The Apache Software Foundation |
Apache-Perl Integration Project |
The Apache FAQ |
Apache XML Project |
Apache-Related Projects |
The Jakarta Project |
Apache Project |
The Java Apache Project |
Apache Module Registry |
ApacheCon |
PHP Server Side Scripting |
|
|
|
internet.com
Internet News
Internet Investing
Internet Technology
Windows Internet Tech.
Linux/Open Source
Web Developer
ECommerce/Marketing
ISP Resources
ASP Resources
Wireless Internet
Downloads
Internet Resources
Internet Lists
International
EarthWeb
Career Resources
Search internet.com
Advertising Info
Corporate Info
|
|
Apache Guide: mod_access: Restricting Access by Host
Nov 13, 2000, 15 :51 UTC (6 Talkback[s]) (16923 reads) (Other stories by Rich Bowen)
|
By
In earlier articles, I talked about restricting access to your web server based on a username and password provided by the user.
You can also restrict access based on the hostname or IP address from which the user is connecting to your site. The apache module mod_access provides this functionality.
There are three main directives that implement this functionality, and they are typically used in combination, rather than individually. I'll talk about each directive, and then we'll look at some ways that you can combine them to have the desired effects.
Deny
The Deny directive, as the name implies, denies access to resources, based on the address of the client machine. The syntax is simple:
Deny from host
The host argument in this directive is extremely flexible. It can be any of the following:
- all
-
Deny from all
Does not permit any hosts to have access to the specified resource. This may seem a little silly at this point, but it has a valid use that we'll see later on.
- A hostname, or a partial domain name
-
Deny from evil.spammer.com
Deny from h4x0rz.com
Deny from .gov
Setting the host argument to a hostname, or a partial hostname, will deny access to any host whose name matches the argument, or ends in the argument.
Something important to note here is that this only matches complete elements. For example, the directive Deny from keys.com will deny all access to hosts on the keys.com network, but people on the monkeys.com network will still be able to get in.
You should also note that this is only going to be useful if you can, in fact, do a reverse lookup on the address in question. If, for example, someone is coming from a .gov address, but there is no reverse-zone record for their address, they will still be permitted to get in.
- An IP address, or partial IP address
-
Deny from 204.255.230.13
Deny from 192.168.
Deny from 9.
As expected, these will deny access to hosts from addresses matching the IP address ranges specified. In the three examples above, the directives deny access from a specific IP address, from all the IP addresses in the private 192.168.*.* IP range, and all IP addresses in the IBM 9.*.*.* range of addresses.
- A network and netmask pair
-
Deny from 10.1.0.0/16
Deny from 10.1.1.0/255.255.0.0
For those that know a little more about how IP works, you can use a network and subnet mask pair to specify a range of addresses. The specifics of what these mean is beyond the scope of this article.
Finally, note that you can specify more than one host argument in this directive:
Deny from evil.hacker.com monkey.loser.com
Allow
The counterpart to Deny is, of course, Allow , which specifies what hosts are to be allowed access. The arguments to Allow are exactly the same as those for Deny , so I won't spend a lot of time going through them.
Allow from all
Allow from 192.168.1.
Allow from .edu
Order: Using Allow and Deny Together
In most real-world situations, you'll want to use Deny and Allow together to allow some folks in, or leave some folks out, and to have a degree of control over who those folks are.
This is where the Order directive comes in. The Order directive tells Apache in which order to process the Allow and Deny directives when they are used together. Order can be set to one of the following values:
- Order Allow,Deny
-
Process the
Allow directives first, and then the Deny directives.
- Order Deny,Allow
-
Process the
Deny directives first, and then the Allow directives.
Which one of these you use depends mostly on whether you are trying to restrict access to just a few people, or if you are trying to let almost everyone on.
For example, if you want to let everyone in, except for that nasty person that keeps posting unpleasant things on your message board, you'd do something like this:
Order Allow,Deny
Allow from all
Deny from monkey.loser.com
On the other hand, if you're trying to make sure that nobody in the world can get to your site except for the small list of people that are connecting from your company, you'd do something like:
Order Deny,Allow
Deny from all
Allow from friends.mycompany.com
Advanced Options with Allow and Deny
When combined with the SetEnvIf directive, you can do some even more powerful stuff with controlling who can get to your content.
SetEnvIf is a directive implemented by mod_setenvif , which allows you to set environment variables based on conditional statements. This is pretty cool, and can let you do some very neat stuff when combined with other directives.
In conjunction with the Allow and Deny directives, it can be made to allow or deny access to resources based on things other than host address.
The syntax for SetEnvIf is as follows:
SetEnvIf attribute regex variable[=value]
If the regular expression matches the attribute (or environment variable) then the variable is set and placed into the environment. For example:
SetEnvIf User-Agent MSIE InternetExplorer
If the User-Agent (browser) variable matches the regular expression MSIE -- that is, if the browser is Internet Explorer -- then the environment variable InternetExplorer will be set true and placed in the environment.
Using SetEnvIf with Allow and Deny
Allow and Deny have an alternate syntax that let them take advantage of environment variables set with SetEnvIf , as well as other environment variables:
SetEnvIf User-Agent EvilRobot GoAway
Order Allow,Deny
Allow from all
Deny from env=GoAway
In the above example, if the User-Agent variable matches the string EvilRobot , then the environment variable GoAway is set. The directive Deny from env=GoAway tells Apache to deny access from hosts for whom the GoAway environment variable is set.
Similarly, Allow from env= permits access based on variables that you can set with SetEnvIf .
Combining Allow, Deny, and Other Access-Control Techniques
You have content on your web site that you want to protect from prying eyes, so you put a password on it. But you don't want people in your company to have to use a password every time. Using the Satisfy directive, you can require either condition:
Deny from all
Allow from 192.101.
Require group Company
Satisfy any
Satisfy any specifies that either the user must come from the specified address range, or that they provide a password, but not necessarily both. Satisfy all would require that all the conditions be met - that the user come from the specified address range, and provide a password.
Summary
Using Allow and Deny lets you have a great deal of conrol over who can and who cannot have access to the content on your site.
Related Stories:
Apache Guide: Configuring Your Apache Compile with ./Configure(Nov 06, 2000)
Apache Guide: Generating Fancy Directory Listings with mod_autoindex(Oct 09, 2000)
Apache Guide: Logging, Part 5: Advanced Logging Techniques and Tips(Sep 25, 2000)
Apache Guide: Logging, Part 4 -- Log-File Analysis(Sep 18, 2000)
Apache Guide: Logging, Part 3 -- Custom Logs(Sep 05, 2000)
Apache Guide: Logging, Part II -- Error Logs(Aug 28, 2000)
Apache Guide: Logging with Apache--Understanding Your access_log(Aug 21, 2000)
Apache Guide: Apache Authentication, Part 4(Aug 14, 2000)
Apache Guide: Apache Authentication, Part 3(Aug 07, 2000)
Apache Guide: Apache Authentication, Part II(Jul 31, 2000)
Apache Guide: Apache Authentication, Part 1(Jul 24, 2000)
Apache Guide: Setting Up Virtual Hosts(Jul 17, 2000)
Apache Guide: Configuring Your Apache Server Installation(Jul 10, 2000)
Apache Guide: The Newbie's Guide to Installing Apache(Jul 03, 2000)
Apache Guide: Advanced SSI Techniques(Jun 26, 2000)
Apache Guide: Introduction to Server Side Includes, Part 2 (Jun 19, 2000)
Apache Guide: Introduction to Server Side Includes(Jun 12, 2000)
Apache Guide: Dynamic Content with CGI(Jun 05, 2000)
|
|