From fe39ffb8b90ae4e002ed73fe98617cd590abb467 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 08:33:50 +0200 Subject: Adding upstream version 2.4.56. Signed-off-by: Daniel Baumann --- docs/manual/howto/access.html.en | 229 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 docs/manual/howto/access.html.en (limited to 'docs/manual/howto/access.html.en') diff --git a/docs/manual/howto/access.html.en b/docs/manual/howto/access.html.en new file mode 100644 index 0000000..1bd3e0e --- /dev/null +++ b/docs/manual/howto/access.html.en @@ -0,0 +1,229 @@ + + + + + +Access Control - Apache HTTP Server Version 2.4 + + + + + + + +
<-
+

Access Control

+
+

Available Languages:  en  | + es  | + fr 

+
+ +

Access control refers to any means of controlling access to any + resource. This is separate from authentication and authorization.

+
+ +
top
+
+

Related Modules and Directives

+ +

Access control can be done by several different modules. The most + important of these are mod_authz_core and + mod_authz_host. Also discussed in this document + is access control using mod_rewrite.

+ +
top
+
+

Access control by host

+

+ If you wish to restrict access to portions of your site based on the + host address of your visitors, this is most easily done using + mod_authz_host. +

+ +

The Require + provides a variety of different ways to allow or deny access to + resources. In conjunction with the RequireAll, RequireAny, and RequireNone directives, these + requirements may be combined in arbitrarily complex ways, to enforce + whatever your access policy happens to be.

+ +

+ The Allow, + Deny, and + Order directives, + provided by mod_access_compat, are deprecated and + will go away in a future version. You should avoid using them, and + avoid outdated tutorials recommending their use. +

+ +

The usage of these directives is:

+ +
Require host address
+Require ip ip.address
+ + +

In the first form, address is a fully qualified + domain name (or a partial domain name); you may provide multiple + addresses or domain names, if desired.

+ +

In the second form, ip.address is an IP address, a + partial IP address, a network/netmask pair, or a network/nnn CIDR + specification. Either IPv4 or IPv6 addresses may be used.

+ +

See the + mod_authz_host documentation for further examples of this + syntax.

+ +

You can insert not to negate a particular requirement. + Note, that since a not is a negation of a value, it cannot + be used by itself to allow or deny a request, as not true + does not constitute false. Thus, to deny a visit using a negation, + the block must have one element that evaluates as true or false. + For example, if you have someone spamming your message + board, and you want to keep them out, you could do the + following:

+ +
<RequireAll>
+    Require all granted
+    Require not ip 10.252.46.165
+</RequireAll>
+ + +

Visitors coming from that address (10.252.46.165) + will not be able to see the content covered by this directive. If, + instead, you have a machine name, rather than an IP address, you + can use that.

+ +
Require not host host.example.com
+    
+ + +

And, if you'd like to block access from an entire domain, + you can specify just part of an address or domain name:

+ +
Require not ip 192.168.205
+Require not host phishers.example.com moreidiots.example
+Require not host gov
+ + +

Use of the RequireAll, RequireAny, and RequireNone directives may be + used to enforce more complex sets of requirements.

+ +
top
+
+

Access control by arbitrary variables

+ +

Using the <If>, + you can allow or deny access based on arbitrary environment + variables or request header values. For example, to deny access + based on user-agent (the browser type) you might do the + following:

+ +
<If "%{HTTP_USER_AGENT} == 'BadBot'">
+    Require all denied
+</If>
+ + +

Using the Require + expr syntax, this could also be written as:

+ + +
Require expr %{HTTP_USER_AGENT} != 'BadBot'
+ + +

Warning:

+

Access control by User-Agent is an unreliable technique, + since the User-Agent header can be set to anything at all, + at the whim of the end user.

+
+ +

See the expressions document for a + further discussion of what expression syntaxes and variables are + available to you.

+ +
top
+
+

Access control with mod_rewrite

+ +

The [F] RewriteRule flag causes a 403 Forbidden + response to be sent. Using this, you can deny access to a resource based + on arbitrary criteria.

+ +

For example, if you wish to block access to a resource between 8pm + and 7am, you can do this using mod_rewrite.

+ +
RewriteEngine On
+RewriteCond "%{TIME_HOUR}" ">=20" [OR]
+RewriteCond "%{TIME_HOUR}" "<07"
+RewriteRule "^/fridge"     "-" [F]
+ + +

This will return a 403 Forbidden response for any request after 8pm + or before 7am. This technique can be used for any criteria that you wish + to check. You can also redirect, or otherwise rewrite these requests, if + that approach is preferred.

+ +

The <If> directive, + added in 2.4, replaces many things that mod_rewrite has + traditionally been used to do, and you should probably look there first + before resorting to mod_rewrite.

+ +
top
+
+

More information

+ +

The expression engine gives you a + great deal of power to do a variety of things based on arbitrary + server variables, and you should consult that document for more + detail.

+ +

Also, you should read the mod_authz_core + documentation for examples of combining multiple access requirements + and specifying how they interact.

+ +

See also the Authentication and Authorization + howto.

+
+
+

Available Languages:  en  | + es  | + fr 

+
top

Comments

Notice:
This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our mailing lists.
+
+ \ No newline at end of file -- cgit v1.2.3
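Review bot: The negated snippets in the "Access control by host" section (`Require not host host.example.com`, and the three lines starting with `Require not ip 192.168.205`) are shown on their own, although the paragraph just before them says a `not` cannot be used by itself to allow or deny a request and that the block must have one element that evaluates as true or false. A reader who copies only those lines will not get the deny the text describes. Either wrap both snippets in `<RequireAll>` with `Require all granted`, as the 10.252.46.165 example does, or add a sentence saying they belong inside that block. Separately, in the mod_rewrite section the sentence "This will return a 403 Forbidden response for any request after 8pm or before 7am" is broader than the rule shown, which matches only `^/fridge`. Suggest "any request for /fridge".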