From f3027cdbc8e418eb1f1ab5c40f91291a7b642270 Mon Sep 17 00:00:00 2001
From: Rich Bowen
Date: Tue, 15 Feb 2011 11:54:27 +0000
Subject: [PATCH] Copies the access control howto from the 2.2 docs. However, it's going to need some work to be appropriate for trunk.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1070853 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/manual/howto/access.xml | 188 +++++++++++++++++++++++++++++++++++
 docs/manual/howto/index.xml  |  12 +++
 2 files changed, 200 insertions(+)
 create mode 100644 docs/manual/howto/access.xml

diff --git a/docs/manual/howto/access.xml b/docs/manual/howto/access.xml new file mode 100644 index 0000000000..c16d29a725 --- /dev/null +++ b/docs/manual/howto/access.xml @@ -0,0 +1,188 @@ + + + + + + + + +How-To / Tutorials + +Access Control + + +

Access control refers to any means of controlling access to any + resource. This is separate from authentication and authorization.

+
+ + + +
Access control by host +

+ If you wish to restrict access to portions of your site based on the + host address of your visitors, this is most easily done using + mod_authz_host. +

+ +

The Allow and + Deny directives let + you allow and deny access based on the host name, or host + address, of the machine requesting a document. The + Order directive goes + hand-in-hand with these two, and tells Apache in which order to + apply the filters.

+ +

The usage of these directives is:

+ + + Allow from address + + +

where address is an IP address (or a partial IP + address) or a fully qualified domain name (or a partial domain + name); you may provide multiple addresses or domain names, if + desired.

+ +

For example, if you have someone spamming your message + board, and you want to keep them out, you could do the + following:

+ + + Deny from 10.252.46.165 + + +

Visitors coming from that address will not be able to see + the content covered by this directive. If, instead, you have a + machine name, rather than an IP address, you can use that.

+ + + Deny from host.example.com + + +

And, if you'd like to block access from an entire domain, + you can specify just part of an address or domain name:

+ + + Deny from 192.168.205
+ Deny from phishers.example.com moreidiots.example
+ Deny from ke +
+ +

Using Order will let you + be sure that you are actually restricting things to the group that you want + to let in, by combining a Deny and an Allow directive:

+ + + Order deny,allow
+ Deny from all
+ Allow from dev.example.com +
+ +

Listing just the Allow + directive would not do what you want, because it will let folks from that + host in, in addition to letting everyone in. What you want is to let + only those folks in.

+
+ +
Access control by environment variable + +

+ mod_authz_host, in conjunction with + mod_setenvif, can be used to restrict access to + your website based on the value of arbitrary environment variables. + This is done with the Allow from env= and Deny + from env= syntax. +

+ + + SetEnvIf User-Agent BadBot GoAway=1
+ Order allow,deny
+ Allow from all
+ Deny from env=GoAway +
+ + Warning: +

Access control by User-Agent is an unreliable technique, + since the User-Agent header can be set to anything at all, + at the whim of the end user.

+
+ +

+ In the above example, the environment variable GoAway + is set to 1 if the User-Agent matches the + string BadBot. Then we deny access for any request when + this variable is set. This blocks that particular user agent from + the site. +

+ +

An environment variable test can be negated using the =! + syntax:

+ +

+ Allow from env=!GoAway +

+ +
+ +
Access control with mod_rewrite + +

The [F] RewriteRule flag causes a 403 Forbidden +response to be sent. Using this, you can deny access to a resource based +on arbitrary criteria.

+ +

For example, if you wish to block access to a resource between 8pm +and 6am, you can do this using mod_rewrite.

+ + +RewriteEngine On
+RewriteCond %{TIME_HOUR} >20 [OR]
+RewriteCond %{TIME_HOUR} <07
+RewriteRule ^/fridge - [F] +
+ +

This will return a 403 Forbidden response for any request after 8pm +or before 7am. This technique can be used for any criteria that you wish +to check. You can also redirect, or otherwise rewrite these requests, if +that approach is preferred.

+ +
+ +
More information +

You should also read the documentation for + mod_auth_basic and mod_authz_host which + contain some more information about how this all works. + mod_authn_alias can also help in simplifying certain + authentication configurations.

+ +

See the Authentication and Authorization + howto.

+
+ +
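Review bot: In the "Access control with mod_rewrite" section the prose and the rule disagree on the blocked window: the lead-in says "between 8pm and 6am", the closing paragraph says "after 8pm or before 7am", and the conditions "%{TIME_HOUR} &gt;20 [OR]" and "%{TIME_HOUR} &lt;07" match hours 21 through 23 and 00 through 06, so requests from 8:00pm to 8:59pm are still served. Pick one window and make all three agree, for example "&gt;19" and "&lt;06" if 8pm to 6am is what is meant, or reword both paragraphs to say 9pm to 7am. Separately, in the host section the sample name "moreidiots.example" would read better as a neutral example.com host name.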
+ diff --git a/docs/manual/howto/index.xml b/docs/manual/howto/index.xml index ef9f3ac87b..d7d79b4977 100644 --- a/docs/manual/howto/index.xml +++ b/docs/manual/howto/index.xml @@ -41,6 +41,18 @@ +
+
Access Control
+
+

Access control refers to the process of restricting, or + granting access to a resource based on arbitrary criteria. There + are a variety of different ways that this can be + accomplished.

+ +

See: Access Control

+
+
+
Dynamic Content with CGI
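Review bot: The new index entry defines access control as "the process of restricting, or granting access to a resource based on arbitrary criteria", which is worded differently from the summary added in access.xml ("any means of controlling access to any resource") and drops that summary's statement that this is separate from authentication and authorization. Reuse the access.xml wording here so the two pages agree, and remove the comma after "restricting".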
-- 2.50.0