Control de Acceso

Idiomas disponibles: en | + es | + fr

+ +

El control de acceso, hace referencia a todos los medios que proporcionan + una forma de controlar el acceso a cualquier recurso. Esta parte está + separada de autenticación y autorización.

Módulos y Directivas relacionados
Control de Acceso por host
Access control by arbitrary variables
Access control with mod_rewrite
More information

Consulte también

Comentarios

Módulos y Directivas relacionados

+ +

El control de acceso puede efectuarse mediante diferentes módulos. Los + más importantes de éstos son mod_authz_core y + mod_authz_host. También se habla en este documento de + el control de acceso usando el módulo mod_rewrite.

+ +

Control de Acceso por host

+ Si lo que se quiere es restringir algunas zonas del sitio web, basándonos + en la dirección del visitante, esto puede ser realizado de manera + fácil con el módulo mod_authz_host. +

+ +

La directiva Require + proporciona una variedad de diferentes maneras de permitir o denegar el acceso a los recursos. Además puede ser usada junto con las directivas:RequireAll, RequireAny, y RequireNone, estos requerimientos pueden + ser combinados de forma compleja y arbitraria, para cumplir cualquiera que + sean tus políticas de acceso.

+ +

+ Las directivas Allow, + Deny, y + Order, + proporcionadas por mod_access_compat, están obsoletas y + serán quitadas en futuras versiones. Deberá evitar su uso, y también + los tutoriales desactualizaos que recomienden su uso. +

+ +

El uso de estas directivas es:

+ +

Require host address
+Require ip ip.address
+

+ + +

En la primera formaIn the first form, address is a fully qualified + domain name (or a partial domain name); you may provide multiple + addresses or domain names, if desired.

+ +

In the second form, ip.address is an IP address, a + partial IP address, a network/netmask pair, or a network/nnn CIDR + specification. Either IPv4 or IPv6 addresses may be used.

+ +

See the + mod_authz_host documentation for further examples of this + syntax.

+ +

You can insert not to negate a particular requirement. + Note, that since a not is a negation of a value, it cannot + be used by itself to allow or deny a request, as not true + does not constitute false. Thus, to deny a visit using a negation, + the block must have one element that evaluates as true or false. + For example, if you have someone spamming your message + board, and you want to keep them out, you could do the + following:

+ +

<RequireAll>
+    Require all granted
+    Require not ip 10.252.46.165
+</RequireAll>

+ + +

Visitors coming from that address (10.252.46.165) + will not be able to see the content covered by this directive. If, + instead, you have a machine name, rather than an IP address, you + can use that.

+ +

Require not host host.example.com
+

+ + +

And, if you'd like to block access from an entire domain, + you can specify just part of an address or domain name:

+ +

Require not ip 192.168.205
+Require not host phishers.example.com moreidiots.example
+Require not host gov

+ + +

Use of the RequireAll, RequireAny, and RequireNone directives may be + used to enforce more complex sets of requirements.

+ +

Access control by arbitrary variables

+ +

Using the <If>, + you can allow or deny access based on arbitrary environment + variables or request header values. For example, to deny access + based on user-agent (the browser type) you might do the + following:

+ +

<If "%{HTTP_USER_AGENT} == 'BadBot'">
+    Require all denied
+</If>

+ + +

Using the Require + expr syntax, this could also be written as:

+ + +

Require expr %{HTTP_USER_AGENT} != 'BadBot'

+ + +

Warning:

Access control by User-Agent is an unreliable technique, + since the User-Agent header can be set to anything at all, + at the whim of the end user.

+ +

See the expressions document for a + further discussion of what expression syntaxes and variables are + available to you.

+ +

Access control with mod_rewrite

+ +

The [F] RewriteRule flag causes a 403 Forbidden + response to be sent. Using this, you can deny access to a resource based + on arbitrary criteria.

+ +

For example, if you wish to block access to a resource between 8pm + and 6am, you can do this using mod_rewrite.

+ +

RewriteEngine On
+RewriteCond "%{TIME_HOUR}" ">=20" [OR]
+RewriteCond "%{TIME_HOUR}" "<07"
+RewriteRule "^/fridge"     "-"       [F]

+ + +

This will return a 403 Forbidden response for any request after 8pm + or before 7am. This technique can be used for any criteria that you wish + to check. You can also redirect, or otherwise rewrite these requests, if + that approach is preferred.

+ +

The <If> directive, + added in 2.4, replaces many things that mod_rewrite has + traditionally been used to do, and you should probably look there first + before resorting to mod_rewrite.

+ +

More information

+ +

The expression engine gives you a + great deal of power to do a variety of things based on arbitrary + server variables, and you should consult that document for more + detail.

+ +

Also, you should read the mod_authz_core + documentation for examples of combining multiple access requirements + and specifying how they interact.

+ +

See also the Authentication and Authorization + howto.

Control de Acceso

Consulte también

Módulos y Directivas relacionados

Control de Acceso por host

Access control by arbitrary variables

Warning:

Access control with mod_rewrite

More information

Comentarios