Apache HTTP Server Version 2.2
Access Control
Access control refers to any means of controlling access to any resource. This is separate from authentication and authorization.
Related Modules and Directives
Access control can be done by several different modules. The most
important of these is mod_authz_host
. Other modules
discussed in this document include mod_setenvif
and
mod_rewrite
.
Access control by host
If you wish to restrict access to portions of your site based on the
host address of your visitors, this is most easily done using
mod_authz_host
.
The Allow
and
Deny
directives let
you allow and deny access based on the host name, or host
address, of the machine requesting a document. The
Order
directive goes
hand-in-hand with these two, and tells Apache in which order to
apply the filters.
The usage of these directives is:
Allow from address
where address is an IP address (or a partial IP address) or a fully qualified domain name (or a partial domain name); you may provide multiple addresses or domain names, if desired.
For example, if you have someone spamming your message board, and you want to keep them out, you could do the following:
Deny from 10.252.46.165
Visitors coming from that address will not be able to see the content covered by this directive. If, instead, you have a machine name, rather than an IP address, you can use that.
Deny from host.example.com
And, if you'd like to block access from an entire domain, you can specify just part of an address or domain name:
Deny from 192.168.205
Deny from phishers.example.com moreidiots.example
Deny from ke
Using Order
will let you
be sure that you are actually restricting things to the group that you want
to let in, by combining a Deny
and an Allow
directive:
Order deny,allow
Deny from all
Allow from dev.example.com
Listing just the Allow
directive would not do what you want, because it will let folks from that
host in, in addition to letting everyone in. What you want is to let
only those folks in.
Access control by environment variable
mod_authz_host
, in conjunction with
mod_setenvif
, can be used to restrict access to
your website based on the value of arbitrary environment variables.
This is done with the Allow from env=
and Deny
from env=
syntax.
SetEnvIf User-Agent BadBot GoAway=1
Order allow,deny
Allow from all
Deny from env=GoAway
Warning:
Access control by User-Agent
is an unreliable technique,
since the User-Agent
header can be set to anything at all,
at the whim of the end user.
In the above example, the environment variable GoAway
is set to 1
if the User-Agent
matches the
string BadBot
. Then we deny access for any request when
this variable is set. This blocks that particular user agent from
the site.
An environment variable test can be negated using the =!
syntax:
Allow from env=!GoAway
Access control with mod_rewrite
The [F]
RewriteRule
flag causes a 403 Forbidden
response to be sent. Using this, you can deny access to a resource based
on arbitrary criteria.
For example, if you wish to block access to a resource between 8pm
and 6am, you can do this using mod_rewrite
.
RewriteEngine On
RewriteCond %{TIME_HOUR} >20 [OR]
RewriteCond %{TIME_HOUR} <07
RewriteRule ^/fridge - [F]
This will return a 403 Forbidden response for any request after 8pm or before 7am. This technique can be used for any criteria that you wish to check. You can also redirect, or otherwise rewrite these requests, if that approach is preferred.
More information
You should also read the documentation for
mod_auth_basic
and mod_authz_host
which
contain some more information about how this all works.
mod_authn_alias
can also help in simplifying certain
authentication configurations.
See the Authentication and Authorization howto.