1<?xml version="1.0" encoding="ISO-8859-1"?> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 3<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 This file is generated from xml source: DO NOT EDIT 6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 --> 8<title>Access Control - Apache HTTP Server</title> 9<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> 10<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> 11<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" /> 12<script src="/style/scripts/prettify.min.js" type="text/javascript"> 13</script> 14 15<link href="/images/favicon.ico" rel="shortcut icon" /></head> 16<body id="manual-page"><div id="page-header"> 17<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p> 18<p class="apache">Apache HTTP Server Version 2.4</p> 19<img alt="" src="/images/feather.gif" /></div> 20<div class="up"><a href="./"><img title="<-" alt="<-" src="/images/left.gif" /></a></div> 21<div id="path"> 22<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.4</a> > <a href="./">How-To / Tutorials</a></div><div id="page-content"><div id="preamble"><h1>Access Control</h1> 23<div class="toplang"> 24<p><span>Available Languages: </span><a href="/en/howto/access.html" title="English"> en </a> | 25<a href="/fr/howto/access.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p> 26</div> 27 28 <p>Access control refers to any means of controlling access to any 29 resource. This is separate from <a href="auth.html">authentication and authorization</a>.</p> 30</div> 31<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#related">Related Modules and Directives</a></li> 32<li><img alt="" src="/images/down.gif" /> <a href="#host">Access control by host</a></li> 33<li><img alt="" src="/images/down.gif" /> <a href="#env">Access control by arbitrary variables</a></li> 34<li><img alt="" src="/images/down.gif" /> <a href="#rewrite">Access control with mod_rewrite</a></li> 35<li><img alt="" src="/images/down.gif" /> <a href="#moreinformation">More information</a></li> 36</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div> 37<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 38<div class="section"> 39<h2><a name="related" id="related">Related Modules and Directives</a></h2> 40 41 <p>Access control can be done by several different modules. The most 42 important of these are <code class="module"><a href="/mod/mod_authz_core.html">mod_authz_core</a></code> and 43 <code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code>. Also discussed in this document 44 is access control using <code class="module"><a href="/mod/mod_rewrite.html">mod_rewrite</a></code>.</p> 45 46</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 47<div class="section"> 48<h2><a name="host" id="host">Access control by host</a></h2> 49 <p> 50 If you wish to restrict access to portions of your site based on the 51 host address of your visitors, this is most easily done using 52 <code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code>. 53 </p> 54 55 <p>The <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> 56 provides a variety of different ways to allow or deny access to 57 resources. In conjunction with the <code class="directive"><a href="/mod/mod_authz_core.html#requireall">RequireAll</a></code>, <code class="directive"><a href="/mod/mod_authz_core.html#requireany">RequireAny</a></code>, and <code class="directive"><a href="/mod/mod_authz_core.html#requirenone">RequireNone</a></code> directives, these 58 requirements may be combined in arbitrarily complex ways, to enforce 59 whatever your access policy happens to be.</p> 60 61 <div class="warning"><p> 62 The <code class="directive"><a href="/mod/mod_access_compat.html#allow">Allow</a></code>, 63 <code class="directive"><a href="/mod/mod_access_compat.html#deny">Deny</a></code>, and 64 <code class="directive"><a href="/mod/mod_access_compat.html#order">Order</a></code> directives, 65 provided by <code class="module"><a href="/mod/mod_access_compat.html">mod_access_compat</a></code>, are deprecated and 66 will go away in a future version. You should avoid using them, and 67 avoid outdated tutorials recommending their use. 68 </p></div> 69 70 <p>The usage of these directives is:</p> 71 72 <pre class="prettyprint lang-config">Require host address 73Require ip ip.address</pre> 74 75 76 <p>In the first form, <var>address</var> is a fully qualified 77 domain name (or a partial domain name); you may provide multiple 78 addresses or domain names, if desired.</p> 79 80 <p>In the second form, <var>ip.address</var> is an IP address, a 81 partial IP address, a network/netmask pair, or a network/nnn CIDR 82 specification. Either IPv4 or IPv6 addresses may be used.</p> 83 84 <p>See <a href="/mod/mod_authz_host.html#requiredirectives">the 85 mod_authz_host documentation</a> for further examples of this 86 syntax.</p> 87 88 <p>You can insert <code>not</code> to negate a particular requirement. 89 Note, that since a <code>not</code> is a negation of a value, it cannot 90 be used by itself to allow or deny a request, as <em>not true</em> 91 does not constitute <em>false</em>. Thus, to deny a visit using a negation, 92 the block must have one element that evaluates as true or false. 