Apache Today [Your Apache News Source]
Your Daily Source for Apache News and Information  
Breaking News Preferences Contribute Triggers Link Us Search About
To internet.com

Apache HTTPD Links
The Apache FAQ
PHP Server Side Scripting
Apache-Perl Integration Project
Apache XML Project
The Jakarta Project
Apache Module Registry
Apache-Related Projects
The Java Apache Project
ApacheCon
Apache Project
The Apache Software Foundation

  internet.com

Internet News
Internet Investing
Internet Technology
Windows Internet Tech.
Linux/Open Source
Web Developer
ECommerce/Marketing
ISP Resources
ASP Resources
Wireless Internet
Downloads
Internet Resources
Internet Lists
International
EarthWeb
Career Resources

Search internet.com
Advertising Info
Corporate Info
Apache Guide: mod_access: Restricting Access by Host
Nov 13, 2000, 15 :51 UTC (3 Talkback[s]) (9471 reads) (Other stories by Rich Bowen)

By

In earlier articles, I talked about restricting access to your web server based on a username and password provided by the user.

You can also restrict access based on the hostname or IP address from which the user is connecting to your site. The apache module mod_access provides this functionality.

There are three main directives that implement this functionality, and they are typically used in combination, rather than individually. I'll talk about each directive, and then we'll look at some ways that you can combine them to have the desired effects.

Deny

The Deny directive, as the name implies, denies access to resources, based on the address of the client machine. The syntax is simple:

     Deny from host

The host argument in this directive is extremely flexible. It can be any of the following:

all
     Deny from all

Does not permit any hosts to have access to the specified resource. This may seem a little silly at this point, but it has a valid use that we'll see later on.

A hostname, or a partial domain name
     Deny from evil.spammer.com
     Deny from h4x0rz.com
     Deny from .gov

Setting the host argument to a hostname, or a partial hostname, will deny access to any host whose name matches the argument, or ends in the argument.

Something important to note here is that this only matches complete elements. For example, the directive Deny from keys.com will deny all access to hosts on the keys.com network, but people on the monkeys.com network will still be able to get in.

You should also note that this is only going to be useful if you can, in fact, do a reverse lookup on the address in question. If, for example, someone is coming from a .gov address, but there is no reverse-zone record for their address, they will still be permitted to get in.

An IP address, or partial IP address
     Deny from 204.255.230.13
     Deny from 192.168.
     Deny from 9.

As expected, these will deny access to hosts from addresses matching the IP address ranges specified. In the three examples above, the directives deny access from a specific IP address, from all the IP addresses in the private 192.168.*.* IP range, and all IP addresses in the IBM 9.*.*.* range of addresses.

A network and netmask pair
     Deny from 10.1.0.0/16
     Deny from 10.1.1.0/255.255.0.0

For those that know a little more about how IP works, you can use a network and subnet mask pair to specify a range of addresses. The specifics of what these mean is beyond the scope of this article.

Finally, note that you can specify more than one host argument in this directive:

     Deny from evil.hacker.com monkey.loser.com

Allow

The counterpart to Deny is, of course, Allow, which specifies what hosts are to be allowed access. The arguments to Allow are exactly the same as those for Deny, so I won't spend a lot of time going through them.

     Allow from all
     Allow from 192.168.1.
     Allow from .edu

Order: Using Allow and Deny Together

In most real-world situations, you'll want to use Deny and Allow together to allow some folks in, or leave some folks out, and to have a degree of control over who those folks are.

This is where the Order directive comes in. The Order directive tells Apache in which order to process the Allow and Deny directives when they are used together. Order can be set to one of the following values:

Order Allow,Deny
Process the Allow directives first, and then the Deny directives.

Order Deny,Allow
Process the Deny directives first, and then the Allow directives.

Which one of these you use depends mostly on whether you are trying to restrict access to just a few people, or if you are trying to let almost everyone on.

For example, if you want to let everyone in, except for that nasty person that keeps posting unpleasant things on your message board, you'd do something like this:

     Order Allow,Deny
     Allow from all
     Deny from monkey.loser.com

On the other hand, if you're trying to make sure that nobody in the world can get to your site except for the small list of people that are connecting from your company, you'd do something like:

     Order Deny,Allow
     Deny from all
     Allow from friends.mycompany.com

Advanced Options with Allow and Deny

When combined with the SetEnvIf directive, you can do some even more powerful stuff with controlling who can get to your content.

SetEnvIf is a directive implemented by mod_setenvif, which allows you to set environment variables based on conditional statements. This is pretty cool, and can let you do some very neat stuff when combined with other directives.

In conjunction with the Allow and Deny directives, it can be made to allow or deny access to resources based on things other than host address.

Using SetEnvIf

The syntax for SetEnvIf is as follows:

     SetEnvIf attribute regex variable[=value]

If the regular expression matches the attribute (or environment variable) then the variable is set and placed into the environment. For example:

     SetEnvIf User-Agent MSIE InternetExplorer

If the User-Agent (browser) variable matches the regular expression MSIE -- that is, if the browser is Internet Explorer -- then the environment variable InternetExplorer will be set true and placed in the environment.

