docs/manual/howto/access.xml - httpd - Git at Google

 <?xml version='1.0' encoding='UTF-8' ?>
 <!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
 <!-- $LastChangedRevision$ -->

 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
 -->

 <manualpage metafile="access.xml.meta">
 <parentdocument href="./">How-To / Tutorials</parentdocument>

 <title>Access Control</title>

 <summary>
     <p>Access control refers to any means of controlling access to any
     resource. This is separate from <a
     href="auth.html">authentication and authorization</a>.</p>
 </summary>

 <section id="related"><title>Related Modules and Directives</title>

 <p>Access control can be done by several different modules. The most
 important of these is <module>mod_authz_host</module>. Other modules
 discussed in this document include <module>mod_setenvif</module> and
 <module>mod_rewrite</module>.</p>

 </section>

 <section id="host"><title>Access control by host</title>
     <p>
     If you wish to restrict access to portions of your site based on the
     host address of your visitors, this is most easily done using
     <module>mod_authz_host</module>.
     </p>

     <p>The <directive module="mod_authz_host">Allow</directive> and
     <directive module="mod_authz_host">Deny</directive> directives let
     you allow and deny access based on the host name, or host
     address, of the machine requesting a document. The
     <directive module="mod_authz_host">Order</directive> directive goes
     hand-in-hand with these two, and tells Apache in which order to
     apply the filters.</p>

     <p>The usage of these directives is:</p>

     <example>
       Allow from <var>address</var>
     </example>

     <p>where <var>address</var> is an IP address (or a partial IP
     address) or a fully qualified domain name (or a partial domain
     name); you may provide multiple addresses or domain names, if
     desired.</p>

     <p>For example, if you have someone spamming your message
     board, and you want to keep them out, you could do the
     following:</p>

     <example>
       Deny from 10.252.46.165
     </example>

     <p>Visitors coming from that address will not be able to see
     the content covered by this directive. If, instead, you have a
     machine name, rather than an IP address, you can use that.</p>

     <example>
       Deny from <var>host.example.com</var>
     </example>

     <p>And, if you'd like to block access from an entire domain,
     you can specify just part of an address or domain name:</p>

     <example>
       Deny from <var>192.168.205</var><br />
       Deny from <var>phishers.example.com</var> <var>moreidiots.example</var><br />
       Deny from ke
     </example>

     <p>Using <directive module="mod_authz_host">Order</directive> will let you
     be sure that you are actually restricting things to the group that you want
     to let in, by combining a <directive
     module="mod_authz_host">Deny</directive> and an <directive
     module="mod_authz_host">Allow</directive> directive:</p>

     <example>
       Order deny,allow<br />
       Deny from all<br />
       Allow from <var>dev.example.com</var>
     </example>

     <p>Listing just the <directive module="mod_authz_host">Allow</directive>
     directive would not do what you want, because it will let folks from that
     host in, in addition to letting everyone in. What you want is to let
     <em>only</em> those folks in.</p>
 </section>

 <section id="env"><title>Access control by environment variable</title>

     <p>
     <module>mod_authz_host</module>, in conjunction with
     <module>mod_setenvif</module>, can be used to restrict access to
     your website based on the value of arbitrary environment variables.
     This is done with the <code>Allow from env=</code> and <code>Deny
     from env=</code> syntax.
     </p>

     <example>
     SetEnvIf User-Agent BadBot GoAway=1<br />
     Order allow,deny<br />
     Allow from all<br />
     Deny from env=GoAway
     </example>

     <note><title>Warning:</title>
     <p>Access control by <code>User-Agent</code> is an unreliable technique,
     since the <code>User-Agent</code> header can be set to anything at all,
     at the whim of the end user.</p>
     </note>

     <p>
     In the above example, the environment variable <code>GoAway</code>
     is set to <code>1</code> if the <code>User-Agent</code> matches the
     string <code>BadBot</code>. Then we deny access for any request when
     this variable is set. This blocks that particular user agent from
     the site.
     </p>

     <p>An environment variable test can be negated using the <code>=!</code>
     syntax:</p>

     <example><p>
     Allow from env=!GoAway
     </p></example>

 </section>

 <section id="rewrite"><title>Access control with mod_rewrite</title>

 <p>The <code>[F]</code> <directive
 module="mod_rewrite">RewriteRule</directive> flag causes a 403 Forbidden
 response to be sent. Using this, you can deny access to a resource based
 on arbitrary criteria.</p>

 <p>For example, if you wish to block access to a resource between 8pm
 and 6am, you can do this using <module>mod_rewrite</module>.</p>

 <example>
 RewriteEngine On<br />
 RewriteCond %{TIME_HOUR} &gt;20 [OR]<br />
 RewriteCond %{TIME_HOUR} &lt;07<br />
 RewriteRule ^/fridge - [F]
 </example>

 <p>This will return a 403 Forbidden response for any request after 8pm
 or before 7am. This technique can be used for any criteria that you wish
 to check. You can also redirect, or otherwise rewrite these requests, if
 that approach is preferred.</p>

 </section>

 <section id="moreinformation"><title>More information</title>
     <p>You should also read the documentation for
     <module>mod_auth_basic</module> and <module>mod_authz_host</module> which
     contain some more information about how this all works.
     <module>mod_authn_alias</module> can also help in simplifying certain
     authentication configurations.</p>

     <p>See the <a href="auth.html">Authentication and Authorization</a>
     howto.</p>
 </section>

