1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 This file is generated from xml source: DO NOT EDIT
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8 <title>Access Control - Apache HTTP Server</title>
9 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
10 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
11 <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
12 <script src="../style/scripts/prettify.js" type="text/javascript">
15 <link href="../images/favicon.ico" rel="shortcut icon" /></head>
16 <body id="manual-page"><div id="page-header">
17 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
18 <p class="apache">Apache HTTP Server Version 2.5</p>
19 <img alt="" src="../images/feather.gif" /></div>
20 <div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
22 <a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.5</a> > <a href="./">How-To / Tutorials</a></div><div id="page-content"><div id="preamble"><h1>Access Control</h1>
24 <p><span>Available Languages: </span><a href="../en/howto/access.html" title="English"> en </a></p>
27 <p>Access control refers to any means of controlling access to any
28 resource. This is separate from <a href="auth.html">authentication and authorization</a>.</p>
30 <div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#related">Related Modules and Directives</a></li>
31 <li><img alt="" src="../images/down.gif" /> <a href="#host">Access control by host</a></li>
32 <li><img alt="" src="../images/down.gif" /> <a href="#env">Access control by arbitrary variables</a></li>
33 <li><img alt="" src="../images/down.gif" /> <a href="#rewrite">Access control with mod_rewrite</a></li>
34 <li><img alt="" src="../images/down.gif" /> <a href="#moreinformation">More information</a></li>
35 </ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
36 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
38 <h2><a name="related" id="related">Related Modules and Directives</a></h2>
40 <p>Access control can be done by several different modules. The most
41 important of these are <code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code> and
42 <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code>. Also discussed in this document
43 is access control using <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code>.</p>
45 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
47 <h2><a name="host" id="host">Access control by host</a></h2>
49 If you wish to restrict access to portions of your site based on the
50 host address of your visitors, this is most easily done using
51 <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code>.
54 <p>The <code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code>
55 provides a variety of different ways to allow or deny access to
56 resources. In conjunction with the <code class="directive"><a href="../mod/mod_authz_core.html#requireall">RequireAll</a></code>, <code class="directive"><a href="../mod/mod_authz_core.html#requireany">RequireAny</a></code>, and <code class="directive"><a href="../mod/mod_authz_core.html#requirenone">RequireNone</a></code> directives, these
57 requirements may be combined in arbitrarily complex ways, to enforce
58 whatever your access policy happens to be.</p>
60 <div class="warning"><p>
61 The <code class="directive"><a href="../mod/mod_access_compat.html#allow">Allow</a></code>,
62 <code class="directive"><a href="../mod/mod_access_compat.html#deny">Deny</a></code>, and
63 <code class="directive"><a href="../mod/mod_access_compat.html#order">Order</a></code> directives,
64 provided by <code class="module"><a href="../mod/mod_access_compat.html">mod_access_compat</a></code>, are deprecated and
65 will go away in a future version. You should avoid using them, and
66 avoid outdated tutorials recommending their use.
69 <p>The usage of these directives is:</p>
71 <pre class="prettyprint lang-config">
77 <p>In the first form, <var>address</var> is a fully qualified
78 domain name (or a partial domain name); you may provide multiple
79 addresses or domain names, if desired.</p>
81 <p>In the second form, <var>ip.address</var> is an IP address, a
82 partial IP address, a network/netmask pair, or a network/nnn CIDR
83 specification. Either IPv4 or IPv6 addresses may be used.</p>
85 <p>See <a href="../mod/mod_authz_host.html#requiredirectives">the
86 mod_authz_host documentation</a> for further examples of this
89 <p>You can insert <code>not</code> to negate a particular requirement.
90 Note, that since a <code>not</code> is a negation of a value, it cannot
91 be used by itself to allow or deny a request, as <em>not true</em>
92 does not constitute <em>false</em>. Thus, to deny a visit using a negation,
93 the block must have one element that evaluates as true or false.
