Book: Fedora™ Unleashed, 2008 edition

Restricting Access with allow and deny

One of the simplest ways to limit access to website material is to restrict access to a specific group of users, based on IP addresses or hostnames. Apache uses the allow and deny directives to accomplish this.

Both directives take an address expression as a parameter. The following list provides the possible values and use of the address expression:

- all, which matches every host.

- A hostname or domain name, which can be either a partially or a fully qualified domain name; for example, test.gnulix.org or gnulix.org.

- An IP address, which can be either full or partial; for example, 212.85.67 or 212.85.67.66.

- A network/netmask pair, such as 212.85.67.0/255.255.255.0.

- A network address specified in classless inter-domain routing (CIDR) format; for example, 212.85.67.0/24. This is the CIDR notation for the same network and netmask that were used in the previous example.

If you have the choice, it's preferable to base your access control on IP addresses rather than hostnames. Doing so results in faster performance because no name lookup is necessary — the IP address of the client is included with each request.

You also can use allow and deny to provide or deny access to website material based on the presence or absence of a specific environment variable. For example, the following statement denies access to a request with a context that contains an environment variable named NOACCESS:

deny from env=NOACCESS

The default behavior of Apache is to apply all the deny directives first and then check the allow directives. If you want to change this order, you can use the Order directive, which accepts three values:

Order deny,allow — The deny directives are evaluated before the allow directives. If a host isn't specifically denied access, it is allowed to access the resource. This is the default ordering if nothing else is specified.

Order allow,deny — All allow directives are evaluated before deny directives. If a host isn't specifically allowed access, it is denied access to the resource.

Order mutual-failure — Only hosts that are specified in an allow directive and at the same time do not appear in a deny directive are allowed access. If a host doesn't appear in either directive, it is not granted access.

Consider this example. Suppose that you want to allow only clients from within your own domain to access the server-status resource on your web server. If your domain were named gnulix.org, you could add these lines to your configuration file:

<Location /server-status>
 SetHandler server-status
 Order deny,allow
 Deny from all
 Allow from gnulix.org
</Location>
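The following is an added example, not code from the book or from Apache itself: a small Python evaluator that mimics how Apache 2.2 decides access from the Order, Allow and Deny lines, using the address expressions listed earlier (all, hostname or domain suffix, partial or full IP, network/netmask, CIDR, env=VARIABLE) and then applying each of the three Order values. It handles IPv4 only, and it takes the client's hostname as given rather than performing the reverse DNS lookup Apache would do. All function names and the sample clients are my own constructions; the Allow/Deny lines in server_status_example are the ones from the <Location /server-status> block above.

```python
"""Added example: evaluate Apache 2.2 Order/Allow/Deny semantics offline.

Not Apache's own code; names and sample clients are constructed for illustration.
"""
import ipaddress


def _ip_match(expr, client_ip):
    """Match an IP-based address expression (IPv4 only) against a client IP."""
    addr = ipaddress.ip_address(client_ip)
    if "/" in expr:
        net, mask = expr.split("/", 1)
        if "." in mask:
            # network/netmask form, e.g. 212.85.67.0/255.255.255.0
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        else:
            # CIDR form, e.g. 212.85.67.0/24
            network = ipaddress.ip_network(expr, strict=False)
        return addr in network
    # Full or partial dotted IP: a partial address matches on its leading octets.
    octets = expr.split(".")
    return client_ip.split(".")[:len(octets)] == octets


def address_matches(expr, client):
    """Return True if one Allow/Deny argument matches the client.

    expr   : 'all', 'gnulix.org', '212.85.67', '212.85.67.0/24', 'env=NOACCESS', ...
    client : dict with 'ip', optional 'host' (resolved name), optional 'env' (set of names)
    """
    if expr.startswith("env="):
        # Environment variable names are case-sensitive; compare them as written.
        return expr[4:] in client.get("env", set())
    expr = expr.lower()
    if expr == "all":
        return True
    if expr[0].isdigit():
        return _ip_match(expr, client["ip"])
    # Hostname or domain: exact name, or a suffix match on a full label boundary.
    host = client.get("host", "").lower()
    return host == expr or host.endswith("." + expr)


def decide(order, allow, deny, client):
    """Apply the Order directive to lists of Allow and Deny arguments.

    deny,allow     : default allow; Deny evaluated first, a matching Allow overrides it
    allow,deny     : default deny;  Allow evaluated first, a matching Deny overrides it
    mutual-failure : allowed only if matched by Allow and not by Deny (the Apache 2.2
                     docs treat this as equivalent to allow,deny)
    Returns True if the request is permitted.
    """
    allowed = any(address_matches(e, client) for e in allow)
    denied = any(address_matches(e, client) for e in deny)
    if order == "deny,allow":
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        return allowed and not denied
    raise ValueError(f"unknown Order value: {order}")


def server_status_example():
    """The book's <Location /server-status> block, evaluated for two constructed clients."""
    order, deny, allow = "deny,allow", ["all"], ["gnulix.org"]
    inside = {"ip": "212.85.67.66", "host": "test.gnulix.org"}   # constructed sample
    outside = {"ip": "198.51.100.7", "host": "host.example.net"}  # constructed sample
    return decide(order, allow, deny, inside), decide(order, allow, deny, outside)


def order_comparison(client):
    """Same Allow/Deny lines under every Order value, to show how only Order changes
    the outcome for a host matched by both lists or by neither."""
    allow, deny = ["212.85.67"], ["212.85.67.66"]
    return {o: decide(o, allow, deny, client)
            for o in ("deny,allow", "allow,deny", "mutual-failure")}


if __name__ == "__main__":
    print("server-status:", server_status_example())            # (True, False)
    print("in both lists:", order_comparison({"ip": "212.85.67.66"}))
    print("in neither:  ", order_comparison({"ip": "10.0.0.1"}))
```

The order_comparison results are the practical point of the Order section: a host that appears in neither list is admitted under deny,allow but refused under allow,deny, so a Deny-from-all with selective Allow lines (as in the server-status block) and an Allow-from-all with selective Deny lines need opposite Order values to do what the administrator intends.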
