1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
4 <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7 This file is generated from xml source: DO NOT EDIT
8 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
10 <title>mod_authz_host - Apache HTTP Server Version 2.5</title>
11 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
12 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
13 <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
14 <script src="../style/scripts/prettify.min.js" type="text/javascript">
17 <link href="../images/favicon.ico" rel="shortcut icon" /></head>
19 <div id="page-header">
20 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
21 <p class="apache">Apache HTTP Server Version 2.5</p>
22 <img alt="" src="../images/feather.png" /></div>
23 <div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
25 <a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.5</a> > <a href="./">Modules</a></div>
26 <div id="page-content">
27 <div id="preamble"><h1>Apache Module mod_authz_host</h1>
29 <p><span>Available Languages: </span><a href="../en/mod/mod_authz_host.html" title="English"> en </a> |
30 <a href="../fr/mod/mod_authz_host.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
32 <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Group authorizations based on host (name or IP
34 <tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
35 <tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>authz_host_module</td></tr>
36 <tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_authz_host.c</td></tr>
37 <tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>The <code>forward-dns</code> provider was addded in 2.4.19</td></tr></table>
40 <p>The authorization providers implemented by <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code> are
41 registered using the <code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code>
42 directive. The directive can be referenced within a
43 <code class="directive"><a href="../mod/core.html#directory"><Directory></a></code>,
44 <code class="directive"><a href="../mod/core.html#files"><Files></a></code>,
45 or <code class="directive"><a href="../mod/core.html#location"><Location></a></code> section
46 as well as <code><a href="core.html#accessfilename">.htaccess</a>
47 </code> files to control access to particular parts of the server.
48 Access can be controlled based on the client hostname or IP address.</p>
50 <p>In general, access restriction directives apply to all
51 access methods (<code>GET</code>, <code>PUT</code>,
52 <code>POST</code>, etc). This is the desired behavior in most
53 cases. However, it is possible to restrict some methods, while
54 leaving other methods unrestricted, by enclosing the directives
55 in a <code class="directive"><a href="../mod/core.html#limit"><Limit></a></code> section.</p>
57 <div id="quickview"><h3>Topics</h3>
59 <li><img alt="" src="../images/down.gif" /> <a href="#requiredirectives">The Require Directives</a></li>
60 </ul><h3 class="directives">Directives</h3>
61 <p>This module provides no
63 <h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&list_id=144532&product=Apache%20httpd-2&query_format=specific&order=changeddate%20DESC%2Cpriority%2Cbug_severity&component=mod_authz_host">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&component=mod_authz_host">Report a bug</a></li></ul><h3>See also</h3>
65 <li><a href="../howto/auth.html">Authentication, Authorization,
66 and Access Control</a></li>
67 <li><code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code></li>
68 <li><a href="#comments_section">Comments</a></li></ul></div>
69 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
71 <h2><a name="requiredirectives" id="requiredirectives">The Require Directives</a><a title="Permanent link" href="#requiredirectives" class="permalink">¶</a></h2>
73 <p>Apache's <code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code>
74 directive is used during the authorization phase to ensure that a user is allowed or
75 denied access to a resource. mod_authz_host extends the
76 authorization types with <code>ip</code>, <code>host</code>,
77 <code>forward-dns</code> and <code>local</code>.
78 Other authorization types may also be
79 used but may require that additional authorization modules be loaded.</p>
81 <p>These authorization providers affect which hosts can
82 access an area of the server. Access can be controlled by
83 hostname, IP Address, or IP Address range.</p>
85 <p>Since v2.4.8, <a href="../expr.html">expressions</a> are supported
86 within the host require directives.</p>
88 <h3><a name="reqip" id="reqip">Require ip</a></h3>
90 <p>The <code>ip</code> provider allows access to the server
91 to be controlled based on the IP address of the remote client.
