_authz_host</module>. Other modules
discussed in this document include <module>mod_rewrite</module>.</p>
</section>
<section id="host"><title>Access control by host</title>
<p>
If you wish to restrict access to portions of your site based on the
host address of your visitors, this is most easily done using
<module>mod_authz_host</module>.
</p>
<p>The <directive module="mod_authz_host">Allow</directive> and
<directive module="mod_authz_host">Deny</directive> directives let
you allow and deny access based on the host name, or host
address, of the machine requesting a document. The
<directive module="mod_authz_host">Order</directive> directive goes
hand-in-hand with these two, and tells Apache in which order to
apply the filters.</p>
<p>The usage of these directives is:</p>
<example>
Require host <var>address</var><br />
Require ip <var>ip.address</var>
</example>
<p>In the first form, <var>address</var> is a fully qualified
domain name (or a partial domain name); you may provide multiple
addresses or domain names, if desired.</p>
<p>In the second form, <var>ip.address</var> is an IP address, a
partial IP address, a network/netmask pair, or a network/nnn CIDR
specification. Either IPv4 or IPv6 addresses may be used.</p>
<p>For example, if you have someone spamming your message
board, and you want to keep them out, you could do the
following:</p>
<example>
Require not ip 10.252.46.165
</example>
<p>Visitors coming from that address will not be able to see
the content covered by this directive. If, instead, you have a
machine name, rather than an IP address, you can use that.</p>
<example>
Require not host <var>host.example.com</var>
</example>
<p>And, if you'd like to block access from an entire domain,
you can specify just part of an address or domain name:</p>
<example>
Require not ip <var>192.168.205</var><br />
Require not host <var>phishers.example.com</var> <var>moreidiots.example</var><br />
Require not gov
</example>
<p>Use of the <directive
module="mod_authz_core">RequireAll</directive>, <directive
module="mod_authz_core">RequireAny</directive>, and <directive
module="mod_authz_core">RequireNone</directive> directives may be
used to enforce more complex sets of requirements.</p>
</section>
<section id="env"><title>Access control by environment variable</title>
<p>Using the <directive type="section" module="core">If</directive>,
you can allow or deny access based on arbitrary environment
variables or request header values. For example, to deny access
based on user-agent (the browser type) you might do the
following:</p>
<example>
<If "%{HTTP_USER_AGENT} = 'BadBot'"><br />
<indent>
Require All Denied<br />
</indent>
</If>
</example>
<note><title>Warning:</title>
<p>Access control by <code>User-Agent</code> is an unreliable technique,
since the <code>User-Agent</code> header can be set to anything at all,
at the whim of the end user.</p>
</note>
<p>See <a href="../expr.html">the expressions document</a> for a
further discussion of what expression syntaxes and variables are
available to you.</p>
</section>
<section id="rewrite"><title>Access control with mod_rewrite</title>
<p>The <code>[F]</code> <directive
module="mod_rewrite">RewriteRule</directive> flag causes a 403 Forbidden
response to be sent. Using this, you can deny access to a resource based
on arbitrary criteria.</p>
<p>For example, if you wish to block access to a resource between 8pm
and 6am, you can do this using <module>mod_rewrite</module>.</p>
<example>
RewriteEngine On<br />
RewriteCond %{TIME_HOUR} >20 [OR]<br />
RewriteCond %{TIME_HOUR} <07<br />
RewriteRule ^/fridge - [F]
</example>
<p>This will return a 403 Forbidden response for any request after 8pm
or before 7am. This technique can be used for any criteria that you wish
to check. You can also redirect, or otherwise rewrite these requests, if
that approach is preferred.</p>
</section>
<section id="moreinformation"><title>More information</title>
<p>You should also read the documentation for
<module>mod_auth_basic</module> and <module>mod_authz_host</module> which
contain some more information about how this all works.
<module>mod_authn_alias</module> can also help in simplifying certain
authentication configurations.</p>
<p>See the <a href="auth.html">Authentication and Authorization</a>
howto.</p>
</section>
</manualpage>
|