93 For example, if you have someone spamming your message 94 board, and you want to keep them out, you could do the 95 following:</p> 96 97 <pre class="prettyprint lang-config"><RequireAll> 98 Require all granted 99 Require not ip 10.252.46.165 100</RequireAll></pre> 101 102 103 <p>Visitors coming from that address (<code>10.252.46.165</code>) 104 will not be able to see the content covered by this directive. If, 105 instead, you have a machine name, rather than an IP address, you 106 can use that.</p> 107 108 <pre class="prettyprint lang-config">Require not host <var>host.example.com</var></pre> 109 110 111 <p>And, if you'd like to block access from an entire domain, 112 you can specify just part of an address or domain name:</p> 113 114 <pre class="prettyprint lang-config">Require not ip 192.168.205 115Require not host phishers.example.com moreidiots.example 116Require not host gov</pre> 117 118 119 <p>Use of the <code class="directive"><a href="/mod/mod_authz_core.html#requireall">RequireAll</a></code>, <code class="directive"><a href="/mod/mod_authz_core.html#requireany">RequireAny</a></code>, and <code class="directive"><a href="/mod/mod_authz_core.html#requirenone">RequireNone</a></code> directives may be 120 used to enforce more complex sets of requirements.</p> 121 122</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 123<div class="section"> 124<h2><a name="env" id="env">Access control by arbitrary variables</a></h2> 125 126 <p>Using the <code class="directive"><a href="/mod/core.html#if"><If></a></code>, 127 you can allow or deny access based on arbitrary environment 128 variables or request header values. For example, to deny access 129 based on user-agent (the browser type) you might do the 130 following:</p> 131 132 <pre class="prettyprint lang-config"><If "%{HTTP_USER_AGENT} == 'BadBot'"> 133 Require All Denied 134</If></pre> 135 136 137 <div class="note"><h3>Warning:</h3> 138 <p>Access control by <code>User-Agent</code> is an unreliable technique, 139 since the <code>User-Agent</code> header can be set to anything at all, 140 at the whim of the end user.</p> 141 </div> 142 143 <p>See <a href="/expr.html">the expressions document</a> for a 144 further discussion of what expression syntaxes and variables are 145 available to you.</p> 146 147</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 148<div class="section"> 149<h2><a name="rewrite" id="rewrite">Access control with mod_rewrite</a></h2> 150 151 <p>The <code>[F]</code> <code class="directive"><a href="/mod/mod_rewrite.html#rewriterule">RewriteRule</a></code> flag causes a 403 Forbidden 152 response to be sent. Using this, you can deny access to a resource based 153 on arbitrary criteria.</p> 154 155 <p>For example, if you wish to block access to a resource between 8pm 156 and 6am, you can do this using <code class="module"><a href="/mod/mod_rewrite.html">mod_rewrite</a></code>.</p> 157 158 <pre class="prettyprint lang-config">RewriteEngine On 159RewriteCond %{TIME_HOUR} >=20 [OR] 160RewriteCond %{TIME_HOUR} <07 161RewriteRule ^/fridge - [F]</pre> 162 163 164 <p>This will return a 403 Forbidden response for any request after 8pm 165 or before 7am. This technique can be used for any criteria that you wish 166 to check. You can also redirect, or otherwise rewrite these requests, if 167 that approach is preferred.</p> 168 169 <p>The <code class="directive"><a href="/mod/core.html#if"><If></a></code> directive, 170 added in 2.4, replaces many things that <code class="module"><a href="/mod/mod_rewrite.html">mod_rewrite</a></code> has 171 traditionally been used to do, and you should probably look there first 172 before resorting to mod_rewrite.</p> 173 174</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 175<div class="section"> 176<h2><a name="moreinformation" id="moreinformation">More information</a></h2> 177 178 <p>The <a href="/expr.html">expression engine</a> gives you a 179 great deal of power to do a variety of things based on arbitrary 180 server variables, and you should consult that document for more 181 detail.</p> 182 183 <p>Also, you should read the <code class="module"><a href="/mod/mod_authz_core.html">mod_authz_core</a></code> 184 documentation for examples of combining multiple access requirements 185 and specifying how they interact.</p> 186 187 <p>See also the <a href="auth.html">Authentication and Authorization</a> 188 howto.</p> 189</div></div> 190<div class="bottomlang"> 191<p><span>Available Languages: </span><a href="/en/howto/access.html" title="English"> en </a> | 192<a href="/fr/howto/access.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p> 193</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> 194<script type="text/javascript"><!--//--><![CDATA[//><!-- 195var comments_shortname = 'httpd'; 196var comments_identifier = 'http://httpd.apache.org/docs/2.4/howto/access.html'; 197(function(w, d) { 198 if (w.location.hostname.toLowerCase() == "httpd.apache.org") { 199 d.write('<div id="comments_thread"><\/div>'); 200 var s = d.createElement('script'); 201 s.type = 'text/javascript'; 202 s.async = true; 203 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier; 204 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s); 205 } 206 else { 207 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>'); 208 } 209})(window, document); 210//--><!]]></script></div><div id="footer"> 211<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> 212<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- 213if (typeof(prettyPrint) !== 'undefined') { 214 prettyPrint(); 215} 216//--><!]]></script> 217</body></html>