The mod_access module, enabled by default, allows you to restrict access to resources based on parameters of the client request, such as the presence of a specific header or the IP address or hostname of the client.
You can specify access rules using the Allow and Deny directives. Each of these directives takes a list of arguments such as IP addresses, environment variables, and domain names.
You can deny or grant access to a client based on its IP address:
Allow from 10.0.0.1 10.0.0.2 10.0.0.3
You can also specify IP address ranges, with a partial IP address or a network/mask pair. Additionally, you can specify the first one, two, or three bytes of an IP address. Any IP address containing those will match this rule. For example, the rule
Deny from 10.0
will match any address starting with 10.0, such as 10.0.1.0 and 10.0.0.1.
You can also utilize the IP address and the netmask; the IP address specifies the network and the mask specifies which bits belong to the network prefix and which ones belong to the nodes. The rule
Allow from 10.0.0.0/255.255.255.0
will match IP addresses 10.0.0.1, 10.0.0.2, and so on, to 10.0.0.254.
You can also specify the network mask via high-order bits. For example, you could write the previous rule as
Allow from 10.0.0.0/24
You can control access based on specific hostnames or partial domain names. For example, Allow from example.com will match www.example.com, foo.example.com, and so on.
Enabling access rules based on domain names forces Apache to do a reverse DNS lookup on the client address, bypassing the settings of the HostNameLookups directive. This has performance implications.
You can specify access rules based on the presence of a certain environment variable, prefixing the name of the variable with env=. You can use this feature to grant or deny access to certain browsers or browser versions, to prevent specific sites from linking to your resources, and so on. For this example to work as intended, the client needs to transmit the User-Agent header.
BrowserMatch MSIE iexplorer Deny from env=iexplorer
Because the client sends the User-Agent header, it could possibly be omitted or manipulated, but most users will not do so and this technique will work in most cases.
The keyword all matches all clients. You can specify Allow from all or Deny from all to grant or deny access to all clients.
You can have several Allow and Deny access rules. You can choose the order in which the rules are evaluated by using the Order directive. Rules that are evaluated later have higher precedence. Order accepts one argument, which can be Deny,Allow, Allow,Deny, or Mutual-Failure. Deny,Allow is the default value for the Order directive. Note that there is no space in the value.
Deny,Allow specifies that Deny directives are evaluated before Allow directives. With Deny,Allow, the client is granted access by default if there are no Allow or Deny directives or the client does not match any of the rules. If the client matches a Deny rule, it will be denied access unless it also matches an Allow rule, which will take precedence because Allow directives are evaluated last and have greater priority.
Listing 15.2 shows how to configure Apache to allow access to the /private location to clients coming from the internal network or the domain example.com and deny access to everyone else.
1: <Location /private> 2: Order Deny,Allow 3: Deny from all 4: Allow from 10.0.0.0/255.255.255.0 example.com 5: </Location>
Allow,Deny specifies that Allow directives are evaluated before Deny directives. With Allow,Deny, the client is denied access by default if there are no Allow or Deny directives or if the client does not match any of the rules. If the client matches an Allow rule, it will be granted access unless it also matches a Deny rule, which will take precedence.
Note that the presence of Order Allow,Deny without any Allow or Deny rules causes all requests to the specified resource to be denied because the default behavior is to deny access.
Listing 15.3 allows access to everyone except a specific host.
1: <Location /some/location/> 2: Order Allow,Deny 3: Allow from all 4: Deny from host.example.com 5: </Location>
In the case of Mutual-Failure, the host will be granted access only if it matches an Allow directive and does not match any Deny directive.