Apache HTTP Server Version 2.3
Apache HTTP Server Version 2.3
Available Languages: en
| Description: | Group authorizations based on host (name or IP address) |
|---|---|
| Status: | Base |
| Module Identifier: | authz_host_module |
| Source File: | mod_authz_host.c |
| Compatibility: | Available in Apache 2.3 and later |
The authorization providers implemented by mod_authz_host are
registered using the Require or
Match directives. These
directives can be referenced within a
<Directory>,
<Files>,
or <Location> section
as well as .htaccess
files to control access to particular parts of the server.
Access can be controlled based on the client hostname, IP address, or
other characteristics of the client request, as captured in environment variables.
In general, access restriction directives apply to all
access methods (GET, PUT,
POST, etc). This is the desired behavior in most
cases. However, it is possible to restrict some methods, while
leaving other methods unrestricted, by enclosing the directives
in a <Limit> section.
This module provides no directives.
Apache's Require and
Match directives are
used during the authorization phase to ensure that a user is allowed or
denied access to a resource. mod_authz_host extends the
authorization types with env, ip,
host and all. Other authorization types may also be
used but may require that additional authorization modules be loaded.
These authorization providers affect which hosts can access an area of the server. Access can be controlled by hostname, IP Address, IP Address range, or by other characteristics of the client request captured in environment variables.
The env provider allows access to the server
to be controlled based on the existence of an environment variable. When Require
env env-variable is specified, then the request is
allowed access if the environment variable env-variable
exists. The server provides the ability to set environment
variables in a flexible way based on characteristics of the client
request using the directives provided by
mod_setenvif. Therefore, this directive can be
used to allow access based on such factors as the clients
User-Agent (browser type), Referer, or
other HTTP request header fields.
SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
<Directory /docroot>
Require env let_me_in
</Directory>
In this case, browsers with a user-agent string beginning
with KnockKnock/2.0 will be allowed access, and all
others will be denied.
The ip provider allows access to the server
to be controlled based on the IP address of the remote client.
When Require ip ip-address is specified,
then the request is allowed access if the IP address matches.
A full IP address:
Require ip 10.1.2.3
Require ip 192.168.1.104 192.168.1.205
An IP address of a host allowed access
A partial IP address:
Require ip 10.1
Require ip 10 172.20 192.168.2
The first 1 to 3 bytes of an IP address, for subnet restriction.
A network/netmask pair:
Require ip 10.1.0.0/255.255.0.0
A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.
A network/nnn CIDR specification:
Require ip 10.1.0.0/16
Similar to the previous case, except the netmask consists of nnn high-order 1 bits.
Note that the last three examples above match exactly the same set of hosts.
IPv6 addresses and IPv6 subnets can be specified as shown below:
Require ip 2001:db8::a00:20ff:fea7:ccea
Require ip 2001:db8::a00:20ff:fea7:ccea/10
The host provider allows access to the server
to be controlled based on the host name of the remote client.
When Require host host-name is specified,
then the request is allowed access if the host name matches.
A (partial) domain-name
Require host apache.org
Require host .net example.edu
Hosts whose names match, or end in, this string are allowed
access. Only complete components are matched, so the above
example will match foo.apache.org but it will not
match fooapache.org. This configuration will cause
Apache to perform a double reverse DNS lookup on the client IP
address, regardless of the setting of the HostnameLookups directive. It will do
a reverse DNS lookup on the IP address to find the associated
hostname, and then do a forward lookup on the hostname to assure
that it matches the original IP address. Only if the forward
and reverse DNS are consistent and the hostname matches will
access be allowed.
The all provider mimics the functionality the
was previously provided by the 'Allow from all' and 'Deny from all'
directives. This provider can take one of two arguments which are
'granted' or 'denied'. The following examples will grant or deny
access to all requests.
Require all granted
Require all denied
Available Languages: en
