Access Control
The mod_access module, enabled by default, lets you restrict access to resources based on parameters of the client request, such as the presence of a specific header or the IP address or hostname of the client.
Access Rules
You can specify access rules using the Allow and Deny directives. Each of these directives takes a list of arguments such as IP addresses, environment variables, and domain names.
IP Addresses
You can deny or grant access to a client based on its IP address:
Allow from 10.0.0.1 10.0.0.2 10.0.0.3
You can also specify IP address ranges, with a partial IP address or a network/mask pair.
A Partial IP Address
You can specify the first one, two, or three bytes of an IP address. Any IP address containing those will match this rule. For example, the rule
Deny from 10.0
will match any address starting with 10.0, such as 10.0.1.0 and 10.0.0.1.
A Network/Mask Pair
The IP address specifies the network and the mask specifies which bits belong to the network prefix and which ones belong to the nodes.
Allow from 10.0.0.0/255.255.255.0
will match IP addresses 10.0.0.1, 10.0.0.2, and so on, to 10.0.0.254.
You can also specify the network mask via high-order bits. For example, the previous rule could be written as
Allow from 10.0.0.0/24
Domain Name
You can control access based on specific hostnames or partial domain names. For example, Allow from example.com will match www.example.com, foo.example.com, and so on.
NOTE
Enabling access rules based on domain names will force Apache to do a reverse DNS lookup on the client address, bypassing the settings of the HostNameLookups directive. The HostNameLookups directive is described in Hour 8, "Logging and Monitoring." This has performance implications.
Environment Variables
You can specify access rules based on the presence of a certain environment variable, prefixing the name of the variable with env=. You can use this feature to grant or deny access to certain browsers or browser versions, to prevent specific sites from linking to your resources, and so on. Listing 7.4 shows you how to implement browser blocking.
Listing 7.4 Using Environment Variables to Restrict Access
BrowserMatch MSIE iexplorer
Deny from env=iexplorer
Note that, for this example to work as intended, the client needs to transmit the User-Agent header. Because this header is supplied by the client, it can be omitted or manipulated, but most users will not do so, and the technique will work in most cases.
How to set environment variables is explained in Hour 9, "Content Negotiation and Environment Variables."
All Clients
The keyword all matches all clients. You can specify Allow from all or Deny from all to grant or deny access to all clients.
Access Rules Evaluation
You can have several Allow and Deny access rules. You can choose the order in which the rules are evaluated by using the Order directive. Rules that are evaluated later have higher precedence. Order accepts one argument, which can be Deny,Allow, Allow,Deny, or Mutual-Failure. Deny,Allow is the default value for the Order directive. Note that there is no space in the value.
Deny,Allow
Deny,Allow specifies that Deny directives are evaluated before Allow directives. With Deny,Allow, the client is granted access by default if there are no Allow or Deny directives or the client does not match any of the rules. If the client matches a Deny rule, it will be denied access unless it also matches an Allow rule, which will take precedence because Allow directives are evaluated last and have greater priority.
Listing 7.5 shows how to configure Apache to allow access to the /private location to clients coming from the internal network or the domain example.com and deny access to everyone else.
Listing 7.5 Sample Access Control Configuration
<Location /private>
    Order Deny,Allow
    Allow from 10.0.0.0/255.255.255.0 example.com
    Deny from all
</Location>
Allow,Deny
Allow,Deny specifies that Allow directives are evaluated before Deny directives. With Allow,Deny, the client is denied access by default if there are no Allow or Deny directives or if the client does not match any of the rules. If the client matches an Allow rule, it will be granted access unless it also matches a Deny rule, which will take precedence.
Note that the presence of Order Allow,Deny without any Allow or Deny rules will cause all requests to the specified resource to be denied because the default behavior is to deny access.
Listing 7.6 allows access to everyone except a specific host.
Listing 7.6 Sample Access Control Configuration
<Location /some/location/>
    Order Allow,Deny
    Allow from all
    Deny from host.example.com
</Location>
Mutual-Failure
In this case, the host will be granted access only if it matches an Allow directive and does not match any Deny directive.
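To make the three Order semantics concrete, here is an added Python model (not code from this book or from Apache itself) that parses the Order, Allow and Deny lines of a Location block and decides whether a client IPv4 address is granted access. It handles all, network/mask and CIDR pairs, full and partial addresses, and treats domain-name arguments as non-matching because it performs no reverse DNS lookup; the sample block is a constructed copy of Listing 7.5.

```python
import ipaddress

def ip_matches(client_ip, pattern):
    """Match one Allow/Deny argument against a client IPv4 address.
    Handles 'all', network/mask or CIDR, a full address, and a partial
    dotted prefix (1-3 octets, matched on octet boundaries). Hostname
    arguments need a reverse DNS lookup and are not modeled here."""
    if pattern == "all":
        return True
    if not pattern.replace(".", "").replace("/", "").isdigit():
        return False  # domain-name rule: out of scope for this model
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        # ipaddress accepts both 10.0.0.0/24 and 10.0.0.0/255.255.255.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    return client_ip.split(".")[:len(octets)] == octets

def parse_rules(block):
    """Pull Order/Allow/Deny out of the body of a Location block.
    Order defaults to Deny,Allow when absent, as described in the text."""
    order, allow, deny = "Deny,Allow", [], []
    for line in block.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "order":
            order = parts[1]
        elif (len(parts) >= 3 and parts[0].lower() in ("allow", "deny")
              and parts[1].lower() == "from"):
            (allow if parts[0].lower() == "allow" else deny).extend(parts[2:])
    return order, allow, deny

def evaluate(order, allow, deny, client_ip):
    """Return True if the client is granted access under the given Order."""
    allowed = any(ip_matches(client_ip, p) for p in allow)
    denied = any(ip_matches(client_ip, p) for p in deny)
    order = order.lower()
    if order == "deny,allow":
        return allowed or not denied   # default allow; Allow overrides Deny
    if order in ("allow,deny", "mutual-failure"):
        return allowed and not denied  # default deny; Deny overrides Allow
    raise ValueError("unknown Order value: " + order)

def check(block, client_ip):
    """Evaluate a whole config block body for one client IP."""
    return evaluate(*parse_rules(block), client_ip)

# Constructed sample: the directives from Listing 7.5
LISTING_7_5 = """
Order Deny,Allow
Allow from 10.0.0.0/255.255.255.0 example.com
Deny from all
"""
```

Running check(LISTING_7_5, ip) for an internal and an external address shows the Deny from all being overridden only for the internal network, and swapping in Order Allow,Deny with no rules shows the default-deny behaviour noted above.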