Apache provides a number of tools that allow administrators to control access to specific resources provided by servers. You may already be familiar with
authentication based access controls, which requires that visitors authenticate to the server before gaining access to resources.
Apache’s rule-based access control allows you to specify which visitors have access to which resources on a very granular level. You can create rules which block a given range of IPs from your web server, or from accessing a particular resource, or even simply from accessing a particular virtual host.
The most basic use of rule-based access control is to place firm limits on what resources are accessible over the network connection. In the default Apache configuration, the web server denies all users access to all files on the system. Then Apache permits administrators to allow access to specific resources.
Additional uses for these access rules include blocking particular IP ranges that have been responsible for malicious traffic and limiting access to a given resource or set of resources to “internal users,” among a number of other possibilities.
Controlling Access for a Range of IPs
If you want to control access for a range of IP addresses rather than for a single address, Apache permits this with the following syntax:
Apache Configuration Directive
Order Deny,Allow Deny from all Allow from 185.161 Allow from 10
The above statements allow all addresses that begin with
10. These IP ranges are typically reserved for Local networking and are not publicly routable addresses. If used, these access control rules will only allow traffic from “local sources” on the network.
Advanced Access Control
While IP address are by far the easiest way to control access using these access control rules, Apache provides a number of additional methods.
Firstly, Apache permits administrators to allow or deny access based on the hostname of the requester. This forces Apache to do a
reverse DNS (rDNS) lookup of the hostname performing the request, and then allow or deny access based on this information. Consider this example:
Apache Configuration File Order Deny,Allow Deny from all Allow from hostname.example.com
Apache only allows requests from the machine with valid rDNS of
hostname.example.com to access the resource in this configuration.
Secondly, it’s possible to build access rules around environment variables in the HTTP session. This allows you to allow and deny access to resources on the basis of variables such as browser (user agent) and referrer. Let us take the following example:
Apache Configuration File SetEnvIf Referer searchenginez.com search_traffic Order Deny,Allow Deny from all Allow from env=search_traffic
This access control rule works in conjunction with Apache’s
mod_setenvif. First, if a request’s referrer matches
searchenginez.com the environment variable
search_traffic is set. Next, all hosts are denied access to the resource. Finally, requests that have the environment variable search_traffic set are allowed access to the resource. Please consult the official Apache documentation for
mod_setenvif for more information about setting and using environment variables.