 </manualpage>
	<?xml version='1.0' encoding='UTF-8' ?>
	<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
	<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
	<!-- $LastChangedRevision$ -->

	<!--
	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->

	<manualpage metafile="access.xml.meta">
	<parentdocument href="./">How-To / Tutorials</parentdocument>

	<title>Access Control</title>

	<summary>
	<p>Access control refers to any means of controlling access to any
	resource. This is separate from <a
	href="auth.html">authentication and authorization</a>.</p>
	</summary>

	<section id="related"><title>Related Modules and Directives</title>

	<p>Access control can be done by several different modules. The most
	important of these is <module>mod_authz_host</module>. Other modules
	discussed in this document include <module>mod_setenvif</module> and
	<module>mod_rewrite</module>.</p>

	</section>

	<section id="host"><title>Access control by host</title>
	<p>
	If you wish to restrict access to portions of your site based on the
	host address of your visitors, this is most easily done using
	<module>mod_authz_host</module>.
	</p>

	<p>The <directive module="mod_authz_host">Allow</directive> and
	<directive module="mod_authz_host">Deny</directive> directives let
	you allow and deny access based on the host name, or host
	address, of the machine requesting a document. The
	<directive module="mod_authz_host">Order</directive> directive goes
	hand-in-hand with these two, and tells Apache in which order to
	apply the filters.</p>

	<p>The usage of these directives is:</p>

	<example>
	Allow from <var>address</var>
	</example>

	<p>where <var>address</var> is an IP address (or a partial IP
	address) or a fully qualified domain name (or a partial domain
	name); you may provide multiple addresses or domain names, if
	desired.</p>

	<p>For example, if you have someone spamming your message
	board, and you want to keep them out, you could do the
	following:</p>

	<example>
	Deny from 10.252.46.165
	</example>

	<p>Visitors coming from that address will not be able to see
	the content covered by this directive. If, instead, you have a
	machine name, rather than an IP address, you can use that.</p>

	<example>
	Deny from <var>host.example.com</var>
	</example>

	<p>And, if you'd like to block access from an entire domain,
	you can specify just part of an address or domain name:</p>

	<example>
	Deny from <var>192.168.205</var><br />
	Deny from <var>phishers.example.com</var> <var>moreidiots.example</var><br />
	Deny from ke
	</example>

	<p>Using <directive module="mod_authz_host">Order</directive> will let you
	be sure that you are actually restricting things to the group that you want
	to let in, by combining a <directive
	module="mod_authz_host">Deny</directive> and an <directive
	module="mod_authz_host">Allow</directive> directive:</p>

	<example>
	Order deny,allow<br />
	Deny from all<br />
	Allow from <var>dev.example.com</var>
	</example>

	<p>Listing just the <directive module="mod_authz_host">Allow</directive>
	directive would not do what you want, because it will let folks from that
	host in, in addition to letting everyone in. What you want is to let
	<em>only</em> those folks in.</p>
	</section>

	<section id="env"><title>Access control by environment variable</title>

	<p>
	<module>mod_authz_host</module>, in conjunction with
	<module>mod_setenvif</module>, can be used to restrict access to
	your website based on the value of arbitrary environment variables.
	This is done with the <code>Allow from env=</code> and <code>Deny
	from env=</code> syntax.
	</p>

	<example>
	SetEnvIf User-Agent BadBot GoAway=1<br />
	Order allow,deny<br />
	Allow from all<br />
	Deny from env=GoAway
	</example>

	<note><title>Warning:</title>
	<p>Access control by <code>User-Agent</code> is an unreliable technique,
	since the <code>User-Agent</code> header can be set to anything at all,
	at the whim of the end user.</p>
	</note>

	<p>
	In the above example, the environment variable <code>GoAway</code>
	is set to <code>1</code> if the <code>User-Agent</code> matches the
	string <code>BadBot</code>. Then we deny access for any request when
	this variable is set. This blocks that particular user agent from
	the site.
	</p>

	<p>An environment variable test can be negated using the <code>=!</code>
	syntax:</p>

	<example><p>
	Allow from env=!GoAway
	</p></example>

	</section>

	<section id="rewrite"><title>Access control with mod_rewrite</title>

	<p>The <code>[F]</code> <directive
	module="mod_rewrite">RewriteRule</directive> flag causes a 403 Forbidden
	response to be sent. Using this, you can deny access to a resource based
	on arbitrary criteria.</p>

	<p>For example, if you wish to block access to a resource between 8pm
	and 6am, you can do this using <module>mod_rewrite</module>.</p>

	<example>
	RewriteEngine On<br />
	RewriteCond %{TIME_HOUR} >20 [OR]<br />
	RewriteCond %{TIME_HOUR} <07<br />
	RewriteRule ^/fridge - [F]
	</example>

	<p>This will return a 403 Forbidden response for any request after 8pm
	or before 7am. This technique can be used for any criteria that you wish
	to check. You can also redirect, or otherwise rewrite these requests, if
	that approach is preferred.</p>

	</section>

	<section id="moreinformation"><title>More information</title>
	<p>You should also read the documentation for
	<module>mod_auth_basic</module> and <module>mod_authz_host</module> which
	contain some more information about how this all works.
	<module>mod_authn_alias</module> can also help in simplifying certain
	authentication configurations.</p>

	<p>See the <a href="auth.html">Authentication and Authorization</a>
	howto.</p>
	</section>

	</manualpage>