Apache provides a set of tools that allow administrators to manage server-provided access to specific resources. You can already know about authentication-based access controls, which allow visitors to authenticate the server before accessing resources.
The rule-based access control implemented by Apache allows you to determine which visitors have access to certain resources at a very granular level. You may build rules that block a specified set of IPs from your web server, or access a particular resource, or even just access a certain virtual host.
The most fundamental application of rule-based access control is to set firm limits on which resources are accessible through network link. The Web server refuses all users access to all files on the network in the default Apache configuration. Instead, Apache helps administrators to control unique tools.
Additional uses for such access rules include blocking unique IP ranges that have been responsible for malicious traffic and restricting “internal users” access to a specified resource or collection of resources, among a variety of other possibilities.
Additional uses for these access rules include blocking specific IP ranges that were responsible for malicious traffic and limiting access to a given resource or set of resources to “internal users” among a number of other options.
Examples of Rule Based Access Control
You may want to consult our Apache Configuration Structure Guide to see a number of examples of these directives in practice.
Here is an example of a basic rule:
To analyze this in simpler terms:
- The regulation
Order Deny, Allowinform the web server that “Deny” rules should be processed prior to Allow rules.
Deny fromall directives inform the web server that access to the provided resource should be denied to all users. First of all, this rule is processed.
Allow fromdirective informs the web server that it will accept requests originating at IP address
192.168.2.101. This is handled last, and reflects a derogation the
Deny from allrule.
In short, access to the resource is denied to all hosts except for
Additional Access Control Rules
By changing and broadening the example above, you may define granular access control rules for your resources. The notes and suggestions below provide some insight into some of the more advanced features that such access control systems can provide.
Controlling Access for a Range of IPs
Apache allows this with the following syntax if you want to manage access for a number of IP addresses and not for a single address:
The statements above provide for all addresses starting with
10. Such IP ranges are usually reserved for local networking, and are not adresses that can be routed publicly. If used, certain access control regulations can only permit traffic on the network from “local sources.”
Here is an additional example of an access rule:
This rule requires access to the provided resource for all, and then refuses access to all IP addresses beginning with
185.201.1. That statement will include all traffic originating from the
220.127.116.11 IP address range.
Be very careful that these directives are placed in the proper sense when developing access control rules, especially those that use the Allow from all directives.
Advanced Access Control
Although IP address is by far the simplest way to use these access control rules to manage access, Apache offers a variety of additional methods.
Firstly, Apache allows administrators to require or deny access based on the requester’s hostname. This forces Apache to look up the hostname running the request to do a reverse DNS (rDNS) lookup and then allow or refuse access based on that information. Consider the following example:
In this setup, Apache only allows requests from the
hostname.abc.com machine with valid rDNS to access the resource.
Secondly, you can create access rules in the HTTP session around environment variables. This enables you to allow and deny access to resources on the basis of variables such as browser (user agent) and referrer. Take, for example, the following:
This access control rule works with
mod_setenvif of Apache. First, if a request reference matches
search_traffic environment variable is set. Next, all hosts are denied resource access. Finally, requests with the
search_traffic environment variable set allow access to the resource. For more information on setting and using environment variables, please review the official Apache documentation for mod_setenvif.