Rule-based Access Control for Apache

Apache provides a number of tools that allow administrators to control access to specific resources served by the web server. You may already be familiar with authentication-based access controls, which require visitors to authenticate to the server before gaining access to resources.

Apache’s rule-based access control lets you specify, at a very granular level, which visitors may access which resources. You can create rules that block a given range of IP addresses from the whole web server, from a particular resource, or only from a particular virtual host.

The most basic use of rule-based access control is to place firm limits on which resources are reachable over the network. In the default Apache configuration, the web server denies all users access to all files on the system; administrators then explicitly allow access to specific resources.

Additional uses for these access rules include blocking particular IP ranges that have been responsible for malicious traffic and limiting access to a given resource or set of resources to “internal users,” among a number of other possibilities.

Controlling Access for a Range of IPs

If you want to control access for a range of IP addresses rather than for a single address, Apache permits this with the following syntax:

Apache Configuration Directive

Order Deny,Allow
Deny from all
Allow from 185.161
Allow from 10

The statements above first deny everyone and then allow any address that begins with 185.161 or 10. These IP ranges are typically reserved for local networking and are not publicly routable addresses. If used, these access control rules will only allow traffic from “local sources” on the network.

Advanced Access Control

While IP addresses are by far the easiest way to control access with these rules, Apache provides a number of additional methods.

Firstly, Apache permits administrators to allow or deny access based on the hostname of the requester. This forces Apache to perform a reverse DNS (rDNS) lookup on the requesting address and then allow or deny access based on the resulting hostname. Consider this example:

Apache Configuration File
Order Deny,Allow
Deny from all
Allow from hostname.example.com

With this configuration, Apache only allows requests from a machine whose rDNS resolves to hostname.example.com to access the resource.

Secondly, it’s possible to build access rules around environment variables set during the HTTP request. This lets you allow or deny access to resources based on request attributes such as the browser (User-Agent) and the referrer. Consider the following example:

Apache Configuration File
SetEnvIf Referer searchenginez.com search_traffic
Order Deny,Allow
Deny from all
Allow from env=search_traffic

This access control rule works in conjunction with Apache’s mod_setenvif. First, if a request’s referrer matches searchenginez.com the environment variable search_traffic is set. Next, all hosts are denied access to the resource. Finally, requests that have the environment variable search_traffic set are allowed access to the resource. Please consult the official Apache documentation for mod_setenvif for more information about setting and using environment variables.
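The three configurations above (IP range, hostname and environment variable) all rely on the same Order/Deny/Allow evaluation. The following Python model is an added example, not Apache's own code: it reproduces that evaluation for a single request, including the partial-address matching used by `Allow from 10`, a minimal `SetEnvIf`, and the point that with `Order Deny,Allow` a request matching neither list is admitted, which is why `Deny from all` is present in every snippet. The request dictionary (`ip`, `rdns`, `env`) is a constructed stand-in for what Apache knows about a connection.

```python
import re
import ipaddress

# Added example, not Apache's own code: a small model of how the
# Order / Deny / Allow directives on this page decide one request.

def address_matches(spec, client_ip):
    """'all', a CIDR block, or a partial dotted address such as '10' or '185.161'."""
    if spec == "all":
        return True
    if "/" in spec:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    # Partial addresses match whole leading octets: '185.161' must not match 185.16.x.x.
    return client_ip.split(".")[: len(octets)] == octets

def spec_matches(spec, request):
    """request: dict with 'ip', optional 'rdns' (verified reverse name) and 'env' (set)."""
    if spec.startswith("env="):
        return spec[len("env="):] in request.get("env", set())
    if spec == "all" or spec[0].isdigit():
        return address_matches(spec, request["ip"])
    name = request.get("rdns", "")          # empty when reverse lookup does not verify
    return name == spec or name.endswith("." + spec)

def set_env_if(headers, header_name, pattern, var_name, env):
    """Minimal SetEnvIf: add var_name to env when the header value matches the regex."""
    if re.search(pattern, headers.get(header_name, "")):
        env.add(var_name)
    return env

def access_allowed(order, deny, allow, request):
    """Apply an Order mode to lists of Deny and Allow specs; True means admitted."""
    denied = any(spec_matches(s, request) for s in deny)
    allowed = any(spec_matches(s, request) for s in allow)
    if order == "Deny,Allow":
        # Deny is checked first, a matching Allow overrides it, and a request that
        # matches neither list is ADMITTED. Without 'Deny from all' the page's
        # rules would let every client through.
        return allowed or not denied
    if order == "Allow,Deny":
        # Allow first, a matching Deny overrides it, unmatched requests are refused.
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")
```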