92 When <code>Require ip <var>ip-address</var></code> is specified,
93 then the request is allowed access if the IP address matches.</p>
95 <p>A full IP address:</p>
97 <pre class="prettyprint lang-config">Require ip 10.1.2.3
98 Require ip 192.168.1.104 192.168.1.205</pre>
101 <p>An IP address of a host allowed access</p>
103 <p>A partial IP address:</p>
105 <pre class="prettyprint lang-config">Require ip 10.1
106 Require ip 10 172.20 192.168.2</pre>
108 <p>The first 1 to 3 bytes of an IP address, for subnet
111 <p>A network/netmask pair:</p>
113 <pre class="prettyprint lang-config">Require ip 10.1.0.0/255.255.0.0</pre>
115 <p>A network a.b.c.d, and a netmask w.x.y.z. For more
116 fine-grained subnet restriction.</p>
118 <p>A network/nnn CIDR specification:</p>
120 <pre class="prettyprint lang-config">Require ip 10.1.0.0/16</pre>
122 <p>Similar to the previous case, except the netmask consists of
123 nnn high-order 1 bits.</p>
125 <p>Note that the last three examples above match exactly the
126 same set of hosts.</p>
128 <p>IPv6 addresses and IPv6 subnets can be specified as shown
131 <pre class="prettyprint lang-config">Require ip 2001:db8::a00:20ff:fea7:ccea
132 Require ip 2001:db8:1:1::a
133 Require ip 2001:db8:2:1::/64
134 Require ip 2001:db8:3::/48</pre>
137 <p>Note: As the IP addresses are parsed on startup, expressions are
138 not evaluated at request time.</p>
142 <h3><a name="reqhost" id="reqhost">Require host</a></h3>
144 <p>The <code>host</code> provider allows access to the server
145 to be controlled based on the host name of the remote client.
146 When <code>Require host <var>host-name</var></code> is specified,
147 then the request is allowed access if the host name matches.</p>
149 <p>A (partial) domain-name</p>
151 <pre class="prettyprint lang-config">Require host example.org
152 Require host .net example.edu</pre>
155 <p>Hosts whose names match, or end in, this string are allowed
156 access. Only complete components are matched, so the above
157 example will match <code>foo.example.org</code> but it will not
158 match <code>fooexample.org</code>. This configuration will cause
159 Apache to perform a double reverse DNS lookup on the client IP
160 address, regardless of the setting of the <code class="directive"><a href="../mod/core.html#hostnamelookups">HostnameLookups</a></code> directive. It will do
161 a reverse DNS lookup on the IP address to find the associated
162 hostname, and then do a forward lookup on the hostname to assure
163 that it matches the original IP address. Only if the forward
164 and reverse DNS are consistent and the hostname matches will
165 access be allowed.</p>
169 <h3><a name="reqfwddns" id="reqfwddns">Require forward-dns</a></h3>
171 <p>The <code>forward-dns</code> provider allows access to the server
172 to be controlled based on simple host names. When
173 <code>Require forward-dns <var>host-name</var></code> is specified,
174 all IP addresses corresponding to <code><var>host-name</var></code>
175 are allowed access.</p>
177 <p>In contrast to the <code>host</code> provider, this provider does not
178 rely on reverse DNS lookups: it simply queries the DNS for the host name
179 and allows a client if its IP matches. As a consequence, it will only
180 work with host names, not domain names. However, as the reverse DNS is
181 not used, it will work with clients which use a dynamic DNS service.</p>
183 <pre class="prettyprint lang-config">Require forward-dns bla.example.org</pre>
186 <p>A client the IP of which is resolved from the name
187 <code>bla.example.org</code> will be granted access.</p>
189 <p>The <code>forward-dns</code> provider was added in 2.4.19.</p>
192 <h3><a name="reqlocal" id="reqlocal">Require local</a></h3>
194 <p>The <code>local</code> provider allows access to the server if any
195 of the following conditions is true:</p>
198 <li>the client address matches 127.0.0.0/8</li>
199 <li>the client address is ::1</li>
200 <li>both the client and the server address of the connection are
204 <p>This allows a convenient way to match connections that originate from
207 <pre class="prettyprint lang-config">Require local</pre>
212 <h3><a name="proxy" id="proxy">Security Note</a></h3>
214 <p>If you are proxying content to your server, you need to be aware
215 that the client address will be the address of your proxy server,
216 not the address of the client, and so using the <code>Require</code>
217 directive in this context may not do what you mean. See
218 <code class="module"><a href="../mod/mod_remoteip.html">mod_remoteip</a></code> for one possible solution to this
225 <div class="bottomlang">
226 <p><span>Available Languages: </span><a href="../en/mod/mod_authz_host.html" title="English"> en </a> |
227 <a href="../fr/mod/mod_authz_host.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
228 </div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
229 <script type="text/javascript"><!--//--><![CDATA[//><!--
230 var comments_shortname = 'httpd';
231 var comments_identifier = 'http://httpd.apache.org/docs/trunk/mod/mod_authz_host.html';
233 if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
234 d.write('<div id="comments_thread"><\/div>');
235 var s = d.createElement('script');
236 s.type = 'text/javascript';
238 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
239 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
242 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
244 })(window, document);
245 //--><!]]></script></div><div id="footer">
246 <p class="apache">Copyright 2018 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
247 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
248 if (typeof(prettyPrint) !== 'undefined') {