Using Apache for Access Control
The mod_access module, enabled by default, allows you to restrict access to resources based on parameters of the client request, such as the presence of a specific header or the IP address or hostname of the client.
Implementing Access Rules
Allow/Deny Access by IP Addresses
Allow from 10.0.0.1 10.0.0.2 10.0.0.3
You can also specify IP address ranges with a partial IP address or a network/mask pair. Additionally, you can specify the first one, two, or three bytes of an IP address. Any IP address beginning with those bytes will match this rule. For example, the rule
Deny from 10.0
will match any address starting with 10.0, such as 10.0.1.0 and 10.0.0.1.
Allow from 10.0.0.0/255.255.255.0
will match IP addresses 10.0.0.1, 10.0.0.2, and so on, to 10.0.0.254.
You can also specify the network mask via high-order bits. For example, you could write the previous rule as
Allow from 10.0.0.0/24
Allow/Deny Access by Domain Name
Allow/Deny Access Based on Environment Variables
You can specify access rules based on the presence of a certain environment variable by prefixing the name of the variable with the string env=. You can use this feature to grant or deny access to certain browsers or browser versions, to prevent specific sites from linking to your resources, and so on. For this example to work as intended, the client needs to transmit the User-Agent header.
BrowserMatch MSIE iexplorer
Deny from env=iexplorer
Because the User-Agent header is supplied by the client, it can be omitted or manipulated, but most users will not do so and this technique will work in most cases.
Allow/Deny Access to All Clients
Evaluating Access Rules
You can have several Allow and Deny access rules. You can choose the order in which the rules are evaluated by using the Order directive. Rules that are evaluated later have higher precedence. Order accepts one argument, which can be Deny,Allow, Allow,Deny, or Mutual-Failure. Deny,Allow is the default value for the Order directive. Note that there is no space in the value.
Deny,Allow specifies that Deny directives are evaluated before Allow directives. With Deny,Allow, the client is granted access by default if there are no Allow or Deny directives or the client does not match any of the rules. If the client matches a Deny rule, it will be denied access unless it also matches an Allow rule, which will take precedence because Allow directives are evaluated last and have greater priority.
Listing 24.2 shows how to configure Apache to allow access to the /private location to clients coming from the internal network or the domain example.com and deny access to everyone else.
Listing 24.2. Sample Deny,Allow Access Control Configuration
<Location /private>
    Order Deny,Allow
    Deny from all
    Allow from 10.0.0.0/255.255.255.0 example.com
</Location>
Allow,Deny specifies that Allow directives are evaluated before Deny directives. With Allow,Deny, the client is denied access by default if there are no Allow or Deny directives or if the client does not match any of the rules. If the client matches an Allow rule, it will be granted access unless it also matches a Deny rule, which will take precedence.
Note that the presence of Order Allow,Deny without any Allow or Deny rules causes all requests to the specified resource to be denied because the default behavior is to deny access.
Listing 24.3 allows access to everyone except a specific host.
Listing 24.3. Sample Allow,Deny Access Control Configuration
<Location /some/location/>
    Order Allow,Deny
    Allow from all
    Deny from host.example.com
</Location>
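To make the Order semantics concrete, the following added example (not from the book or from Apache itself) models how mod_access combines Allow and Deny rules and checks Listings 24.2 and 24.3, plus the empty Allow,Deny edge case, against constructed client addresses. The policy tuples, the check() helper and the sample hostnames are assumptions for illustration only.

```python
import ipaddress

def _match(rule, client_ip, client_host):
    """Return True if one Allow/Deny argument matches the client."""
    if rule == "all":
        return True
    if "/" in rule:  # network/mask pair (10.0.0.0/255.255.255.0) or CIDR (10.0.0.0/24)
        net, mask = rule.split("/", 1)
        if "." in mask:  # dotted netmask: convert to a prefix length
            mask = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
        return client_ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if rule.replace(".", "").isdigit():  # full or partial address: 10.0 matches 10.0.x.x
        octets = rule.split(".")
        return str(client_ip).split(".")[:len(octets)] == octets
    # domain name: the host itself or any host under that domain
    return client_host is not None and (
        client_host == rule or client_host.endswith("." + rule))

def evaluate(order, allow, deny, client_ip, client_host=None):
    """Apply Apache's Order semantics; True means the client is granted access."""
    ip = ipaddress.ip_address(client_ip)
    allowed = any(_match(r, ip, client_host) for r in allow)
    denied = any(_match(r, ip, client_host) for r in deny)
    if order == "Deny,Allow":
        # default allow; Allow is evaluated last, so a matching Allow overrides Deny
        return allowed or not denied
    if order in ("Allow,Deny", "Mutual-Failure"):
        # default deny; Deny is evaluated last, so a matching Deny overrides Allow
        return allowed and not denied
    raise ValueError(f"unknown Order value: {order}")

# Constructed policies: (Order, Allow arguments, Deny arguments)
PRIVATE = ("Deny,Allow", ["10.0.0.0/255.255.255.0", "example.com"], ["all"])  # Listing 24.2
SOME = ("Allow,Deny", ["all"], ["host.example.com"])                            # Listing 24.3
EMPTY = ("Allow,Deny", [], [])  # Order Allow,Deny with no rules: everyone is denied

def check(policy, client_ip, client_host=None):
    order, allow, deny = policy
    return evaluate(order, allow, deny, client_ip, client_host)

if __name__ == "__main__":
    print(check(PRIVATE, "10.0.0.17"))                     # internal network -> True
    print(check(PRIVATE, "192.0.2.5", "www.example.com"))  # domain match -> True
    print(check(PRIVATE, "192.0.2.5"))                     # matches Deny from all -> False
    print(check(SOME, "192.0.2.5", "host.example.com"))    # Deny overrides Allow -> False
    print(check(EMPTY, "10.0.0.1"))                        # no rules, default deny -> False
```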