From 80db94fff6a9620fb469ee911347ed973e3f7735 Mon Sep 17 00:00:00 2001 From: Stefan Fritsch Date: Tue, 27 Dec 2011 19:42:03 +0100 Subject: Upstream tarball 2.2.3 --- docs/manual/howto/access.html.en | 189 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 189 insertions(+) create mode 100644 docs/manual/howto/access.html.en (limited to 'docs/manual/howto/access.html.en') diff --git a/docs/manual/howto/access.html.en b/docs/manual/howto/access.html.en new file mode 100644 index 00000000..8b94ac9b --- /dev/null +++ b/docs/manual/howto/access.html.en @@ -0,0 +1,189 @@ + + + +Access Control - Apache HTTP Server + + + + + +
<-
+
+Apache > HTTP Server > Documentation > Version 2.2 > How-To / Tutorials

Access Control

+
+

Available Languages:  en 

+
+ +

Access control refers to any means of controlling access to any + resource. This is separate from authentication and authorization.

+
+ +
top
+
+

Related Modules and Directives

+ +

Access control can be done by several different modules. The most +important of these is mod_authz_host. Other modules +discussed in this document include mod_setenvif and +mod_rewrite.

+ +
top
+
+

Access control by host

+

+ If you wish to restrict access to portions of your site based on the + host address of your visitors, this is most easily done using + mod_authz_host. +

+ +

The Allow and + Deny directives let + you allow and deny access based on the host name, or host + address, of the machine requesting a document. The + Order directive goes + hand-in-hand with these two, and tells Apache in which order to + apply the filters.

+ +

The usage of these directives is:

+ +

+ Allow from address +

+ +

where address is an IP address (or a partial IP + address) or a fully qualified domain name (or a partial domain + name); you may provide multiple addresses or domain names, if + desired.

+ +

For example, if you have someone spamming your message + board, and you want to keep them out, you could do the + following:

+ +

+ Deny from 10.252.46.165 +

+ +

Visitors coming from that address will not be able to see + the content covered by this directive. If, instead, you have a + machine name, rather than an IP address, you can use that.

+ +

+ Deny from host.example.com +

+ +

And, if you'd like to block access from an entire domain, + you can specify just part of an address or domain name:

+ +

+ Deny from 192.168.205
+ Deny from phishers.example.com moreidiots.example
+ Deny from ke +

+ +

Using Order will let you + be sure that you are actually restricting things to the group that you want + to let in, by combining a Deny and an Allow directive:

+ +

+ Order deny,allow
+ Deny from all
+ Allow from dev.example.com +

+ +

Listing just the Allow + directive would not do what you want, because it will let folks from that + host in, in addition to letting everyone in. What you want is to let + only those folks in.

+
top
+
+

Access control by environment variable

+ +

+ mod_authz_host, in conjunction with + mod_setenvif, can be used to restrict access to + your website based on the value of arbitrary environment variables. + This is done with the Allow from env= and Deny + from env= syntax. +

+ +

+ SetEnvIf User-Agent BadBot GoAway=1
+ Order allow,deny
+ Allow from all
+ Deny from env=GoAway +

+ +

Warning:

+

Access control by User-Agent is an unreliable technique, + since the User-Agent header can be set to anything at all, + at the whim of the end user.

+
+ +

+ In the above example, the environment variable GoAway + is set to 1 if the User-Agent matches the + string BadBot. Then we deny access for any request when + this variable is set. This blocks that particular user agent from + the site. +

+ +

An environment variable test can be negated using the =! + syntax:

+ +

+ Allow from env=!GoAway +

+ +
top
+
+

Access control with mod_rewrite

+ +

The [F] RewriteRule flag causes a 403 Forbidden +response to be sent. Using this, you can deny access to a resource based +on arbitrary criteria.

+ +

For example, if you wish to block access to a resource between 8pm +and 6am, you can do this using mod_rewrite.

+ +

+RewriteEngine On
+RewriteCond %{TIME_HOUR} > 20 [OR]
+RewriteCond %{TIME_HOUR} < 07
+RewriteRule ^/fridge - [F] +

+ +

This will return a 403 Forbidden response for any request after 8pm +or before 7am. This technique can be used for any criteria that you wish +to check. You can also redirect, or otherwise rewrite these requests, if +that approach is preferred.

+ +
top
+
+

More information

+

You should also read the documentation for + mod_auth_basic and mod_authz_host which + contain some more information about how this all works. + mod_authn_alias can also help in simplifying certain + authentication configurations.

+ +

See the Authentication and Authorization + howto.

+
+
+

Available Languages:  en 

+
+ \ No newline at end of file -- cgit v1.2.3
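Review bot: In the "Access control with mod_rewrite" section the time window is stated three different ways. The lead-in says the resource is blocked "between 8pm and 6am", the paragraph after the example says "after 8pm or before 7am", and the conditions test `%{TIME_HOUR} > 20` and `%{TIME_HOUR} < 07`. A strict greater-than comparison against 20 does not match hour 20, so requests from 8:00pm to 8:59pm are still served, while the less-than 07 test keeps blocking until 6:59am. Please pick one window and make both sentences and both RewriteCond lines agree: either reword the text to the window the rule actually enforces (hours 21 through 06), or change the first condition so that hour 20 is included. Since this page is access-control guidance that readers will copy, it would also help to say that the comparison is on the hour only, so the boundary falls on the whole hour.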