Using SetEnvIf with Allow and Deny

Allow and Deny have an alternate syntax that let them take advantage of environment variables set with SetEnvIf, as well as other environment variables:

     SetEnvIf User-Agent EvilRobot GoAway
     Order Allow,Deny
     Allow from all
     Deny from env=GoAway

In the above example, if the User-Agent variable matches the string EvilRobot, then the environment variable GoAway is set. The directive Deny from env=GoAway tells Apache to deny access from hosts for whom the GoAway environment variable is set.

Similarly, Allow from env= permits access based on variables that you can set with SetEnvIf.

Combining Allow, Deny, and Other Access-Control Techniques

You have content on your web site that you want to protect from prying eyes, so you put a password on it. But you don't want people in your company to have to use a password every time. Using the Satisfy directive, you can require either condition:

     Deny from all
     Allow from 192.101.
     Require group Company
     Satisfy any

Satisfy any specifies that either the user must come from the specified address range, or that they provide a password, but not necessarily both. Satisfy all would require that all the conditions be met - that the user come from the specified address range, and provide a password.

Summary

Using Allow and Deny lets you have a great deal of conrol over who can and who cannot have access to the content on your site.

Related Stories:
Apache Guide: Configuring Your Apache Compile with ./Configure(Nov 06, 2000)
Apache Guide: Generating Fancy Directory Listings with mod_autoindex(Oct 09, 2000)
Apache Guide: Logging, Part 5: Advanced Logging Techniques and Tips(Sep 25, 2000)
Apache Guide: Logging, Part 4 -- Log-File Analysis(Sep 18, 2000)
Apache Guide: Logging, Part 3 -- Custom Logs(Sep 05, 2000)
Apache Guide: Logging, Part II -- Error Logs(Aug 28, 2000)
Apache Guide: Logging with Apache--Understanding Your access_log(Aug 21, 2000)
Apache Guide: Apache Authentication, Part 4(Aug 14, 2000)
Apache Guide: Apache Authentication, Part 3(Aug 07, 2000)
Apache Guide: Apache Authentication, Part II(Jul 31, 2000)
Apache Guide: Apache Authentication, Part 1(Jul 24, 2000)
Apache Guide: Setting Up Virtual Hosts(Jul 17, 2000)
Apache Guide: Configuring Your Apache Server Installation(Jul 10, 2000)
Apache Guide: The Newbie's Guide to Installing Apache(Jul 03, 2000)
Apache Guide: Advanced SSI Techniques(Jun 26, 2000)
Apache Guide: Introduction to Server Side Includes, Part 2 (Jun 19, 2000)
Apache Guide: Introduction to Server Side Includes(Jun 12, 2000)
Apache Guide: Dynamic Content with CGI(Jun 05, 2000)

  Current Newswire:
Great Bridge PostgreSQL 7.1 package announced

ApacheCon Dublin sessions listed

Apache Week issue 253 is out

ServerWatch: June 2001 Security Space Survey Results

zez.org: Security flaws in PHP

SECURITY: Bugtraq: Java servlet cross-site scripting vulnerability

mnoGoSearch 3.1.17 released

The June Netcraft Results are Out: Apache Gains Slightly in Market Share

GroupIT site-content engine previewed

Lineo Availix Vertical Clustering 1.0 Ships

 Talkback(s) Name  Date
  My Request
Please give some information code about ASP, PHP, VBScript, Javascript and Cold Fushion.

Thank's a lot   
  Nov 15, 2000, 07:31:07
  HELP
Hello,

I send you this message because I need your help.
I ask you if I can make Apache Server working as a Web Proxy (not for
caching)without changing the settings of the users' browsers.
If yes, how can I do it, please?.
If no, can I use API of Apache in order to make Apache Server working as a Web Proxy (not for caching)without changing the settings of the users' browsers. If yes, how can I do it, please?.
If no, can I include programms writting in C++ or in Perl in the
configuration files of Apache in order to make Apache Server working as a Web Proxy (not for caching)without changing the settings of the users' browsers. If yes, how can I do it, please?.

Sincerlly.

M. Mohammed YOUCEF
[email protected]
  
  Nov 17, 2000, 20:30:55
  directory content restriction
How do I allow users from one group
to view a content of a directory and
deny access to that directory for people
from other groups.

Each user will have a group id. When
the user logins, I will get his or her groupid.
Then when user clicks a button, I will take the user
to the specified groupid directory. if user attempts
to modify the URL to go to another groupid directory,
s/he will fail.

I am aware of the htaccess file that stores names
or ids of users who have access to a directory.
That method is not easy to maintain because I
don't want to update the htaccess file each time
I have a new user. However, updating the file
if a new group id is created is OK.

Your details solution to my question is
really appreciated.

kqh


  
  Dec 12, 2000, 19:44:48
Enter your comments below.
Your Name: Your Email Address:


Subject: CC: [will also send this talkback to an E-Mail address]
Comments:

See our talkback-policy for or guidelines on talkback content.

About Triggers Newsletters Media Kit Security Triggers Login


All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux 2.2.12, Apache 1.3.9. and PHP 3.14
Copyright INT Media Group, Incorporated All Rights Reserved.
Legal Notices,  Licensing, Reprints, & Permissions,  Privacy Policy.
http://www.internet.com/