From 0543fa40a32ea671c7fdf95f8c51eaeaa50b6abb Mon Sep 17 00:00:00 2001
From: Rich Bowen
Date: Tue, 15 Feb 2011 12:13:54 +0000
Subject: [PATCH] Updates the access control howto for trunk. Could use a lot more examples. The expression doc could use examples, too.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1070859 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/manual/howto/access.xml | 88 ++++++++++++++----------------------
 1 file changed, 35 insertions(+), 53 deletions(-)

diff --git a/docs/manual/howto/access.xml b/docs/manual/howto/access.xml
index c16d29a725..7d67c9a520 100644
--- a/docs/manual/howto/access.xml
+++ b/docs/manual/howto/access.xml
@@ -34,9 +34,9 @@ @@ -58,20 +58,24 @@ discussed in this document include mod_setenvif and

The usage of these directives is:

- Allow from address + Require host address
+ Require ip ip.address
-

where address is an IP address (or a partial IP - address) or a fully qualified domain name (or a partial domain - name); you may provide multiple addresses or domain names, if - desired.

+

In the first form, address is a fully qualified + domain name (or a partial domain name); you may provide multiple + addresses or domain names, if desired.

+ +

In the second form, ip.address is an IP address, a + partial IP address, a network/netmask pair, or a network/nnn CIDR + specification. Either IPv4 or IPv6 addresses may be used.

For example, if you have someone spamming your message board, and you want to keep them out, you could do the following:

- Deny from 10.252.46.165 + Require not ip 10.252.46.165

Visitors coming from that address will not be able to see @@ -79,51 +83,40 @@ discussed in this document include mod_setenvif and machine name, rather than an IP address, you can use that.

- Deny from host.example.com + Require not host host.example.com

And, if you'd like to block access from an entire domain, you can specify just part of an address or domain name:

- Deny from 192.168.205
- Deny from phishers.example.com moreidiots.example
- Deny from ke + Require not ip 192.168.205
+ Require not host phishers.example.com moreidiots.example
+ Require not gov
-

Using Order will let you - be sure that you are actually restricting things to the group that you want - to let in, by combining a Deny and an Allow directive:

- - - Order deny,allow
- Deny from all
- Allow from dev.example.com -
+

Use of the RequireAll, RequireAny, and RequireNone directives may be + used to enforce more complex sets of requirements.

-

Listing just the Allow - directive would not do what you want, because it will let folks from that - host in, in addition to letting everyone in. What you want is to let - only those folks in.

Access control by environment variable -

- mod_authz_host, in conjunction with - mod_setenvif, can be used to restrict access to - your website based on the value of arbitrary environment variables. - This is done with the Allow from env= and Deny - from env= syntax. -

+

Using the If, + you can allow or deny access based on arbitrary environment + variables or request header values. For example, to deny access + based on user-agent (the browser type) you might do the + following:

- SetEnvIf User-Agent BadBot GoAway=1
- Order allow,deny
- Allow from all
- Deny from env=GoAway + <If "%{HTTP_USER_AGENT} = 'BadBot'">
+ + Require All Denied
+
+ </If>
Warning: @@ -132,20 +125,9 @@ discussed in this document include mod_setenvif and at the whim of the end user.

-

- In the above example, the environment variable GoAway - is set to 1 if the User-Agent matches the - string BadBot. Then we deny access for any request when - this variable is set. This blocks that particular user agent from - the site. -

- -

An environment variable test can be negated using the =! - syntax:

- -

- Allow from env=!GoAway -

+

See the expressions document for a + further discussion of what expression syntaxes and variables are + available to you.
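
Review bot: in the `@@ -58,20 +58,24 @@` hunk, the replacement example `Require not ip 10.252.46.165` is shown as a bare line with nothing that grants access to everyone else. `Deny from` was evaluated against an `Order` policy, but a negated `Require` can only refuse a request, so the example should show the enclosing `<RequireAll>` with `Require all granted` next to the negated line. The new "first form" paragraph also still says "multiple addresses or domain names" although that form now takes host names only.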
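
Review bot: in the `@@ -79,51 +83,40 @@` hunk, `Require not gov` has no provider keyword; as the replacement for `Deny from ke` it should read `Require not host gov`. The `<If>` example compares with `=`, an exact string match, whereas the removed `SetEnvIf User-Agent BadBot GoAway=1` matched `BadBot` as a pattern anywhere in the header, so `<If "%{HTTP_USER_AGENT} =~ /BadBot/">` is the closer translation. The removed `Order deny,allow` example that let in only dev.example.com gets no `Require` equivalent, and the new sentence on RequireAll, RequireAny and RequireNone would be the natural place for one. `Require All Denied` would read more consistently as `Require all denied`.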
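
Review bot: in the `@@ -132,20 +125,9 @@` hunk, the paragraph that explained the example and the negated form (`Allow from env=!GoAway`) are deleted with no counterpart for the new `<If>` block, leaving only a pointer to the expressions document, which the commit message itself says could use examples. Add a sentence stating what the `<If>` condition matches and a negated comparison example, so a reader can still write the allow-list variant from this page alone.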

-- 2.40.0