From 6beeb1b708550be0d4a53b272283e17e5e35fe17 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 17:01:30 +0200 Subject: Adding upstream version 2.4.57. Signed-off-by: Daniel Baumann --- docs/manual/mod/mod_authz_host.html.en | 253 +++++++++++++++++++++++++++++++++ 1 file changed, 253 insertions(+) create mode 100644 docs/manual/mod/mod_authz_host.html.en (limited to 'docs/manual/mod/mod_authz_host.html.en') diff --git a/docs/manual/mod/mod_authz_host.html.en b/docs/manual/mod/mod_authz_host.html.en new file mode 100644 index 0000000..1f4c11c --- /dev/null +++ b/docs/manual/mod/mod_authz_host.html.en @@ -0,0 +1,253 @@ + + + + + +mod_authz_host - Apache HTTP Server Version 2.4 + + + + + + + + +
<-
+ +
+

Apache Module mod_authz_host

+
+

Available Languages:  en  | + fr 

+
+ + + + +
Description:Group authorizations based on host (name or IP +address)
Status:Base
Module Identifier:authz_host_module
Source File:mod_authz_host.c
Compatibility:The forward-dns provider was added in 2.4.19
+

Summary

+ +

The authorization providers implemented by mod_authz_host are + registered using the Require + directive. The directive can be referenced within a + <Directory>, + <Files>, + or <Location> section + as well as .htaccess + files to control access to particular parts of the server. + Access can be controlled based on the client hostname or IP address.

+ +

In general, access restriction directives apply to all + access methods (GET, PUT, + POST, etc). This is the desired behavior in most + cases. However, it is possible to restrict some methods, while + leaving other methods unrestricted, by enclosing the directives + in a <Limit> section.

+
+
Support Apache!

Topics

+

Directives

+

This module provides no + directives.

+

Bugfix checklist

See also

+
+
top
+
+

The Require Directives

+ +

Apache's Require + directive is used during the authorization phase to ensure that a user is allowed or + denied access to a resource. mod_authz_host extends the + authorization types with ip, host, + forward-dns and local. + Other authorization types may also be + used but may require that additional authorization modules be loaded.

+ +

These authorization providers affect which hosts can + access an area of the server. Access can be controlled by + hostname, IP Address, or IP Address range.

+ +

Since v2.4.8, expressions are supported + within the host require directives.

+ +

Require ip

+ +

The ip provider allows access to the server + to be controlled based on the IP address of the remote client. + When Require ip ip-address is specified, + then the request is allowed access if the IP address matches.

+ +

A full IP address:

+ +
Require ip 10.1.2.3
+Require ip 192.168.1.104 192.168.1.205
+ + +

An IP address of a host allowed access

+ +

A partial IP address:

+ +
Require ip 10.1
+Require ip 10 172.20 192.168.2
+ +

The first 1 to 3 bytes of an IP address, for subnet + restriction.

+ +

A network/netmask pair:

+ +
Require ip 10.1.0.0/255.255.0.0
+ +

A network a.b.c.d, and a netmask w.x.y.z. For more + fine-grained subnet restriction.

+ +

A network/nnn CIDR specification:

+ +
Require ip 10.1.0.0/16
+ +

Similar to the previous case, except the netmask consists of + nnn high-order 1 bits.

+ +

Note that the last three examples above match exactly the + same set of hosts.

+ +

IPv6 addresses and IPv6 subnets can be specified as shown + below:

+ +
Require ip 2001:db8::a00:20ff:fea7:ccea
+Require ip 2001:db8:1:1::a
+Require ip 2001:db8:2:1::/64
+Require ip 2001:db8:3::/48
+ + +

Note: As the IP addresses are parsed on startup, expressions are + not evaluated at request time.

+ + + +

Require host

+ +

The host provider allows access to the server + to be controlled based on the host name of the remote client. + When Require host host-name is specified, + then the request is allowed access if the host name matches.

+ +

A (partial) domain-name

+ +
Require host example.org
+Require host .net example.edu
+ + +

Hosts whose names match, or end in, this string are allowed + access. Only complete components are matched, so the above + example will match foo.example.org but it will not + match fooexample.org. This configuration will cause + Apache to perform a double reverse DNS lookup on the client IP + address, regardless of the setting of the HostnameLookups directive. It will do + a reverse DNS lookup on the IP address to find the associated + hostname, and then do a forward lookup on the hostname to assure + that it matches the original IP address. Only if the forward + and reverse DNS are consistent and the hostname matches will + access be allowed.

+ + + +

Require forward-dns

+ +

The forward-dns provider allows access to the server + to be controlled based on simple host names. When + Require forward-dns host-name is specified, + all IP addresses corresponding to host-name + are allowed access.

+ +

In contrast to the host provider, this provider does not + rely on reverse DNS lookups: it simply queries the DNS for the host name + and allows a client if its IP matches. As a consequence, it will only + work with complete host names that can be resolved in DNS, not partial domain names. + However, as the reverse DNS is not used, and DNS lookups occur at request processing + time (instead of startup), it will work with clients which use a dynamic DNS service.

+ +
Require forward-dns dynamic.example.org
+ + +

A client the IP of which is resolved from the name + dynamic.example.org will be granted access.

+ +

The forward-dns provider was added in 2.4.19.

+ + +

Require local

+ +

The local provider allows access to the server if any + of the following conditions is true:

+ +
    +
  • the client address matches 127.0.0.0/8
  • +
  • the client address is ::1
  • +
  • both the client and the server address of the connection are + the same
  • +
+ +

This allows a convenient way to match connections that originate from + the local host:

+ +
Require local
+ + + + +

Security Note

+ +

If you are proxying content to your server, you need to be aware + that the client address will be the address of your proxy server, + not the address of the client, and so using the Require + directive in this context may not do what you mean. See + mod_remoteip for one possible solution to this + problem.

+ + + +
+
+
+

Available Languages:  en  | + fr 

+
top

Comments

Notice:
This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our mailing lists.
+
+ \ No newline at end of file -- cgit v1.2.3
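Review bot: The Security Note at the end of the new page warns that behind a proxy "the client address will be the address of your proxy server", but it does not connect this to the Require local section just before it, whose conditions include "the client address matches 127.0.0.0/8" and "both the client and the server address of the connection are the same". Read together, a proxy on the same host connecting over loopback would make every proxied request satisfy Require local, so the note should say this explicitly and name Require local, Require ip and Require host as all affected, next to the existing pointer to mod_remoteip. Two smaller points: the Require ip note that "expressions are not evaluated at request time" reads oddly against the earlier sentence that expressions are supported "within the host require directives" since v2.4.8, so the page should state which providers accept expressions; and the file ends with "\ No newline at end of file", which is worth fixing unless the import has to stay byte-identical to upstream 2.4.57.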