How Can We Help?

Rule-based Access Control for Apache

Table of Content

Apache provides a set of tools that allow administrators to manage server-provided access to specific resources. You can already know about authentication-based access controls, which allow visitors to authenticate the server before accessing resources.

The rule-based access control implemented by Apache allows you to determine which visitors have access to certain resources at a very granular level. You may build rules that block a specified set of IPs from your web server, or access a particular resource, or even just access a certain virtual host.

The most fundamental application of rule-based access control is to set firm limits on which resources are accessible through network link. The Web server refuses all users access to all files on the network in the default Apache configuration. Instead, Apache helps administrators to control unique tools.

Additional uses for such access rules include blocking unique IP ranges that have been responsible for malicious traffic and restricting "internal users" access to a specified resource or collection of resources, among a variety of other possibilities.

Additional uses for these access rules include blocking specific IP ranges that were responsible for malicious traffic and limiting access to a given resource or set of resources to "internal users" among a number of other options.

Examples of Rule Based Access Control

You may want to consult our Apache Configuration Structure Guide to see a number of examples of these directives in practice.

Here is an example of a basic rule:

Apache Configuration Directive

Order Deny,Allow
Deny from all
Allow from

To analyze this in simpler terms:

  • The regulation Order Deny, Allow inform the web server that "Deny" rules should be processed prior to Allow rules.
  • The Deny from all directives inform the web server that access to the provided resource should be denied to all users. First of all, this rule is processed.
  • The Allow from directive informs the web server that it will accept requests originating at IP address This is handled last, and reflects a derogation the Deny from all rule.

In short, access to the resource is denied to all hosts except for

Additional Access Control Rules

By changing and broadening the example above, you may define granular access control rules for your resources. The notes and suggestions below provide some insight into some of the more advanced features that such access control systems can provide.

Controlling Access for a Range of IPs

Apache allows this with the following syntax if you want to manage access for a number of IP addresses and not for a single address:

Apache Configuration Directive

Order Deny,Allow
Deny from all
Allow from 192.168
Allow from 10

The statements above provide for all addresses starting with 192.168 and 10. Such IP ranges are usually reserved for local networking, and are not adresses that can be routed publicly. If used, certain access control regulations can only permit traffic on the network from "local sources."

Here is an additional example of an access rule:

Apache Configuration Directive

Order Allow,Deny
Allow from all
Deny from 185.201.1

This rule requires access to the provided resource for all, and then refuses access to all IP addresses beginning with 185.201.1. That statement will include all traffic originating from the to IP address range.

Be very careful that these directives are placed in the proper sense when developing access control rules, especially those that use the Allow from all directives.

Advanced Access Control

Although IP address is by far the simplest way to use these access control rules to manage access, Apache offers a variety of additional methods.

Firstly, Apache allows administrators to require or deny access based on the requester's hostname. This forces Apache to look up the hostname running the request to do a reverse DNS (rDNS) lookup and then allow or refuse access based on that information. Consider the following example:

Apache Configuration Directive

Order Deny,Allow
Deny from all
Allow from

In this setup, Apache only allows requests from the machine with valid rDNS to access the resource.

Secondly, you can create access rules in the HTTP session around environment variables. This enables you to allow and deny access to resources on the basis of variables such as browser (user agent) and referrer. Take, for example, the following:

Apache Configuration Directive

SetEnvIf Referer search_traffic
Order Deny,Allow
Deny from all
Allow from env=search_traffic

This access control rule works with mod_setenvif of Apache. First, if a request reference matches the search_traffic environment variable is set. Next, all hosts are denied resource access. Finally, requests with the search_traffic environment variable set allow access to the resource. For more information on setting and using environment variables, please review the official Apache documentation for mod_setenvif.


Table of Contents