Related Modules and Directives
Access control can be done by several different modules. The mostimportant of these is mod_authz_host
. Other modulesdiscussed in this document include mod_setenvif
andmod_rewrite
.
Access control by host
If you wish to restrict access to portions of your site based on the host address of your visitors, this is most easily done using mod_authz_host
.
The Allow
and Deny
directives let you allow and deny access based on the host name, or host address, of the machine requesting a document. The Order
directive goes hand-in-hand with these two, and tells Apache in which order to apply the filters.
The usage of these directives is:
where address is an IP address (or a partial IP address) or a fully qualified domain name (or a partial domain name); you may provide multiple addresses or domain names, if desired.
For example, if you have someone spamming your message board, and you want to keep them out, you could do the following:
Visitors coming from that address will not be able to see the content covered by this directive. If, instead, you have a machine name, rather than an IP address, you can use that.
Deny from host.example.com
And, if you'd like to block access from an entire domain, you can specify just part of an address or domain name:
Deny from 192.168.205
Deny from phishers.example.com moreidiots.example
Deny from ke
Using Order
will let you be sure that you are actually restricting things to the group that you want to let in, by combining a Deny
and an Allow
directive:
Order deny,allow
Deny from all
Allow from dev.example.com
Listing just the Allow
directive would not do what you want, because it will let folks from that host in, in addition to letting everyone in. What you want is to let only those folks in.
Access control by environment variable
mod_authz_host
, in conjunction with mod_setenvif
, can be used to restrict access to your website based on the value of arbitrary environment variables. This is done with the Allow from env=
and Deny from env=
syntax.
SetEnvIf User-Agent BadBot GoAway=1
Order allow,deny
Allow from all
Deny from env=GoAway
Warning:
Access control by User-Agent
is an unreliable technique, since the User-Agent
header can be set to anything at all, at the whim of the end user.
In the above example, the environment variable GoAway
is set to 1
if the User-Agent
matches the string BadBot
. Then we deny access for any request when this variable is set. This blocks that particular user agent from the site.
An environment variable test can be negated using the =!
syntax:
Access control with mod_rewrite
The [F]
RewriteRule
flag causes a 403 Forbiddenresponse to be sent. Using this, you can deny access to a resource basedon arbitrary criteria.
For example, if you wish to block access to a resource between 8pmand 6am, you can do this using mod_rewrite
.
RewriteEngine On
RewriteCond %{TIME_HOUR} >20 [OR]
RewriteCond %{TIME_HOUR} <07
RewriteRule ^/fridge - [F]
This will return a 403 Forbidden response for any request after 8pmor before 7am. This technique can be used for any criteria that you wishto check. You can also redirect, or otherwise rewrite these requests, ifthat approach is preferred.