1<?xml version="1.0" encoding="ISO-8859-1"?> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 3<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 This file is generated from xml source: DO NOT EDIT 6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 --> 8<title>mod_authz_host - Apache HTTP Server</title> 9<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> 10<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> 11<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" /> 12<script src="/style/scripts/prettify.min.js" type="text/javascript"> 13</script> 14 15<link href="/images/favicon.ico" rel="shortcut icon" /></head> 16<body> 17<div id="page-header"> 18<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p> 19<p class="apache">Apache HTTP Server Version 2.4</p> 20<img alt="" src="/images/feather.gif" /></div> 21<div class="up"><a href="./"><img title="<-" alt="<-" src="/images/left.gif" /></a></div> 22<div id="path"> 23<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.4</a> > <a href="./">Modules</a></div> 24<div id="page-content"> 25<div id="preamble"><h1>Apache Module mod_authz_host</h1> 26<div class="toplang"> 27<p><span>Available Languages: </span><a href="/en/mod/mod_authz_host.html" title="English"> en </a> | 28<a href="/fr/mod/mod_authz_host.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p> 29</div> 30<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Group authorizations based on host (name or IP 31address)</td></tr> 32<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr> 33<tr><th><a href="module-dict.html#ModuleIdentifier">Module�Identifier:</a></th><td>authz_host_module</td></tr> 34<tr><th><a href="module-dict.html#SourceFile">Source�File:</a></th><td>mod_authz_host.c</td></tr> 35<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and later</td></tr></table> 36<h3>Summary</h3> 37 38 <p>The authorization providers implemented by <code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code> are 39 registered using the <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> 40 directive. The directive can be referenced within a 41 <code class="directive"><a href="/mod/core.html#directory"><Directory></a></code>, 42 <code class="directive"><a href="/mod/core.html#files"><Files></a></code>, 43 or <code class="directive"><a href="/mod/core.html#location"><Location></a></code> section 44 as well as <code><a href="core.html#accessfilename">.htaccess</a> 45 </code> files to control access to particular parts of the server. 46 Access can be controlled based on the client hostname or IP address.</p> 47 48 <p>In general, access restriction directives apply to all 49 access methods (<code>GET</code>, <code>PUT</code>, 50 <code>POST</code>, etc). This is the desired behavior in most 51 cases. However, it is possible to restrict some methods, while 52 leaving other methods unrestricted, by enclosing the directives 53 in a <code class="directive"><a href="/mod/core.html#limit"><Limit></a></code> section.</p> 54</div> 55<div id="quickview"><h3 class="directives">Directives</h3> 56<p>This module provides no 57 directives.</p> 58<h3>Topics</h3> 59<ul id="topics"> 60<li><img alt="" src="/images/down.gif" /> <a href="#requiredirectives">The Require Directives</a></li> 61</ul><h3>See also</h3> 62<ul class="seealso"> 63<li><a href="/howto/auth.html">Authentication, Authorization, 64 and Access Control</a></li> 65<li><code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code></li> 66</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div> 67<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 68<div class="section"> 69<h2><a name="requiredirectives" id="requiredirectives">The Require Directives</a></h2> 70 71 <p>Apache's <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> 72 directive is used during the authorization phase to ensure that a user is allowed or 73 denied access to a resource. mod_authz_host extends the 74 authorization types with <code>ip</code>, <code>host</code> and <code>local</code>. 75 Other authorization types may also be 76 used but may require that additional authorization modules be loaded.</p> 77 78 <p>These authorization providers affect which hosts can 79 access an area of the server. Access can be controlled by 80 hostname, IP Address, or IP Address range.</p> 81 82 <p>Since v2.5.0, <a href="/expr.html">expressions</a> are supported 83 within the host require directives.</p> 84 85<h3><a name="reqip" id="reqip">Require ip</a></h3> 86 87 <p>The <code>ip</code> provider allows access to the server 88 to be controlled based on the IP address of the remote client. 89 When <code>Require ip <var>ip-address</var></code> is specified, 90 then the request is allowed access if the IP address matches.