Blocking an IP range in Apache: what to write in httpd.conf

Source: Internet
Author: User

Allow directive
Description: Controls which hosts can access an area of the server
Syntax: Allow from all|host|env=env-variable [host|env=env-variable] ...
Context: directory, .htaccess
Override: Limit
Status: Base
Module: mod_access

The Allow directive affects which hosts can access an area of the server. Access can be controlled by hostname, IP address, IP address range, or by other characteristics of the client request captured in environment variables.

The first argument to this directive is always from. The subsequent arguments can take three different forms. If Allow from all is specified, all hosts are allowed access, subject to the configuration of the Deny and Order directives as discussed below. To allow only particular hosts or groups of hosts to access the server, the host can be specified in any of the following formats:

A (partial) domain name
Example: Allow from apache.org
Hosts whose names match, or end in, this string are allowed access. Only complete name components are matched, so the above example will match foo.apache.org but will not match fooapache.org. This configuration causes the server to perform a reverse DNS lookup on the client IP address, regardless of the setting of the HostnameLookups directive.
A full IP address
Example: Allow from 10.1.2.3
Allows access from a single IP address of a host.
A partial IP address
Example: Allow from 10.1
The first 1 to 3 bytes of an IP address, for subnet restriction.
A network/netmask pair
Example: Allow from 10.1.0.0/255.255.0.0
A network a.b.c.d and a netmask w.x.y.z, for more fine-grained subnet restriction.
A network/nnn CIDR specification
Example: Allow from 10.1.0.0/16
Similar to the previous case, except that the netmask consists of nnn high-order bits.
Note that the last three examples above match exactly the same set of hosts.

IPv6 addresses and IPv6 subnets can be specified as follows:

Allow from fe80::a00:20ff:fea7:ccea
Allow from fe80::a00:20ff:fea7:ccea/10

The third format of the arguments to the Allow directive allows access to the server to be controlled based on the existence of an environment variable. When Allow from env=env-variable is specified, the request is allowed access if the environment variable env-variable exists. Using the directives provided by mod_setenvif, the server can set environment variables in a flexible way based on characteristics of the client request. Therefore, this directive can be used to allow access based on such factors as the client's User-Agent (browser type), Referer, or other HTTP request header fields.

Example:
SetEnvIf User-Agent ^KnockKnock/2.0 let_me_in
<Directory /docroot>
Order Deny,Allow
Deny from all
Allow from env=let_me_in
</Directory>

In this case, browsers with a user-agent string beginning with KnockKnock/2.0 will be allowed access, and all others will be denied. The User-Agent header is set by the client, so this check filters requests; it does not authenticate them.

Deny directive
Description: Controls which hosts are denied access to the server
Syntax: Deny from all|host|env=env-variable [host|env=env-variable] ...
Context: directory, .htaccess
Override: Limit
Status: Base
Module: mod_access

This directive allows access to the server to be restricted based on hostname, IP address, or environment variables. The arguments for the Deny directive are identical to the arguments for the Allow directive.

Order directive
Description: Controls the default access state and the order in which the Allow and Deny directives are evaluated.
Syntax: Order ordering
Default: Order Deny,Allow
Context: directory, .htaccess
Override: Limit
Status: Base
Module: mod_access

The Order directive controls the default access state and the order in which the Allow and Deny directives are evaluated. Ordering is one of:

Deny,Allow
The Deny directives are evaluated before the Allow directives. Access is allowed by default. Any client that does not match a Deny directive or does match an Allow directive is allowed access to the server.
Allow,Deny
The Allow directives are evaluated before the Deny directives. Access is denied by default. Any client that does not match an Allow directive or does match a Deny directive is denied access to the server.
Mutual-failure
Only hosts that appear in the Allow list and do not appear in the Deny list are allowed access. This ordering has the same effect as Order Allow,Deny and is deprecated in favor of that configuration.
Keywords may only be separated by a comma. Note that in all cases every Allow and Deny statement is evaluated.

In the following example, all hosts in the apache.org domain are allowed access, and any other host access is denied.

Order Deny,Allow
Deny from all
Allow from apache.org

In the following example, all hosts in the apache.org domain are allowed access except for hosts that are included in the foo.apache.org subdomain. All hosts that are not in the apache.org domain are not allowed access because the default state is to deny access to the server.

Order Allow,Deny
Allow from apache.org
Deny from foo.apache.org

On the other hand, if the Order in the last example is changed to Deny,Allow, all hosts will be allowed access. This happens because, regardless of the actual ordering of the directives in the configuration file, Allow from apache.org is evaluated last and overrides Deny from foo.apache.org. All hosts that are not in the apache.org domain are also allowed access, because the default state changes to allow.
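The host formats and the two orderings described above can be checked with a small model of the rules. This is an added example, not code from Apache or from the original page; the function names and the 192.0.2.x client addresses are constructed for illustration, and the env= form is not modelled.

```python
import ipaddress

def host_matches(spec, ip, hostname=None):
    """True if the client matches one host argument of Allow/Deny (env= is not modelled)."""
    if spec.lower() == "all":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in spec:  # network/mask pair or network/nnn CIDR
        return addr in ipaddress.ip_network(spec, strict=False)
    try:
        return addr == ipaddress.ip_address(spec)  # full IPv4 or IPv6 address
    except ValueError:
        pass
    parts = spec.rstrip(".").split(".")
    if all(p.isdigit() for p in parts):  # partial IP: first 1 to 3 bytes
        return ip.split(".")[:len(parts)] == parts
    # (Partial) domain name: whole name components only, compared against
    # the reverse-DNS name of the client.
    name, suffix = (hostname or "").lower(), spec.lower().lstrip(".")
    return name == suffix or name.endswith("." + suffix)

def access_granted(order, allow, deny, ip, hostname=None):
    """Apply the Order rules to the Allow and Deny lists of one configuration section."""
    allowed = any(host_matches(s, ip, hostname) for s in allow)
    denied = any(host_matches(s, ip, hostname) for s in deny)
    order = order.lower()
    if order == "deny,allow":  # default allow; a matching Allow overrides Deny
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):  # default deny; Deny overrides Allow
        return allowed and not denied
    raise ValueError("unknown ordering: " + order)

def demo():
    """Constructed clients checked against the page's apache.org example."""
    allow, deny = ["apache.org"], ["foo.apache.org"]
    clients = [("192.0.2.10", "www.apache.org"), ("192.0.2.11", "a.foo.apache.org"),
               ("192.0.2.12", "example.com")]
    return {order: [access_granted(order, allow, deny, ip, name) for ip, name in clients]
            for order in ("Allow,Deny", "Deny,Allow")}

if __name__ == "__main__":
    print(demo())
```

With Allow from all and Deny from 10.1.0.0/16 under Order Allow,Deny (a constructed rule set for blocking one IP range), access_granted returns False for 10.1.2.3 and True for 10.2.0.1.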

Even in the absence of accompanying Allow and Deny directives, the presence of an Order directive can affect access to a part of the server because of its effect on the default access state. For example,

<Directory /www>
Order Allow,Deny
</Directory>

This will deny all access to the /www directory because the default access state is set to deny.

The Order directive controls the order of access directive processing only within each phase of the server's configuration processing. This implies, for example, that an Allow or Deny directive occurring in a <Location> section will always be evaluated after an Allow or Deny directive occurring in a <Directory> section or .htaccess file, regardless of the setting of the Order directive. For details on the merging of configuration sections, see the documentation on how Directory, Location and Files sections work.
