mirror of
https://github.com/apache/httpd.git
synced 2025-08-10 02:56:11 +00:00
a3d2bba55b
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1330911 13f79535-47bb-0310-9956-ffa450edef68
175 lines
6.4 KiB
XML
175 lines
6.4 KiB
XML
<?xml version="1.0"?>
|
|
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
|
|
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
|
|
<!-- $LastChangedRevision$ -->
|
|
|
|
<!--
|
|
Licensed to the Apache Software Foundation (ASF) under one or more
|
|
contributor license agreements. See the NOTICE file distributed with
|
|
this work for additional information regarding copyright ownership.
|
|
The ASF licenses this file to You under the Apache License, Version 2.0
|
|
(the "License"); you may not use this file except in compliance with
|
|
the License. You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
-->
|
|
|
|
<modulesynopsis metafile="mod_authz_host.xml.meta">
|
|
|
|
<name>mod_authz_host</name>
|
|
<description>Group authorizations based on host (name or IP
|
|
address)</description>
|
|
<status>Base</status>
|
|
<sourcefile>mod_authz_host.c</sourcefile>
|
|
<identifier>authz_host_module</identifier>
|
|
<compatibility>Available in Apache 2.3 and later</compatibility>
|
|
|
|
<summary>
|
|
<p>The authorization providers implemented by <module>mod_authz_host</module> are
|
|
registered using the <directive module="mod_authz_core">Require</directive>
|
|
directive. The directive can be referenced within a
|
|
<directive module="core" type="section">Directory</directive>,
|
|
<directive module="core" type="section">Files</directive>,
|
|
or <directive module="core" type="section">Location</directive> section
|
|
as well as <code><a href="core.html#accessfilename">.htaccess</a>
|
|
</code> files to control access to particular parts of the server.
|
|
Access can be controlled based on the client hostname or IP address.</p>
|
|
|
|
<p>In general, access restriction directives apply to all
|
|
access methods (<code>GET</code>, <code>PUT</code>,
|
|
<code>POST</code>, etc). This is the desired behavior in most
|
|
cases. However, it is possible to restrict some methods, while
|
|
leaving other methods unrestricted, by enclosing the directives
|
|
in a <directive module="core" type="section">Limit</directive> section.</p>
|
|
</summary>
|
|
|
|
<seealso><a href="../howto/auth.html">Authentication, Authorization,
|
|
and Access Control</a></seealso>
|
|
<seealso><directive module="mod_authz_core">Require</directive></seealso>
|
|
|
|
<section id="requiredirectives"><title>The Require Directives</title>
|
|
|
|
<p>Apache's <directive module="mod_authz_core">Require</directive>
|
|
directive is used during the authorization phase to ensure that a user is allowed or
|
|
denied access to a resource. mod_authz_host extends the
|
|
authorization types with <code>ip</code> and <code>host</code>.
|
|
Other authorization types may also be
|
|
used but may require that additional authorization modules be loaded.</p>
|
|
|
|
<p>These authorization providers affect which hosts can
|
|
access an area of the server. Access can be controlled by
|
|
hostname, IP Address, or IP Address range.</p>
|
|
|
|
<section id="reqip"><title>Require ip</title>
|
|
|
|
<p>The <code>ip</code> provider allows access to the server
|
|
to be controlled based on the IP address of the remote client.
|
|
When <code>Require ip <var>ip-address</var></code> is specified,
|
|
then the request is allowed access if the IP address matches.</p>
|
|
|
|
<p>A full IP address:</p>
|
|
|
|
<highlight language="config">
|
|
Require ip 10.1.2.3
|
|
Require ip 192.168.1.104 192.168.1.205
|
|
</highlight>
|
|
|
|
<p>An IP address of a host allowed access</p>
|
|
|
|
<p>A partial IP address:</p>
|
|
|
|
<highlight language="config">
|
|
Require ip 10.1
|
|
Require ip 10 172.20 192.168.2
|
|
</highlight>
|
|
<p>The first 1 to 3 bytes of an IP address, for subnet
|
|
restriction.</p>
|
|
|
|
<p>A network/netmask pair:</p>
|
|
|
|
<highlight language="config">
|
|
Require ip 10.1.0.0/255.255.0.0
|
|
</highlight>
|
|
<p>A network a.b.c.d, and a netmask w.x.y.z. For more
|
|
fine-grained subnet restriction.</p>
|
|
|
|
<p>A network/nnn CIDR specification:</p>
|
|
|
|
<highlight language="config">
|
|
Require ip 10.1.0.0/16
|
|
</highlight>
|
|
<p>Similar to the previous case, except the netmask consists of
|
|
nnn high-order 1 bits.</p>
|
|
|
|
<p>Note that the last three examples above match exactly the
|
|
same set of hosts.</p>
|
|
|
|
<p>IPv6 addresses and IPv6 subnets can be specified as shown
|
|
below:</p>
|
|
|
|
<highlight language="config">
|
|
Require ip 2001:db8::a00:20ff:fea7:ccea
|
|
Require ip 2001:db8::a00:20ff:fea7:ccea/10
|
|
</highlight>
|
|
|
|
|
|
</section>
|
|
|
|
<section id="reqhost"><title>Require host</title>
|
|
|
|
<p>The <code>host</code> provider allows access to the server
|
|
to be controlled based on the host name of the remote client.
|
|
When <code>Require host <var>host-name</var></code> is specified,
|
|
then the request is allowed access if the host name matches.</p>
|
|
|
|
<p>A (partial) domain-name</p>
|
|
|
|
<highlight language="config">
|
|
Require host example.org
|
|
Require host .net example.edu
|
|
</highlight>
|
|
|
|
<p>Hosts whose names match, or end in, this string are allowed
|
|
access. Only complete components are matched, so the above
|
|
example will match <code>foo.example.org</code> but it will not
|
|
match <code>fooexample.org</code>. This configuration will cause
|
|
Apache to perform a double reverse DNS lookup on the client IP
|
|
address, regardless of the setting of the <directive
|
|
module="core">HostnameLookups</directive> directive. It will do
|
|
a reverse DNS lookup on the IP address to find the associated
|
|
hostname, and then do a forward lookup on the hostname to assure
|
|
that it matches the original IP address. Only if the forward
|
|
and reverse DNS are consistent and the hostname matches will
|
|
access be allowed.</p>
|
|
|
|
</section>
|
|
|
|
<section id="reqlocal"><title>Require local</title>
|
|
<p>The <code>local</code> provider allows access to the server if any
|
|
of the following conditions is true:</p>
|
|
|
|
<ul>
|
|
<li>the client address matches 127.0.0.0/8</li>
|
|
<li>the client address is ::1</li>
|
|
<li>both the client and the server address of the connection are
|
|
the same</li>
|
|
</ul>
|
|
|
|
<p>This allows a convenient way to match connections that originate from
|
|
the local host:</p>
|
|
|
|
<highlight language="config">
|
|
Require local
|
|
</highlight>
|
|
</section>
|
|
|
|
</section>
|
|
|
|
</modulesynopsis>
|