</p> 91 92 <p>A full IP address:</p> 93 94 <pre class="prettyprint lang-config">Require ip 10.1.2.3 95Require ip 192.168.1.104 192.168.1.205</pre> 96 97 98 <p>An IP address of a host allowed access</p> 99 100 <p>A partial IP address:</p> 101 102 <pre class="prettyprint lang-config">Require ip 10.1 103Require ip 10 172.20 192.168.2</pre> 104 105 <p>The first 1 to 3 bytes of an IP address, for subnet 106 restriction.</p> 107 108 <p>A network/netmask pair:</p> 109 110 <pre class="prettyprint lang-config">Require ip 10.1.0.0/255.255.0.0</pre> 111 112 <p>A network a.b.c.d, and a netmask w.x.y.z. For more 113 fine-grained subnet restriction.</p> 114 115 <p>A network/nnn CIDR specification:</p> 116 117 <pre class="prettyprint lang-config">Require ip 10.1.0.0/16</pre> 118 119 <p>Similar to the previous case, except the netmask consists of 120 nnn high-order 1 bits.</p> 121 122 <p>Note that the last three examples above match exactly the 123 same set of hosts.</p> 124 125 <p>IPv6 addresses and IPv6 subnets can be specified as shown 126 below:</p> 127 128 <pre class="prettyprint lang-config">Require ip 2001:db8::a00:20ff:fea7:ccea 129Require ip 2001:db8::a00:20ff:fea7:ccea/10</pre> 130 131 132 <p>Note: As the IP addresses are parsed on startup, expressions are 133 not evaluated at request time.</p> 134 135 136 137<h3><a name="reqhost" id="reqhost">Require host</a></h3> 138 139 <p>The <code>host</code> provider allows access to the server 140 to be controlled based on the host name of the remote client. 141 When <code>Require host <var>host-name</var></code> is specified, 142 then the request is allowed access if the host name matches.</p> 143 144 <p>A (partial) domain-name</p> 145 146 <pre class="prettyprint lang-config">Require host example.org 147Require host .net example.edu</pre> 148 149 150 <p>Hosts whose names match, or end in, this string are allowed 151 access. Only complete components are matched, so the above 152 example will match <code>foo.example.org</code> but it will not 153 match <code>fooexample.org</code>. This configuration will cause 154 Apache to perform a double reverse DNS lookup on the client IP 155 address, regardless of the setting of the <code class="directive"><a href="/mod/core.html#hostnamelookups">HostnameLookups</a></code> directive. It will do 156 a reverse DNS lookup on the IP address to find the associated 157 hostname, and then do a forward lookup on the hostname to assure 158 that it matches the original IP address. Only if the forward 159 and reverse DNS are consistent and the hostname matches will 160 access be allowed.</p> 161 162 163 164<h3><a name="reqlocal" id="reqlocal">Require local</a></h3> 165 <p>The <code>local</code> provider allows access to the server if any 166 of the following conditions is true:</p> 167 168 <ul> 169 <li>the client address matches 127.0.0.0/8</li> 170 <li>the client address is ::1</li> 171 <li>both the client and the server address of the connection are 172 the same</li> 173 </ul> 174 175 <p>This allows a convenient way to match connections that originate from 176 the local host:</p> 177 178 <pre class="prettyprint lang-config">Require local</pre> 179 180 181 182<h3><a name="proxy" id="proxy">Security Note</a></h3> 183 184 <p>If you are proxying content to your server, you need to be aware 185 that the client address will be the address of your proxy server, 186 not the address of the client, and so using the <code>Require</code> 187 directive in this context may not do what you mean. See 188 <code class="module"><a href="/mod/mod_remoteip.html">mod_remoteip</a></code> for one possible solution to this 189 problem.</p> 190 191 192 193</div> 194</div> 195<div class="bottomlang"> 196<p><span>Available Languages: </span><a href="/en/mod/mod_authz_host.html" title="English"> en </a> | 197<a href="/fr/mod/mod_authz_host.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p> 198</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> 199<script type="text/javascript"><!--//--><![CDATA[//><!-- 200var comments_shortname = 'httpd'; 201var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_authz_host.html'; 202(function(w, d) { 203 if (w.location.hostname.toLowerCase() == "httpd.apache.org") { 204 d.write('<div id="comments_thread"><\/div>'); 205 var s = d.createElement('script'); 206 s.type = 'text/javascript'; 207 s.async = true; 208 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier; 209 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s); 210 } 211 else { 212 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>'); 213 } 214})(window, document); 215//--><!]]></script></div><div id="footer"> 216<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> 217<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- 218if (typeof(prettyPrint) !== 'undefined') { 219 prettyPrint(); 220} 221//--><!]]></script> 222</body></html>
