Restricting Access with allow and deny

One of the simplest ways to limit access to website material is to restrict access to a specific group of users, based on IP addresses or hostnames. Apache uses the allow and deny directives to accomplish this.

Both directives take an address expression as a parameter. The following list provides the possible values and use of the address expression:

• all can be used to affect all hosts.

• A hostname or domain name, which can either be a partially or a fully qualified domain name; for example, test.gnulix.org or gnulix.org.

• An IP address, which can be either full or partial; for example, 212.85.67 or 212.85.67.66.

• A network/netmask pair, such as 212.85.67.0/255.255.255.0.

• A network address specified in classless inter-domain routing (CIDR) format; for example, 212.85.67.0/24. This is the CIDR notation for the same network and netmask that were used in the previous example.

If you have the choice, it is preferable to base your access control on IP addresses rather than hostnames. Doing so results in faster performance because no name lookup is necessary: the IP address of the client is included with each request.

You also can use allow and deny to grant or deny access to website material based on the presence or absence of a specific environment variable. For example, the following statement denies access to any request whose environment contains a variable named NOACCESS:

deny from env=NOACCESS

The default behavior of Apache is to apply all the deny directives first and then check the allow directives. If you want to change this order, you can use the order statement. Apache might interpret this statement in three different ways:

• Order deny,allow The deny directives are evaluated before the allow directives. If a host is not specifically denied access, it is allowed to access the resource. This is the default ordering if nothing else is specified.

• Order allow,deny All allow directives are evaluated before deny directives. If a host is not specifically allowed access, it is denied access to the resource.

• Order mutual-failure Only hosts that are specified in an allow directive and at the same time do not appear in a deny directive are allowed access. If a host does not appear in either directive, it is not granted access.

Consider this example. Suppose you want to allow only persons from within your own domain to access the server-status resource on your website. If your domain were named gnulix.org, you could add these lines to your configuration file:

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from gnulix.org
</Location>
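To make the three orderings concrete, here is a small Python model of how Apache evaluates Allow, Deny and Order for one client. It is an added example, not Apache's own code, and it simplifies one thing: it takes the client's already-resolved hostname as an input instead of performing the reverse and forward DNS lookups Apache does for hostname expressions. The client addresses and hostnames are constructed for the demonstration.

```python
import ipaddress

def expr_matches(expr, ip, host=None, env=None):
    """True if one Allow/Deny address expression matches this client.
    env is the request's environment dict (for env=NAME expressions)."""
    if expr.startswith("env="):                       # e.g. env=NOACCESS
        return expr[4:] in (env or {})
    expr = expr.lower()
    if expr == "all":
        return True
    if "/" in expr:                                   # CIDR or network/netmask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)
    if expr.replace(".", "").isdigit():               # full or partial IP (leading octets)
        return ip == expr or ip.startswith(expr.rstrip(".") + ".")
    host = (host or "").lower()                       # hostname or domain suffix
    return host == expr or host.endswith("." + expr)

def access_allowed(order, allow, deny, ip, host=None, env=None):
    """Apply Apache's Order semantics to lists of Allow/Deny expressions."""
    allowed = any(expr_matches(e, ip, host, env) for e in allow)
    denied = any(expr_matches(e, ip, host, env) for e in deny)
    order = order.lower()
    if order == "deny,allow":
        # Default ordering: everyone starts allowed; a Deny match blocks the
        # client unless an Allow expression also matches it.
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Everyone starts denied; the client must match an Allow and no Deny.
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")

# The /server-status block from the text, checked against two constructed clients.
ALLOW, DENY = ["gnulix.org"], ["all"]

def server_status_demo():
    inside = ("212.85.67.66", "www.gnulix.org")       # constructed client inside the domain
    outside = ("198.51.100.7", "host.example.net")    # constructed client elsewhere
    return {
        "deny,allow inside": access_allowed("deny,allow", ALLOW, DENY, *inside),
        "deny,allow outside": access_allowed("deny,allow", ALLOW, DENY, *outside),
        # Same Allow/Deny lines under the other ordering: 'Deny from all' now
        # wins over 'Allow from gnulix.org', locking everyone out.
        "allow,deny inside": access_allowed("allow,deny", ALLOW, DENY, *inside),
    }

if __name__ == "__main__":
    for case, ok in server_status_demo().items():
        print(f"{case:20s} -> {'allowed' if ok else 'denied'}")
```

The third case is the one worth remembering when reviewing a configuration: swapping the Order while keeping "Deny from all" turns a domain whitelist into a total lockout.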
