Access Control

Available Languages: en

+ +

Access control refers to any means of controlling access to any + resource. This is separate from authentication and authorization.

Related Modules and Directives
Access control by host
Access control by environment variable
Access control with mod_rewrite
More information

Related Modules and Directives

+ +

Access control can be done by several different modules. The most +important of these are mod_authz_core and +mod_authz_host. Other modules +discussed in this document include mod_rewrite.

+ +

Access control by host

+ If you wish to restrict access to portions of your site based on the + host address of your visitors, this is most easily done using + mod_authz_host. +

+ +

The Allow and + Deny directives let + you allow and deny access based on the host name, or host + address, of the machine requesting a document. The + Order directive goes + hand-in-hand with these two, and tells Apache in which order to + apply the filters.

+ +

The usage of these directives is:

+ +

+ Require host address + Require ip ip.address +

+ +

In the first form, address is a fully qualified + domain name (or a partial domain name); you may provide multiple + addresses or domain names, if desired.

+ +

In the second form, ip.address is an IP address, a + partial IP address, a network/netmask pair, or a network/nnn CIDR + specification. Either IPv4 or IPv6 addresses may be used.

+ +

For example, if you have someone spamming your message + board, and you want to keep them out, you could do the + following:

+ +

+ Require not ip 10.252.46.165 +

+ +

Visitors coming from that address will not be able to see + the content covered by this directive. If, instead, you have a + machine name, rather than an IP address, you can use that.

+ +

+ Require not host host.example.com +

+ +

And, if you'd like to block access from an entire domain, + you can specify just part of an address or domain name:

+ +

+ Require not ip 192.168.205 + Require not host phishers.example.com moreidiots.example + Require not gov +

+ +

Use of the RequireAll, RequireAny, and RequireNone directives may be + used to enforce more complex sets of requirements.

+ +

Access control by environment variable

+ +

Using the <If>, + you can allow or deny access based on arbitrary environment + variables or request header values. For example, to deny access + based on user-agent (the browser type) you might do the + following:

+ +

+ <If "%{HTTP_USER_AGENT} = 'BadBot'"> + + Require All Denied + + </If> +

+ +

Warning:

Access control by User-Agent is an unreliable technique, + since the User-Agent header can be set to anything at all, + at the whim of the end user.

+ +

See the expressions document for a + further discussion of what expression syntaxes and variables are + available to you.

+ +

Access control with mod_rewrite

+ +

The [F] RewriteRule flag causes a 403 Forbidden +response to be sent. Using this, you can deny access to a resource based +on arbitrary criteria.

+ +

For example, if you wish to block access to a resource between 8pm +and 6am, you can do this using mod_rewrite.

+ +

+RewriteEngine On +RewriteCond %{TIME_HOUR} >20 [OR] +RewriteCond %{TIME_HOUR} <07 +RewriteRule ^/fridge - [F] +

+ +

This will return a 403 Forbidden response for any request after 8pm +or before 7am. This technique can be used for any criteria that you wish +to check. You can also redirect, or otherwise rewrite these requests, if +that approach is preferred.

+ +

More information

You should also read the documentation for + mod_auth_basic and mod_authz_host which + contain some more information about how this all works. + mod_authn_alias can also help in simplifying certain + authentication configurations.

+ +

See the Authentication and Authorization + howto.