Posted to cvs@httpd.apache.org by rb...@apache.org on 2011/02/15 12:54:28 UTC

svn commit: r1070853 - in /httpd/httpd/trunk/docs/manual/howto: access.xml index.xml

Author: rbowen
Date: Tue Feb 15 11:54:27 2011
New Revision: 1070853

URL: http://svn.apache.org/viewvc?rev=1070853&view=rev
Log:
Copies the access control howto from the 2.2 docs. However, it's going
to need some work to be appropriate for trunk.

Added:
    httpd/httpd/trunk/docs/manual/howto/access.xml
Modified:
    httpd/httpd/trunk/docs/manual/howto/index.xml

Added: httpd/httpd/trunk/docs/manual/howto/access.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/howto/access.xml?rev=1070853&view=auto
==============================================================================
--- httpd/httpd/trunk/docs/manual/howto/access.xml (added)
+++ httpd/httpd/trunk/docs/manual/howto/access.xml Tue Feb 15 11:54:27 2011
@@ -0,0 +1,188 @@
+<?xml version='1.0' encoding='UTF-8' ?>
+<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<!-- $LastChangedRevision: 675570 $ -->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements.  See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manualpage metafile="access.xml.meta">
+<parentdocument href="./">How-To / Tutorials</parentdocument>
+
+<title>Access Control</title>
+
+<summary>
+    <p>Access control refers to any means of controlling access to any
+    resource. This is separate from <a
+    href="auth.html">authentication and authorization</a>.</p>
+</summary>
+
+<section id="related"><title>Related Modules and Directives</title>
+
+<p>Access control can be done by several different modules. The most
+important of these is <module>mod_authz_host</module>. Other modules
+discussed in this document include <module>mod_setenvif</module> and
+<module>mod_rewrite</module>.</p>
+
+</section>
+
+<section id="host"><title>Access control by host</title>
+    <p>
+    If you wish to restrict access to portions of your site based on the
+    host address of your visitors, this is most easily done using
+    <module>mod_authz_host</module>.
+    </p>
+
+    <p>The <directive module="mod_authz_host">Allow</directive> and
+    <directive module="mod_authz_host">Deny</directive> directives let
+    you allow and deny access based on the host name, or host
+    address, of the machine requesting a document. The
+    <directive module="mod_authz_host">Order</directive> directive goes
+    hand-in-hand with these two, and tells Apache in which order to
+    apply the filters.</p>
+
+    <p>The usage of these directives is:</p>
+
+    <example>
+      Allow from <var>address</var>
+    </example>
+
+    <p>where <var>address</var> is an IP address (or a partial IP
+    address) or a fully qualified domain name (or a partial domain
+    name); you may provide multiple addresses or domain names, if
+    desired.</p>
+
+    <p>For example, if you have someone spamming your message
+    board, and you want to keep them out, you could do the
+    following:</p>
+
+    <example>
+      Deny from 10.252.46.165
+    </example>
+
+    <p>Visitors coming from that address will not be able to see
+    the content covered by this directive. If, instead, you have a
+    machine name, rather than an IP address, you can use that.</p>
+
+    <example>
+      Deny from <var>host.example.com</var>
+    </example>
+
+    <p>And, if you'd like to block access from an entire domain,
+    you can specify just part of an address or domain name:</p>
+
+    <example>
+      Deny from <var>192.168.205</var><br />
+      Deny from <var>phishers.example.com</var> <var>moreidiots.example</var><br />
+      Deny from ke
+    </example>
+
+    <p>Using <directive module="mod_authz_host">Order</directive> will let you
+    be sure that you are actually restricting things to the group that you want
+    to let in, by combining a <directive
+    module="mod_authz_host">Deny</directive> and an <directive
+    module="mod_authz_host">Allow</directive> directive:</p>
+
+    <example>
+      Order deny,allow<br />
+      Deny from all<br />
+      Allow from <var>dev.example.com</var>
+    </example>
+
+    <p>Listing just the <directive module="mod_authz_host">Allow</directive>
+    directive would not do what you want, because it will let folks from that
+    host in, in addition to letting everyone in. What you want is to let
+    <em>only</em> those folks in.</p>
+</section>
+
+<section id="env"><title>Access control by environment variable</title>
+
+    <p>
+    <module>mod_authz_host</module>, in conjunction with
+    <module>mod_setenvif</module>, can be used to restrict access to
+    your website based on the value of arbitrary environment variables.
+    This is done with the <code>Allow from env=</code> and <code>Deny
+    from env=</code> syntax.
+    </p>
+
+    <example>
+    SetEnvIf User-Agent BadBot GoAway=1<br />
+    Order allow,deny<br />
+    Allow from all<br />
+    Deny from env=GoAway
+    </example>
+
+    <note><title>Warning:</title>
+    <p>Access control by <code>User-Agent</code> is an unreliable technique,
+    since the <code>User-Agent</code> header can be set to anything at all,
+    at the whim of the end user.</p>
+    </note>
+
+    <p>
+    In the above example, the environment variable <code>GoAway</code>
+    is set to <code>1</code> if the <code>User-Agent</code> matches the
+    string <code>BadBot</code>. Then we deny access for any request when
+    this variable is set. This blocks that particular user agent from
+    the site.
+    </p>
+
+    <p>An environment variable test can be negated using the <code>=!</code>
+    syntax:</p>
+
+    <example><p>
+    Allow from env=!GoAway
+    </p></example>
+
+</section>
+
+<section id="rewrite"><title>Access control with mod_rewrite</title>
+
+<p>The <code>[F]</code> <directive
+module="mod_rewrite">RewriteRule</directive> flag causes a 403 Forbidden
+response to be sent. Using this, you can deny access to a resource based
+on arbitrary criteria.</p>
+
+<p>For example, if you wish to block access to a resource between 8pm
+and 6am, you can do this using <module>mod_rewrite</module>.</p>
+
+<example>
+RewriteEngine On<br />
+RewriteCond %{TIME_HOUR} &gt;20 [OR]<br />
+RewriteCond %{TIME_HOUR} &lt;07<br />
+RewriteRule ^/fridge - [F]
+</example>
+
+<p>This will return a 403 Forbidden response for any request after 8pm
+or before 7am. This technique can be used for any criteria that you wish
+to check. You can also redirect, or otherwise rewrite these requests, if
+that approach is preferred.</p>
+
+</section>
+
+<section id="moreinformation"><title>More information</title>
+    <p>You should also read the documentation for
+    <module>mod_auth_basic</module> and <module>mod_authz_host</module> which
+    contain some more information about how this all works.
+    <module>mod_authn_alias</module> can also help in simplifying certain
+    authentication configurations.</p>
+
+    <p>See the <a href="auth.html">Authentication and Authorization</a>
+    howto.</p>
+</section>
+
+</manualpage>
+
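Review bot: The time-based example in the "rewrite" section disagrees with its own prose. The lead-in says the resource is blocked "between 8pm and 6am", the conditions are "RewriteCond %{TIME_HOUR} &gt;20 [OR]" and "RewriteCond %{TIME_HOUR} &lt;07", and the closing paragraph says "after 8pm or before 7am". As written, the conditions match hours 21 through 23 and 00 through 06, so requests during the 20:00 hour are still served and the block lasts until 07:00. Suggest picking one window and making the lead-in, the two conditions and the closing paragraph agree, since a reader copying this for access control gets a different window than the text promises. Separately, in the "env" section the negation is described as the "=!" syntax while the example reads "Allow from env=!GoAway"; calling it "env=!" would match the example and the earlier "Allow from env=" wording.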

Modified: httpd/httpd/trunk/docs/manual/howto/index.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/howto/index.xml?rev=1070853&r1=1070852&r2=1070853&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/howto/index.xml (original)
+++ httpd/httpd/trunk/docs/manual/howto/index.xml Tue Feb 15 11:54:27 2011
@@ -41,6 +41,18 @@
       </dd>
     </dl>
 
+    <dl>
+      <dt>Access Control</dt>
+      <dd>
+        <p>Access control refers to the process of restricting, or
+        granting access to a resource based on arbitrary criteria. There
+        are a variety of different ways that this can be
+        accomplished.</p>
+
+        <p>See: <a href="access.html">Access Control</a></p>
+      </dd>
+    </dl>
+
    <dl>
       <dt>Dynamic Content with CGI</dt>
       <dd>
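Review bot: The definition in the new <dd> paragraph has a stray comma ("restricting, or granting access to a resource") and does not match the summary added to access.xml in this same commit, which describes access control as "any means of controlling access to any resource" and explicitly separates it from authentication and authorization. Suggest dropping the comma and reusing the access.xml summary wording so the index entry and the page it links to say the same thing.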