fa43fb19389da6eb222a2a1377943a96d55869e3Christian Maeder<!DOCTYPE manualpage SYSTEM "/style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements. See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License. You may obtain a copy of the License at
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
<parentdocument href="./">How-To / Tutorials</parentdocument>
 <p>Access control refers to any means of controlling access to any
 resource. This is separate from <a
 href="auth.html">authentication and authorization</a>.</p>
<section id="related"><title>Related Modules and Directives</title>
 <p>Access control can be done by several different modules. The most
 important of these are <module>mod_authz_core</module> and
 <module>mod_authz_host</module>. Also discussed in this document
 is access control using <module>mod_rewrite</module>.</p>
<section id="host"><title>Access control by host</title>
 If you wish to restrict access to portions of your site based on the
 host address of your visitors, this is most easily done using
 <p>The <directive module="mod_authz_core">Require</directive>
 provides a variety of different ways to allow or deny access to
 resources. In conjunction with the <directive
 module="mod_authz_core">RequireAll</directive>, <directive
 module="mod_authz_core">RequireAny</directive>, and <directive
 module="mod_authz_core">RequireNone</directive> directives, these
 requirements may be combined in arbitrarily complex ways, to enforce
 whatever your access policy happens to be.</p>
 The <directive module="mod_access_compat">Allow</directive>,
 <directive module="mod_access_compat">Deny</directive>, and
 <directive module="mod_access_compat">Order</directive> directives,
 provided by <module>mod_access_compat</module>, are deprecated and
 will go away in a future version. You should avoid using them, and
 avoid outdated tutorials recommending their use.
Require host address
 <p>In the first form, <var>address</var> is a fully qualified
 domain name (or a partial domain name); you may provide multiple
 addresses or domain names, if desired.</p>
 <p>In the second form, <var>ip.address</var> is an IP address, a
 partial IP address, a network/netmask pair, or a network/nnn CIDR
 specification. Either IPv4 or IPv6 addresses may be used.</p>
 <p>See <a href="/mod/mod_authz_host.html#requiredirectives">the
 mod_authz_host documentation</a> for further examples of this
 <p>You can insert <code>not</code> to negate a particular requirement.
 Note that, since a <code>not</code> is a negation of a value, it cannot
 be used by itself to allow or deny a request, as <em>not true</em>
 does not constitute <em>false</em>. Thus, to deny a visit using a negation,
 the block must have one element that evaluates as true or false.
 For example, if you have someone spamming your message
 board, and you want to keep them out, you could do the
 following:</p>
<RequireAll>
    Require all granted
    Require not ip 10.252.46.165
</RequireAll>
 <p>Visitors coming from that address (<code>10.252.46.165</code>)
 will not be able to see the content covered by this directive. If,
 instead, you have a machine name, rather than an IP address, you
 can use that.</p>
Require not host <var>host.example.com</var>
 <p>And, if you'd like to block access from an entire domain,
 you can specify just part of an address or domain name:</p>
Require not ip 192.168.205
Require not host phishers.example.com moreidiots.example
Require not host gov
 module="mod_authz_core">RequireAll</directive>, <directive
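 <p>The following configuration is an added example, not part of the
 original manual page. It sets the deprecated <code>Order</code>/<code>Deny</code>/<code>Allow</code>
 form beside its <code>Require</code> equivalent, then combines host and IP
 requirements, including negated ones, inside the container directives.
 The directory paths, <code>ops.example.com</code>, the IPv6 range and the
 address <code>192.168.205.77</code> are illustrative assumptions.</p>

```apache
# Deprecated mod_access_compat form, shown for comparison only:
#   <Directory "/var/www/example/admin">
#       Order deny,allow
#       Deny from all
#       Allow from 192.168.205
#       Allow from ops.example.com
#   </Directory>

# Same policy with mod_authz_core / mod_authz_host.
<Directory "/var/www/example/admin">
    # Require lines that are not inside a container are implicitly
    # wrapped in <RequireAny>; it is written out here for clarity.
    <RequireAny>
        Require ip 192.168.205
        # "Require host" performs a double reverse DNS lookup on the
        # client address; prefer "Require ip" where the range is known.
        Require host ops.example.com
    </RequireAny>
</Directory>

# Open to everyone except one address and one domain. The negated
# lines can only veto, so "Require all granted" supplies the positive
# result that <RequireAll> needs in order to authorize anyone.
<Directory "/var/www/example/board">
    <RequireAll>
        Require all granted
        Require not ip 10.252.46.165
        Require not host phishers.example.com
    </RequireAll>
</Directory>

# Nested containers: either internal range is accepted, but never the
# quarantined host. <RequireNone> can fail or stay neutral; it never
# authorizes a request by itself.
<Directory "/var/www/example/reports">
    <RequireAll>
        <RequireAny>
            Require ip 192.168.205.0/24
            Require ip 2001:db8::/32
        </RequireAny>
        <RequireNone>
            Require ip 192.168.205.77
        </RequireNone>
    </RequireAll>
</Directory>
```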