94 For example, if you have someone spamming your message
95 board, and you want to keep them out, you could do the
98 <pre class="prettyprint lang-config">
101 Require not ip 10.252.46.165
106 <p>Visitors coming from that address (<code>10.252.46.165</code>)
107 will not be able to see the content covered by this directive. If,
108 instead, you have a machine name, rather than an IP address, you
111 <pre class="prettyprint lang-config">Require not host <var>host.example.com</var></pre>
114 <p>And, if you'd like to block access from an entire domain,
115 you can specify just part of an address or domain name:</p>
117 <pre class="prettyprint lang-config">
118 Require not ip 192.168.205
119 Require not host phishers.example.com moreidiots.example
124 <p>Use of the <code class="directive"><a href="../mod/mod_authz_core.html#requireall">RequireAll</a></code>, <code class="directive"><a href="../mod/mod_authz_core.html#requireany">RequireAny</a></code>, and <code class="directive"><a href="../mod/mod_authz_core.html#requirenone">RequireNone</a></code> directives may be
125 used to enforce more complex sets of requirements.</p>
127 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
128 <div class="section">
129 <h2><a name="env" id="env">Access control by arbitrary variables</a></h2>
131 <p>Using the <code class="directive"><a href="../mod/core.html#if"><If></a></code>,
132 you can allow or deny access based on arbitrary environment
133 variables or request header values. For example, to deny access
134 based on user-agent (the browser type) you might do the
137 <pre class="prettyprint lang-config">
138 <If "%{HTTP_USER_AGENT} == 'BadBot'">
144 <div class="note"><h3>Warning:</h3>
145 <p>Access control by <code>User-Agent</code> is an unreliable technique,
146 since the <code>User-Agent</code> header can be set to anything at all,
147 at the whim of the end user.</p>
150 <p>See <a href="../expr.html">the expressions document</a> for a
151 further discussion of what expression syntaxes and variables are
152 available to you.</p>
154 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
155 <div class="section">
156 <h2><a name="rewrite" id="rewrite">Access control with mod_rewrite</a></h2>
158 <p>The <code>[F]</code> <code class="directive"><a href="../mod/mod_rewrite.html#rewriterule">RewriteRule</a></code> flag causes a 403 Forbidden
159 response to be sent. Using this, you can deny access to a resource based
160 on arbitrary criteria.</p>
162 <p>For example, if you wish to block access to a resource between 8pm
163 and 6am, you can do this using <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code>.</p>
165 <pre class="prettyprint lang-config">
167 RewriteCond %{TIME_HOUR} >=20 [OR]
168 RewriteCond %{TIME_HOUR} <07
169 RewriteRule ^/fridge - [F]
173 <p>This will return a 403 Forbidden response for any request after 8pm
174 or before 7am. This technique can be used for any criteria that you wish
175 to check. You can also redirect, or otherwise rewrite these requests, if
176 that approach is preferred.</p>
178 <p>The <code class="directive"><a href="../mod/core.html#if"><If></a></code> directive,
179 added in 2.4, replaces many things that <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> has
180 traditionally been used to do, and you should probably look there first
181 before resorting to mod_rewrite.</p>
183 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
184 <div class="section">
185 <h2><a name="moreinformation" id="moreinformation">More information</a></h2>
187 <p>The <a href="../expr.html">expression engine</a> gives you a
188 great deal of power to do a variety of things based on arbitrary
189 server variables, and you should consult that document for more
192 <p>Also, you should read the <code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code>
193 documentation for examples of combining multiple access requirements
194 and specifying how they interact.</p>
196 <p>See also the <a href="auth.html">Authentication and Authorization</a>
199 <div class="bottomlang">
200 <p><span>Available Languages: </span><a href="../en/howto/access.html" title="English"> en </a></p>
201 </div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
202 <script type="text/javascript"><!--//--><![CDATA[//><!--
203 var comments_shortname = 'httpd';
204 var comments_identifier = 'http://httpd.apache.org/docs/trunk/howto/access.html';
206 if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
207 d.write('<div id="comments_thread"><\/div>');
208 var s = d.createElement('script');
209 s.type = 'text/javascript';
211 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
212 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
215 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
217 })(window, document);
218 //--><!]]></script></div><div id="footer">
219 <p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
220 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
221 if (typeof(prettyPrint) !== 'undefined') {