Rule-based Access Control for Apache
Apache provides a set of tools that allow administrators to manage server-provided access to specific resources. You can already know about authentication-based access controls, which allow visitors to authenticate the server before accessing resources.
The rule-based access control implemented by Apache allows you to determine which visitors have access to certain resources at a very granular level. You may build rules that block a specified set of IPs from your web server, or access a particular resource, or even just access a certain virtual host.
The most fundamental application of rule-based access control is to set firm limits on which resources are accessible through network link. The Web server refuses all users access to all files on the network in the default Apache configuration. Instead, Apache helps administrators to control unique tools.
Additional uses for such access rules include blocking unique IP ranges that have been responsible for malicious traffic and restricting "internal users" access to a specified resource or collection of resources, among a variety of other possibilities.
Additional uses for these access rules include blocking specific IP ranges that were responsible for malicious traffic and limiting access to a given resource or set of resources to "internal users" among a number of other options.
Examples of Rule Based Access Control
You may want to consult our Apache Configuration Structure Guide to see a number of examples of these directives in practice.
Here is an example of a basic rule:
Order Deny,Allow Deny from all Allow from 192.168.2.101
To analyze this in simpler terms:
- The regulation
Order Deny, Allowinform the web server that "Deny" rules should be processed prior to Allow rules. - The
Deny fromall directives inform the web server that access to the provided resource should be denied to all users. First of all, this rule is processed. - The
Allow fromdirective informs the web server that it will accept requests originating at IP address192.168.2.101. This is handled last, and reflects a derogation theDeny from allrule.
In short, access to the resource is denied to all hosts except for 192.168.2.101.
Additional Access Control Rules
By changing and broadening the example above, you may define granular access control rules for your resources. The notes and suggestions below provide some insight into some of the more advanced features that such access control systems can provide.
Controlling Access for a Range of IPs
Apache allows this with the following syntax if you want to manage access for a number of IP addresses and not for a single address:
Order Deny,Allow Deny from all Allow from 192.Allow from 10
The statements above provide for all addresses starting with 192.168 and 10. Such IP ranges are usually reserved for local networking, and are not adresses that can be routed publicly. If used, certain access control regulations can only permit traffic on the network from "local sources."
Here is an additional example of an access rule:
Order Allow,Deny Allow from all Deny from 185.201.1
This rule requires access to the provided resource for all, and then refuses access to all IP addresses beginning with 185.201.1. That statement will include all traffic originating from the 185.201.1.0 to 185.201.1.255 IP address range.
Be very careful that these directives are placed in the proper sense when developing access control rules, especially those that use the Allow from all directives.
Advanced Access Control
Although IP address is by far the simplest way to use these access control rules to manage access, Apache offers a variety of additional methods.
Firstly, Apache allows administrators to require or deny access based on the requester's hostname. This forces Apache to look up the hostname running the request to do a reverse DNS (rDNS) lookup and then allow or refuse access based on that information. Consider the following example:
Order Deny,Allow Deny from all Allow from hostname.abc.com
In this setup, Apache only allows requests from the hostname.abc.com machine with valid rDNS to access the resource.
Secondly, you can create access rules in the HTTP session around environment variables. This enables you to allow and deny access to resources on the basis of variables such as browser (user agent) and referrer. Take, for example, the following:
SetEnvIf Referer searchenginez.com search_traffic Order Deny,Allow Deny from all Allow from env=search_traffic
This access control rule works with mod_setenvif of Apache. First, if a request reference matches searchenginez.com the search_traffic environment variable is set. Next, all hosts are denied resource access. Finally, requests with the search_traffic environment variable set allow access to the resource. For more information on setting and using environment variables, please review the official Apache documentation for mod_setenvif.
Thankyou..